SUSE has issued an advisory today (July 6): https://lists.opensuse.org/opensuse-security-announce/2017-07/msg00004.html The issues sound important. They are apparently fixed upstream in the July 1st 2017 patchset: http://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00001.html Mageia 5 is also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
openSUSE has issued an advisory for this today (July 15): https://lists.opensuse.org/opensuse-updates/2017-07/msg00071.html
openSUSE has issued an advisory tomorrow (August 12): https://lists.opensuse.org/opensuse-updates/2017-08/msg00048.html It fixes a regression from the previous CVEs and adds CVE-2017-1111[23].
Summary: ncurses new security issues CVE-2017-10684 and CVE-2017-10685 => ncurses new security issues CVE-2017-1068[45] and CVE-2017-1111[23]
SUSE has issued an advisory on December 1: https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00002.html It fixes 7 new security issues.
Summary: ncurses new security issues CVE-2017-1068[45] and CVE-2017-1111[23] => ncurses new security issues CVE-2017-1068[45] CVE-2017-1111[23], CVE-2017-1372[89], CVE-2017-1373[0-3], CVE-2017-16879
Looking more closely, it looks like CVE-2017-1068[45] were partially fixed in the July 1 patch set, and fully fixed along with CVE-2017-1111[23] in the July 8 patch set, and the other CVEs were fixed later, but hopefully didn't affect 5.9.
Updates checked into SVN and submitted to the build system.
Advisory (Mageia 5):
========================

Updated ncurses packages fix security vulnerabilities:

Possible RCE via stack-based buffer overflow in the fmt_entry function (CVE-2017-10684).

Possible RCE with format string vulnerability in the fmt_entry function (CVE-2017-10685).

Illegal address access in append_acs (CVE-2017-11112).

Dereferencing NULL pointer in _nc_parse_entry (CVE-2017-11113).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113
https://lists.opensuse.org/opensuse-updates/2017-07/msg00071.html
https://lists.opensuse.org/opensuse-updates/2017-08/msg00048.html
========================

Updated packages in core/updates_testing:
========================
ncurses-5.9-21.1.mga5
libncurses5-5.9-21.1.mga5
libncursesw5-5.9-21.1.mga5
ncurses-extraterms-5.9-21.1.mga5
libncurses-devel-5.9-21.1.mga5
libncursesw-devel-5.9-21.1.mga5

from ncurses-5.9-21.1.mga5.src.rpm

Advisory (Mageia 6):
========================

Updated ncurses packages fix security vulnerabilities:

Possible RCE via stack-based buffer overflow in the fmt_entry function (CVE-2017-10684).

Possible RCE with format string vulnerability in the fmt_entry function (CVE-2017-10685).

Illegal address access in append_acs (CVE-2017-11112).

Dereferencing NULL pointer in _nc_parse_entry (CVE-2017-11113).

Fix infinite loop in the next_char function in comp_scan.c (CVE-2017-13728).

Fix illegal address access in the _nc_save_str (CVE-2017-13729).

Fix illegal address access in the function _nc_read_entry_source() (CVE-2017-13730).

Fix illegal address access in the function postprocess_termcap() (CVE-2017-13731).

Fix illegal address access in the function dump_uses() (CVE-2017-13732).

Fix illegal address access in the fmt_entry function (CVE-2017-13733).

Fix stack-based buffer overflow in the _nc_write_entry() function (CVE-2017-16879).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16879
http://invisible-island.net/ncurses/NEWS.html
https://lists.opensuse.org/opensuse-updates/2017-07/msg00071.html
https://lists.opensuse.org/opensuse-updates/2017-08/msg00048.html
https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00002.html
========================

Updated packages in core/updates_testing:
========================
ncurses-6.0-8.1.mga6
libncurses6-6.0-8.1.mga6
libncursesw6-6.0-8.1.mga6
libncurses5-6.0-8.1.mga6
libncursesw5-6.0-8.1.mga6
ncurses-extraterms-6.0-8.1.mga6
libncurses-devel-6.0-8.1.mga6
libncursesw-devel-6.0-8.1.mga6

from ncurses-6.0-8.1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Testing Mageia 5 x64
UPDATED to:
- lib64ncurses-devel-5.9-21.1.mga5.x86_64
- lib64ncurses5-5.9-21.1.mga5.x86_64
- lib64ncursesw5-5.9-21.1.mga5.x86_64
- ncurses-5.9-21.1.mga5.x86_64
- ncurses-extraterms-5.9-21.1.mga5.x86_64

Testing with:
# ettercap -C
which uses a full-screen curses interface. I had more trouble than necessary with this - needed to read its integral help '?'. Snag: ESC is not used at all, use Ctrl/Q. Once heeded, it seemed to function OK from the curses interface point of view.
--------
Running 'top' works.
-------
Testing also with:
$ irssi
which uses a full-screen curses interface. Managed to connect to our IRC channel after sussing how it works.
This update looks OK.
------
@David
Was about to do the 2 advisories from comment 7 - but whoa! Advisories are identified by the bug number. If we need 2 different advisories, I think we need 2 bugs. I do not see how to combine the two advisories into one.
CC: (none) => lewyssmith
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Lewis, nope, I guess you forgot. I figured you would since we haven't done it in a while, but our system supports multiple advisories per bug (if they are for different Mageia versions). Look in the advisories directory in SVN, you'll see many examples (for instance 16624 appears to be the last one we did like that, 16624.mga4.adv and 16624.mga5.adv).
(In reply to David Walser from comment #9)
> Lewis, nope, I guess you forgot.
No. first I ever heard about it. It is not documented at all in our Advisories Wiki page; to do.
> our system supports multiple advisories per bug (if they
> are for different Mageia versions).
> Look in the advisories directory in SVN, you'll see many examples (for
> instance 16624 appears to be the last one we did like that, 16624.mga4.adv
> and 16624.mga5.adv).
Yes indeed, I saw several such in my local advisories SVN directory. I got into a terrible mess, spare the details. At last both advisories up there.
Keywords: (none) => advisory
(In reply to Lewis Smith from comment #10)
> (In reply to David Walser from comment #9)
> > Lewis, nope, I guess you forgot.
> No. first I ever heard about it. It is not documented at all in our
> Advisories Wiki page; to do.
Oh I guess you started doing SVN advisories after we retired mga4. It's been a while since we've been supporting two releases at the same time.
Testing M6/64
Updated to:
- lib64ncurses-devel-6.0-8.1.mga6.x86_64
- lib64ncurses6-6.0-8.1.mga6.x86_64
- lib64ncursesw6-6.0-8.1.mga6.x86_64
- ncurses-6.0-8.1.mga6.x86_64
and added manually
- ncurses-extraterms-6.0-8.1.mga6.x86_64

Repeated exercises in comment 8 - from a 'real' console. Meant installing 'ettercap' & 'irssi'.

$ top
Fine.

# ettercap -C
ettercap-0.8.2-6.mga6
Not at all good. The interface disappeared entirely after some inputs, but could be got back with 'F' (for example) to re-display the menu bar & screen. It crashed always when trying Hosts-Scan for hosts. Re-trying it from a terminal window was similar, with poor display colours.
In case it mattered, I added updated:
- lib64ncurses5-6.0-8.1.mga6.x86_64
- lib64ncursesw5-6.0-8.1.mga6.x86_64
which made no difference. All I can try is to downgrade (to 6.0-8) all the packages and see. Which also made no difference, so the problem seems to be with ettercap rather than this update. Again the actual display (when intact) was good on a virtual console, poor in a graphical terminal window.
Re-updated all 7 pkgs.

$ irssi
Worked as well as I could drive it. The display & behaviour were impeccable. Connected to freenode & joined #mageia-qa, left both, all OK. Same from a terminal window.

As a final check I tried the only one of these I know, from a virtual console:
# drakdm
Impeccable.

Judging the ettercap problems unrelated to this update, OKing it. And, in our pressed situation, validating.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0001.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0002.html
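An added example, not part of the bug thread or of Mageia's tooling: a check of installed ncurses packages against the fixed releases named in the two advisories above (5.9-21.1.mga5 and 6.0-8.1.mga6). The input is assumed to come from `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`; the sample lines are constructed, and the comparison is a simplified rpmvercmp with no epoch, tilde or caret handling.

```python
import re

# Fixed version-release per Mageia release, as listed in the advisories in this thread.
FIXED = {"mga5": "5.9-21.1.mga5", "mga6": "6.0-8.1.mga6"}
# Binary package names from the thread (lib/lib64 variants, -devel, -extraterms).
NAME_RE = re.compile(r"^(lib(64)?ncursesw?(\d+|-devel)|ncurses(-extraterms)?)$")

def vercmp(a, b):
    """Simplified rpmvercmp: compare runs of digits/letters; returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def audit(lines):
    """Return (name, version-release, status) for every ncurses package seen."""
    findings = []
    for line in lines:
        name, evr = line.split()
        if not NAME_RE.match(name):
            continue
        fixed = FIXED.get(evr.rsplit(".", 1)[-1])  # dist tag, e.g. "mga6"
        if fixed is None:
            status = "unknown release"
        else:
            status = "VULNERABLE" if evr_cmp(evr, fixed) < 0 else "ok"
        findings.append((name, evr, status))
    return findings

# Constructed sample lines standing in for rpm output from two hosts.
SAMPLE = [
    "lib64ncurses5 5.9-21.mga5",
    "ncurses 5.9-21.1.mga5",
    "ncurses 6.0-8.mga6",
    "lib64ncursesw6 6.0-8.1.mga6",
    "bash 4.3-48.3.mga6",
]

if __name__ == "__main__":
    for name, evr, status in audit(SAMPLE):
        print(f"{name:20} {evr:18} {status}")
```

On a real host, `rpm` itself is the authority on version ordering; the comparison here only covers the plain numeric and alphabetic segments that appear in these package versions.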