Bug 33070

Summary: ncurses new security issue CVE-2023-45918
Product: Mageia
Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: Jani Välimaa <jani.valimaa>
Status: NEW ---
QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: 9   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: ncurses-6.3-20221203.2.1.mga9.src.rpm
CVE: CVE-2023-45918
Status comment: Patches available from SUSE and fixed upstream in 6.4-20230615

Description Nicolas Salguero 2024-04-09 10:20:43 CEST
SUSE has issued an advisory on April 8:
https://lwn.net/Articles/968983/

According to https://security-tracker.debian.org/tracker/CVE-2023-45918, it is fixed in ncurses-6.4-20230615 patchlevel.

Mageia 9 is also affected.
Nicolas Salguero 2024-04-09 10:21:28 CEST

Source RPM: (none) => ncurses-6.4-20240323.2.mga10.src.rpm
Status comment: (none) => Patches available from SUSE and fixed upstream in 6.4-20230615
CVE: (none) => CVE-2023-45918

Nicolas Salguero 2024-04-09 10:21:32 CEST

Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-04-09 21:09:51 CEST
Puzzled: The only 2023 version I see in Cauldron is 6.4-20230902, which looks more recent than the one containing the fix; we have since version 6.4-20240217, version 6.4-20240323. Is there a catch?

BTAIM assigning to wally who looks to be the current maintainer of ncurses.

Assignee: bugsquad => jani.valimaa

Nicolas Salguero 2024-04-11 09:34:16 CEST

Source RPM: ncurses-6.4-20240323.2.mga10.src.rpm => ncurses-6.3-20221203.2.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9