Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Adam D. Barratt]

Control: tags -1 + pending

On Sun, 2017-09-24 at 09:16 +0200, Sven Joachim wrote:
> On 2017-09-23 19:59 +0100, Adam D. Barratt wrote:
> 
> > Control: tags -1 -moreinfo +confirmed
> > 
> > On Thu, 2017-09-07 at 19:06 +0200, Cyril Brulebois wrote:
> > > Sven Joachim  (2017-09-06):
> > > > Meanwhile seven new CVEs in the tic library and programs have
> > > > been
> > > > reported, and I would like to fix those as well, see the
> > > > attached
> > > > new
> > > > debdiff.  It contains all the library changes from the 20170826
> > > > upstream
> > > > patchlevel and the program fixes of the 20170902 patchlevel.  I
> > > > have
> > > > also attached the test cases for the 13 bugs reported in the
> > > > Red
> > > > Hat
> > > > bugtracker.
> > > > 
> > > > > > > I'd be okay with this, but it will need a kibi-ack due to
> > > > > > > the
> > > > > > > udeb.
> > > > > > 
> > > > > > The changes do not touch the tinfo library which is all
> > > > > > that
> > > > > > shipped in
> > > > > > the udeb.
> > > > > 
> > > > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are
> > > > > compiled
> > > > > into the tic library while progs/dump_entry.c is for the
> > > > > infocmp
> > > > > and tic
> > > > > programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1
> > > > > in a
> > > > > stretch chroot produced identical libtinfo.so.5.9 files.
> > > > 
> > > > This is unfortunately no longer the case, since strings.c and
> > > > trim_sgr0.c are compiled into the tinfo library.  However, the
> > > > changes
> > > > to these files are small.
> > > 
> > > I have no straightforward way to double check things still run
> > > smoothly
> > > with stretch's d-i, so I'll follow whatever decision the release
> > > team
> > > makes; if regressions pop up, we'll figure out how to fix them.
> > > 
> > 
> > Let's go with it and keep our fingers crossed that any issues show
> > up
> > quickly.
> 
> Thanks, uploaded.
> 

Flagged for acceptance, thanks.

Regards,

Adam

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Sven Joachim]

On 2017-09-23 19:59 +0100, Adam D. Barratt wrote:

> Control: tags -1 -moreinfo +confirmed
>
> On Thu, 2017-09-07 at 19:06 +0200, Cyril Brulebois wrote:
>> Sven Joachim  (2017-09-06):
>> > Meanwhile seven new CVEs in the tic library and programs have been
>> > reported, and I would like to fix those as well, see the attached
>> > new
>> > debdiff.  It contains all the library changes from the 20170826
>> > upstream
>> > patchlevel and the program fixes of the 20170902 patchlevel.  I
>> > have
>> > also attached the test cases for the 13 bugs reported in the Red
>> > Hat
>> > bugtracker.
>> > 
>> > > > > I'd be okay with this, but it will need a kibi-ack due to the
>> > > > > udeb.
>> > > > 
>> > > > The changes do not touch the tinfo library which is all that
>> > > > shipped in
>> > > > the udeb.
>> > > 
>> > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are
>> > > compiled
>> > > into the tic library while progs/dump_entry.c is for the infocmp
>> > > and tic
>> > > programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
>> > > stretch chroot produced identical libtinfo.so.5.9 files.
>> > 
>> > This is unfortunately no longer the case, since strings.c and
>> > trim_sgr0.c are compiled into the tinfo library.  However, the
>> > changes
>> > to these files are small.
>> 
>> I have no straightforward way to double check things still run
>> smoothly
>> with stretch's d-i, so I'll follow whatever decision the release team
>> makes; if regressions pop up, we'll figure out how to fix them.
>> 
>
> Let's go with it and keep our fingers crossed that any issues show up
> quickly.

Thanks, uploaded.

