On Sun, Jan 22, 2023 at 01:16:21PM +0100, Sven Joachim wrote:
> Package: ncurses-bin
> Version: 6.4-1
> Tags: security fixed-upstream
> Forwarded: https://lists.gnu.org/archive/html/bug-ncurses/2023-01/msg00035.html
> X-Debbugs-CC: t...@security.debian.org
>
> Running tic on the attached file triggers a stack buffer overflow:
>
> ,----
> | $ tic -I minimized-crash1
> | "minimized-crash1", line 1, col 606, terminal '0': Very long string found. Missing separator?
> | "minimized-crash1", line 1, col 4098, terminal '0': Missing separator
> | *** buffer overflow detected ***: terminated
> | [1] 485807 IOT instruction tic -I minimized-crash1
> `----
>
> This has been reported upstream yesterday and was promptly addressed in
> this weekend's patchlevel. I intend to cherry-pick the patch for
> Bookworm, maybe it could also be included in a Bullseye point release if
> older versions are affected.
>
> The impact seems to be rather low, as the attacker needs to persuade the
> victim to run tic on crafted input, and thanks to the stack protection
> nothing worse than a crash should happen.

FWIW, this sounds good. If bullseye is affected, then a potential fix can
go in via an upcoming bullseye point release.

Regards,
Salvatore