Bug 33070 - ncurses new security issue CVE-2023-45918
Summary: ncurses new security issue CVE-2023-45918
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Jani Välimaa
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-09 10:20 CEST by Nicolas Salguero
Modified: 2024-04-11 09:34 CEST

See Also:
Source RPM: ncurses-6.3-20221203.2.1.mga9.src.rpm
CVE: CVE-2023-45918
Status comment: Patches available from SUSE and fixed upstream in 6.4-20230615



Description Nicolas Salguero 2024-04-09 10:20:43 CEST
SUSE has issued an advisory on April 8:
https://lwn.net/Articles/968983/

According to https://security-tracker.debian.org/tracker/CVE-2023-45918, it is fixed in ncurses-6.4-20230615 patchlevel.

Mageia 9 is also affected.
Nicolas Salguero 2024-04-09 10:21:28 CEST

Source RPM: (none) => ncurses-6.4-20240323.2.mga10.src.rpm
Status comment: (none) => Patches available from SUSE and fixed upstream in 6.4-20230615
CVE: (none) => CVE-2023-45918

Nicolas Salguero 2024-04-09 10:21:32 CEST

Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-04-09 21:09:51 CEST
Puzzled: The only 2023 version I see in Cauldron is 6.4-20230902, which looks more recent than the one containing the fix; we have since version 6.4-20240217, version 6.4-20240323. Is there a catch?

BTAIM assigning to wally who looks to be the current maintainer of ncurses.

Assignee: bugsquad => jani.valimaa

Nicolas Salguero 2024-04-11 09:34:16 CEST

Source RPM: ncurses-6.4-20240323.2.mga10.src.rpm => ncurses-6.3-20221203.2.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