Cheers,
   Sven

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Adam D. Barratt]

Control: tags -1 -moreinfo +confirmed

On Thu, 2017-09-07 at 19:06 +0200, Cyril Brulebois wrote:
> Sven Joachim  (2017-09-06):
> > Meanwhile seven new CVEs in the tic library and programs have been
> > reported, and I would like to fix those as well, see the attached
> > new
> > debdiff.  It contains all the library changes from the 20170826
> > upstream
> > patchlevel and the program fixes of the 20170902 patchlevel.  I
> > have
> > also attached the test cases for the 13 bugs reported in the Red
> > Hat
> > bugtracker.
> > 
> > > > > I'd be okay with this, but it will need a kibi-ack due to the
> > > > > udeb.
> > > > 
> > > > The changes do not touch the tinfo library which is all that
> > > > shipped in
> > > > the udeb.
> > > 
> > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are
> > > compiled
> > > into the tic library while progs/dump_entry.c is for the infocmp
> > > and tic
> > > programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
> > > stretch chroot produced identical libtinfo.so.5.9 files.
> > 
> > This is unfortunately no longer the case, since strings.c and
> > trim_sgr0.c are compiled into the tinfo library.  However, the
> > changes
> > to these files are small.
> 
> I have no straightforward way to double check things still run
> smoothly
> with stretch's d-i, so I'll follow whatever decision the release team
> makes; if regressions pop up, we'll figure out how to fix them.
> 

Let's go with it and keep our fingers crossed that any issues show up
quickly.

Regards,

Adam

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Sven Joachim]

On 2017-09-09 15:08 +0200, Julien Cristau wrote:

> Do you know what the reverse dependencies of the tic program or library
> are in Debian,

Short answer: I don't know.

Long answer:

The tic library is used by tack and a few programs in ncurses-bin (tic
and its aliases infotocap/captoinfo, infocmp and toe).  I am not aware
of any others, but there might be one or two.

For the programs, infocmp is commonly used by Perl's Term::Cap module
which in turn is used by other Perl modules, so by quite a few
packages.  It only runs infocmp on the terminfo description pointed to
by the TERM variable.  There are 40+ other hits for infocmp on
codesearch.debian.net, I have not really checked them.

Apparently captoinfo and infotocap have no reverse dependencies.  For
tic and toe, it is impossible to check due to their short names. :-(

If you run tic with common arguments as a normal user, it will write to
the ~/.terminfo directory, creating it if necessary.  I don't have this
directory which indicates that third parties don't run tic behind my
back, but then again I have only a fraction of all packages installed.

> and whether any of them commonly process untrusted
> terminfo data (though I know that's not an easy thing to paint as
> black/white)?

If I had known such a program, I would have asked for a DSA after all.
So I don't know, but my knowledge is limited and Debian is large.

Cheers,
   Sven

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Julien Cristau]

Control: tag -1 moreinfo

On Sun, Jul  9, 2017 at 19:30:55 +0200, Sven Joachim wrote:

> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Recently a few flaws in the tic program and the tic library have been
> detected: null pointer dereference, buffer overflow, stack smashing, you
> name it.  Six bugs have been reported in the Red Hat bugtracker and four
> CVEs assigned.  Fortunately there are rather few users who would run
> affected programs at all, so it was decided that no DSA would be
> necessary.
> 
Hi Sven,

Do you know what the reverse dependencies of the tic program or library
are in Debian, and whether any of them commonly process untrusted
terminfo data (though I know that's not an easy thing to paint as
black/white)?

Thanks,
Julien

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Salvatore Bonaccorso]

Hi Sven,

On Thu, Sep 07, 2017 at 08:20:34PM +0200, Sven Joachim wrote:
> On 2017-09-07 05:32 +0200, Salvatore Bonaccorso wrote:
> 
> > Not a must, and note that is just a comment on my side, I'm not a SRM:
> > if possible add a bug closer as well to the changelog entry so that
> > when the point release happends, the correct fixed version is as well
> > propagated to the BTS bugs.
> 
> Heh, it was you who had marked these bugs as found in 6.0+20170715-2 in
> the first place. ;-)  Anyway, I have updated the changelog and also

Yes, let me explain. That was just because at that point it was clear
that the bugs are in that version, no checks for older versions were
made. Then you did further work, and found the jessie and stretch
version as well as affected. So only later updated the BTS with the
repsective other found versions. Hope this explains. But we are maybe
side-tracking the SRM now, so I shut up!

Regards and thanks for your work!
Salvatore

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Sven Joachim]

On 2017-09-07 05:32 +0200, Salvatore Bonaccorso wrote:

> Not a must, and note that is just a comment on my side, I'm not a SRM:
> if possible add a bug closer as well to the changelog entry so that
> when the point release happends, the correct fixed version is as well
> propagated to the BTS bugs.

Heh, it was you who had marked these bugs as found in 6.0+20170715-2 in
the first place. ;-)  Anyway, I have updated the changelog and also
fixed a typo in it.

diff --git a/debian/changelog b/debian/changelog
index 160b2cb1..a75f99e6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,11 +7,12 @@ ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium
 regression from the above security fixes (see #868266).
   * Cherry-pick upstream fixes from the 20170826 patchlevel for more
 crash bugs in the tic library (CVE-2017-13728, CVE-2017-13729,
-CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734).
-  * Cerry-pick upstream fixes from the 20170902 patchlevel to fix
-another crash bug in the tic program (CVE-2017-13733).
+CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734,
+Closes: #873723).
+  * Cherry-pick upstream fixes from the 20170902 patchlevel to fix
+another crash bug in the tic program (CVE-2017-13733, Closes: #873746).
 
- -- Sven Joachim   Mon, 04 Sep 2017 22:04:15 +0200
+ -- Sven Joachim   Thu, 07 Sep 2017 19:05:43 +0200
 
 ncurses (6.0+20161126-1) unstable; urgency=low
 

If a new full debdiff is wanted, please say so.

Cheers,
   Sven

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Cyril Brulebois]

Sven Joachim  (2017-09-06):
> Meanwhile seven new CVEs in the tic library and programs have been
> reported, and I would like to fix those as well, see the attached new
> debdiff.  It contains all the library changes from the 20170826 upstream
> patchlevel and the program fixes of the 20170902 patchlevel.  I have
> also attached the test cases for the 13 bugs reported in the Red Hat
> bugtracker.
> 
> >>> I'd be okay with this, but it will need a kibi-ack due to the udeb.
> >>
> >> The changes do not touch the tinfo library which is all that shipped in
> >> the udeb.
> >
> > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are compiled
> > into the tic library while progs/dump_entry.c is for the infocmp and tic
> > programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
> > stretch chroot produced identical libtinfo.so.5.9 files.
> 
> This is unfortunately no longer the case, since strings.c and
> trim_sgr0.c are compiled into the tinfo library.  However, the changes
> to these files are small.

I have no straightforward way to double check things still run smoothly
with stretch's d-i, so I'll follow whatever decision the release team
makes; if regressions pop up, we'll figure out how to fix them.


KiBi.


signature.asc
Description: PGP signature

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Salvatore Bonaccorso]

Hi Sven

On Wed, Sep 06, 2017 at 06:52:36PM +0200, Sven Joachim wrote:
> On 2017-07-19 20:30 +0200, Sven Joachim wrote:
> 
> > Control: tags -1 - moreinfo
> >
> > On 2017-07-15 12:50 +0200, Sven Joachim wrote:
> >
> >> Control: tags -1 - confirmed
> >> Control: tags -1 + moreinfo
> >>
> >> On 2017-07-15 11:04 +0100, Adam D. Barratt wrote:
> >>
> >>> Control: tags -1 + confirmed d-i
> >>>
> >>> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote:
>  Recently a few flaws in the tic program and the tic library have been
>  detected: null pointer dereference, buffer overflow, stack smashing, you
>  name it.  Six bugs have been reported in the Red Hat bugtracker and four
>  CVEs assigned.  Fortunately there are rather few users who would run
>  affected programs at all, so it was decided that no DSA would be
>  necessary.
> >>
> >> Unfortunately the fixes have caused a regression in infocmp, see
> >> #868266.  I expect an upstream fix this night, but to properly test it
> >> and prepare new packages taking a bit more time seems advisable.  So I
> >> guess we'll have to defer that for 9.2.
> >
> > The changes from the 20170715 patchlevel were a bit larger than I would
> > have liked, but applied with minimal tweaking to the stretch version.
> > Running "infocmp -C" on all the terminfo files in ncurses-{base,term}
> > showed no difference compared to the infocmp version currently in
> > stretch.
> 
> Meanwhile seven new CVEs in the tic library and programs have been
> reported, and I would like to fix those as well, see the attached new
> debdiff.  It contains all the library changes from the 20170826 upstream
> patchlevel and the program fixes of the 20170902 patchlevel.  I have
> also attached the test cases for the 13 bugs reported in the Red Hat
> bugtracker.

