Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Control: tags -1 + pending On Sun, 2017-09-24 at 09:16 +0200, Sven Joachim wrote: > On 2017-09-23 19:59 +0100, Adam D. Barratt wrote: > > > Control: tags -1 -moreinfo +confirmed > > > > On Thu, 2017-09-07 at 19:06 +0200, Cyril Brulebois wrote: > > > Sven Joachim(2017-09-06): > > > > Meanwhile seven new CVEs in the tic library and programs have > > > > been > > > > reported, and I would like to fix those as well, see the > > > > attached > > > > new > > > > debdiff. It contains all the library changes from the 20170826 > > > > upstream > > > > patchlevel and the program fixes of the 20170902 patchlevel. I > > > > have > > > > also attached the test cases for the 13 bugs reported in the > > > > Red > > > > Hat > > > > bugtracker. > > > > > > > > > > > I'd be okay with this, but it will need a kibi-ack due to > > > > > > > the > > > > > > > udeb. > > > > > > > > > > > > The changes do not touch the tinfo library which is all > > > > > > that > > > > > > shipped in > > > > > > the udeb. > > > > > > > > > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are > > > > > compiled > > > > > into the tic library while progs/dump_entry.c is for the > > > > > infocmp > > > > > and tic > > > > > programs. Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 > > > > > in a > > > > > stretch chroot produced identical libtinfo.so.5.9 files. > > > > > > > > This is unfortunately no longer the case, since strings.c and > > > > trim_sgr0.c are compiled into the tinfo library. However, the > > > > changes > > > > to these files are small. > > > > > > I have no straightforward way to double check things still run > > > smoothly > > > with stretch's d-i, so I'll follow whatever decision the release > > > team > > > makes; if regressions pop up, we'll figure out how to fix them. > > > > > > > Let's go with it and keep our fingers crossed that any issues show > > up > > quickly. > > Thanks, uploaded. > Flagged for acceptance, thanks. Regards, Adam
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
On 2017-09-23 19:59 +0100, Adam D. Barratt wrote: > Control: tags -1 -moreinfo +confirmed > > On Thu, 2017-09-07 at 19:06 +0200, Cyril Brulebois wrote: >> Sven Joachim(2017-09-06): >> > Meanwhile seven new CVEs in the tic library and programs have been >> > reported, and I would like to fix those as well, see the attached >> > new >> > debdiff. It contains all the library changes from the 20170826 >> > upstream >> > patchlevel and the program fixes of the 20170902 patchlevel. I >> > have >> > also attached the test cases for the 13 bugs reported in the Red >> > Hat >> > bugtracker. >> > >> > > > > I'd be okay with this, but it will need a kibi-ack due to the >> > > > > udeb. >> > > > >> > > > The changes do not touch the tinfo library which is all that >> > > > shipped in >> > > > the udeb. >> > > >> > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are >> > > compiled >> > > into the tic library while progs/dump_entry.c is for the infocmp >> > > and tic >> > > programs. Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a >> > > stretch chroot produced identical libtinfo.so.5.9 files. >> > >> > This is unfortunately no longer the case, since strings.c and >> > trim_sgr0.c are compiled into the tinfo library. However, the >> > changes >> > to these files are small. >> >> I have no straightforward way to double check things still run >> smoothly >> with stretch's d-i, so I'll follow whatever decision the release team >> makes; if regressions pop up, we'll figure out how to fix them. >> > > Let's go with it and keep our fingers crossed that any issues show up > quickly. Thanks, uploaded. Cheers, Sven
