GNU bug report logs - #27619
[PATCH] gnu: ncurses: Fix CVE-2017-10684 and CVE-2017-10685.


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 8 Jul 2017 15:13:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Message #19 received at 27619-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 27619-done <at> debbugs.gnu.org
Subject: Re: [bug#27619] ncurses patch releases
Date: Mon, 10 Jul 2017 13:36:48 -0400
On Mon, Jul 10, 2017 at 12:30:54PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> wrote:
> 
> > According to this message on bug-ncurses, the fixes could be incomplete,
> > although I doubt that person is using the exact same subset of the
> > upstream patch as the one I am proposing:
> >
> > https://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00008.html
> >
> > On the general subject of ncurses bugs, the ncurses author issues patch
> > releases for ncurses frequently:
> >
> > ftp://invisible-island.net/ncurses/6.0/
> >
> > I didn't know that and I haven't read the changelogs to see if there are
> > other very important fixes for us to use.
> 
> Indeed, it might be best to regularly upgrade from there.
> 
> BTW, what should we do in ‘core-updates’?  I would suggest at least
> applying the patch you sent, and maybe upgrading to one of the releases
> above, though I haven’t checked what fixes they contain.

Since we are still making relatively "heavy" changes (groff and
ghostscript), I'll apply these patches without a graft on core-updates.
Then we should freeze it, for real :)

I looked into applying the upstream patch releases. It's not trivial,
because some of them are "just patches" and some of them are shell
scripts. So, we'll need to write some special code to build ncurses.
I'd rather continue with core-updates and do this later.

Also, I'd like for us to download these patch releases when needed
instead of including them with Guix.

It will mean that ncurses will almost always be grafted...

This bug report was last modified 7 years and 320 days ago.


