Bug#885582: stretch-pu: package ncurses/6.0+20161126-1+deb9u2

[Sven Joachim]

Package: release.debian.org
Severity: normal
Tags: stretch d-i
User: release.debian....@packages.debian.org
Usertags: pu

I would like to fix bug #882620 aka CVE-2017-16879 in stretch, a buffer
overflow in the _nc_write_entry function.

While this touches the tinfo library used in the installer,
_nc_write_entry() is only used by tic as far as I am aware.

Cheers,
       Sven


diff -Nru ncurses-6.0+20161126/debian/changelog ncurses-6.0+20161126/debian/changelog
--- ncurses-6.0+20161126/debian/changelog	2017-09-07 19:05:43.000000000 +0200
+++ ncurses-6.0+20161126/debian/changelog	2017-12-28 10:47:33.000000000 +0100
@@ -1,3 +1,11 @@
+ncurses (6.0+20161126-1+deb9u2) stretch; urgency=medium
+
+  * Cherry-pick upstream fix from the 20171125 patchlevel to fix
+    a buffer overflow in the _nc_write_entry function
+    (CVE-2017-16879, Closes: #882620).
+
+ -- Sven Joachim <svenj...@gmx.de>  Thu, 28 Dec 2017 10:47:33 +0100
+
 ncurses (6.0+20161126-1+deb9u1) stretch; urgency=medium
 
   * Cherry-pick upstream fixes from the 20170701 and 20170708 patchlevels
diff -Nru ncurses-6.0+20161126/debian/patches/cve-2017-16879.diff ncurses-6.0+20161126/debian/patches/cve-2017-16879.diff
--- ncurses-6.0+20161126/debian/patches/cve-2017-16879.diff	1970-01-01 01:00:00.000000000 +0100
+++ ncurses-6.0+20161126/debian/patches/cve-2017-16879.diff	2017-12-28 10:32:23.000000000 +0100
@@ -0,0 +1,44 @@
+Author: Sven Joachim <svenj...@gmx.de>
+Description: Fix for CVE-2017-16879 in the _nc_write_entry function
+ Fix for CVE-2017-16879 cherry-picked from upstream patchlevel
+ 20171125.
+Bug-Debian: https://bugs.debian.org/882620
+Forwarded: not-needed
+Last-Update: 2017-11-27
+
+---
+ ncurses/tinfo/write_entry.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/ncurses/tinfo/write_entry.c
++++ b/ncurses/tinfo/write_entry.c
+@@ -267,6 +267,9 @@ _nc_write_entry(TERMTYPE *const tp)
+ #endif
+ #endif /* USE_SYMLINKS */
+ 
++    unsigned limit2 = sizeof(filename) - (2 + LEAF_LEN);
++    char saved = '\0';
++
+     static int call_count;
+     static time_t start_time;	/* time at start of writes */
+ 
+@@ -365,12 +368,18 @@ _nc_write_entry(TERMTYPE *const tp)
+ 	start_time = 0;
+     }
+ 
+-    if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN))
++    if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN)) {
+ 	_nc_warning("terminal name too long.");
++	saved = first_name[limit2];
++	first_name[limit2] = '\0';
++    }
+ 
+     _nc_SPRINTF(filename, _nc_SLIMIT(sizeof(filename))
+ 		LEAF_FMT "/%s", first_name[0], first_name);
+ 
++    if (saved)
++	first_name[limit2] = saved;
++
+     /*
+      * Has this primary name been written since the first call to
+      * write_entry()?  If so, the newer write will step on the older,
diff -Nru ncurses-6.0+20161126/debian/patches/series ncurses-6.0+20161126/debian/patches/series
--- ncurses-6.0+20161126/debian/patches/series	2017-09-07 19:05:43.000000000 +0200
+++ ncurses-6.0+20161126/debian/patches/series	2017-12-28 10:32:23.000000000 +0100
@@ -5,3 +5,4 @@
 termcap-fix.diff
 more-cve-fixes.diff
 cve-2017-13733.diff
+cve-2017-16879.diff