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Control: tags -1 -moreinfo +confirmed On Thu, 2017-09-07 at 19:06 +0200, Cyril Brulebois wrote: > Sven Joachim(2017-09-06): > > Meanwhile seven new CVEs in the tic library and programs have been > > reported, and I would like to fix those as well, see the attached > > new > > debdiff. It contains all the library changes from the 20170826 > > upstream > > patchlevel and the program fixes of the 20170902 patchlevel. I > > have > > also attached the test cases for the 13 bugs reported in the Red > > Hat > > bugtracker. > > > > > > > I'd be okay with this, but it will need a kibi-ack due to the > > > > > udeb. > > > > > > > > The changes do not touch the tinfo library which is all that > > > > shipped in > > > > the udeb. > > > > > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are > > > compiled > > > into the tic library while progs/dump_entry.c is for the infocmp > > > and tic > > > programs. Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a > > > stretch chroot produced identical libtinfo.so.5.9 files. > > > > This is unfortunately no longer the case, since strings.c and > > trim_sgr0.c are compiled into the tinfo library. However, the > > changes > > to these files are small. > > I have no straightforward way to double check things still run > smoothly > with stretch's d-i, so I'll follow whatever decision the release team > makes; if regressions pop up, we'll figure out how to fix them. > Let's go with it and keep our fingers crossed that any issues show up quickly. Regards, Adam
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
On 2017-09-09 15:08 +0200, Julien Cristau wrote: > Do you know what the reverse dependencies of the tic program or library > are in Debian, Short answer: I don't know. Long answer: The tic library is used by tack and a few programs in ncurses-bin (tic and its aliases infotocap/captoinfo, infocmp and toe). I am not aware of any others, but there might be one or two. For the programs, infocmp is commonly used by Perl's Term::Cap module which in turn is used by other Perl modules, so by quite a few packages. It only runs infocmp on the terminfo description pointed to by the TERM variable. There are 40+ other hits for infocmp on codesearch.debian.net, I have not really checked them. Apparently captoinfo and infotocap have no reverse dependencies. For tic and toe, it is impossible to check due to their short names. :-( If you run tic with common arguments as a normal user, it will write to the ~/.terminfo directory, creating it if necessary. I don't have this directory which indicates that third parties don't run tic behind my back, but then again I have only a fraction of all packages installed. > and whether any of them commonly process untrusted > terminfo data (though I know that's not an easy thing to paint as > black/white)? If I had known such a program, I would have asked for a DSA after all. So I don't know, but my knowledge is limited and Debian is large. Cheers, Sven
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Control: tag -1 moreinfo On Sun, Jul 9, 2017 at 19:30:55 +0200, Sven Joachim wrote: > Package: release.debian.org > Severity: normal > Tags: stretch > User: release.debian@packages.debian.org > Usertags: pu > > Recently a few flaws in the tic program and the tic library have been > detected: null pointer dereference, buffer overflow, stack smashing, you > name it. Six bugs have been reported in the Red Hat bugtracker and four > CVEs assigned. Fortunately there are rather few users who would run > affected programs at all, so it was decided that no DSA would be > necessary. > Hi Sven, Do you know what the reverse dependencies of the tic program or library are in Debian, and whether any of them commonly process untrusted terminfo data (though I know that's not an easy thing to paint as black/white)? Thanks, Julien
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Hi Sven, On Thu, Sep 07, 2017 at 08:20:34PM +0200, Sven Joachim wrote: > On 2017-09-07 05:32 +0200, Salvatore Bonaccorso wrote: > > > Not a must, and note that is just a comment on my side, I'm not a SRM: > > if possible add a bug closer as well to the changelog entry so that > > when the point release happends, the correct fixed version is as well > > propagated to the BTS bugs. > > Heh, it was you who had marked these bugs as found in 6.0+20170715-2 in > the first place. ;-) Anyway, I have updated the changelog and also Yes, let me explain. That was just because at that point it was clear that the bugs are in that version, no checks for older versions were made. Then you did further work, and found the jessie and stretch version as well as affected. So only later updated the BTS with the repsective other found versions. Hope this explains. But we are maybe side-tracking the SRM now, so I shut up! Regards and thanks for your work! Salvatore
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
On 2017-09-07 05:32 +0200, Salvatore Bonaccorso wrote: > Not a must, and note that is just a comment on my side, I'm not a SRM: > if possible add a bug closer as well to the changelog entry so that > when the point release happends, the correct fixed version is as well > propagated to the BTS bugs. Heh, it was you who had marked these bugs as found in 6.0+20170715-2 in the first place. ;-) Anyway, I have updated the changelog and also fixed a typo in it. diff --git a/debian/changelog b/debian/changelog index 160b2cb1..a75f99e6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,11 +7,12 @@ ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium regression from the above security fixes (see #868266). * Cherry-pick upstream fixes from the 20170826 patchlevel for more crash bugs in the tic library (CVE-2017-13728, CVE-2017-13729, -CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734). - * Cerry-pick upstream fixes from the 20170902 patchlevel to fix -another crash bug in the tic program (CVE-2017-13733). +CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734, +Closes: #873723). + * Cherry-pick upstream fixes from the 20170902 patchlevel to fix +another crash bug in the tic program (CVE-2017-13733, Closes: #873746). - -- Sven JoachimMon, 04 Sep 2017 22:04:15 +0200 + -- Sven Joachim Thu, 07 Sep 2017 19:05:43 +0200 ncurses (6.0+20161126-1) unstable; urgency=low If a new full debdiff is wanted, please say so. Cheers, Sven
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Sven Joachim(2017-09-06): > Meanwhile seven new CVEs in the tic library and programs have been > reported, and I would like to fix those as well, see the attached new > debdiff. It contains all the library changes from the 20170826 upstream > patchlevel and the program fixes of the 20170902 patchlevel. I have > also attached the test cases for the 13 bugs reported in the Red Hat > bugtracker. > > >>> I'd be okay with this, but it will need a kibi-ack due to the udeb. > >> > >> The changes do not touch the tinfo library which is all that shipped in > >> the udeb. > > > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are compiled > > into the tic library while progs/dump_entry.c is for the infocmp and tic > > programs. Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a > > stretch chroot produced identical libtinfo.so.5.9 files. > > This is unfortunately no longer the case, since strings.c and > trim_sgr0.c are compiled into the tinfo library. However, the changes > to these files are small. I have no straightforward way to double check things still run smoothly with stretch's d-i, so I'll follow whatever decision the release team makes; if regressions pop up, we'll figure out how to fix them. KiBi. signature.asc Description: PGP signature
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Hi Sven On Wed, Sep 06, 2017 at 06:52:36PM +0200, Sven Joachim wrote: > On 2017-07-19 20:30 +0200, Sven Joachim wrote: > > > Control: tags -1 - moreinfo > > > > On 2017-07-15 12:50 +0200, Sven Joachim wrote: > > > >> Control: tags -1 - confirmed > >> Control: tags -1 + moreinfo > >> > >> On 2017-07-15 11:04 +0100, Adam D. Barratt wrote: > >> > >>> Control: tags -1 + confirmed d-i > >>> > >>> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote: > Recently a few flaws in the tic program and the tic library have been > detected: null pointer dereference, buffer overflow, stack smashing, you > name it. Six bugs have been reported in the Red Hat bugtracker and four > CVEs assigned. Fortunately there are rather few users who would run > affected programs at all, so it was decided that no DSA would be > necessary. > >> > >> Unfortunately the fixes have caused a regression in infocmp, see > >> #868266. I expect an upstream fix this night, but to properly test it > >> and