From: bug#27619 <27619@debbugs.gnu.org>
To: bug#27619 <27619@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: ncurses: Fix CVE-2017-10684 and CVE-2017-10685.
Reply-To: bug#27619 <27619@debbugs.gnu.org>
Date: Tue, 24 Jun 2025 03:15:22 +0000

retitle 27619 [PATCH] gnu: ncurses: Fix CVE-2017-10684 and CVE-2017-10685.
reassign 27619 guix-patches
submitter 27619 Leo Famulari
severity 27619 normal
tag 27619 patch
thanks

From: Leo Famulari To: guix-patches@gnu.org Subject: [PATCH] gnu: ncurses: Fix CVE-2017-10684 and CVE-2017-10685. Date: Sat, 8 Jul 2017 11:12:25 -0400 Message-Id: <4e81522dea150cbcc087a44959935008649cce36.1499526742.git.leo@famulari.name> X-Mailer: git-send-email 2.13.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.9 (/) * gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/ncurses.scm (ncurses)[replacement]: New field. (ncurses/fixed): New variable. --- gnu/local.mk | 1 + gnu/packages/ncurses.scm | 14 +- .../patches/ncurses-CVE-2017-10684-10685.patch | 200 +++++++++++++++++++++ 3 files changed, 214 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch diff --git a/gnu/local.mk b/gnu/local.mk index 1bcd790f2..67d655212 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -844,6 +844,7 @@ dist_patch_DATA = \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/musl-CVE-2016-8859.patch \ %D%/packages/patches/mutt-store-references.patch \ + %D%/packages/patches/ncurses-CVE-2017-10684-10685.patch \ %D%/packages/patches/net-tools-bitrot.patch \ %D%/packages/patches/netcdf-date-time.patch \ %D%/packages/patches/netcdf-tst_h_par.patch \ diff --git a/gnu/packages/ncurses.scm b/gnu/packages/ncurses.scm index 44a79e718..0b23baf12 100644 --- a/gnu/packages/ncurses.scm +++ b/gnu/packages/ncurses.scm 
@@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès ;;; Copyright © 2014, 2016 Mark H Weaver -;;; Copyright © 2015 Leo Famulari +;;; Copyright © 2015, 2017 Leo Famulari ;;; Copyright © 2016 ng0 ;;; Copyright © 2016 Efraim Flashner ;;; Copyright © 2016 Jan Nieuwenhuizen @@ -37,6 +37,7 @@ (define-public ncurses (package (name "ncurses") + (replacement ncurses/fixed) (version "6.0") (source (origin (method url-fetch) @@ -188,6 +189,17 @@ ncursesw library provides wide character support.") (license x11) (home-page "https://www.gnu.org/software/ncurses/"))) +(define ncurses/fixed + (package + (inherit ncurses) + (source + (origin + (inherit (package-source ncurses)) + (patches + (append + (origin-patches (package-source ncurses)) + (search-patches "ncurses-CVE-2017-10684-10685.patch"))))))) + (define-public dialog (package (name "dialog") diff --git a/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch b/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch new file mode 100644 index 000000000..1f1b26801 --- /dev/null +++ b/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch 
@@ -0,0 +1,200 @@ +Fix CVE-2017-10684 and CVE-2017-10685: + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685 + +Bug reports included proof of concept reproducer inputs: + +https://bugzilla.redhat.com/show_bug.cgi?id=1464684 +https://bugzilla.redhat.com/show_bug.cgi?id=1464685 +https://bugzilla.redhat.com/show_bug.cgi?id=1464686 +https://bugzilla.redhat.com/show_bug.cgi?id=1464687 +https://bugzilla.redhat.com/show_bug.cgi?id=1464688 +https://bugzilla.redhat.com/show_bug.cgi?id=1464691 +https://bugzilla.redhat.com/show_bug.cgi?id=1464692 + +Patches copied from ncurses patch release 20170701: + +ftp://invisible-island.net/ncurses/6.0/ncurses-6.0-20170701.patch.gz + +Excerpt from patch release announcement: + + + add/improve checks in tic's parser to address invalid input + (Redhat #1464684, #1464685, #1464686, #1464691). + + alloc_entry.c, add a check for a null-pointer. + + parse_entry.c, add several checks for valid pointers as well as + one check to ensure that a single character on a line is not + treated as the 2-character termcap short-name. + + the fixes for Redhat #1464685 obscured a problem subsequently + reported in Redhat #1464687; the given test-case was no longer + reproducible. Testing without the fixes for the earlier reports + showed a problem with buffer overflow in dump_entry.c, which is + addressed by reducing the use of a fixed-size buffer. 
+ +https://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00001.html + +--- ncurses-6.0-20170624+/ncurses/tinfo/alloc_entry.c 2017-04-09 23:33:51.000000000 +0000 ++++ ncurses-6.0-20170701/ncurses/tinfo/alloc_entry.c 2017-06-27 23:48:55.000000000 +0000 +@@ -96,7 +96,11 @@ + { + char *result = 0; + size_t old_next_free = next_free; +- size_t len = strlen(string) + 1; ++ size_t len; ++ ++ if (string == 0) ++ return _nc_save_str(""); ++ len = strlen(string) + 1; + + if (len == 1 && next_free != 0) { + /* +--- ncurses-6.0-20170624+/ncurses/tinfo/parse_entry.c 2017-06-24 22:59:46.000000000 +0000 ++++ ncurses-6.0-20170701/ncurses/tinfo/parse_entry.c 2017-06-28 00:53:12.000000000 +0000 +@@ -236,13 +236,14 @@ + * implemented it. Note that the resulting terminal type was never the + * 2-character name, but was instead the first alias after that. + */ ++#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|') + ptr = _nc_curr_token.tk_name; + if (_nc_syntax == SYN_TERMCAP + #if NCURSES_XNAMES + && !_nc_user_definable + #endif + ) { +- if (ptr[2] == '|') { ++ if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) { + ptr += 3; + _nc_curr_token.tk_name[2] = '\0'; + } +@@ -284,9 +285,11 @@ + if (is_use || is_tc) { + entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring); + entryp->uses[entryp->nuses].line = _nc_curr_line; +- entryp->nuses++; +- if (entryp->nuses > 1 && is_tc) { +- BAD_TC_USAGE ++ if (VALID_STRING(entryp->uses[entryp->nuses].name)) { ++ entryp->nuses++; ++ if (entryp->nuses > 1 && is_tc) { ++ BAD_TC_USAGE ++ } + } + } else { + /* normal token lookup */ +@@ -588,7 +591,7 @@ + static void + append_acs(string_desc * dst, int code, char *src) + { +- if (src != 0 && strlen(src) == 1) { ++ if (VALID_STRING(src) && strlen(src) == 1) { + append_acs0(dst, code, *src); + } + } +@@ -849,15 +852,14 @@ + } + + if (tp->Strings[to_ptr->nte_index]) { ++ const char *s = tp->Strings[from_ptr->nte_index]; ++ const char *t = tp->Strings[to_ptr->nte_index]; + /* 
There's no point in warning about it if it's the same + * string; that's just an inefficiency. + */ +- if (strcmp( +- tp->Strings[from_ptr->nte_index], +- tp->Strings[to_ptr->nte_index]) != 0) ++ if (VALID_STRING(s) && VALID_STRING(t) && strcmp(s, t) != 0) + _nc_warning("%s (%s) already has an explicit value %s, ignoring ko", +- ap->to, ap->from, +- _nc_visbuf(tp->Strings[to_ptr->nte_index])); ++ ap->to, ap->from, t); + continue; + } + +--- ncurses-6.0-20170624+/progs/dump_entry.c 2017-06-23 22:47:43.000000000 +0000 ++++ ncurses-6.0-20170701/progs/dump_entry.c 2017-07-01 11:27:29.000000000 +0000 +@@ -841,9 +841,10 @@ + PredIdx num_strings = 0; + bool outcount = 0; + +-#define WRAP_CONCAT \ +- wrap_concat(buffer); \ +- outcount = TRUE ++#define WRAP_CONCAT1(s) wrap_concat(s); outcount = TRUE ++#define WRAP_CONCAT2(a,b) wrap_concat(a); WRAP_CONCAT1(b) ++#define WRAP_CONCAT3(a,b,c) wrap_concat(a); WRAP_CONCAT2(b,c) ++#define WRAP_CONCAT WRAP_CONCAT1(buffer) + + len = 12; /* terminfo file-header */ + +@@ -1007,9 +1008,9 @@ + set_attributes = save_sgr; + + trimmed_sgr0 = _nc_trim_sgr0(tterm); +- if (strcmp(capability, trimmed_sgr0)) ++ if (strcmp(capability, trimmed_sgr0)) { + capability = trimmed_sgr0; +- else { ++ } else { + if (trimmed_sgr0 != exit_attribute_mode) + free(trimmed_sgr0); + } +@@ -1046,13 +1047,21 @@ + _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer)) + "%s=!!! 
%s WILL NOT CONVERT !!!", + name, srccap); ++ WRAP_CONCAT; + } else if (suppress_untranslatable) { + continue; + } else { + char *s = srccap, *d = buffer; +- _nc_SPRINTF(d, _nc_SLIMIT(sizeof(buffer)) "..%s=", name); +- d += strlen(d); ++ WRAP_CONCAT3("..", name, "="); + while ((*d = *s++) != 0) { ++ if ((d - buffer - 1) >= (int) sizeof(buffer)) { ++ fprintf(stderr, ++ "%s: value for %s is too long\n", ++ _nc_progname, ++ name); ++ *d = '\0'; ++ break; ++ } + if (*d == ':') { + *d++ = '\\'; + *d = ':'; +@@ -1061,13 +1070,12 @@ + } + d++; + } ++ WRAP_CONCAT; + } + } else { +- _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer)) +- "%s=%s", name, cv); ++ WRAP_CONCAT3(name, "=", cv); + } + len += (int) strlen(capability) + 1; +- WRAP_CONCAT; + } else { + char *src = _nc_tic_expand(capability, + outform == F_TERMINFO, numbers); +@@ -1083,8 +1091,7 @@ + strcpy_DYN(&tmpbuf, src); + } + len += (int) strlen(capability) + 1; +- wrap_concat(tmpbuf.text); +- outcount = TRUE; ++ WRAP_CONCAT1(tmpbuf.text); + } + } + /* e.g., trimmed_sgr0 */ +@@ -1526,7 +1533,8 @@ + } + if (len > critlen) { + (void) fprintf(stderr, +- "warning: %s entry is %d bytes long\n", ++ "%s: %s entry is %d bytes long\n", ++ _nc_progname, + _nc_first_name(tterm->term_names), + len); + SHOW_WHY("# WARNING: this entry, %d bytes long, may core-dump %s libraries!\n", -- 2.13.2 From debbugs-submit-bounces@debbugs.gnu.org Sat Jul 08 11:22:05 2017 Received: (at 27619) by debbugs.gnu.org; 8 Jul 2017 15:22:05 +0000 Received: from localhost ([127.0.0.1]:58024 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dTrYb-0007Wc-61 for submit@debbugs.gnu.org; Sat, 08 Jul 2017 11:22:05 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:54339) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dTrYZ-0007WV-TR for 27619@debbugs.gnu.org; Sat, 08 Jul 2017 11:22:04 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal 
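
Review bot: in the parse_entry.c hunk at -284,9 a use/tc value that fails VALID_STRING() is now dropped with no diagnostic. uses[nuses].name and uses[nuses].line are still written, and when the check fails nuses is simply not incremented, so tic builds the entry without the reference and says nothing. Suggest an else branch that calls _nc_warning() so the rejected reference is reported.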
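
Review bot: in the parse_entry.c hunk at -849,15 the "already has an explicit value" warning now passes t straight to "%s", where the removed lines wrapped the same string in _nc_visbuf(). t comes from tp->Strings[] of the entry being parsed, so its bytes now reach the diagnostic output unfiltered. If the wrapper was dropped on purpose, a comment saying why would help; otherwise suggest keeping _nc_visbuf(t) behind the new VALID_STRING(t) check.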
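
Review bot: the WRAP_CONCAT1, WRAP_CONCAT2 and WRAP_CONCAT3 macros added in the dump_entry.c hunk at -841,9 expand to several statements with no do { ... } while (0) wrapper. The call sites visible in this patch all sit inside braces, but under an unbraced if only the first wrap_concat() would be conditional and "outcount = TRUE" would always run. Suggest wrapping each macro body so later callers cannot trip over this.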
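
Review bot: the length check added in the dump_entry.c hunk at -1046,13 fires too late to protect buffer. The loop condition "while ((*d = *s++) != 0)" stores the byte before the body runs, and "(d - buffer - 1) >= (int) sizeof(buffer)" only becomes true once d is sizeof(buffer) + 1 bytes past the start, so two bytes beyond the array have already been written, and the "*d++ = '\\'; *d = ':';" branch below needs one more byte of headroom than a plain copy. Suggest testing with headroom for the escaped pair and the terminator, for example comparing d - buffer + 2 against sizeof(buffer), and raising it upstream, since the follow-up in this thread already notes the fixes could be incomplete.
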
Date: Sat, 8 Jul 2017 11:22:02 -0400
From: Leo Famulari
To: 27619@debbugs.gnu.org
Subject: ncurses patch releases
Message-ID: <20170708152202.GA3666@jasmine.lan>

According to this message on bug-ncurses, the fixes could be incomplete,
although I doubt that person is using the exact same subset of the
upstream patch as the one I am proposing:

https://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00008.html

On the general subject of ncurses bugs, the ncurses author issues patch
releases for ncurses frequently:

ftp://invisible-island.net/ncurses/6.0/

I didn't know that and I haven't read the changelogs to see if there are
other very important fixes for us to use.

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: 27619@debbugs.gnu.org
Subject: Re: [bug#27619] [PATCH] gnu: ncurses: Fix CVE-2017-10684 and CVE-2017-10685.
Date: Mon, 10 Jul 2017 12:29:03 +0200
Message-ID: <87mv8c60wg.fsf@gnu.org>
In-Reply-To: <4e81522dea150cbcc087a44959935008649cce36.1499526742.git.leo@famulari.name>

Leo Famulari wrote:

> * gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/ncurses.scm (ncurses)[replacement]: New field.
> (ncurses/fixed): New variable.

LGTM, thank you!

Ludo’.

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: 27619@debbugs.gnu.org
Subject: Re: [bug#27619] ncurses patch releases
Date: Mon, 10 Jul 2017 12:30:54 +0200
Message-ID: <87inj060td.fsf@gnu.org>
In-Reply-To: <20170708152202.GA3666@jasmine.lan>

Leo Famulari wrote:

> According to this message on bug-ncurses, the fixes could be incomplete,
> although I doubt that person is using the exact same subset of the
> upstream patch as the one I am proposing:
>
> https://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00008.html
>
> On the general subject of ncurses bugs, the ncurses author issues patch
> releases for ncurses frequently:
>
> ftp://invisible-island.net/ncurses/6.0/
>
> I didn't know that and I haven't read the changelogs to see if there are
> other very important fixes for us to use.

Indeed, it might be best to regularly upgrade from there.

BTW, what should we do in ‘core-updates’? I would suggest at least
applying the patch you sent, and maybe upgrading to one of the releases
above, though I haven’t checked what fixes they contain.

Thanks,
Ludo’.

Date: Mon, 10 Jul 2017 13:36:48 -0400
From: Leo Famulari
To: Ludovic Courtès
Cc: 27619-done@debbugs.gnu.org
Subject: Re: [bug#27619] ncurses patch releases
Message-ID: <20170710173648.GB21050@jasmine.lan>
In-Reply-To: <87inj060td.fsf@gnu.org>

On Mon, Jul 10, 2017 at 12:30:54PM +0200, Ludovic Courtès wrote:
> Leo Famulari wrote:
>
> > According to this message on bug-ncurses, the fixes could be incomplete,
> > although I doubt that person is using the exact same subset of the
> > upstream patch as the one I am proposing:
> >
> > https://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00008.html
> >
> > On the general subject of ncurses bugs, the ncurses author issues patch
> > releases for ncurses frequently:
> >
> > ftp://invisible-island.net/ncurses/6.0/
> >
> > I didn't know that and I haven't read the changelogs to see if there are
> > other very important fixes for us to use.
>
> Indeed, it might be best to regularly upgrade from there.
>
> BTW, what should we do in ‘core-updates’? I would suggest at least
> applying the patch you sent, and maybe upgrading to one of the releases
> above, though I haven’t checked what fixes they contain.

Since we are still making relatively "heavy" changes (groff and
ghostscript), I'll apply these patches without a graft on core-updates.
Then we should freeze it, for real :)

I looked into applying the upstream patch releases. It's not trivial,
because some of them are "just patches" and some of them are shell
scripts. So, we'll need to write some special code to build ncurses.
I'd rather continue with core-updates and do this later.

Also, I'd like for us to download these patch releases when needed
instead of including them with Guix.

It will mean that ncurses will almost always be grafted...

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: 27619-done@debbugs.gnu.org
Subject: Re: [bug#27619] ncurses patch releases
Date: Tue, 11 Jul 2017 16:47:44 +0200
Message-ID: <87shi3vxm7.fsf@gnu.org>
In-Reply-To: <20170710173648.GB21050@jasmine.lan>

Leo Famulari wrote:

> On Mon, Jul 10, 2017 at 12:30:54PM +0200, Ludovic Courtès wrote:
>> Leo Famulari wrote:
>>
>> > According to this message on bug-ncurses, the fixes could be incomplete,
>> > although I doubt that person is using the exact same subset of the
>> > upstream patch as the one I am proposing:
>> >
>> > https://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00008.html
>> >
>> > On the general subject of ncurses bugs, the ncurses author issues patch
>> > releases for ncurses frequently:
>> >
>> > ftp://invisible-island.net/ncurses/6.0/
>> >
>> > I didn't know that and I haven't read the changelogs to see if there are
>> > other very important fixes for us to use.
>>
>> Indeed, it might be best to regularly upgrade from there.
>>
>> BTW, what should we do in ‘core-updates’? I would suggest at least
>> applying the patch you sent, and maybe upgrading to one of the releases
>> above, though I haven’t checked what fixes they contain.
>
> Since we are still making relatively "heavy" changes (groff and
> ghostscript), I'll apply these patches without a graft on core-updates.
> Then we should freeze it, for real :)

Sounds good!

> I looked into applying the upstream patch releases. It's not trivial,
> because some of them are "just patches" and some of them are shell
> scripts. So, we'll need to write some special code to build ncurses.
> I'd rather continue with core-updates and do this later.

OK.

> Also, I'd like for us to download these patch releases when needed
> instead of including them with Guix.
>
> It will mean that ncurses will almost always be grafted...

Yeah.

Thanks,
Ludo’.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Wed, 09 Aug 2017 11:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator