
Debian Bug report logs - #972100
CVE-2019-15547 CVE-2019-15548


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 12 Oct 2020 18:12:01 UTC

Severity: grave

Tags: security, upstream

Found in version rust-ncurses/5.99.0-3



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>:
Bug#972100; Package src:rust-ncurses. (Mon, 12 Oct 2020 18:12:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>. (Mon, 12 Oct 2020 18:12:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-15547 CVE-2019-15548
Date: Mon, 12 Oct 2020 20:08:22 +0200
Source: rust-ncurses
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

This was assigned CVE-2019-15547 and CVE-2019-15548:
https://rustsec.org/advisories/RUSTSEC-2019-0006.html

Cheers,
        Moritz



Marked as found in versions rust-ncurses/5.99.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 12 Oct 2020 19:15:04 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 12 Oct 2020 19:15:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>:
Bug#972100; Package src:rust-ncurses. (Wed, 14 Oct 2020 03:57:03 GMT)


Acknowledgement sent to peter green <plugwash@p10link.net>:
Extra info received and forwarded to list. Copy sent to Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>. (Wed, 14 Oct 2020 03:57:03 GMT)


Message #14 received at 972100@bugs.debian.org:

From: peter green <plugwash@p10link.net>
To: 972100@bugs.debian.org
Subject: Re: CVE-2019-15547 CVE-2019-15548 (rust-ncurses)
Date: Wed, 14 Oct 2020 04:54:08 +0100
I just looked at this issue.

rust-ncurses is a thin wrapper around ncurses. It exposes unsafe (in the rust sense) C
APIs to safe rust code. The rust security team consider this to be a vulnerability.

There is more discussion of this issue at https://github.com/jeaye/ncurses-rs/issues/188.
The fix would be to mark most if not all of the functions exposed by the library as
unsafe and release a new major version of the library. Any reverse dependencies would
then need to be adapted to work with the new unsafe functions. The upstream maintainer
has indicated they would be accepting of a pull request but is not interested in doing
the work themselves.

There is also another wrapper called ncursesw which seems to be better maintained
and offers both low-level wrappers (correctly marked as unsafe) and higher-level
wrappers (some of which are safe). It is not packaged in Debian.

I looked to see what, if any, packages in Debian use rust-ncurses and I did not find
any in either buster, bullseye or sid. Is there a reason to keep this package around?
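As an added example (not code from ncurses-rs or from this bug report), the layering peter green describes: a raw-pointer C function exposed through a safe signature, the same binding correctly marked unsafe, and a safe higher-level wrapper whose parameter type carries the invariant. The C function is stood in for by a Rust function with the same contract so the example runs without linking ncurses; all names are assumptions.

```rust
// Added example, not ncurses-rs code. `c_strlen` stands in for a C API that
// takes a raw pointer; it is written in Rust only so that nothing external
// needs to be linked (assumption for this example).
use std::ffi::{CStr, CString};
use std::os::raw::c_char;

/// Stand-in for a C function: walks `s` until NUL. Like the real C side it
/// cannot check that `s` is valid; an invalid pointer is undefined behaviour.
///
/// # Safety
/// `s` must be non-null and point to a readable NUL-terminated string.
pub unsafe fn c_strlen(s: *const c_char) -> usize {
    let mut n = 0;
    while *s.add(n) != 0 {
        n += 1;
    }
    n
}

/// BEFORE: the pattern reported as the vulnerability. The signature is safe,
/// so ordinary Rust code can pass a null or dangling pointer and the wrapper
/// forwards it unchecked. Never call it with anything but a valid pointer.
pub fn unsound_strlen(s: *const c_char) -> usize {
    unsafe { c_strlen(s) }
}

/// AFTER, low level: the same binding marked `unsafe`, so the obligation moves
/// to the caller. This is the "mark the functions as unsafe" fix; it breaks
/// callers, which is why it needs a new major version.
///
/// # Safety
/// Same requirements as `c_strlen`.
pub unsafe fn raw_strlen(s: *const c_char) -> usize {
    c_strlen(s)
}

/// AFTER, high level: a safe wrapper whose parameter type guarantees the
/// invariant, so the `unsafe` block is justified locally.
pub fn safe_strlen(s: &CStr) -> usize {
    // SAFETY: a `&CStr` always points to a valid NUL-terminated string.
    unsafe { raw_strlen(s.as_ptr()) }
}

/// Safe entry point from a Rust `&str`; `CString::new` refuses interior NUL
/// bytes instead of letting a silently truncated string reach the C side.
pub fn strlen_of(s: &str) -> Option<usize> {
    let c = CString::new(s).ok()?;
    Some(safe_strlen(&c))
}
```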



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>:
Bug#972100; Package src:rust-ncurses. (Wed, 14 Oct 2020 06:27:02 GMT)


Acknowledgement sent to Alexander Kjäll <alexander.kjall@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>. (Wed, 14 Oct 2020 06:27:02 GMT)


Message #19 received at 972100@bugs.debian.org:

From: Alexander Kjäll <alexander.kjall@gmail.com>
To: peter green <plugwash@p10link.net>, 972100@bugs.debian.org
Subject: Re: [Pkg-rust-maintainers] Bug#972100: CVE-2019-15547 CVE-2019-15548 (rust-ncurses)
Date: Wed, 14 Oct 2020 08:23:32 +0200
Hi

I'm slowly working my way towards packaging ripasso, which doesn't use
ncurses-rs due to the above security problems. But it does use cursive
( https://crates.io/crates/cursive ), which has ncurses-rs as an
optional dependency.

Currently the Rust packaging system in Debian requires all optional
dependencies to be present in order to build the package.

I have suggested to the cursive maintainer to remove ncurses-rs due to
the above security concerns here (
https://github.com/gyscos/cursive/issues/488 ), but I suspect that this
would be considered quite a disruptive change. I have also started to
rewrite it to use ncursesw but haven't had the time/skill to finish
that work yet.

I'm not opposed to removing it, as that kind of unmaintained code with
known security problems is an exploit waiting to happen. But it would
also require a lot of work to happen before we can package anything
that depends on cursive into Debian.

best regards
Alexander Kjäll

On Wed, 14 Oct 2020 at 05:57, peter green <plugwash@p10link.net> wrote:
>
> I just looked at this issue.
>
> rust-ncurses is a thin wrapper around ncurses. It exposes unsafe (in the rust sense) C
> APIs to safe rust code. The rust security team consider this to be a vulnerability.
>
> There is more discussion of this issue at https://github.com/jeaye/ncurses-rs/issues/188.
> The fix would be to mark most if not all of the functions exposed by the library as
> unsafe and release a new major version of the library. Any reverse dependencies would
> then need to be adapted to work with the new unsafe functions. The upstream maintainer
> has indicated they would be accepting of a pull request but is not interested in doing
> the work themselves.
>
> There is also another wrapper called ncursesw which seems to be better maintained
> and offers both low-level wrappers (correctly marked as unsafe) and higher-level
> wrappers (some of which are safe). It is not packaged in Debian.
>
> I looked to see what, if any, packages in Debian use rust-ncurses and I did not find
> any in either buster, bullseye or sid. Is there a reason to keep this package around?
>
> _______________________________________________
> Pkg-rust-maintainers mailing list
> Pkg-rust-maintainers@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-rust-maintainers





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 14 10:34:58 2020; Machine Name: bembo
