[CVE-2017-16879] ncurses: Stack-based buffer overflow

Related Vulnerabilities: CVE-2017-16879  

Debian Bug report logs - #882620

Package: ncurses; Maintainer for ncurses is Craig Small <csmall@debian.org>;

Reported by: Luciano Bello <luciano@debian.org>

Date: Fri, 24 Nov 2017 22:12:01 UTC

Severity: important

Tags: fixed-upstream, jessie, stretch, upstream

Found in version 5.9+20140913-1

Fixed in versions ncurses/6.0+20171125-1, ncurses/6.0+20161126-1+deb9u2, ncurses/5.9+20140913-1+deb8u3

Done: Sven Joachim <svenjoac@gmx.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Craig Small <csmall@debian.org>:
Bug#882620; Package ncurses. (Fri, 24 Nov 2017 22:12:04 GMT).


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Craig Small <csmall@debian.org>. (Fri, 24 Nov 2017 22:12:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: [CVE-2017-16879] ncurses: Stack-based buffer overflow
Date: Fri, 24 Nov 2017 16:23:20 -0500

Package: ncurses
X-Debbugs-CC: team@security.debian.org
secure-testing-team@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerability was published for ncurses.

CVE-2017-16879[0]:
| Stack-based buffer overflow in the _nc_write_entry function in
| tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial
| of service (application crash) or possibly execute arbitrary code via
| a crafted terminfo file, as demonstrated by tic.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.


I checked the PoC from [1] and it looks like it works in every supported
Debian distro at the moment.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16879
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16879
[1] https://packetstormsecurity.com/files/download/145045/tic-overflow.tgz

Please adjust the affected versions in the BTS as needed.



Marked as found in versions 5.9+20140913-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 Nov 2017 06:48:03 GMT).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 Nov 2017 06:54:02 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#882620; Package ncurses. (Sat, 25 Nov 2017 09:30:03 GMT).


Acknowledgement sent to Sven Joachim <svenjoac@gmx.de>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 25 Nov 2017 09:30:04 GMT).


Message #14 received at 882620@bugs.debian.org:

From: Sven Joachim <svenjoac@gmx.de>
To: Luciano Bello <luciano@debian.org>
Cc: 882620@bugs.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#882620: [CVE-2017-16879] ncurses: Stack-based buffer overflow
Date: Sat, 25 Nov 2017 10:27:14 +0100

Control: severity -1 important

On 2017-11-24 16:23 -0500, Luciano Bello wrote:

> Package: ncurses
> X-Debbugs-CC: team@security.debian.org
> secure-testing-team@lists.alioth.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> the following vulnerability was published for ncurses.
>
> CVE-2017-16879[0]:
> | Stack-based buffer overflow in the _nc_write_entry function in
> | tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial
> | of service (application crash) or possibly execute arbitrary code via
> | a crafted terminfo file, as demonstrated by tic.

For the crash to happen the attacker needs to persuade the victim into
running tic on their terminfo file first (there are no users of the
_nc_write_entry function besides tic), and arbitrary code execution
should be prevented by the stack protection.

Like the previous CVEs on ncurses published earlier this year, this
should be tagged no-DSA in the tracker.

Cheers,
       Sven



Severity set to 'important' from 'normal'. Request was from Sven Joachim <svenjoac@gmx.de> to 882620-submit@bugs.debian.org. (Sat, 25 Nov 2017 09:30:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#882620; Package ncurses. (Sat, 25 Nov 2017 10:36:12 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 25 Nov 2017 10:36:12 GMT).


Message #21 received at 882620@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sven Joachim <svenjoac@gmx.de>
Cc: Luciano Bello <luciano@debian.org>, secure-testing-team@lists.alioth.debian.org, 882620@bugs.debian.org, team@security.debian.org
Subject: Re: [Secure-testing-team] Bug#882620: [CVE-2017-16879] ncurses: Stack-based buffer overflow
Date: Sat, 25 Nov 2017 11:35:17 +0100

Hi Sven,

On Sat, Nov 25, 2017 at 10:27:14AM +0100, Sven Joachim wrote:
> Control: severity -1 important
> 
> On 2017-11-24 16:23 -0500, Luciano Bello wrote:
> 
> > Package: ncurses
> > X-Debbugs-CC: team@security.debian.org
> > secure-testing-team@lists.alioth.debian.org
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > the following vulnerability was published for ncurses.
> >
> > CVE-2017-16879[0]:
> > | Stack-based buffer overflow in the _nc_write_entry function in
> > | tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial
> > | of service (application crash) or possibly execute arbitrary code via
> > | a crafted terminfo file, as demonstrated by tic.
> 
> For the crash to happen the attacker needs to persuade the victim into
> running tic on their terminfo file first (there are no users of the
> _nc_write_entry function besides tic), and arbitrary code execution
> should be prevented by the stack protection.
> 
> Like the previous CVEs on ncurses published earlier this year, this
> should be tagged no-DSA in the tracker.

Sounds reasonable, I have marked it as such.

Do you plan to follow up as well with a jessie- and stretch-pu once
fixed in unstable?

Thanks for your work,

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#882620; Package ncurses. (Sat, 25 Nov 2017 10:57:02 GMT).


Acknowledgement sent to Sven Joachim <svenjoac@gmx.de>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 25 Nov 2017 10:57:03 GMT).


Message #26 received at 882620@bugs.debian.org:

From: Sven Joachim <svenjoac@gmx.de>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 882620@bugs.debian.org, Luciano Bello <luciano@debian.org>, secure-testing-team@lists.alioth.debian.org, team@security.debian.org
Subject: Re: Bug#882620: [CVE-2017-16879] ncurses: Stack-based buffer overflow
Date: Sat, 25 Nov 2017 11:52:38 +0100

On 2017-11-25 11:35 +0100, Salvatore Bonaccorso wrote:


> On Sat, Nov 25, 2017 at 10:27:14AM +0100, Sven Joachim wrote:
>> Control: severity -1 important
>> 
>> On 2017-11-24 16:23 -0500, Luciano Bello wrote:
>> 
>> > Package: ncurses
>> > X-Debbugs-CC: team@security.debian.org
>> > secure-testing-team@lists.alioth.debian.org
>> > Severity: grave
>> > Tags: security
>> >
>> > Hi,
>> >
>> > the following vulnerability was published for ncurses.
>> >
>> > CVE-2017-16879[0]:
>> > | Stack-based buffer overflow in the _nc_write_entry function in
>> > | tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial
>> > | of service (application crash) or possibly execute arbitrary code via
>> > | a crafted terminfo file, as demonstrated by tic.
>> 
>> For the crash to happen the attacker needs to persuade the victim into
>> running tic on their terminfo file first (there are no users of the
>> _nc_write_entry function besides tic), and arbitrary code execution
>> should be prevented by the stack protection.
>> 
>> Like the previous CVEs on ncurses published earlier this year, this
>> should be tagged no-DSA in the tracker.
>
> Sounds reasonable, I have marked it as such.
>
> Do you plan to follow up as well with a jessie- and stretch-pu once
> fixed in unstable?

Probably, depends on how easy it is to backport the patch(es).

Cheers,
       Sven



Added tag(s) pending. Request was from Sven Joachim <svenjoac@gmx.de> to control@bugs.debian.org. (Sun, 26 Nov 2017 15:42:04 GMT).


Message sent on to Luciano Bello <luciano@debian.org>:
Bug#882620. (Sun, 26 Nov 2017 15:42:06 GMT).


Message #31 received at 882620-submitter@bugs.debian.org:

From: Sven Joachim <svenjoac@gmx.de>
To: 882620-submitter@bugs.debian.org
Subject: Bug#882620 marked as pending
Date: Sun, 26 Nov 2017 15:38:29 +0000

tag 882620 pending
thanks

Hello,

Bug #882620 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/collab-maint/ncurses.git/commit/?id=18cf5a0

---
commit 18cf5a0f5e78e07d35250a83c9151a18d8d83fed
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Nov 26 14:27:10 2017 +0100

    Close bug #882620

diff --git a/debian/changelog b/debian/changelog
index 9dbd15c..b4fc27b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
 ncurses (6.0+20171125-1) UNRELEASED; urgency=medium
 
   * New upstream patchlevel.
+    - Modify _nc_write_entry() to truncate too-long filename (report by
+      Hosein Askari (CVE-2017-16879), Closes: #882620).
 
  -- Sven Joachim <svenjoac@gmx.de>  Sun, 26 Nov 2017 14:22:46 +0100
 
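Review bot: the two added lines under "* New upstream patchlevel." describe the mechanism (truncating a too-long filename) but never name the defect, so a reader scanning debian/changelog for security fixes has to spot the CVE id inside a nested parenthesis. Consider stating that this fixes a buffer overflow in _nc_write_entry(), for example "Fix buffer overflow in _nc_write_entry() by truncating too-long filename (CVE-2017-16879, report by Hosein Askari, Closes: #882620)". The diff shown touches only debian/changelog, so the code change itself arrives with the upstream patchlevel and cannot be checked from this commit; the commit subject "Close bug #882620" would also be easier to find later if it named the CVE.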



Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 26 Nov 2017 20:03:03 GMT).


Reply sent to Sven Joachim <svenjoac@gmx.de>:
You have taken responsibility. (Mon, 27 Nov 2017 17:21:04 GMT).


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Mon, 27 Nov 2017 17:21:04 GMT).


Message #38 received at 882620-close@bugs.debian.org:

From: Sven Joachim <svenjoac@gmx.de>
To: 882620-close@bugs.debian.org
Subject: Bug#882620: fixed in ncurses 6.0+20171125-1
Date: Mon, 27 Nov 2017 17:19:03 +0000

Source: ncurses
Source-Version: 6.0+20171125-1

We believe that the bug you reported is fixed in the latest version of
ncurses, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882620@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Joachim <svenjoac@gmx.de> (supplier of updated ncurses package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 27 Nov 2017 17:56:51 +0100
Source: ncurses
Binary: libtinfo5 libtinfo5-udeb libncurses5 libtinfo-dev libtinfo5-dbg libncurses5-dev libncurses5-dbg libncursesw5 libncursesw5-dev libncursesw5-dbg lib64ncurses5 lib64ncurses5-dev lib32ncurses5 lib32ncurses5-dev lib32ncursesw5 lib32ncursesw5-dev lib64tinfo5 lib32tinfo5 lib32tinfo-dev ncurses-bin ncurses-base ncurses-term ncurses-examples ncurses-doc
Architecture: source
Version: 6.0+20171125-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Sven Joachim <svenjoac@gmx.de>
Description:
 lib32ncurses5 - shared libraries for terminal handling (32-bit)
 lib32ncurses5-dev - developer's libraries for ncurses (32-bit)
 lib32ncursesw5 - shared libraries for terminal handling (wide character support) (
 lib32ncursesw5-dev - developer's libraries for ncursesw (32-bit)
 lib32tinfo-dev - developer's library for the low-level terminfo library (32-bit)
 lib32tinfo5 - shared low-level terminfo library for terminal handling (32-bit)
 lib64ncurses5 - shared libraries for terminal handling (64-bit)
 lib64ncurses5-dev - developer's libraries for ncurses (64-bit)
 lib64tinfo5 - shared low-level terminfo library for terminal handling (64-bit)
 libncurses5 - shared libraries for terminal handling
 libncurses5-dbg - debugging/profiling libraries for ncurses
 libncurses5-dev - developer's libraries for ncurses
 libncursesw5 - shared libraries for terminal handling (wide character support)
 libncursesw5-dbg - debugging/profiling libraries for ncursesw
 libncursesw5-dev - developer's libraries for ncursesw
 libtinfo-dev - developer's library for the low-level terminfo library
 libtinfo5  - shared low-level terminfo library for terminal handling
 libtinfo5-dbg - debugging/profiling library for the low-level terminfo library
 libtinfo5-udeb - shared low-level terminfo library for terminal handling - udeb (udeb)
 ncurses-base - basic terminal type definitions
 ncurses-bin - terminal-related programs and man pages
 ncurses-doc - developer's guide and documentation for ncurses
 ncurses-examples - test programs and examples for ncurses
 ncurses-term - additional terminal type definitions
Closes: 882620
Changes:
 ncurses (6.0+20171125-1) unstable; urgency=medium
 .
   * New upstream patchlevel.
     - Modify _nc_write_entry() to truncate too-long filename (report by
       Hosein Askari (CVE-2017-16879), Closes: #882620).
   * Change priority of the -dbg packages and the udeb to optional.
   * Delete trailing whitespace in debian/changelog.
   * Bump debhelper compatibility level to 10.
   * Switch from dh_autotools-dev_updateconfig to dh_update_autotools_config
     and drop the explicit autotools-dev build dependency.
   * Drop dpkg-dev build dependency, already fulfilled in oldstable.
   * Do not require (fake)root for building the packages.
   * Configure the test programs with --with-x11-rgb=/etc/X11/rgb.txt.




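The changelog above describes the fix as truncating a too-long filename in _nc_write_entry(). The following is an added example, not ncurses or Debian code: it shows a bounded way to build an entry's output path with truncation, plus a pre-flight check for terminfo source that has not yet been passed to tic. `PATH_BUF`, `build_entry_path` and `count_long_names` are hypothetical names, and the buffer size is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this sketch; ncurses uses its own limits. */
#define PATH_BUF 64

/*
 * Build "<first letter>/<name>", the one-letter subdirectory layout used
 * for compiled terminfo entries, into dst without writing past dstsz.
 * Returns 0 if the name fit, 1 if it was truncated, -1 on bad arguments.
 */
int build_entry_path(char *dst, size_t dstsz, const char *name)
{
    size_t room, len;
    int truncated = 0;

    if (dst == NULL || name == NULL || name[0] == '\0' || dstsz < 4)
        return -1;
    room = dstsz - 3;               /* letter + '/' + terminating NUL */
    len = strlen(name);
    if (len > room) {               /* too long: keep only what fits */
        len = room;
        truncated = 1;
    }
    dst[0] = name[0];
    dst[1] = '/';
    memcpy(dst + 2, name, len);
    dst[2 + len] = '\0';
    return truncated;
}

/*
 * Pre-flight check for terminfo source text: count entries whose primary
 * name (header-line text before the first '|' or ',') exceeds limit.
 * Header lines start in column 1; '#' lines are comments and lines that
 * start with whitespace continue the previous entry.
 */
int count_long_names(const char *src, size_t limit)
{
    int flagged = 0;
    const char *line = src;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);

        if (linelen > 0 && line[0] != '#' && line[0] != ' ' && line[0] != '\t') {
            size_t n = 0;
            while (n < linelen && line[n] != '|' && line[n] != ',')
                n++;
            if (n > limit)
                flagged++;
        }
        line += linelen;
        if (*line == '\n')
            line++;
    }
    return flagged;
}

int main(void)
{
    char path[PATH_BUF];
    char longname[101];
    char src[256];
    int rc;

    /* Constructed sample: one ordinary entry, one with a 100-byte name. */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    snprintf(src, sizeof src,
             "# constructed sample\ndemo|demo terminal,\n\tam, cols#80,\n"
             "%s|long name,\n\tam,\n", longname);

    printf("entries over limit: %d\n", count_long_names(src, PATH_BUF - 3));
    rc = build_entry_path(path, sizeof path, "demo");
    printf("rc=%d path=%s\n", rc, path);
    rc = build_entry_path(path, sizeof path, longname);
    printf("rc=%d path length=%zu\n", rc, strlen(path));
    return 0;
}
```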
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Jan 2018 07:25:57 GMT).


Bug unarchived. Request was from Sven Joachim <svenjoac@gmx.de> to control@bugs.debian.org. (Sun, 11 Feb 2018 09:21:02 GMT).


Added tag(s) stretch and jessie. Request was from Sven Joachim <svenjoac@gmx.de> to control@bugs.debian.org. (Sun, 11 Feb 2018 09:21:03 GMT).


Added tag(s) pending. Request was from Sven Joachim <svenjoac@gmx.de> to control@bugs.debian.org. (Sun, 11 Feb 2018 09:21:06 GMT).


Reply sent to Sven Joachim <svenjoac@gmx.de>:
You have taken responsibility. (Wed, 14 Feb 2018 21:21:43 GMT).


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Wed, 14 Feb 2018 21:21:43 GMT).


Message #51 received at 882620-close@bugs.debian.org:

From: Sven Joachim <svenjoac@gmx.de>
To: 882620-close@bugs.debian.org
Subject: Bug#882620: fixed in ncurses 6.0+20161126-1+deb9u2
Date: Wed, 14 Feb 2018 21:17:25 +0000

Source: ncurses
Source-Version: 6.0+20161126-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
ncurses, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882620@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Joachim <svenjoac@gmx.de> (supplier of updated ncurses package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 28 Dec 2017 10:47:33 +0100
Source: ncurses
Binary: libtinfo5 libtinfo5-udeb libncurses5 libtinfo-dev libtinfo5-dbg libncurses5-dev libncurses5-dbg libncursesw5 libncursesw5-dev libncursesw5-dbg lib64ncurses5 lib64ncurses5-dev lib32ncurses5 lib32ncurses5-dev lib32ncursesw5 lib32ncursesw5-dev lib64tinfo5 lib32tinfo5 lib32tinfo-dev ncurses-bin ncurses-base ncurses-term ncurses-examples ncurses-doc
Architecture: source
Version: 6.0+20161126-1+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Sven Joachim <svenjoac@gmx.de>
Description:
 lib32ncurses5 - shared libraries for terminal handling (32-bit)
 lib32ncurses5-dev - developer's libraries for ncurses (32-bit)
 lib32ncursesw5 - shared libraries for terminal handling (wide character support) (
 lib32ncursesw5-dev - developer's libraries for ncursesw (32-bit)
 lib32tinfo-dev - developer's library for the low-level terminfo library (32-bit)
 lib32tinfo5 - shared low-level terminfo library for terminal handling (32-bit)
 lib64ncurses5 - shared libraries for terminal handling (64-bit)
 lib64ncurses5-dev - developer's libraries for ncurses (64-bit)
 lib64tinfo5 - shared low-level terminfo library for terminal handling (64-bit)
 libncurses5 - shared libraries for terminal handling
 libncurses5-dbg - debugging/profiling libraries for ncurses
 libncurses5-dev - developer's libraries for ncurses
 libncursesw5 - shared libraries for terminal handling (wide character support)
 libncursesw5-dbg - debugging/profiling libraries for ncursesw
 libncursesw5-dev - developer's libraries for ncursesw
 libtinfo-dev - developer's library for the low-level terminfo library
 libtinfo5  - shared low-level terminfo library for terminal handling
 libtinfo5-dbg - debugging/profiling library for the low-level terminfo library
 libtinfo5-udeb - shared low-level terminfo library for terminal handling - udeb (udeb)
 ncurses-base - basic terminal type definitions
 ncurses-bin - terminal-related programs and man pages
 ncurses-doc - developer's guide and documentation for ncurses
 ncurses-examples - test programs and examples for ncurses
 ncurses-term - additional terminal type definitions
Closes: 882620
Changes:
 ncurses (6.0+20161126-1+deb9u2) stretch; urgency=medium
 .
   * Cherry-pick upstream fix from the 20171125 patchlevel to fix
     a buffer overflow in the _nc_write_entry function
     (CVE-2017-16879, Closes: #882620).




Reply sent to Sven Joachim <svenjoac@gmx.de>:
You have taken responsibility. (Tue, 12 Jun 2018 20:45:09 GMT).


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Tue, 12 Jun 2018 20:45:09 GMT).


Message #56 received at 882620-close@bugs.debian.org:

From: Sven Joachim <svenjoac@gmx.de>
To: 882620-close@bugs.debian.org
Subject: Bug#882620: fixed in ncurses 5.9+20140913-1+deb8u3
Date: Tue, 12 Jun 2018 20:43:56 +0000

Source: ncurses
Source-Version: 5.9+20140913-1+deb8u3

We believe that the bug you reported is fixed in the latest version of
ncurses, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882620@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Joachim <svenjoac@gmx.de> (supplier of updated ncurses package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 28 Dec 2017 11:14:57 +0100
Source: ncurses
Binary: libtinfo5 libncurses5 libtinfo-dev libtinfo5-dbg libncurses5-dev libncurses5-dbg libncursesw5 libncursesw5-dev libncursesw5-dbg lib64ncurses5 lib64ncurses5-dev lib32ncurses5 lib32ncurses5-dev lib32ncursesw5 lib32ncursesw5-dev lib64tinfo5 lib32tinfo5 lib32tinfo-dev ncurses-bin ncurses-base ncurses-term ncurses-examples ncurses-doc
Architecture: source all
Version: 5.9+20140913-1+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Sven Joachim <svenjoac@gmx.de>
Description:
 lib32ncurses5 - shared libraries for terminal handling (32-bit)
 lib32ncurses5-dev - developer's libraries for ncurses (32-bit)
 lib32ncursesw5 - shared libraries for terminal handling (wide character support) (
 lib32ncursesw5-dev - developer's libraries for ncursesw (32-bit)
 lib32tinfo-dev - developer's library for the low-level terminfo library (32-bit)
 lib32tinfo5 - shared low-level terminfo library for terminal handling (32-bit)
 lib64ncurses5 - shared libraries for terminal handling (64-bit)
 lib64ncurses5-dev - developer's libraries for ncurses (64-bit)
 lib64tinfo5 - shared low-level terminfo library for terminal handling (64-bit)
 libncurses5 - shared libraries for terminal handling
 libncurses5-dbg - debugging/profiling libraries for ncurses
 libncurses5-dev - developer's libraries for ncurses
 libncursesw5 - shared libraries for terminal handling (wide character support)
 libncursesw5-dbg - debugging/profiling libraries for ncursesw
 libncursesw5-dev - developer's libraries for ncursesw
 libtinfo-dev - developer's library for the low-level terminfo library
 libtinfo5  - shared low-level terminfo library for terminal handling
 libtinfo5-dbg - debugging/profiling library for the low-level terminfo library
 ncurses-base - basic terminal type definitions
 ncurses-bin - terminal-related programs and man pages
 ncurses-doc - developer's guide and documentation for ncurses
 ncurses-examples - test programs and examples for ncurses
 ncurses-term - additional terminal type definitions
Closes: 882620
Changes:
 ncurses (5.9+20140913-1+deb8u3) jessie; urgency=medium
 .
   * Cherry-pick upstream fix from the 20171125 patchlevel to fix
     a buffer overflow in the _nc_write_entry function
     (CVE-2017-16879, Closes: #882620).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 11 Jul 2018 07:25:51 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:22:39 2019; Machine Name: beach