prepare new packages taking a bit more time seems advisable. So I > >> guess we'll have to defer that for 9.2. > > > > The changes from the 20170715 patchlevel were a bit larger than I would > > have liked, but applied with minimal tweaking to the stretch version. > > Running "infocmp -C" on all the terminfo files in ncurses-{base,term} > > showed no difference compared to the infocmp version currently in > > stretch. > > Meanwhile seven new CVEs in the tic library and programs have been > reported, and I would like to fix those as well, see the attached new > debdiff. It contains all the library changes from the 20170826 upstream > patchlevel and the program fixes of the 20170902 patchlevel. I have > also attached the test cases for the 13 bugs reported in the Red Hat > bugtracker. Not a must, and note that is just a comment on my side, I'm not a SRM: if possible add a bug closer as well to the changelog entry so that when the point release happends, the correct fixed version is as well propagated to the BTS bugs. Regards, Salvatore
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
On 2017-07-19 20:30 +0200, Sven Joachim wrote: > Control: tags -1 - moreinfo > > On 2017-07-15 12:50 +0200, Sven Joachim wrote: > >> Control: tags -1 - confirmed >> Control: tags -1 + moreinfo >> >> On 2017-07-15 11:04 +0100, Adam D. Barratt wrote: >> >>> Control: tags -1 + confirmed d-i >>> >>> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote: Recently a few flaws in the tic program and the tic library have been detected: null pointer dereference, buffer overflow, stack smashing, you name it. Six bugs have been reported in the Red Hat bugtracker and four CVEs assigned. Fortunately there are rather few users who would run affected programs at all, so it was decided that no DSA would be necessary. >> >> Unfortunately the fixes have caused a regression in infocmp, see >> #868266. I expect an upstream fix this night, but to properly test it >> and prepare new packages taking a bit more time seems advisable. So I >> guess we'll have to defer that for 9.2. > > The changes from the 20170715 patchlevel were a bit larger than I would > have liked, but applied with minimal tweaking to the stretch version. > Running "infocmp -C" on all the terminfo files in ncurses-{base,term} > showed no difference compared to the infocmp version currently in > stretch. Meanwhile seven new CVEs in the tic library and programs have been reported, and I would like to fix those as well, see the attached new debdiff. It contains all the library changes from the 20170826 upstream patchlevel and the program fixes of the 20170902 patchlevel. I have also attached the test cases for the 13 bugs reported in the Red Hat bugtracker. >>> I'd be okay with this, but it will need a kibi-ack due to the udeb. >> >> The changes do not touch the tinfo library which is all that shipped in >> the udeb. > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are compiled > into the tic library while progs/dump_entry.c is for the infocmp and tic > programs. Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a > stretch chroot produced identical libtinfo.so.5.9 files. This is unfortunately no longer the case, since strings.c and trim_sgr0.c are compiled into the tinfo library. However, the changes to these files are small. Cheers, Sven diff -Nru ncurses-6.0+20161126/debian/changelog ncurses-6.0+20161126/debian/changelog --- ncurses-6.0+20161126/debian/changelog 2016-11-29 21:19:08.0 +0100 +++ ncurses-6.0+20161126/debian/changelog 2017-09-04 22:04:15.0 +0200 @@ -1,3 +1,18 @@ +ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium + + * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels +for various crash bugs in the tic library and the tic binary +(CVE-2017-10684, CVE-2017-10685, CVE-2017-2, CVE-2017-3). + * Backport termcap-format fix from the 20170715 patchlevel, repairing a +regression from the above security fixes (see #868266). + * Cherry-pick upstream fixes from the 20170826 patchlevel for more +crash bugs in the tic library (CVE-2017-13728, CVE-2017-13729, +CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13734). + * Cerry-pick