Control: found -1 6.2+20201114-2
Control: tags -1 + bullseye

On 2023-01-26 22:34 +0100, Salvatore Bonaccorso wrote:

> On Sun, Jan 22, 2023 at 01:16:21PM +0100, Sven Joachim wrote:
>> Package: ncurses-bin
>> Version: 6.4-1
>> Tags: security fixed-upstream
>> Forwarded: https://lists.gnu.org/archive/html/bug-ncurses/2023-01/msg00035.html
>> X-Debbugs-CC: t...@security.debian.org
>>
>> Running tic on the attached file triggers a stack buffer overflow:
>>
>> ,----
>> | $ tic -I minimized-crash1
>> | "minimized-crash1", line 1, col 606, terminal '0': Very long string found. Missing separator?
>> | "minimized-crash1", line 1, col 4098, terminal '0': Missing separator
>> | *** buffer overflow detected ***: terminated
>> | [1] 485807 IOT instruction tic -I minimized-crash1
>> `----
>>
>> This has been reported upstream yesterday and was promptly addressed in
>> this weekend's patchlevel. I intend to cherry-pick the patch for
>> Bookworm, maybe it could also be included in a Bullseye point release if
>> older versions are affected.
>>
>> The impact seems to be rather low, as the attacker needs to persuade the
>> victim to run tic on crafted input, and thanks to the stack protection
>> nothing worse than a crash should happen.
>
> FWIW, this sounds good. If bullseye is affected, then a potential fix
> can go in via an upcoming bullseye point release.

Just tested tic from bullseye and could reproduce the crash. The patch
appears to apply cleanly.

Cheers,
Sven