Not a must, and note that is just a comment on my side, I'm not a SRM:
if possible add a bug closer as well to the changelog entry so that
when the point release happends, the correct fixed version is as well
propagated to the BTS bugs.

Regards,
Salvatore

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Sven Joachim]

On 2017-07-19 20:30 +0200, Sven Joachim wrote:

> Control: tags -1 - moreinfo
>
> On 2017-07-15 12:50 +0200, Sven Joachim wrote:
>
>> Control: tags -1 - confirmed
>> Control: tags -1 + moreinfo
>>
>> On 2017-07-15 11:04 +0100, Adam D. Barratt wrote:
>>
>>> Control: tags -1 + confirmed d-i
>>>
>>> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote:
 Recently a few flaws in the tic program and the tic library have been
 detected: null pointer dereference, buffer overflow, stack smashing, you
 name it.  Six bugs have been reported in the Red Hat bugtracker and four
 CVEs assigned.  Fortunately there are rather few users who would run
 affected programs at all, so it was decided that no DSA would be
 necessary.
>>
>> Unfortunately the fixes have caused a regression in infocmp, see
>> #868266.  I expect an upstream fix this night, but to properly test it
>> and prepare new packages taking a bit more time seems advisable.  So I
>> guess we'll have to defer that for 9.2.
>
> The changes from the 20170715 patchlevel were a bit larger than I would
> have liked, but applied with minimal tweaking to the stretch version.
> Running "infocmp -C" on all the terminfo files in ncurses-{base,term}
> showed no difference compared to the infocmp version currently in
> stretch.

Meanwhile seven new CVEs in the tic library and programs have been
reported, and I would like to fix those as well, see the attached new
debdiff.  It contains all the library changes from the 20170826 upstream
patchlevel and the program fixes of the 20170902 patchlevel.  I have
also attached the test cases for the 13 bugs reported in the Red Hat
bugtracker.

>>> I'd be okay with this, but it will need a kibi-ack due to the udeb.
>>
>> The changes do not touch the tinfo library which is all that shipped in
>> the udeb.
>
> To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are compiled
> into the tic library while progs/dump_entry.c is for the infocmp and tic
> programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
> stretch chroot produced identical libtinfo.so.5.9 files.

This is unfortunately no longer the case, since strings.c and
trim_sgr0.c are compiled into the tinfo library.  However, the changes
to these files are small.

Cheers,
   Sven

diff -Nru ncurses-6.0+20161126/debian/changelog ncurses-6.0+20161126/debian/changelog
--- ncurses-6.0+20161126/debian/changelog	2016-11-29 21:19:08.0 +0100
+++ ncurses-6.0+20161126/debian/changelog	2017-09-04 22:04:15.0 +0200
@@ -1,3 +1,18 @@
+ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium
+
+  * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels
+for various crash bugs in the tic library and the tic binary
+(CVE-2017-10684, CVE-2017-10685, CVE-2017-2, CVE-2017-3).
+  * Backport termcap-format fix from the 20170715 patchlevel, repairing a
+regression from the above security fixes (see #868266).
+  * Cherry-pick upstream fixes from the 20170826 patchlevel for more
+crash bugs in the tic library (CVE-2017-13728, CVE-2017-13729,
+CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734).
+  * Cerry-pick upstream fixes from the 20170902 patchlevel to fix
+another crash bug in the tic program (CVE-2017-13733).
+
+ -- Sven Joachim   Mon, 04 Sep 2017 22:04:15 +0200
+
 ncurses (6.0+20161126-1) unstable; urgency=low
 
   * New upstream patchlevel.
diff -Nru ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff
--- ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff	1970-01-01 01:00:00.0 +0100
+++ ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff	2017-09-04 22:04:15.0 +0200
@@ -0,0 +1,91 @@
+Author: Sven Joachim 
+Description: Fix for CVE-2017-13733 in the tic program
+ Fix for CVE-2017-13733 cherry-picked from upstream patchlevel
+ 20170902.
+Bug-Debian: https://bugs.debian.org/873746
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1484290
+Forwarded: not-needed
+Last-Update: 2017-09-04
+
+---
+ progs/dump_entry.c |   19 ++-
+ progs/tput.c   |2 +-
+ 2 files changed, 11 insertions(+), 10 deletions(-)
+
+--- a/progs/dump_entry.c
 b/progs/dump_entry.c
+@@ -957,12 +957,12 @@ fmt_entry(TERMTYPE *tterm,
+ #undef CUR
+ #define CUR tterm->
+ if (outform == F_TERMCAP) {
+-	if (termcap_reset != ABSENT_STRING) {
+-	if (init_3string != ABSENT_STRING
++	if (VALID_STRING(termcap_reset)) {
++	if (VALID_STRING(init_3string)
+ 		&& !strcmp(init_3string, termcap_reset))
+ 		DISCARD(init_3string);
+ 
+-	if (reset_2string != ABSENT_STRING
++	if (VALID_STRING(reset_2string)
+ 		&& !strcmp(reset_2string, termcap_reset))
+ 		DISCARD(reset_2string);
+ 	}
+@@ -1038,7 +1038,7 @@ fmt_entry(TERMTYPE *tterm,
+ 	buffer[0] = '\0';
+ 
+ 	if (predval != FAIL) {
+-	if (capability != ABSENT_STRING
++	if (VALID_STRING(capability)
+ 		&& i + 1 > 

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Sven Joachim]

Control: tags -1 - moreinfo

On 2017-07-15 12:50 +0200, Sven Joachim wrote:

> Control: tags -1 - confirmed
> Control: tags -1 + moreinfo
>
> On 2017-07-15 11:04 +0100, Adam D. Barratt wrote:
>
>> Control: tags -1 + confirmed d-i
>>
>> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote:
>>> Recently a few flaws in the tic program and the tic library have been
>>> detected: null pointer dereference, buffer overflow, stack smashing, you
>>> name it.  Six bugs have been reported in the Red Hat bugtracker and four
>>> CVEs assigned.  Fortunately there are rather few users who would run
>>> affected programs at all, so it was decided that no DSA would be
>>> necessary.
>
> Unfortunately the fixes have caused a regression in infocmp, see
> #868266.  I expect an upstream fix this night, but to properly test it
> and prepare new packages taking a bit more time seems advisable.  So I
> guess we'll have to defer that for 9.2.

The changes from the 20170715 patchlevel were a bit larger than I would
have liked, but applied with minimal tweaking to the stretch version.
Running "infocmp -C" on all the terminfo files in ncurses-{base,term}
showed no difference compared to the infocmp version currently in
stretch.

>> I'd be okay with this, but it will need a kibi-ack due to the udeb.
>
> The changes do not touch the tinfo library which is all that shipped in
> the udeb.

To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are compiled
into the tic library while progs/dump_entry.c is for the infocmp and tic
programs.  Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a
stretch chroot produced identical libtinfo.so.5.9 files.

Cheers,
   Sven

--- ncurses-6.0+20161126/debian/changelog	2016-11-29 21:19:08.0 +0100
+++ ncurses-6.0+20161126/debian/changelog	2017-07-17 20:47:58.0 +0200
@@ -1,3 +1,13 @@
+ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium
+
+  * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels
+for various crash bugs in the tic library and the tic binary
+(CVE-2017-10684, CVE-2017-10685, CVE-2017-2, CVE-2017-3).
+  * Backport termcap-format fix from the 20170715 patchlevel, repairing a
+regression from the above security fixes (see #868266).
+
+ -- Sven Joachim   Mon, 17 Jul 2017 20:47:58 +0200
+
 ncurses (6.0+20161126-1) unstable; urgency=low
 
