Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ncur...@packages.debian.org
Control: affects -1 + src:ncurses

I would like to fix three bugs[1,2,3] in ncurses for Bookworm. While
none of them is RC, they have some impact on users, and the changes are
fairly small.

[ Reason ]
1. Pasting in vim is broken on some terminal emulators[1]
   Remedy: Declare versioned Breaks against vim-common in ncurses-{base,term}
2. Stack buffer overflow in "tic -I" on crafted input[2]
   Remedy: Cherry-pick upstream fix
3. On i386 and mips64el, libncurses++w.a is not stripped[3]
   Remedy: Strip the file by hand in debian/rules

[ Impact ]
1. On upgrades from Bullseye to Bookworm, if ncurses-base is upgraded
   before vim (which is rather likely without the Breaks), pasting in
   vim is severely broken for some terminal emulators and values of
   $TERM. One rather popular combination is using tmux and TERM=tmux
   or TERM=tmux-256color.

   For the gory details see #1027435, #1027674[4] and upstream issue
   11766[5] in vim.
2. Potentially a security issue, although it requires some cooperation
   by the victim, and the stack protection should prevent worse things
   than a crash. Several cases of such crash bugs in tic have been
   fixed via point releases in the past.
3. On the affected architectures, several hundred kilobytes are used,
   and the size of libncurses-dev.deb also increases, wasting bandwidth.
   Perhaps more importantly, the build becomes unreproducible, a sad
   regression compared to previous Debian releases.

[ Tests ]
1. No tests have been performed yet. Once ncurses 6.4-2 is in unstable
   I intend to test upgrades from Bullseye in a chroot, but real world
   examples with 1000+ installed packages will have to be tested by
   users.
2. The reproducer test given by the upstream bug submitter no longer
   crashes. The terminfo database in the ncurses-{base,term} packages
   is identical with the 6.4-1 version.
3. The offending file is stripped on i386, and two test builds produced
   identical packages.

[ Risks ]
1. On upgrades from Bullseye, the upgrade of ncurses-base and
   ncurses-term will be delayed. All reverse dependencies in the archive
   are satisfied with the Bullseye versions, so I do not expect problems.
2. Although the fix is small, it might still contain bugs. Any damage
   will be limited to the usage of "infocmp -u", "tic -I" and "tic -C"
   (or their aliases infotocap and captoinfo), which are not used very
   often.
3. Although the workaround for debhelper bug #875780[6] is not exactly
   pretty, it should not pose any risks.

[ Checklist ]
  [x] all changes are documented in debian/changelog
  [x] I reviewed all changes and I approve them
  [x] attach the patches applied in git, rather than a debdiff

Thanks for your consideration.

Cheers,
       Sven

1. https://bugs.debian.org/1027435
2. https://bugs.debian.org/1029399
3. https://bugs.debian.org/1029404
4. https://bugs.debian.org/1027674
5. https://github.com/vim/vim/issues/11766
6. https://bugs.debian.org/875780
From 12bb87e58cf0ad787b90281452404a9ee1240244 Mon Sep 17 00:00:00 2001
From: Sven Joachim
Date: Sun, 22 Jan 2023 18:02:59 +0100
Subject: [PATCH 1/3] Add versioned Breaks against vim-common to
 ncurses-{base,term}

Pasting text is broken in older vim versions for some rather popular
terminals and values of $TERM, e.g. in tmux if TERM is set to "tmux"
or "tmux-256color". To avoid nasty surprises on partial upgrades,
ensure that a fixed vim version is installed along the new terminfo
database.

Closes: #1027435
---
debian/changelog | 7 +++
debian/control | 4 ++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 3af8f1e5..fdd6f828 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ncurses (6.4-2) UNRELEASED; urgency=medium
+
+ * Add Breaks against vim-common (<< 2:9.0.1000-2) to ncurses-base
+and ncurses-term (Closes: #1027435).
+
+ -- Sven Joachim Sun, 22 Jan 2023 17:59:41 +0100
+
ncurses (6.4-1) unstable; urgency=medium
* New upstream release.
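Review bot: The new 6.4-2 entry at the top of debian/changelog records what is added but not why. A short clause giving the reason stated in the commit message (pasting is broken in older vim on partial upgrades) would let someone reading only the changelog understand the Breaks without following #1027435. The entry also still targets UNRELEASED, which has to be changed to the intended suite before upload.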
diff --git a/debian/control b/debian/control
index 0d2f7af0..fc151b97 100644
--- a/debian/control
+++ b/debian/control
@@ -24,7 +24,7 @@ Provides: ncurses-runtime
Breaks: libtinfo5 (<< 6.1), libslang2 (<< 2.3.1a-3), libunibilium0 (<< 2),
libunibilium4 (<< 2.0.0-3), bash-static (<< 4.4.18-1.1),
zsh-static (<< 5.4.2-4), libmono-corlib4.5-cil (<< 4.6.2.7+dfsg-2),
-neovim (<< 0.6.0)
+neovim (<< 0.6.0), vim-common (<< 2:9.0.1000-2)
Description: basic terminal type definitions
The ncurses library routines are a terminal-independent method of
updating character screens with reasonable optimization.
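Review bot: The bound in the added "vim-common (<< 2:9.0.1000-2)" on the first changed Breaks field in debian/control is not justified anywhere in the patch; the commit message only speaks of "a fixed vim version". Naming the vim upload or bug that carries the fix (the cover mail points to #1027674) in the commit message would make it checkable that 2:9.0.1000-2, including its epoch, is the first fixed version, since a bound that is too low leaves the broken combination installable on partial upgrades.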
@@ -44,7 +44,7 @@ Replaces: dvtm (<< 0.15-3), alacritty (<< 0.3.4~), jfbterm (<< 0.4.7-10),
Breaks: libtinfo5 (<< 6.1), libslang2 (<< 2.3.1a-3), libunibilium0 (<<