upstream fixes from the 20170902 patchlevel to fix +another crash bug in the tic program (CVE-2017-13733). + + -- Sven JoachimMon, 04 Sep 2017 22:04:15 +0200 + ncurses (6.0+20161126-1) unstable; urgency=low * New upstream patchlevel. diff -Nru ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff --- ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff 1970-01-01 01:00:00.0 +0100 +++ ncurses-6.0+20161126/debian/patches/cve-2017-13733.diff 2017-09-04 22:04:15.0 +0200 @@ -0,0 +1,91 @@ +Author: Sven Joachim +Description: Fix for CVE-2017-13733 in the tic program + Fix for CVE-2017-13733 cherry-picked from upstream patchlevel + 20170902. +Bug-Debian: https://bugs.debian.org/873746 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1484290 +Forwarded: not-needed +Last-Update: 2017-09-04 + +--- + progs/dump_entry.c | 19 ++- + progs/tput.c |2 +- + 2 files changed, 11 insertions(+), 10 deletions(-) + +--- a/progs/dump_entry.c b/progs/dump_entry.c +@@ -957,12 +957,12 @@ fmt_entry(TERMTYPE *tterm, + #undef CUR + #define CUR tterm-> + if (outform == F_TERMCAP) { +- if (termcap_reset != ABSENT_STRING) { +- if (init_3string != ABSENT_STRING ++ if (VALID_STRING(termcap_reset)) { ++ if (VALID_STRING(init_3string) + && !strcmp(init_3string, termcap_reset)) + DISCARD(init_3string); + +- if (reset_2string != ABSENT_STRING ++ if (VALID_STRING(reset_2string) + && !strcmp(reset_2string, termcap_reset)) + DISCARD(reset_2string); + } +@@ -1038,7 +1038,7 @@ fmt_entry(TERMTYPE *tterm, + buffer[0] = '\0'; + + if (predval != FAIL) { +- if (capability != ABSENT_STRING ++ if (VALID_STRING(capability) + && i + 1 >
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Control: tags -1 - moreinfo On 2017-07-15 12:50 +0200, Sven Joachim wrote: > Control: tags -1 - confirmed > Control: tags -1 + moreinfo > > On 2017-07-15 11:04 +0100, Adam D. Barratt wrote: > >> Control: tags -1 + confirmed d-i >> >> On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote: >>> Recently a few flaws in the tic program and the tic library have been >>> detected: null pointer dereference, buffer overflow, stack smashing, you >>> name it. Six bugs have been reported in the Red Hat bugtracker and four >>> CVEs assigned. Fortunately there are rather few users who would run >>> affected programs at all, so it was decided that no DSA would be >>> necessary. > > Unfortunately the fixes have caused a regression in infocmp, see > #868266. I expect an upstream fix this night, but to properly test it > and prepare new packages taking a bit more time seems advisable. So I > guess we'll have to defer that for 9.2. The changes from the 20170715 patchlevel were a bit larger than I would have liked, but applied with minimal tweaking to the stretch version. Running "infocmp -C" on all the terminfo files in ncurses-{base,term} showed no difference compared to the infocmp version currently in stretch. >> I'd be okay with this, but it will need a kibi-ack due to the udeb. > > The changes do not touch the tinfo library which is all that shipped in > the udeb. To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are compiled into the tic library while progs/dump_entry.c is for the infocmp and tic programs. Building 6.0+20161126-1 and 6.0+20161126-1+deb9u1 in a stretch chroot produced identical libtinfo.so.5.9 files. Cheers, Sven --- ncurses-6.0+20161126/debian/changelog 2016-11-29 21:19:08.0 +0100 +++ ncurses-6.0+20161126/debian/changelog 2017-07-17 20:47:58.0 +0200 @@ -1,3 +1,13 @@ +ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium + + * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels +for various crash bugs in the tic library and the tic binary +(CVE-2017-10684, CVE-2017-10685, CVE-2017-2, CVE-2017-3). + * Backport termcap-format fix from the 20170715 patchlevel, repairing a +regression from the above security fixes (see #868266). + + -- Sven JoachimMon, 17 Jul 2017 20:47:58 +0200 + ncurses (6.0+20161126-1) unstable; urgency=low * New upstream patchlevel. diff -Nru ncurses-6.0+20161126/debian/patches/cve-fixes.diff ncurses-6.0+20161126/debian/patches/cve-fixes.diff --- ncurses-6.0+20161126/debian/patches/cve-fixes.diff 1970-01-01 01:00:00.0 +0100 +++ ncurses-6.0+20161126/debian/patches/cve-fixes.diff 2017-07-17 20:47:58.0 +0200 @@ -0,0 +1,185 @@ +Author: Sven Joachim +Description: Fixes for four CVEs + Fixes for CVE 2017-10684, CVE-2017-10685, CVE-2017-2, + CVE-2017-3 cherry-picked from upstream patchlevels 20170701 and + 20170708. +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464684 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464685 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464686 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464687 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464691 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464692 +Forwarded: not-needed +Last-Update: 2017-07-09 + +--- + ncurses/tinfo/alloc_entry.c |6 +- + ncurses/tinfo/parse_entry.c | 22 -- + progs/dump_entry.c | 34 +- + 3 files changed, 38 insertions(+), 24 deletions(-) + +--- a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c +@@ -96,7 +96,11 @@ _nc_save_str(const char *const string) + { + char *result = 0; + size_t old_next_free = next_free; +-size_t len = strlen(string) + 1; ++size_t len; ++ ++if (string == 0) ++ return _nc_save_str(""); ++len = strlen(string) + 1; + + if (len == 1 && next_free != 0) { + /* +--- a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c +@@ -236,13 +236,14 @@ _nc_parse_entry(struct entry *entryp, in + * implemented it. Note that the resulting terminal type was never the + * 2-character name, but was instead the first alias after that. + */ ++#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|') + ptr = _nc_curr_token.tk_name; + if (_nc_syntax == SYN_TERMCAP + #if NCURSES_XNAMES + && !_nc_user_definable + #endif + ) { +- if (ptr[2] == '|') { ++ if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) { + ptr += 3; + _nc_curr_token.tk_name[2] = '\0'; + } +@@ -284,9 +285,11 @@ _nc_parse_entry(struct entry *entryp, in + if (is_use || is_tc) { + entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring); + entryp->uses[entryp->nuses].line = _nc_curr_line; +- entryp->nuses++; +- if (entryp->nuses > 1 && is_tc) { +- BAD_TC_USAGE ++ if
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Control: tags -1 - confirmed Control: tags -1 + moreinfo On 2017-07-15 11:04 +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed d-i > > On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote: >> Recently a few flaws in the tic program and the tic library have been >> detected: null pointer dereference, buffer overflow, stack smashing, you >> name it. Six bugs have been reported in the Red Hat bugtracker and four >> CVEs assigned. Fortunately there are rather few users who would run >> affected programs at all, so it was decided that no DSA would be >> necessary. Unfortunately the fixes have caused a regression in infocmp, see #868266. I expect an upstream fix this night, but to properly test it and prepare new packages taking a bit more time seems advisable. So I guess we'll have to defer that for 9.2. > I'd be okay with this, but it will need a kibi-ack due to the udeb. The changes do not touch the tinfo library which is all that shipped in the udeb. Cheers, Sven
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Control: tags -1 + confirmed d-i On Sun, 2017-07-09 at 19:30 +0200, Sven Joachim wrote: > Recently a few flaws in the tic program and the tic library have been > detected: null pointer dereference, buffer overflow, stack smashing, you > name it. Six bugs have been reported in the Red Hat bugtracker and four > CVEs assigned. Fortunately there are rather few users who would run > affected programs at all, so it was decided that no DSA would be > necessary. I'd be okay with this, but it will need a kibi-ack due to the udeb. Regards, Adam
