GNU bug report logs - #27619
[PATCH] gnu: ncurses: Fix CVE-2017-10684 and CVE-2017-10685.

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 8 Jul 2017 15:13:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


Message #22 received at 27619-done <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 27619-done <at> debbugs.gnu.org
Subject: Re: [bug#27619] ncurses patch releases
Date: Tue, 11 Jul 2017 16:47:44 +0200

Leo Famulari <leo <at> famulari.name> wrote:

> On Mon, Jul 10, 2017 at 12:30:54PM +0200, Ludovic Courtès wrote:
>> Leo Famulari <leo <at> famulari.name> wrote:
>> 
>> > According to this message on bug-ncurses, the fixes could be incomplete,
>> > although I doubt that person is using the exact same subset of the
>> > upstream patch as the one I am proposing:
>> >
>> > https://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00008.html
>> >
>> > On the general subject of ncurses bugs, the ncurses author issues patch
>> > releases for ncurses frequently:
>> >
>> > ftp://invisible-island.net/ncurses/6.0/
>> >
>> > I didn't know that and I haven't read the changelogs to see if there are
>> > other very important fixes for us to use.
>> 
>> Indeed, it might be best to regularly upgrade from there.
>> 
>> BTW, what should we do in ‘core-updates’?  I would suggest at least
>> applying the patch you sent, and maybe upgrading to one of the releases
>> above, though I haven’t checked what fixes they contain.
>
> Since we are still making relatively "heavy" changes (groff and
> ghostscript), I'll apply these patches without a graft on core-updates.
> Then we should freeze it, for real :)

Sounds good!

> I looked into applying the upstream patch releases. It's not trivial,
> because some of them are "just patches" and some of them are shell
> scripts. So, we'll need to write some special code to build ncurses.
> I'd rather continue with core-updates and do this later.

OK.

> Also, I'd like for us to download these patch releases when needed
> instead of including them with Guix.
>
> It will mean that ncurses will almost always be grafted...

Yeah.

Thanks,
Ludo’.




This bug report was last modified 7 years and 320 days ago.
