Your message dated Tue, 12 Jun 2018 20:43:56 +0000
with message-id <[email protected]>
and subject line Bug#882620: fixed in ncurses 5.9+20140913-1+deb8u3
has caused the Debian Bug report #882620,
regarding [CVE-2017-16879] ncurses: Stack-based buffer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
882620: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882620
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ncurses
X-Debbugs-CC: [email protected]
[email protected]
Severity: grave
Tags: security

Hi,

the following vulnerability was published for ncurses.

CVE-2017-16879[0]:
| Stack-based buffer overflow in the _nc_write_entry function in
| tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial
| of service (application crash) or possibly execute arbitrary code via
| a crafted terminfo file, as demonstrated by tic.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.


I checked the PoC from [1] and it looks like it works in every supported
Debian distro at the moment.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16879
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16879
[1] https://packetstormsecurity.com/files/download/145045/tic-overflow.tgz

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: ncurses
Source-Version: 5.9+20140913-1+deb8u3

We believe that the bug you reported is fixed in the latest version of
ncurses, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Joachim <[email protected]> (supplier of updated ncurses package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Dec 2017 11:14:57 +0100
Source: ncurses
Binary: libtinfo5 libncurses5 libtinfo-dev libtinfo5-dbg libncurses5-dev
 libncurses5-dbg libncursesw5 libncursesw5-dev libncursesw5-dbg lib64ncurses5
 lib64ncurses5-dev lib32ncurses5 lib32ncurses5-dev lib32ncursesw5
 lib32ncursesw5-dev lib64tinfo5 lib32tinfo5 lib32tinfo-dev ncurses-bin
 ncurses-base ncurses-term ncurses-examples ncurses-doc
Architecture: source all
Version: 5.9+20140913-1+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: Craig Small <[email protected]>
Changed-By: Sven Joachim <[email protected]>
Description:
 lib32ncurses5 - shared libraries for terminal handling (32-bit)
 lib32ncurses5-dev - developer's libraries for ncurses (32-bit)
 lib32ncursesw5 - shared libraries for terminal handling (wide character support) (
 lib32ncursesw5-dev - developer's libraries for ncursesw (32-bit)
 lib32tinfo-dev - developer's library for the low-level terminfo library (32-bit)
 lib32tinfo5 - shared low-level terminfo library for terminal handling (32-bit)
 lib64ncurses5 - shared libraries for terminal handling (64-bit)
 lib64ncurses5-dev - developer's libraries for ncurses (64-bit)
 lib64tinfo5 - shared low-level terminfo library for terminal handling (64-bit)
 libncurses5 - shared libraries for terminal handling
 libncurses5-dbg - debugging/profiling libraries for ncurses
 libncurses5-dev - developer's libraries for ncurses
 libncursesw5 - shared libraries for terminal handling (wide character support)
 libncursesw5-dbg - debugging/profiling libraries for ncursesw
 libncursesw5-dev - developer's libraries for ncursesw
 libtinfo-dev - developer's library for the low-level terminfo library
 libtinfo5  - shared low-level terminfo library for terminal handling
 libtinfo5-dbg - debugging/profiling library for the low-level terminfo library
 ncurses-base - basic terminal type definitions
 ncurses-bin - terminal-related programs and man pages
 ncurses-doc - developer's guide and documentation for ncurses
 ncurses-examples - test programs and examples for ncurses
 ncurses-term - additional terminal type definitions
Closes: 882620
Changes:
 ncurses (5.9+20140913-1+deb8u3) jessie; urgency=medium
 .
   * Cherry-pick upstream fix from the 20171125 patchlevel to fix
     a buffer overflow in the _nc_write_entry function
     (CVE-2017-16879, Closes: #882620).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
