Debian Bug report logs - #885582
stretch-pu: package ncurses/6.0+20161126-1+deb9u2
Reported by: Sven Joachim <svenjoac@gmx.de>
Date: Thu, 28 Dec 2017 10:39:01 UTC
Severity: normal
Tags: confirmed, d-i, stretch
Fixed in version 9.4
Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, svenjoac@gmx.de, kibi@debian.org, debian-boot@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#885582; Package release.debian.org.
(Thu, 28 Dec 2017 10:39:03 GMT).
Acknowledgement sent
to Sven Joachim <svenjoac@gmx.de>:
New Bug report received and forwarded. Copy sent to svenjoac@gmx.de, kibi@debian.org, debian-boot@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>.
(Thu, 28 Dec 2017 10:39:03 GMT).
Message #5 received at submit@bugs.debian.org:
Package: release.debian.org
Severity: normal
Tags: stretch d-i
User: release.debian.org@packages.debian.org
Usertags: pu
I would like to fix bug #882620 aka CVE-2017-16879 in stretch, a buffer
overflow in the _nc_write_entry function.
While this touches the tinfo library used in the installer,
_nc_write_entry() is only used by tic as far as I am aware.
Cheers,
Sven
[ncurses-stretch.diff (text/x-diff, inline)]
diff -Nru ncurses-6.0+20161126/debian/changelog ncurses-6.0+20161126/debian/changelog
--- ncurses-6.0+20161126/debian/changelog 2017-09-07 19:05:43.000000000 +0200
+++ ncurses-6.0+20161126/debian/changelog 2017-12-28 10:47:33.000000000 +0100
@@ -1,3 +1,11 @@
+ncurses (6.0+20161126-1+deb9u2) stretch; urgency=medium
+
+ * Cherry-pick upstream fix from the 20171125 patchlevel to fix
+ a buffer overflow in the _nc_write_entry function
+ (CVE-2017-16879, Closes: #882620).
+
+ -- Sven Joachim <svenjoac@gmx.de> Thu, 28 Dec 2017 10:47:33 +0100
+
ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium
* Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels
diff -Nru ncurses-6.0+20161126/debian/patches/cve-2017-16879.diff ncurses-6.0+20161126/debian/patches/cve-2017-16879.diff
--- ncurses-6.0+20161126/debian/patches/cve-2017-16879.diff 1970-01-01 01:00:00.000000000 +0100
+++ ncurses-6.0+20161126/debian/patches/cve-2017-16879.diff 2017-12-28 10:32:23.000000000 +0100
@@ -0,0 +1,44 @@
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Fix for CVE-2017-16879 in the _nc_write_entry function
+ Fix for CVE-2017-16879 cherry-picked from upstream patchlevel
+ 20171125.
+Bug-Debian: https://bugs.debian.org/882620
+Forwarded: not-needed
+Last-Update: 2017-11-27
+
+---
+ ncurses/tinfo/write_entry.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/ncurses/tinfo/write_entry.c
++++ b/ncurses/tinfo/write_entry.c
+@@ -267,6 +267,9 @@ _nc_write_entry(TERMTYPE *const tp)
+ #endif
+ #endif /* USE_SYMLINKS */
+
++ unsigned limit2 = sizeof(filename) - (2 + LEAF_LEN);
++ char saved = '\0';
++
+ static int call_count;
+ static time_t start_time; /* time at start of writes */
+
+@@ -365,12 +368,18 @@ _nc_write_entry(TERMTYPE *const tp)
+ start_time = 0;
+ }
+
+- if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN))
++ if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN)) {
+ _nc_warning("terminal name too long.");
++ saved = first_name[limit2];
++ first_name[limit2] = '\0';
++ }
+
+ _nc_SPRINTF(filename, _nc_SLIMIT(sizeof(filename))
+ LEAF_FMT "/%s", first_name[0], first_name);
+
++ if (saved)
++ first_name[limit2] = saved;
++
+ /*
+ * Has this primary name been written since the first call to
+ * write_entry()? If so, the newer write will step on the older,
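Review bot: In the second write_entry.c hunk, the length check still spells out `sizeof(filename) - (2 + LEAF_LEN)` although the first hunk introduces `limit2` with exactly that value; writing the test as `if (strlen(first_name) >= limit2)` would keep the bound that triggers the warning and the index used for truncation from drifting apart. `limit2` is also declared `unsigned` while `sizeof` and `strlen` both yield `size_t`, so declaring it `size_t limit2` would avoid the implicit narrowing.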
diff -Nru ncurses-6.0+20161126/debian/patches/series ncurses-6.0+20161126/debian/patches/series
--- ncurses-6.0+20161126/debian/patches/series 2017-09-07 19:05:43.000000000 +0200
+++ ncurses-6.0+20161126/debian/patches/series 2017-12-28 10:32:23.000000000 +0100
@@ -5,3 +5,4 @@
termcap-fix.diff
more-cve-fixes.diff
cve-2017-13733.diff
+cve-2017-16879.diff
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#885582; Package release.debian.org.
(Wed, 17 Jan 2018 17:21:12 GMT).
Acknowledgement sent
to Cyril Brulebois <kibi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Wed, 17 Jan 2018 17:21:12 GMT).
Message #10 received at 885582@bugs.debian.org:
Hi Sven,
Sven Joachim <svenjoac@gmx.de> (2017-12-28):
> Package: release.debian.org
> Severity: normal
> Tags: stretch d-i
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> I would like to fix bug #882620 aka CVE-2017-16879 in stretch, a
> buffer overflow in the _nc_write_entry function.
>
> While this touches the tinfo library used in the installer,
> _nc_write_entry() is only used by tic as far as I am aware.
No objections, and sorry for the lag.
Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#885582; Package release.debian.org.
(Sat, 10 Feb 2018 10:12:03 GMT).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sat, 10 Feb 2018 10:12:03 GMT).
Message #15 received at 885582@bugs.debian.org:
Control: tag -1 moreinfo
On Thu, Dec 28, 2017 at 11:34:33 +0100, Sven Joachim wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch d-i
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> I would like to fix bug #882620 aka CVE-2017-16879 in stretch, a buffer
> overflow in the _nc_write_entry function.
>
> While this touches the tinfo library used in the installer,
> _nc_write_entry() is only used by tic as far as I am aware.
>
Thanks, go ahead.
[...]
> +--- a/ncurses/tinfo/write_entry.c
> ++++ b/ncurses/tinfo/write_entry.c
> +@@ -267,6 +267,9 @@ _nc_write_entry(TERMTYPE *const tp)
> + #endif
> + #endif /* USE_SYMLINKS */
> +
> ++ unsigned limit2 = sizeof(filename) - (2 + LEAF_LEN);
> ++ char saved = '\0';
> ++
> + static int call_count;
> + static time_t start_time; /* time at start of writes */
> +
> +@@ -365,12 +368,18 @@ _nc_write_entry(TERMTYPE *const tp)
> + start_time = 0;
> + }
> +
> +- if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN))
> ++ if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN)) {
kind of curious that limit2 wasn't used here...
> + _nc_warning("terminal name too long.");
> ++ saved = first_name[limit2];
> ++ first_name[limit2] = '\0';
> ++ }
> +
> + _nc_SPRINTF(filename, _nc_SLIMIT(sizeof(filename))
> + LEAF_FMT "/%s", first_name[0], first_name);
> +
> ++ if (saved)
> ++ first_name[limit2] = saved;
> ++
> + /*
> + * Has this primary name been written since the first call to
> + * write_entry()? If so, the newer write will step on the older,
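Review bot: The truncation in the second hunk works by writing a NUL into `first_name[limit2]` and putting the saved byte back after `_nc_SPRINTF`, so the name buffer is modified in place for the duration of the call. Assuming `_nc_SPRINTF` accepts the usual printf precision syntax, bounding the copy in the format itself, e.g. `LEAF_FMT "/%.*s", first_name[0], (int) limit2, first_name`, would need neither `saved` nor the restore. If the save/restore stays, a short comment that an over-long name is only warned about and then written under its truncated form would make the intent clear.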
Cheers,
Julien
Added tag(s) moreinfo.
Request was from Julien Cristau <jcristau@debian.org>
to 885582-submit@bugs.debian.org.
(Sat, 10 Feb 2018 10:12:03 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#885582; Package release.debian.org.
(Sun, 11 Feb 2018 08:36:08 GMT).
Acknowledgement sent
to Sven Joachim <svenjoac@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sun, 11 Feb 2018 08:36:08 GMT).
Message #22 received at 885582@bugs.debian.org:
On 2018-02-10 11:08 +0100, Julien Cristau wrote:
> Control: tag -1 moreinfo
> [...]
> Thanks, go ahead.
This is contradictory. Did you mean to tag the bug "confirmed" rather
than "moreinfo"?
>> +--- a/ncurses/tinfo/write_entry.c
>> ++++ b/ncurses/tinfo/write_entry.c
>> +@@ -267,6 +267,9 @@ _nc_write_entry(TERMTYPE *const tp)
>> + #endif
>> + #endif /* USE_SYMLINKS */
>> +
>> ++ unsigned limit2 = sizeof(filename) - (2 + LEAF_LEN);
>> ++ char saved = '\0';
>> ++
>> + static int call_count;
>> + static time_t start_time; /* time at start of writes */
>> +
>> +@@ -365,12 +368,18 @@ _nc_write_entry(TERMTYPE *const tp)
>> + start_time = 0;
>> + }
>> +
>> +- if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN))
>> ++ if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN)) {
>
> kind of curious that limit2 wasn't used here...
Good point, I reported this upstream:
https://lists.gnu.org/archive/html/bug-ncurses/2018-02/msg00016.html.
Cheers,
Sven
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#885582; Package release.debian.org.
(Sun, 11 Feb 2018 08:48:06 GMT).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sun, 11 Feb 2018 08:48:06 GMT).
Message #27 received at 885582@bugs.debian.org:
Control: tag -1 - moreinfo
Control: tag -1 confirmed
On Sat, Feb 10, 2018 at 11:08:37 +0100, Julien Cristau wrote:
> Control: tag -1 moreinfo
>
Got that one wrong, sorry.
Cheers,
Julien
Removed tag(s) moreinfo.
Request was from Julien Cristau <jcristau@debian.org>
to 885582-submit@bugs.debian.org.
(Sun, 11 Feb 2018 08:48:06 GMT).
Added tag(s) confirmed.
Request was from Julien Cristau <jcristau@debian.org>
to 885582-submit@bugs.debian.org.
(Sun, 11 Feb 2018 08:48:07 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#885582; Package release.debian.org.
(Sun, 11 Feb 2018 09:39:03 GMT).
Acknowledgement sent
to Sven Joachim <svenjoac@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sun, 11 Feb 2018 09:39:03 GMT).
Message #36 received at 885582@bugs.debian.org:
On 2018-02-11 09:45 +0100, Julien Cristau wrote:
> Control: tag -1 - moreinfo
> Control: tag -1 confirmed
>
> On Sat, Feb 10, 2018 at 11:08:37 +0100, Julien Cristau wrote:
>
>> Control: tag -1 moreinfo
>>
> Got that one wrong, sorry.
Thanks, uploaded.
Cheers,
Sven
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#885582; Package release.debian.org.
(Wed, 14 Feb 2018 21:21:14 GMT).
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Wed, 14 Feb 2018 21:21:14 GMT).
Message #41 received at 885582@bugs.debian.org:
Control: tags -1 + pending
On Sun, 2018-02-11 at 10:35 +0100, Sven Joachim wrote:
> On 2018-02-11 09:45 +0100, Julien Cristau wrote:
>
> > Control: tag -1 - moreinfo
> > Control: tag -1 confirmed
> >
> > On Sat, Feb 10, 2018 at 11:08:37 +0100, Julien Cristau wrote:
> >
> > > Control: tag -1 moreinfo
> > >
> >
> > Got that one wrong, sorry.
>
> Thanks, uploaded.
Flagged for acceptance.
Regards,
Adam
Added tag(s) pending.
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to 885582-submit@bugs.debian.org.
(Wed, 14 Feb 2018 21:21:14 GMT).
Reply sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility.
(Sat, 10 Mar 2018 11:04:16 GMT).
Notification sent
to Sven Joachim <svenjoac@gmx.de>:
Bug acknowledged by developer.
(Sat, 10 Mar 2018 11:04:16 GMT).
Message #48 received at 885582-done@bugs.debian.org:
Version: 9.4
Hi,
The update referenced by each of these bugs was included in this
morning's stretch point release.
Regards,
Adam
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 08 Apr 2018 07:35:48 GMT).
Last modified: Fri Jan 19 22:27:09 2024