On 2017-09-23 19:59 +0100, Adam D. Barratt wrote:

> Control: tags -1 -moreinfo +confirmed
>
> On Thu, 2017-09-07 at 19:06 +0200, Cyril Brulebois wrote:
>> Sven Joachim <svenj...@gmx.de> (2017-09-06):
>> > Meanwhile seven new CVEs in the tic library and programs have been
>> > reported, and I would like to fix those as well, see the attached
>> > new debdiff. It contains all the library changes from the 20170826
>> > upstream patchlevel and the program fixes of the 20170902
>> > patchlevel. I have also attached the test cases for the 13 bugs
>> > reported in the Red Hat bugtracker.
>> >
>> > > > > I'd be okay with this, but it will need a kibi-ack due to the
>> > > > > udeb.
>> > > >
>> > > > The changes do not touch the tinfo library which is all that
>> > > > shipped in the udeb.
>> > >
>> > > To elaborate on that, ncurses/tinfo/{alloc,parse}_entry.c are
>> > > compiled into the tic library while progs/dump_entry.c is for the
>> > > infocmp and tic programs. Building 6.0+20161126-1 and
>> > > 6.0+20161126-1+deb9u1 in a stretch chroot produced identical
>> > > libtinfo.so.5.9 files.
>> >
>> > This is unfortunately no longer the case, since strings.c and
>> > trim_sgr0.c are compiled into the tinfo library. However, the
>> > changes to these files are small.
>>
>> I have no straightforward way to double check things still run
>> smoothly with stretch's d-i, so I'll follow whatever decision the
>> release team makes; if regressions pop up, we'll figure out how to
>> fix them.
>
> Let's go with it and keep our fingers crossed that any issues show up
> quickly.

Thanks, uploaded.

Cheers,
Sven