On 2023-04-13 20:39 +0200, Moritz Mühlenhoff wrote:

> The following vulnerability was published for ncurses.
>
> CVE-2023-29491 was assigned to 
> https://invisible-island.net/ncurses/NEWS.html#index-t20230408
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-29491
>     https://www.cve.org/CVERecord?id=CVE-2023-29491

Security boundaries are only crossed for setuid/setgid programs here,
and we probably do not have many setuid binaries linked to libtinfo in
the distribution (on my system, I could not find any).  So I guess you
probably do not want to issue a DSA here, right?

Gentoo users have noticed a few problems after upgrading to the 20230408
patchlevel[1,2,3], most notably output of openrc being completely
broken.  While we do not have that particular problem because openrc in
Debian is built without ncurses support, I do not currently have an idea
which other packages might show misbehavior.  So I am rather reluctant
to fix this bug before the bookworm release.

Cheers,
       Sven


1. https://bugs.gentoo.org/904247
2. https://bugs.gentoo.org/904263
3. https://bugs.gentoo.org/904277
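A way to answer the question raised in the reply above (which setuid/setgid binaries on a system actually link libtinfo or libncurses), as an added example that is not part of this thread or of the ncurses project; it assumes POSIX sh and `readelf` from binutils, and the directory roots to scan are supplied by the caller.

```sh
#!/bin/sh
# Audit helper (added example): list setuid/setgid binaries whose ELF
# NEEDED entries name libtinfo or libncurses, i.e. the binaries for which
# a terminfo-parsing bug could cross a privilege boundary.
# readelf parses the file statically; unlike ldd it never runs the
# binary's dynamic loader, which matters when auditing setuid files.

# Return 0 if the 'readelf -d' output on stdin lists libtinfo/libncurses(w).
needs_tinfo() {
    grep -qE '\(NEEDED\).*lib(tinfo|ncurses)w?\.so'
}

# Print every setuid or setgid regular file under the given roots that
# links libtinfo/libncurses. Non-ELF files are skipped silently.
find_setuid_tinfo() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if readelf -d "$f" 2>/dev/null | needs_tinfo; then
            printf '%s\n' "$f"
        fi
    done
}
```

Typical invocation on a Debian system: `find_setuid_tinfo /usr/bin /usr/sbin /usr/lib /usr/libexec`; an empty result means no privileged binary pulls the library in.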
