Bug 23135

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated ncurses package fixes security vulnerability:

A flaw was found in ncurses before 6.1.20180414 where a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax (CVE-2018-10754).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754
https://bugzilla.redhat.com/show_bug.cgi?id=1576119
========================

Updated packages in core/updates_testing:
========================
lib64ncurses5-6.0-8.2.mga6
lib64ncurses6-6.0-8.2.mga6
lib64ncurses-devel-6.0-8.2.mga6
lib64ncursesw5-6.0-8.2.mga6
lib64ncursesw6-6.0-8.2.mga6
lib64ncursesw-devel-6.0-8.2.mga6
ncurses-6.0-8.2.mga6
ncurses-extraterms-6.0-8.2.mga6

from ncurses-6.0-8.2.mga6.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=21197#c12

Assignee: pkg-bugs => qa-bugs
CC: (none) => mrambo
Keywords: (none) => has_procedure

Mageia 6, x86_64

Before updating:

CVE-2018-10754
https://bugzilla.redhat.com/show_bug.cgi?id=1566575
$ tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=�:tc=t���������������������������͸������ո��������������������� ������������ڸ������������������������������ڸ����������������������������������bbbbbbbbbbbbbbbbbbbbbbbbbbbb�����������������������������������������ո����������������������������������������������bbbWbbbbbbbbbbbbbbbbbbbbbbbb����������������bbbbbbb�����������������������������������������ո����������������������������������ڸ�����������������C@@:tc=t:cVVVVVVVV=�$C@@@@B��������������������������������������������������������������"
"POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z'
"POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t#
"POC", line 2, col 21, terminal 'invalid': Illegal character - '^H'
"POC", line 2, col 21, terminal 'invalid': unknown capability 't'
"POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H'
"POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t
Segmentation fault (core dumped)

----------------------------------------------------------------------------

Updated the packages:

- lib64ncurses-devel-6.0-8.2.mga6.x86_64
- lib64ncurses5-6.0-8.2.mga6.x86_64
- lib64ncurses6-6.0-8.2.mga6.x86_64
- lib64ncursesw-devel-6.0-8.2.mga6.x86_64
- lib64ncursesw5-6.0-8.2.mga6.x86_64
- lib64ncursesw6-6.0-8.2.mga6.x86_64
- ncurses-6.0-8.2.mga6.x86_64
- ncurses-extraterms-6.0-8.2.mga6.x86_64

$ tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=�:tc=t���������������������������͸������ո��������������������� ������������ڸ��������������������������
[...]
��������������������������������������������������������': Too much data, some is lost: 

Segmentation fault (core dumped)

This output resembles that from the pre-update test but is much more verbose which demonstrates that something has changed, like the application of a patch, but the segfault has not been intercepted.
Leaving this open for comments.

$ urpmq --whatrequires ncurses | sort -u
basesystem-minimal
cmus
eterm
gfs2-utils
kon2
mindi
ncurses
ncurses-extraterms
nethogs
quagga
tritonus-fluidsynth

Referring to the test procedure linked above:

$ strace top 2> top.trace
$ grep ncurses top.trace
$ urpmq --requires-recursive irssi | sort -u | grep ncurses
lib64ncurses6
$ urpmq --requires-recursive ettercap | sort -u | grep ncurses
lib64ncurses6
lib64ncursesw6

Installed ettercap and ran
$ ettercap -C
which showed the interface in a terminal.  Set some options from the menus but don't really have a clue about use and no time to investigate but curses is working.

irssi I am familiar with.  Onto freenode and joined #mageia-qa, gave a shout and left.  No problems.

Leaving this one hanging.  Shall check back in a week or so.  Probably OK.

CC: (none) => tarazed25

With the patch from https://patchwork.openembedded.org/patch/150918/, there is no more segmentation fault.

Advisory:
========================

Updated ncurses package fixes security vulnerability:

A flaw was found in ncurses before 6.1.20180414 where a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax (CVE-2018-10754).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754
https://bugzilla.redhat.com/show_bug.cgi?id=1576119
========================

Updated packages in core/updates_testing:
========================
lib(64)ncurses5-6.0-8.3.mga6
lib(64)ncurses6-6.0-8.3.mga6
lib(64)ncurses-devel-6.0-8.3.mga6
lib(64)ncursesw5-6.0-8.3.mga6
lib(64)ncursesw6-6.0-8.3.mga6
lib(64)ncursesw-devel-6.0-8.3.mga6
ncurses-6.0-8.3.mga6
ncurses-extraterms-6.0-8.3.mga6

from ncurses-6.0-8.3.mga6.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero

MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
Tried ettercap -C, that displayed a menu, I could click on these, but no reaction whatsoever
irssi: I could connect to freenode, join #mageia-qa, shouted a bit, but no response , left it.
drakdm shows up OK.
OK qs far as I am concerned.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0299.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

This is the same issue as CVE-2018-19211:
https://ubuntu.com/security/CVE-2018-19211