On Wed, 2019-11-06 at 11:54 +0000, Adam D. Barratt wrote:
> Control: tags -1 + confirmed d-i
>
> On 2019-11-02 19:10, Sven Joachim wrote:
> > I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster,
> > fixing several bugs in tic's parser which have been reported last
> > month. Two of them are heap buffer overflows that have been
> > assigned CVE numbers and a Debian bug[1], two others are
> > out-of-bound-reads and one an infinite loop.
> >
> > I have verified that the reported crashes and the infinite loop
> > which I could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to
> > be fixed, at least with the submitted corrupt input files. Also,
> > the compiled terminfo files in ncurses-base and ncurses-term are
> > identical to the ones currently in buster.
> >
> > This upload touches the tinfo library which is used in the
> > installer, however to the best of my knowledge the changed
> > functions are only used by tic and not by any other packages.
>
> Nevertheless I'd appreciate a formal ACK there.

Given that the window for getting fixes into the 10.2 point release
closes this weekend, feel free to upload and we'll wait for the d-i ack
before deciding whether to include it in 10.2.

Regards,

Adam