On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote:
> On 2023-04-13 20:39 +0200, Moritz Mühlenhoff wrote:
> 
> > The following vulnerability was published for ncurses.
> >
> > CVE-2023-29491 was assigned to 
> > https://invisible-island.net/ncurses/NEWS.html#index-t20230408
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-29491
> >     https://www.cve.org/CVERecord?id=CVE-2023-29491
> 
> Security boundaries are only crossed for setuid/setgid programs here,
> and we probably do not have many setuid binaries linked to libtinfo in
> the distribution (on my system, I could not find any).  So I guess you
> probably do not want to issue a DSA here, right?
> 
> Gentoo users have noticed a few problems after upgrading to the 20230408
> patchlevel[1,2,3], most notably output of openrc being completely
> broken.  While we do not have that particular problem because openrc in

It was already broken (the "(null)" strings come from its misuse of the
ncurses interface, which will require fixes in OpenRC).  I'm not going
to provide a patch for OpenRC itself - any maintainer should be able to
do _that_.

Today I'll put out the fix for zero-parameter tsl, along with similar minor
improvements, and if nothing else surfaces, use that as the basis for the
security-patch.

> Debian is built without ncurses support, I do not currently have an idea
> which other packages might show misbehavior.  So I am rather reluctant
> to fix this bug before the bookworm release.

Actually, the discussion there should be based on what the disclosure covers.
I'm addressing their concerns as well as I'm able.
 
> Cheers,
>        Sven
> 
> 
> 1. https://bugs.gentoo.org/904247
> 2. https://bugs.gentoo.org/904263
> 3. https://bugs.gentoo.org/904277
> 

-- 
Thomas E. Dickey <dic...@invisible-island.net>
https://invisible-island.net
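
Added example, not part of the thread above and not code from ncurses or Debian: one way to run the check Sven describes, listing setuid/setgid files whose ELF dynamic section names libtinfo. It also matches libncurses/libncursesw (an assumption: those carry the terminfo code when ncurses is built without a separate libtinfo); the function names and the sample line are made up for this example.

```shell
#!/bin/sh
# Audit helper: which setuid/setgid programs are dynamically linked to
# libtinfo (or libncurses/libncursesw)? Requires readelf from binutils.

# Constructed sample of one `readelf -d` line, for reference and testing.
SAMPLE_NEEDED=' 0x0000000000000001 (NEEDED)             Shared library: [libtinfo.so.6]'

# needs_curses: reads `readelf -d` output on stdin and succeeds if any
# DT_NEEDED entry names libtinfo, libncurses or libncursesw.
needs_curses() {
    grep -Eq '\(NEEDED\).*\[lib(tinfo|ncursesw?)\.so'
}

# audit_tree DIR...: prints every regular file under the given directories
# that has the setuid (4000) or setgid (2000) bit and passes needs_curses.
# -xdev keeps find on the starting filesystem; unreadable paths are skipped.
audit_tree() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if readelf -d "$f" 2>/dev/null | needs_curses; then
            printf '%s\n' "$f"
        fi
    done
}

# Run only when directories are given, e.g.:  sh audit.sh /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    audit_tree "$@"
fi
```

Statically linked programs have no NEEDED entry, so an empty result only covers dynamically linked binaries.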
