Bug 31792

Summary: ncurses new security issue CVE-2023-29491
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, jani.valimaa, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: ncurses-6.3-20221203.2.mga9.src.rpm CVE: CVE-2023-29491
Status comment:
Bug Depends on:    
Bug Blocks: 30549    

Description David Walser 2023-04-13 17:06:05 CEST 
Security issues fixed upstream in ncurses have been announced on April 12:
https://www.openwall.com/lists/oss-security/2023/04/12/5

It sounds like multiple fixes/vulnerabilities, but just one CVE was requested.

The issues are fixed upstream in 20230408.

Mageia 8 is also affected.
David Walser 2023-04-13 17:06:15 CEST

Status comment: (none) => Fixed upstream in 20230408
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-04-13 21:39:28 CEST 
Assigning globally as this pkg has no evident maintainer; CC'ing wally who has done most version updates for it.

CC: (none) => jani.valimaa
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2023-04-14 02:01:07 CEST 
As noted in the thread linked in Comment 0, the latest upstream ncurses is also causing some issues, two of which are detailed by Gentoo:
https://bugs.gentoo.org/904277
https://bugs.gentoo.org/904263
Comment 3 David Walser 2023-05-09 17:34:28 CEST 
SUSE has issued an advisory for this on May 8:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014766.html
Comment 4 David Walser 2023-06-16 00:25:49 CEST 
Ubuntu has issued an advisory for this on May 23:
https://ubuntu.com/security/notices/USN-6099-1

Blocks: (none) => 30549

Comment 5 Nicolas Salguero 2023-11-24 12:36:15 CET 
Ubuntu has issued an advisory for this:
https://lwn.net/Articles/952268/

CC: (none) => nicolas.salguero

Nicolas Salguero 2023-11-24 12:36:22 CET

Whiteboard: MGA8TOO => MGA9TOO, MGA8TOO

Comment 6 Nicolas Salguero 2023-11-24 15:42:54 CET 
(In reply to Nicolas Salguero from comment #5)
> Ubuntu has issued an advisory for this:
> https://lwn.net/Articles/952268/

Ooops, I meant: "RedHat has issued an advisory for this"
Comment 7 Nicolas Salguero 2024-03-12 11:16:50 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Local users can trigger security-relevant memory corruption via malformed data. (CVE-2023-29491)

References:
https://www.openwall.com/lists/oss-security/2023/04/12/5
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014766.html
https://ubuntu.com/security/notices/USN-6099-1
https://lwn.net/Articles/952268/
========================

Updated packages in core/updates_testing:
========================
lib(64)ncurses++6-6.3-20221203.2.1.mga9
lib(64)ncurses-devel-6.3-20221203.2.1.mga9
lib(64)ncurses5-6.3-20221203.2.1.mga9
lib(64)ncurses6-6.3-20221203.2.1.mga9
lib(64)ncursesw++6-6.3-20221203.2.1.mga9
lib(64)ncursesw-devel-6.3-20221203.2.1.mga9
lib(64)ncursesw5-6.3-20221203.2.1.mga9
lib(64)ncursesw6-6.3-20221203.2.1.mga9
ncurses-6.3-20221203.2.1.mga9
ncurses-extraterms-6.3-20221203.2.1.mga9

from SRPM:
ncurses-6.3-20221203.2.1.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2023-29491
Version: Cauldron => 9
Whiteboard: MGA9TOO, MGA8TOO => (none)
Status comment: Fixed upstream in 20230408 => (none)

katnatek 2024-03-12 21:53:58 CET

Keywords: (none) => advisory

Comment 8 katnatek 2024-03-12 23:25:30 CET 
RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing lib64ncurses++6-6.3-20221203.2.1.mga9.x86_64.rpm ncurses-extraterms-6.3-20221203.2.1.mga9.x86_64.rpm ncurses-6.3-20221203.2.1.mga9.x86_64.rpm lib64ncurses-devel-6.3-20221203.2.1.mga9.x86_64.rpm lib64ncursesw6-6.3-20221203.2.1.mga9.x86_64.rpm lib64ncurses6-6.3-20221203.2.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/6: lib64ncurses6         ##################################################################################################
      2/6: lib64ncurses++6       ##################################################################################################
      3/6: ncurses               ##################################################################################################
      4/6: ncurses-extraterms    ##################################################################################################
      5/6: lib64ncurses-devel    ##################################################################################################
      6/6: lib64ncursesw6        ##################################################################################################
      1/6: removing lib64ncurses-devel-6.3-20221203.2.mga9.x86_64
                                 ##################################################################################################
      2/6: removing ncurses-extraterms-6.3-20221203.2.mga9.x86_64
                                 ##################################################################################################
      3/6: removing lib64ncurses++6-6.3-20221203.2.mga9.x86_64
                                 ##################################################################################################
      4/6: removing ncurses-6.3-20221203.2.mga9.x86_64
                                 ##################################################################################################
      5/6: removing lib64ncursesw6-6.3-20221203.2.mga9.x86_64
                                 ##################################################################################################
      6/6: removing lib64ncurses6-6.3-20221203.2.mga9.x86_64
                                 ##################################################################################################

Used to test ncurses version of mcc , look good to me
Comment 9 Herman Viaene 2024-03-15 10:59:30 CET 
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
Ref bug 23135, coukd open ettercap, but cann't get any further. More succes with irssi, I could connect to irc.libera.chat and list the available channels.
That's enough to demonstrate ncurses.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

katnatek 2024-03-15 18:35:12 CET

CC: (none) => andrewsfarm

Comment 10 Thomas Andrews 2024-03-15 22:48:35 CET 
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 11 Mageia Robot 2024-03-15 23:53:02 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0065.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED