Bug 25814

Summary: ncurses new security issues CVE-2019-17594 and CVE-2019-17595
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, brtians1, jani.valimaa, sysadmin-bugs, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: ncurses-6.1-20181117.3.mga7
CVE:
Status comment:

Description David Walser 2019-12-03 22:23:59 CET
openSUSE has issued an advisory on November 24:
https://lists.opensuse.org/opensuse-updates/2019-11/msg00126.html

The issues are fixed upstream in 6.1-20191012.

Mageia 7 is also affected.

David Walser 2019-12-03 22:24:16 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Jani Välimaa 2019-12-10 19:19:50 CET
Fixed in cauldron.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: ncurses-6.1-20190817.1.mga8.src.rpm => ncurses-6.1-20181117.3.mga7

Comment 2 Jani Välimaa 2019-12-10 19:22:08 CET
Pushed ncurses-6.1-20181117.3.1.mga7 with patches from OpenSUSE to mga7 core/updates_testing.

Please test.

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs

Comment 3 David Walser 2019-12-10 22:57:18 CET
Advisory:
========================

Updated ncurses packages fix security vulnerabilities:

Heap-based buffer over-read in the _nc_find_entry function (CVE-2019-17594).

Heap-based buffer over-read in the fmt_entry function (CVE-2019-17595).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595
https://lists.opensuse.org/opensuse-updates/2019-11/msg00126.html
========================

Updated packages in core/updates_testing:
========================
ncurses-6.1-20181117.3.1.mga7
libncurses6-6.1-20181117.3.1.mga7
libncursesw6-6.1-20181117.3.1.mga7
libncurses5-6.1-20181117.3.1.mga7
libncursesw5-6.1-20181117.3.1.mga7
ncurses-extraterms-6.1-20181117.3.1.mga7
libncurses-devel-6.1-20181117.3.1.mga7
libncursesw-devel-6.1-20181117.3.1.mga7

from ncurses-6.1-20181117.3.1.mga7.src.rpm

Comment 4 Brian Rockwell 2019-12-13 18:55:38 CET
MGA7-64 

installed

- lib64ncurses-devel-6.1-20181117.3.1.mga7.x86_64
- lib64ncurses5-6.1-20181117.3.1.mga7.x86_64
- lib64ncurses6-6.1-20181117.3.1.mga7.x86_64
- lib64ncursesw-devel-6.1-20181117.3.1.mga7.x86_64
- lib64ncursesw5-6.1-20181117.3.1.mga7.x86_64
- lib64ncursesw6-6.1-20181117.3.1.mga7.x86_64
- ncurses-6.1-20181117.3.1.mga7.x86_64
- ncurses-extraterms-6.1-20181117.3.1.mga7.x86_64

then installed irssi

connected and said "hi" to some folks at mageia.

No time to write code, so focused on this.

Working for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Comment 5 Thomas Andrews 2019-12-14 00:03:47 CET
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-14 00:48:54 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2019-12-14 01:38:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0387.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED