Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

2017-09-27 Thread Adam D. Barratt 
Control: tags -1 + pending

On Sun, 2017-09-24 at 09:16 +0200, Sven Joachim wrote:
> On 2017-09-23 19:59 +0100, Adam D. Barratt wrote:
> 
> > Control: tags -1 -moreinfo +confirmed
> > 
> > On Thu, 2017-09-07 at 19:06 +0200, Cyril Brulebois wrote:
> > > Sven Joachim  (2017-09-06):
> > > > Meanwhile seven new CVEs in the tic library and programs have
> > > > been
> > > > reported, and I would like to fix those as well, see the
> > > > attached
> > > > new
> > > > debdiff.  It contains all the library changes from the 20170826
> > > > upstream
> > > > patchlevel and the program fixes of the 20170902 patchlevel.  I
> > > > have
> > > > also attached the test cases for the 13 bugs reported in the
> > > > Red
> > > > Hat
> > > > bugtracker.
> > > > 
> > > > > > > I'd be okay with this, but it will need a kibi-ack due to
> > > > > > > the
> > > > > > > udeb.
> > > > > > 
> > > > > > The changes do not touch the tinfo library which is all
> > > > > > that
> > > > > > shipped in
> > > > > > the udeb.
> > > > > 
> > > > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are
> > > > > compiled
> > > > > into the tic library while progs/dump_entry.c is for the
> > > > > infocmp
> > > > > and tic
> > > > > programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1
> > > > > in a
> > > > > stretch chroot produced identical libtinfo.so.5.9 files.
> > > > 
> > > > This is unfortunately no longer the case, since strings.c and
> > > > trim_sgr0.c are compiled into the tinfo library.  However, the
> > > > changes
> > > > to these files are small.
> > > 
> > > I have no straightforward way to double check things still run
> > > smoothly
> > > with stretch's d-i, so I'll follow whatever decision the release
> > > team
> > > makes; if regressions pop up, we'll figure out how to fix them.
> > > 
> > 
> > Let's go with it and keep our fingers crossed that any issues show
> > up
> > quickly.
> 
> Thanks, uploaded.
> 

Flagged for acceptance, thanks.

Regards,

Adam

Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

2017-09-24 Thread Sven Joachim 
On 2017-09-23 19:59 +0100, Adam D. Barratt wrote:

> Control: tags -1 -moreinfo +confirmed
>
> On Thu, 2017-09-07 at 19:06 +0200, Cyril Brulebois wrote:
>> Sven Joachim  (2017-09-06):
>> > Meanwhile seven new CVEs in the tic library and programs have been
>> > reported, and I would like to fix those as well, see the attached
>> > new
>> > debdiff.  It contains all the library changes from the 20170826
>> > upstream
>> > patchlevel and the program fixes of the 20170902 patchlevel.  I
>> > have
>> > also attached the test cases for the 13 bugs reported in the Red
>> > Hat
>> > bugtracker.
>> > 
>> > > > > I'd be okay with this, but it will need a kibi-ack due to the
>> > > > > udeb.
>> > > > 
>> > > > The changes do not touch the tinfo library which is all that
>> > > > shipped in
>> > > > the udeb.
>> > > 
>> > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are
>> > > compiled
>> > > into the tic library while progs/dump_entry.c is for the infocmp
>> > > and tic
>> > > programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
>> > > stretch chroot produced identical libtinfo.so.5.9 files.
>> > 
>> > This is unfortunately no longer the case, since strings.c and
>> > trim_sgr0.c are compiled into the tinfo library.  However, the
>> > changes
>> > to these files are small.
>> 
>> I have no straightforward way to double check things still run
>> smoothly
>> with stretch's d-i, so I'll follow whatever decision the release team
>> makes; if regressions pop up, we'll figure out how to fix them.
>> 
>
> Let's go with it and keep our fingers crossed that any issues show up
> quickly.

Thanks, uploaded.

Cheers,
   Sven

Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

2017-09-23 Thread Adam D. Barratt 
Control: tags -1 -moreinfo +confirmed

On Thu, 2017-09-07 at 19:06 +0200, Cyril Brulebois wrote:
> Sven Joachim  (2017-09-06):
> > Meanwhile seven new CVEs in the tic library and programs have been
> > reported, and I would like to fix those as well, see the attached
> > new
> > debdiff.  It contains all the library changes from the 20170826
> > upstream
> > patchlevel and the program fixes of the 20170902 patchlevel.  I
> > have
> > also attached the test cases for the 13 bugs reported in the Red
> > Hat
> > bugtracker.
> > 
> > > > > I'd be okay with this, but it will need a kibi-ack due to the
> > > > > udeb.
> > > > 
> > > > The changes do not touch the tinfo library which is all that
> > > > shipped in
> > > > the udeb.
> > > 
> > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are
> > > compiled
> > > into the tic library while progs/dump_entry.c is for the infocmp
> > > and tic
> > > programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
> > > stretch chroot produced identical libtinfo.so.5.9 files.
> > 
> > This is unfortunately no longer the case, since strings.c and
> > trim_sgr0.c are compiled into the tinfo library.  However, the
> > changes
> > to these files are small.
> 
> I have no straightforward way to double check things still run
> smoothly
> with stretch's d-i, so I'll follow whatever decision the release team
> makes; if regressions pop up, we'll figure out how to fix them.
> 

Let's go with it and keep our fingers crossed that any issues show up
quickly.

Regards,

Adam

Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

2017-09-07 Thread Salvatore Bonaccorso 
Hi Sven,

On Thu, Sep 07, 2017 at 08:20:34PM +0200, Sven Joachim wrote:
> On 2017-09-07 05:32 +0200, Salvatore Bonaccorso wrote:
> 
> > Not a must, and note that is just a comment on my side, I'm not a SRM:
> > if possible add a bug closer as well to the changelog entry so that
> > when the point release happends, the correct fixed version is as well
> > propagated to the BTS bugs.
> 
> Heh, it was you who had marked these bugs as found in 6.0+20170715-2 in
> the first place. ;-)  Anyway, I have updated the changelog and also

Yes, let me explain. That was just because at that point it was clear
that the bugs are in that version, no checks for older versions were
made. Then you did further work, and found the jessie and stretch
version as well as affected. So only later updated the BTS with the
repsective other found versions. Hope this explains. But we are maybe
side-tracking the SRM now, so I shut up!

Regards and thanks for your work!
Salvatore

Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

2017-09-07 Thread Sven Joachim 
On 2017-09-07 05:32 +0200, Salvatore Bonaccorso wrote:

> Not a must, and note that is just a comment on my side, I'm not a SRM:
> if possible add a bug closer as well to the changelog entry so that
> when the point release happends, the correct fixed version is as well
> propagated to the BTS bugs.

Heh, it was you who had marked these bugs as found in 6.0+20170715-2 in
the first place. ;-)  Anyway, I have updated the changelog and also
fixed a typo in it.

diff --git a/debian/changelog b/debian/changelog
index 160b2cb1..a75f99e6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,11 +7,12 @@ ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium
 regression from the above security fixes (see #868266).
   * Cherry-pick upstream fixes from the 20170826 patchlevel for more
 crash bugs in the tic library (CVE-2017-13728, CVE-2017-13729,
-CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734).
-  * Cerry-pick upstream fixes from the 20170902 patchlevel to fix
-another crash bug in the tic program (CVE-2017-13733).
+CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734,
+Closes: #873723).
+  * Cherry-pick upstream fixes from the 20170902 patchlevel to fix
+another crash bug in the tic program (CVE-2017-13733, Closes: #873746).
 
- -- Sven Joachim   Mon, 04 Sep 2017 22:04:15 +0200
+ -- Sven Joachim   Thu, 07 Sep 2017 19:05:43 +0200
 
 ncurses (6.0+20161126-1) unstable; urgency=low
 

If a new full debdiff is wanted, please say so.

Cheers,
   Sven

Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

2017-09-07 Thread Cyril Brulebois 
Sven Joachim  (2017-09-06):
> Meanwhile seven new CVEs in the tic library and programs have been
> reported, and I would like to fix those as well, see the attached new
> debdiff.  It contains all the library changes from the 20170826 upstream
> patchlevel and the program fixes of the 20170902 patchlevel.  I have
> also attached the test cases for the 13 bugs reported in the Red Hat
> bugtracker.
> 
> >>> I'd be okay with this, but it will need a kibi-ack due to the udeb.
> >>
> >> The changes do not touch the tinfo library which is all that shipped in
> >> the udeb.
> >
> > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are compiled
> > into the tic library while progs/dump_entry.c is for the infocmp and tic
> > programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
> > stretch chroot produced identical libtinfo.so.5.9 files.
> 
> This is unfortunately no longer the case, since strings.c and
> trim_sgr0.c are compiled into the tinfo library.  However, the changes
> to these files are small.

I have no straightforward way to double check things still run smoothly
with stretch's d-i, so I'll follow whatever decision the release team
makes; if regressions pop up, we'll figure out how to fix them.


KiBi.


signature.asc
Description: PGP signature

Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

2017-09-06 Thread Salvatore Bonaccorso 
Hi Sven

On Wed, Sep 06, 2017 at 06:52:36PM +0200, Sven Joachim wrote:
> On 2017-07-19 20:30 +0200, Sven Joachim wrote:
> 
> > Control: tags -1 - moreinfo
> >
> > On 2017-07-15 12:50 +0200, Sven Joachim wrote:
> >
> >> Control: tags -1 - confirmed
> >> Control: tags -1 + moreinfo
> >>
> >> On 2017-07-15 11:04 +0100, Adam D. Barratt wrote:
> >>
> >>> Control: tags -1 + confirmed d-i
> >>>
> >>> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote:
>  Recently a few flaws in the tic program and the tic library have been
>  detected: null pointer dereference, buffer overflow, stack smashing, you
>  name it.  Six bugs have been reported in the Red Hat bugtracker and four
>  CVEs assigned.  Fortunately there are rather few users who would run
>  affected programs at all, so it was decided that no DSA would be
>  necessary.
> >>
> >> Unfortunately the fixes have caused a regression in infocmp, see
> >> #868266.  I expect an upstream fix this night, but to properly test it
> >> and prepare new packages taking a bit more time seems advisable.  So I
> >> guess we'll have to defer that for 9.2.
> >
> > The changes from the 20170715 patchlevel were a bit larger than I would
> > have liked, but applied with minimal tweaking to the stretch version.
> > Running "infocmp -C" on all the terminfo files in ncurses-{base,term}
> > showed no difference compared to the infocmp version currently in
> > stretch.
> 
> Meanwhile seven new CVEs in the tic library and programs have been
> reported, and I would like to fix those as well, see the attached new
> debdiff.  It contains all the library changes from the 20170826 upstream
> patchlevel and the program fixes of the 20170902 patchlevel.  I have
> also attached the test cases for the 13 bugs reported in the Red Hat
> bugtracker.

Not a must, and note that is just a comment on my side, I'm not a SRM:
if possible add a bug closer as well to the changelog entry so that
when the point release happends, the correct fixed version is as well
propagated to the BTS bugs.

Regards,
Salvatore

Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

2017-09-06 Thread Sven Joachim 
On 2017-07-19 20:30 +0200, Sven Joachim wrote:

> Control: tags -1 - moreinfo
>
> On 2017-07-15 12:50 +0200, Sven Joachim wrote:
>
>> Control: tags -1 - confirmed
>> Control: tags -1 + moreinfo
>>
>> On 2017-07-15 11:04 +0100, Adam D. Barratt wrote:
>>
>>> Control: tags -1 + confirmed d-i
>>>
>>> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote:
 Recently a few flaws in the tic program and the tic library have been
 detected: null pointer dereference, buffer overflow, stack smashing, you
 name it.  Six bugs have been reported in the Red Hat bugtracker and four
 CVEs assigned.  Fortunately there are rather few users who would run
 affected programs at all, so it was decided that no DSA would be
 necessary.
>>
>> Unfortunately the fixes have caused a regression in infocmp, see
>> #868266.  I expect an upstream fix this night, but to properly test it
>> and prepare new packages taking a bit more time seems advisable.  So I
>> guess we'll have to defer that for 9.2.
>
> The changes from the 20170715 patchlevel were a bit larger than I would
> have liked, but applied with minimal tweaking to the stretch version.
> Running "infocmp -C" on all the terminfo files in ncurses-{base,term}
> showed no difference compared to the infocmp version currently in
> stretch.

Meanwhile seven new CVEs in the tic library and programs have been
reported, and I would like to fix those as well, see the attached new
debdiff.  It contains all the library changes from the 20170826 upstream
patchlevel and the program fixes of the 20170902 patchlevel.  I have
also attached the test cases for the 13 bugs reported in the Red Hat
bugtracker.

>>> I'd be okay with this, but it will need a kibi-ack due to the udeb.
>>
>> The changes do not touch the tinfo library which is all that shipped in
>> the udeb.
>
> To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are compiled
> into the tic library while progs/dump_entry.c is for the infocmp and tic
> programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
> stretch chroot produced identical libtinfo.so.5.9 files.

This is unfortunately no longer the case, since strings.c and
trim_sgr0.c are compiled into the tinfo library.  However, the changes
to these files are small.

Cheers,
   Sven

diff -Nru ncurses-6.0+20161126/debian/changelog ncurses-6.0+20161126/debian/changelog
--- ncurses-6.0+20161126/debian/changelog	2016-11-29 21:19:08.0 +0100
+++ ncurses-6.0+20161126/debian/changelog	2017-09-04 22:04:15.0 +0200
@@ -1,3 +1,18 @@
+ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium
+
+  * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels
+for various crash bugs in the tic library and the tic binary
+(CVE-2017-10684, CVE-2017-10685, CVE-2017-2, CVE-2017-3).
+  * Backport termcap-format fix from the 20170715 patchlevel, repairing a
+regression from the above security fixes (see #868266).
+  * Cherry-pick upstream fixes from the 20170826 patchlevel for more
+crash bugs in the tic library (CVE-2017-13728, CVE-2017-13729,
+CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734).
+  * Cerry-pick upstream fixes from the 20170902 patchlevel to fix
+another crash bug in the tic program (CVE-2017-13733).
+
+ -- Sven Joachim   Mon, 04 Sep 2017 22:04:15 +0200
+
 ncurses (6.0+20161126-1) unstable; urgency=low
 
   * New upstream patchlevel.
diff -Nru ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff
--- ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff	1970-01-01 01:00:00.0 +0100
+++ ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff	2017-09-04 22:04:15.0 +0200
@@ -0,0 +1,91 @@
+Author: Sven Joachim 
+Description: Fix for CVE-2017-13733 in the tic program
+ Fix for CVE-2017-13733 cherry-picked from upstream patchlevel
+ 20170902.
+Bug-Debian: https://bugs.debian.org/873746
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1484290
+Forwarded: not-needed
+Last-Update: 2017-09-04
+
+---
+ progs/dump_entry.c |   19 ++-
+ progs/tput.c   |2 +-
+ 2 files changed, 11 insertions(+), 10 deletions(-)
+
+--- a/progs/dump_entry.c
 b/progs/dump_entry.c
+@@ -957,12 +957,12 @@ fmt_entry(TERMTYPE *tterm,
+ #undef CUR
+ #define CUR tterm->
+ if (outform == F_TERMCAP) {
+-	if (termcap_reset != ABSENT_STRING) {
+-	if (init_3string != ABSENT_STRING
++	if (VALID_STRING(termcap_reset)) {
++	if (VALID_STRING(init_3string)
+ 		&& !strcmp(init_3string, termcap_reset))
+ 		DISCARD(init_3string);
+ 
+-	if (reset_2string != ABSENT_STRING
++	if (VALID_STRING(reset_2string)
+ 		&& !strcmp(reset_2string, termcap_reset))
+ 		DISCARD(reset_2string);
+ 	}
+@@ -1038,7 +1038,7 @@ fmt_entry(TERMTYPE *tterm,
+ 	buffer[0] = '\0';
+ 
+ 	if (predval != FAIL) {
+-	if (capability != ABSENT_STRING
++	if (VALID_STRING(capability)
+ 		&& i + 1 >

Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

2017-07-19 Thread Sven Joachim 
Control: tags -1 - moreinfo

On 2017-07-15 12:50 +0200, Sven Joachim wrote:

> Control: tags -1 - confirmed
> Control: tags -1 + moreinfo
>
> On 2017-07-15 11:04 +0100, Adam D. Barratt wrote:
>
>> Control: tags -1 + confirmed d-i
>>
>> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote:
>>> Recently a few flaws in the tic program and the tic library have been
>>> detected: null pointer dereference, buffer overflow, stack smashing, you
>>> name it.  Six bugs have been reported in the Red Hat bugtracker and four
>>> CVEs assigned.  Fortunately there are rather few users who would run
>>> affected programs at all, so it was decided that no DSA would be
>>> necessary.
>
> Unfortunately the fixes have caused a regression in infocmp, see
> #868266.  I expect an upstream fix this night, but to properly test it
> and prepare new packages taking a bit more time seems advisable.  So I
> guess we'll have to defer that for 9.2.

The changes from the 20170715 patchlevel were a bit larger than I would
have liked, but applied with minimal tweaking to the stretch version.
Running "infocmp -C" on all the terminfo files in ncurses-{base,term}
showed no difference compared to the infocmp version currently in
stretch.

>> I'd be okay with this, but it will need a kibi-ack due to the udeb.
>
> The changes do not touch the tinfo library which is all that shipped in
> the udeb.

To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are compiled
into the tic library while progs/dump_entry.c is for the infocmp and tic
programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
stretch chroot produced identical libtinfo.so.5.9 files.

Cheers,
   Sven

--- ncurses-6.0+20161126/debian/changelog	2016-11-29 21:19:08.0 +0100
+++ ncurses-6.0+20161126/debian/changelog	2017-07-17 20:47:58.0 +0200
@@ -1,3 +1,13 @@
+ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium
+
+  * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels
+for various crash bugs in the tic library and the tic binary
+(CVE-2017-10684, CVE-2017-10685, CVE-2017-2, CVE-2017-3).
+  * Backport termcap-format fix from the 20170715 patchlevel, repairing a
+regression from the above security fixes (see #868266).
+
+ -- Sven Joachim   Mon, 17 Jul 2017 20:47:58 +0200
+
 ncurses (6.0+20161126-1) unstable; urgency=low
 
   * New upstream patchlevel.
diff -Nru ncurses-6.0+20161126/debian/patches/cve-fixes.diff ncurses-6.0+20161126/debian/patches/cve-fixes.diff
--- ncurses-6.0+20161126/debian/patches/cve-fixes.diff	1970-01-01 01:00:00.0 +0100
+++ ncurses-6.0+20161126/debian/patches/cve-fixes.diff	2017-07-17 20:47:58.0 +0200
@@ -0,0 +1,185 @@
+Author: Sven Joachim 
+Description: Fixes for four CVEs
+ Fixes for CVE 2017-10684, CVE-2017-10685, CVE-2017-2,
+ CVE-2017-3 cherry-picked from upstream patchlevels 20170701 and
+ 20170708.
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464684
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464685
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464686
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464687
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464691
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464692
+Forwarded: not-needed
+Last-Update: 2017-07-09
+
+---
+ ncurses/tinfo/alloc_entry.c |6 +-
+ ncurses/tinfo/parse_entry.c |   22 --
+ progs/dump_entry.c  |   34 +-
+ 3 files changed, 38 insertions(+), 24 deletions(-)
+
+--- a/ncurses/tinfo/alloc_entry.c
 b/ncurses/tinfo/alloc_entry.c
+@@ -96,7 +96,11 @@ _nc_save_str(const char *const string)
+ {
+ char *result = 0;
+ size_t old_next_free = next_free;
+-size_t len = strlen(string) + 1;
++size_t len;
++
++if (string == 0)
++	return _nc_save_str("");
++len = strlen(string) + 1;
+ 
+ if (len == 1 && next_free != 0) {
+ 	/*
+--- a/ncurses/tinfo/parse_entry.c
 b/ncurses/tinfo/parse_entry.c
+@@ -236,13 +236,14 @@ _nc_parse_entry(struct entry *entryp, in
+  * implemented it.  Note that the resulting terminal type was never the
+  * 2-character name, but was instead the first alias after that.
+  */
++#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|')
+ ptr = _nc_curr_token.tk_name;
+ if (_nc_syntax == SYN_TERMCAP
+ #if NCURSES_XNAMES
+ 	&& !_nc_user_definable
+ #endif
+ 	) {
+-	if (ptr[2] == '|') {
++	if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) {
+ 	ptr += 3;
+ 	_nc_curr_token.tk_name[2] = '\0';
+ 	}
+@@ -284,9 +285,11 @@ _nc_parse_entry(struct entry *entryp, in
+ 	if (is_use || is_tc) {
+ 	entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+ 	entryp->uses[entryp->nuses].line = _nc_curr_line;
+-	entryp->nuses++;
+-	if (entryp->nuses > 1 && is_tc) {
+-		BAD_TC_USAGE
++	if

Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

2017-07-15 Thread Sven Joachim 
Control: tags -1 - confirmed
Control: tags -1 + moreinfo

On 2017-07-15 11:04 +0100, Adam D. Barratt wrote:

> Control: tags -1 + confirmed d-i
>
> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote:
>> Recently a few flaws in the tic program and the tic library have been
>> detected: null pointer dereference, buffer overflow, stack smashing, you
>> name it.  Six bugs have been reported in the Red Hat bugtracker and four
>> CVEs assigned.  Fortunately there are rather few users who would run
>> affected programs at all, so it was decided that no DSA would be
>> necessary.

Unfortunately the fixes have caused a regression in infocmp, see
#868266.  I expect an upstream fix this night, but to properly test it
and prepare new packages taking a bit more time seems advisable.  So I
guess we'll have to defer that for 9.2.

> I'd be okay with this, but it will need a kibi-ack due to the udeb.

The changes do not touch the tinfo library which is all that shipped in
the udeb.

Cheers,
   Sven

Re: Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

2017-07-15 Thread Adam D. Barratt 
Control: tags -1 + confirmed d-i

On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote:
> Recently a few flaws in the tic program and the tic library have been
> detected: null pointer dereference, buffer overflow, stack smashing, you
> name it.  Six bugs have been reported in the Red Hat bugtracker and four
> CVEs assigned.  Fortunately there are rather few users who would run
> affected programs at all, so it was decided that no DSA would be
> necessary.

I'd be okay with this, but it will need a kibi-ack due to the udeb.

Regards,

Adam