Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

The same problem with the same fix as in #885582 for stretch.

Cheers,
       Sven

diff -Nru ncurses-5.9+20140913/debian/changelog ncurses-5.9+20140913/debian/changelog
--- ncurses-5.9+20140913/debian/changelog	2017-12-03 11:20:45.000000000 +0100
+++ ncurses-5.9+20140913/debian/changelog	2017-12-28 11:14:57.000000000 +0100
@@ -1,3 +1,11 @@
+ncurses (5.9+20140913-1+deb8u3) jessie; urgency=medium
+
+  * Cherry-pick upstream fix from the 20171125 patchlevel to fix
+    a buffer overflow in the _nc_write_entry function
+    (CVE-2017-16879, Closes: #882620).
+
+ -- Sven Joachim <svenj...@gmx.de>  Thu, 28 Dec 2017 11:14:57 +0100
+
 ncurses (5.9+20140913-1+deb8u2) jessie; urgency=medium
 
   * Re-upload with no changes to work around #826161.
diff -Nru ncurses-5.9+20140913/debian/patches/cve-2017-16879.diff ncurses-5.9+20140913/debian/patches/cve-2017-16879.diff
--- ncurses-5.9+20140913/debian/patches/cve-2017-16879.diff	1970-01-01 01:00:00.000000000 +0100
+++ ncurses-5.9+20140913/debian/patches/cve-2017-16879.diff	2017-12-28 10:53:47.000000000 +0100
@@ -0,0 +1,44 @@
+Author: Sven Joachim <svenj...@gmx.de>
+Description: Fix for CVE-2017-16879 in the _nc_write_entry function
+ Fix for CVE-2017-16879 cherry-picked from upstream patchlevel
+ 20171125.
+Bug-Debian: https://bugs.debian.org/882620
+Forwarded: not-needed
+Last-Update: 2017-11-27
+
+---
+ ncurses/tinfo/write_entry.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/ncurses/tinfo/write_entry.c
++++ b/ncurses/tinfo/write_entry.c
+@@ -268,6 +268,9 @@ _nc_write_entry(TERMTYPE *const tp)
+ #endif
+ #endif /* USE_SYMLINKS */
+ 
++    unsigned limit2 = sizeof(filename) - (2 + LEAF_LEN);
++    char saved = '\0';
++
+     static int call_count;
+     static time_t start_time;	/* time at start of writes */
+ 
+@@ -366,12 +369,18 @@ _nc_write_entry(TERMTYPE *const tp)
+ 	start_time = 0;
+     }
+ 
+-    if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN))
++    if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN)) {
+ 	_nc_warning("terminal name too long.");
++	saved = first_name[limit2];
++	first_name[limit2] = '\0';
++    }
+ 
+     _nc_SPRINTF(filename, _nc_SLIMIT(sizeof(filename))
+ 		LEAF_FMT "/%s", first_name[0], first_name);
+ 
++    if (saved)
++	first_name[limit2] = saved;
++
+     /*
+      * Has this primary name been written since the first call to
+      * write_entry()?  If so, the newer write will step on the older,
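Review bot: The length test in the second hunk of write_entry.c still spells out `sizeof(filename) - (2 + LEAF_LEN)` while the truncation just below it indexes with `limit2`, so the bound that keeps the formatted path inside `filename` is written twice and the two copies can drift apart; the test would be safer as `if (strlen(first_name) >= limit2) {`. `saved` also doubles as the "name was truncated" flag, which is correct only because the byte at `limit2` is NUL exactly when the length equals the limit, and that deserves a one-line comment such as `/* saved stays '\0' when there is nothing to restore */`. After truncation the entry is written under the shortened path with only a warning, so two over-long names sharing the same prefix would presumably resolve to the same file; it is worth confirming that this is acceptable for the callers. `_nc_write_entry` begins and ends outside the hunk, so where `first_name` points and whether it may be modified in place cannot be checked from here.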
diff -Nru ncurses-5.9+20140913/debian/patches/series ncurses-5.9+20140913/debian/patches/series
--- ncurses-5.9+20140913/debian/patches/series	2017-12-01 10:17:11.000000000 +0100
+++ ncurses-5.9+20140913/debian/patches/series	2017-12-28 10:53:47.000000000 +0100
@@ -5,3 +5,4 @@
 termcap-fix.diff
 more-cve-fixes.diff
 cve-2017-13733.diff
+cve-2017-16879.diff