   * New upstream patchlevel.
diff -Nru ncurses-6.0+20161126/debian/patches/cve-fixes.diff ncurses-6.0+20161126/debian/patches/cve-fixes.diff
--- ncurses-6.0+20161126/debian/patches/cve-fixes.diff	1970-01-01 01:00:00.0 +0100
+++ ncurses-6.0+20161126/debian/patches/cve-fixes.diff	2017-07-17 20:47:58.0 +0200
@@ -0,0 +1,185 @@
+Author: Sven Joachim 
+Description: Fixes for four CVEs
+ Fixes for CVE 2017-10684, CVE-2017-10685, CVE-2017-2,
+ CVE-2017-3 cherry-picked from upstream patchlevels 20170701 and
+ 20170708.
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464684
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464685
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464686
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464687
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464691
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464692
+Forwarded: not-needed
+Last-Update: 2017-07-09
+
+---
+ ncurses/tinfo/alloc_entry.c |6 +-
+ ncurses/tinfo/parse_entry.c |   22 --
+ progs/dump_entry.c  |   34 +-
+ 3 files changed, 38 insertions(+), 24 deletions(-)
+
+--- a/ncurses/tinfo/alloc_entry.c
 b/ncurses/tinfo/alloc_entry.c
+@@ -96,7 +96,11 @@ _nc_save_str(const char *const string)
+ {
+ char *result = 0;
+ size_t old_next_free = next_free;
+-size_t len = strlen(string) + 1;
++size_t len;
++
++if (string == 0)
++	return _nc_save_str("");
++len = strlen(string) + 1;
+ 
+ if (len == 1 && next_free != 0) {
+ 	/*
+--- a/ncurses/tinfo/parse_entry.c
 b/ncurses/tinfo/parse_entry.c
+@@ -236,13 +236,14 @@ _nc_parse_entry(struct entry *entryp, in
+  * implemented it.  Note that the resulting terminal type was never the
+  * 2-character name, but was instead the first alias after that.
+  */
++#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|')
+ ptr = _nc_curr_token.tk_name;
+ if (_nc_syntax == SYN_TERMCAP
+ #if NCURSES_XNAMES
+ 	&& !_nc_user_definable
+ #endif
+ 	) {
+-	if (ptr[2] == '|') {
++	if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) {
+ 	ptr += 3;
+ 	_nc_curr_token.tk_name[2] = '\0';
+ 	}
+@@ -284,9 +285,11 @@ _nc_parse_entry(struct entry *entryp, in
+ 	if (is_use || is_tc) {
+ 	entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+ 	entryp->uses[entryp->nuses].line = _nc_curr_line;
+-	entryp->nuses++;
+-	if (entryp->nuses > 1 && is_tc) {
+-		BAD_TC_USAGE
++	if 

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Sven Joachim]

Control: tags -1 - confirmed
Control: tags -1 + moreinfo

On 2017-07-15 11:04 +0100, Adam D. Barratt wrote:

> Control: tags -1 + confirmed d-i
>
> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote:
>> Recently a few flaws in the tic program and the tic library have been
>> detected: null pointer dereference, buffer overflow, stack smashing, you
>> name it.  Six bugs have been reported in the Red Hat bugtracker and four
>> CVEs assigned.  Fortunately there are rather few users who would run
>> affected programs at all, so it was decided that no DSA would be
>> necessary.

Unfortunately the fixes have caused a regression in infocmp, see
#868266.  I expect an upstream fix this night, but to properly test it
and prepare new packages taking a bit more time seems advisable.  So I
guess we'll have to defer that for 9.2.

> I'd be okay with this, but it will need a kibi-ack due to the udeb.

The changes do not touch the tinfo library which is all that shipped in
the udeb.

Cheers,
   Sven

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Adam D. Barratt]

Control: tags -1 + confirmed d-i

On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote:
> Recently a few flaws in the tic program and the tic library have been
> detected: null pointer dereference, buffer overflow, stack smashing, you
> name it.  Six bugs have been reported in the Red Hat bugtracker and four
> CVEs assigned.  Fortunately there are rather few users who would run
> affected programs at all, so it was decided that no DSA would be
> necessary.

I'd be okay with this, but it will need a kibi-ack due to the udeb.

Regards,

Adam

Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1

[Sven Joachim]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Recently a few flaws in the tic program and the tic library have been
detected: null pointer dereference, buffer overflow, stack smashing, you
name it.  Six bugs have been reported in the Red Hat bugtracker and four
CVEs assigned.  Fortunately there are rather few users who would run
affected programs at all, so it was decided that no DSA would be
necessary.

Upstream has fixed these problems in the latest patchlevels (already in
sid), and I would like to address them in a stable upload.  I have
verified that the testcases in the reported Red Hat bugs no longer cause
crashes (if anybody wants to verify that, I can send them).

Cheers,
   Sven

diff -Nru ncurses-6.0+20161126/debian/changelog ncurses-6.0+20161126/debian/changelog
--- ncurses-6.0+20161126/debian/changelog	2016-11-29 21:19:08.0 +0100
+++ ncurses-6.0+20161126/debian/changelog	2017-07-09 15:32:26.0 +0200
@@ -1,3 +1,11 @@
+ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium
+
+  * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels
+for various crash bugs in the tic library and the tic binary
+(CVE-2017-10684, CVE-2017-10685, CVE-2017-2, CVE-2017-3).
+
+ -- Sven Joachim   Sun, 09 Jul 2017 15:32:26 +0200
+
 ncurses (6.0+20161126-1) unstable; urgency=low
 
   * New upstream patchlevel.
diff -Nru ncurses-6.0+20161126/debian/patches/cve-fixes.diff ncurses-6.0+20161126/debian/patches/cve-fixes.diff
--- ncurses-6.0+20161126/debian/patches/cve-fixes.diff	1970-01-01 01:00:00.0 +0100
+++ ncurses-6.0+20161126/debian/patches/cve-fixes.diff	2017-07-09 15:32:26.0 +0200
@@ -0,0 +1,185 @@
+Author: Sven Joachim 
+Description: Fixes for four CVEs
+ Fixes for CVE 2017-10684, CVE-2017-10685, CVE-2017-2,
+ CVE-2017-3 cherry-picked from upstream patchlevels 20170701 and
+ 20170708.
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464684
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464685
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464686
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464687
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464691
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464692
+Forwarded: not-needed
+Last-Update: 2017-07-09
+
+---
+ ncurses/tinfo/alloc_entry.c |6 +-
+ ncurses/tinfo/parse_entry.c |   22 --
+ progs/dump_entry.c  |   34 +-
+ 3 files changed, 38 insertions(+), 24 deletions(-)
+
+--- a/ncurses/tinfo/alloc_entry.c
 b/ncurses/tinfo/alloc_entry.c
+@@ -96,7 +96,11 @@ _nc_save_str(const char *const string)
+ {
+ char *result = 0;
+ size_t old_next_free = next_free;
+-size_t len = strlen(string) + 1;
++size_t len;
++
++if (string == 0)
++	return _nc_save_str("");
++len = strlen(string) + 1;
+ 
+ if (len == 1 && next_free != 0) {
+ 	/*
+--- a/ncurses/tinfo/parse_entry.c
 b/ncurses/tinfo/parse_entry.c
+@@ -236,13 +236,14 @@ _nc_parse_entry(struct entry *entryp, in
+  * implemented it.  Note that the resulting terminal type was never the
+  * 2-character name, but was instead the first alias after that.
+  */
++#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|')
+ ptr = _nc_curr_token.tk_name;
+ if (_nc_syntax == SYN_TERMCAP
+ #if NCURSES_XNAMES
+ 	&& !_nc_user_definable
+ #endif
+ 	) {
+-	if (ptr[2] == '|') {
++	if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) {
+ 	ptr += 3;
+ 	_nc_curr_token.tk_name[2] = '\0';
+ 	}
+@@ -284,9 +285,11 @@ _nc_parse_entry(struct entry *entryp, in
+ 	if (is_use || is_tc) {
+ 	entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+ 	entryp->uses[entryp->nuses].line = _nc_curr_line;
+-	entryp->nuses++;
+-	if (entryp->nuses > 1 && is_tc) {
+-		BAD_TC_USAGE
++	if (VALID_STRING(entryp->uses[entryp->nuses].name)) {
++		entryp->nuses++;
++		if (entryp->nuses > 1 && is_tc) {
++		BAD_TC_USAGE
++		}
+ 	}
+ 	} else {
+ 	/* normal token lookup */
+@@ -572,7 +575,7 @@ append_acs0(string_desc * dst, int code,
+ static void
+ append_acs(string_desc * dst, int code, char *src)
+ {
+-if (src != 0 && strlen(src) == 1) {
++if (VALID_STRING(src) && strlen(src) == 1) {
+ 	append_acs0(dst, code, *src);
+ }
+ }
+@@ -833,15 +836,14 @@ postprocess_termcap(TERMTYPE *tp, bool h
+ 	}
+ 
+ 	if (tp->Strings[to_ptr->nte_index]) {
++		const char *s = tp->Strings[from_ptr->nte_index];
++		const char *t = tp->Strings[to_ptr->nte_index];
+ 		/* There's no point in warning about it if it's the same
+ 		 * string; that's just an inefficiency.
+ 		 */
+-		if (strcmp(
+-			  tp->Strings[from_ptr->nte_index],
+-			  tp->Strings[to_ptr->nte_index]) != 0)
++		if (VALID_STRING(s) && VALID_STRING(t) && strcmp(s, t) != 0)
+