Bug 25814 - ncurses new security issues CVE-2019-17594 and CVE-2019-17595
Summary: ncurses new security issues CVE-2019-17594 and CVE-2019-17595
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-03 22:23 CET by David Walser
Modified: 2019-12-14 01:38 CET

See Also:
Source RPM: ncurses-6.1-20181117.3.mga7
CVE:
Status comment:



Description David Walser 2019-12-03 22:23:59 CET
openSUSE has issued an advisory on November 24:
https://lists.opensuse.org/opensuse-updates/2019-11/msg00126.html

The issues are fixed upstream in 6.1-20191012.

Mageia 7 is also affected.

David Walser 2019-12-03 22:24:16 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Jani Välimaa 2019-12-10 19:19:50 CET
Fixed in cauldron.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: ncurses-6.1-20190817.1.mga8.src.rpm => ncurses-6.1-20181117.3.mga7

Comment 2 Jani Välimaa 2019-12-10 19:22:08 CET
Pushed ncurses-6.1-20181117.3.1.mga7 with patches from OpenSUSE to mga7 core/updates_testing.

Please test.

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs

Comment 3 David Walser 2019-12-10 22:57:18 CET
Advisory:
========================

Updated ncurses packages fix security vulnerability:

Heap-based buffer over-read in the _nc_find_entry function (CVE-2019-17594).

Heap-based buffer over-read in the fmt_entry function (CVE-2019-17595).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595
https://lists.opensuse.org/opensuse-updates/2019-11/msg00126.html
========================

Updated packages in core/updates_testing:
========================
ncurses-6.1-20181117.3.1.mga7
libncurses6-6.1-20181117.3.1.mga7
libncursesw6-6.1-20181117.3.1.mga7
libncurses5-6.1-20181117.3.1.mga7
libncursesw5-6.1-20181117.3.1.mga7
ncurses-extraterms-6.1-20181117.3.1.mga7
libncurses-devel-6.1-20181117.3.1.mga7
libncursesw-devel-6.1-20181117.3.1.mga7

from ncurses-6.1-20181117.3.1.mga7.src.rpm

Comment 4 Brian Rockwell 2019-12-13 18:55:38 CET
MGA7-64 

installed

- lib64ncurses-devel-6.1-20181117.3.1.mga7.x86_64
- lib64ncurses5-6.1-20181117.3.1.mga7.x86_64
- lib64ncurses6-6.1-20181117.3.1.mga7.x86_64
- lib64ncursesw-devel-6.1-20181117.3.1.mga7.x86_64
- lib64ncursesw5-6.1-20181117.3.1.mga7.x86_64
- lib64ncursesw6-6.1-20181117.3.1.mga7.x86_64
- ncurses-6.1-20181117.3.1.mga7.x86_64
- ncurses-extraterms-6.1-20181117.3.1.mga7.x86_64

then installed irssi

connected and said "hi" to some folks at Mageia.

No time to write code, so focused on this.

Working for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Comment 5 Thomas Andrews 2019-12-14 00:03:47 CET
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-14 00:48:54 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2019-12-14 01:38:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0387.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

