On 2017-11-25 11:35 +0100, Salvatore Bonaccorso wrote:
> On Sat, Nov 25, 2017 at 10:27:14AM +0100, Sven Joachim wrote:
>> Control: severity -1 important
>>
>> On 2017-11-24 16:23 -0500, Luciano Bello wrote:
>>
>> > Package: ncurses
>> > X-Debbugs-CC: t...@security.debian.org
>> > secure-testing-t...@lists.alioth.debian.org
>> > Severity: grave
>> > Tags: security
>> >
>> > Hi,
>> >
>> > the following vulnerability was published for ncurses.
>> >
>> > CVE-2017-16879[0]:
>> > | Stack-based buffer overflow in the _nc_write_entry function in
>> > | tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial
>> > | of service (application crash) or possibly execute arbitrary code via
>> > | a crafted terminfo file, as demonstrated by tic.
>>
>> For the crash to happen the attacker needs to persuade the victim into
>> running tic on their terminfo file first (there are no users of the
>> _nc_write_entry function besides tic), and arbitrary code execution
>> should be prevented by the stack protection.
>>
>> Like the previous CVEs on ncurses published earlier this year, this
>> should be tagged no-DSA in the tracker.
>
> sounds reasonable, I have marked it as such.
>
> Do you plan to followup as well with a jessie- and stretch-pu once
> fixed in unstable?
Probably, depends on how easy it is to backport the patch(es).
Cheers,
Sven