Bug#867814: stretch-pu: package ncurses/6.0+20161126-1+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Recently a few flaws in the tic program and the tic library have been detected: null pointer dereference, buffer overflow, stack smashing, you name it. Six bugs have been reported in the Red Hat bugtracker and four CVEs assigned. Fortunately there are rather few users who would run affected programs at all, so it was decided that no DSA would be necessary. Upstream has fixed these problems in the latest patchlevels (already in sid), and I would like to address them in a stable upload. I have verified that the testcases in the reported Red Hat bugs no longer cause crashes (if anybody wants to verify that, I can send them). Cheers, Sven diff -Nru ncurses-6.0+20161126/debian/changelog ncurses-6.0+20161126/debian/changelog --- ncurses-6.0+20161126/debian/changelog 2016-11-29 21:19:08.0 +0100 +++ ncurses-6.0+20161126/debian/changelog 2017-07-09 15:32:26.0 +0200 @@ -1,3 +1,11 @@ +ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium + + * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels +for various crash bugs in the tic library and the tic binary +(CVE-2017-10684, CVE-2017-10685, CVE-2017-2, CVE-2017-3). + + -- Sven JoachimSun, 09 Jul 2017 15:32:26 +0200 + ncurses (6.0+20161126-1) unstable; urgency=low * New upstream patchlevel. diff -Nru ncurses-6.0+20161126/debian/patches/cve-fixes.diff ncurses-6.0+20161126/debian/patches/cve-fixes.diff --- ncurses-6.0+20161126/debian/patches/cve-fixes.diff 1970-01-01 01:00:00.0 +0100 +++ ncurses-6.0+20161126/debian/patches/cve-fixes.diff 2017-07-09 15:32:26.0 +0200 @@ -0,0 +1,185 @@ +Author: Sven Joachim +Description: Fixes for four CVEs + Fixes for CVE 2017-10684, CVE-2017-10685, CVE-2017-2, + CVE-2017-3 cherry-picked from upstream patchlevels 20170701 and + 20170708. +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464684 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464685 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464686 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464687 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464691 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464692 +Forwarded: not-needed +Last-Update: 2017-07-09 + +--- + ncurses/tinfo/alloc_entry.c |6 +- + ncurses/tinfo/parse_entry.c | 22 -- + progs/dump_entry.c | 34 +- + 3 files changed, 38 insertions(+), 24 deletions(-) + +--- a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c +@@ -96,7 +96,11 @@ _nc_save_str(const char *const string) + { + char *result = 0; + size_t old_next_free = next_free; +-size_t len = strlen(string) + 1; ++size_t len; ++ ++if (string == 0) ++ return _nc_save_str(""); ++len = strlen(string) + 1; + + if (len == 1 && next_free != 0) { + /* +--- a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c +@@ -236,13 +236,14 @@ _nc_parse_entry(struct entry *entryp, in + * implemented it. Note that the resulting terminal type was never the + * 2-character name, but was instead the first alias after that. + */ ++#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|') + ptr = _nc_curr_token.tk_name; + if (_nc_syntax == SYN_TERMCAP + #if NCURSES_XNAMES + && !_nc_user_definable + #endif + ) { +- if (ptr[2] == '|') { ++ if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) { + ptr += 3; + _nc_curr_token.tk_name[2] = '\0'; + } +@@ -284,9 +285,11 @@ _nc_parse_entry(struct entry *entryp, in + if (is_use || is_tc) { + entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring); + entryp->uses[entryp->nuses].line = _nc_curr_line; +- entryp->nuses++; +- if (entryp->nuses > 1 && is_tc) { +- BAD_TC_USAGE ++ if (VALID_STRING(entryp->uses[entryp->nuses].name)) { ++ entryp->nuses++; ++ if (entryp->nuses > 1 && is_tc) { ++ BAD_TC_USAGE ++ } + } + } else { + /* normal token lookup */ +@@ -572,7 +575,7 @@ append_acs0(string_desc * dst, int code, + static void + append_acs(string_desc * dst, int code, char *src) + { +-if (src != 0 && strlen(src) == 1) { ++if (VALID_STRING(src) && strlen(src) == 1) { + append_acs0(dst, code, *src); + } + } +@@ -833,15 +836,14 @@ postprocess_termcap(TERMTYPE *tp, bool h + } + + if (tp->Strings[to_ptr->nte_index]) { ++ const char *s = tp->Strings[from_ptr->nte_index]; ++ const char *t = tp->Strings[to_ptr->nte_index]; + /* There's no point in warning about it if it's the same + * string; that's just an inefficiency. + */ +- if (strcmp( +- tp->Strings[from_ptr->nte_index], +- tp->Strings[to_ptr->nte_index]) != 0) ++ if (VALID_STRING(s) && VALID_STRING(t) && strcmp(s, t) != 0) +