Control: tag -1 moreinfo
On Thu, Dec 28, 2017 at 11:34:33 +0100, Sven Joachim wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch d-i
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> I would like to fix bug #882620 aka CVE-2017-16879 in stretch, a buffer
> overflow in the _nc_write_entry function.
>
> While this touches the tinfo library used in the installer,
> _nc_write_entry() is only used by tic as far as I am aware.
>
Thanks, go ahead.
[...]
> +--- a/ncurses/tinfo/write_entry.c
> ++++ b/ncurses/tinfo/write_entry.c
> +@@ -267,6 +267,9 @@ _nc_write_entry(TERMTYPE *const tp)
> + #endif
> + #endif /* USE_SYMLINKS */
> +
> ++ unsigned limit2 = sizeof(filename) - (2 + LEAF_LEN);
> ++ char saved = '\0';
> ++
> + static int call_count;
> + static time_t start_time; /* time at start of writes */
> +
> +@@ -365,12 +368,18 @@ _nc_write_entry(TERMTYPE *const tp)
> + start_time = 0;
> + }
> +
> +- if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN))
> ++ if (strlen(first_name) >= sizeof(filename) - (2 + LEAF_LEN)) {
kind of curious that limit2 wasn't used here...
> + _nc_warning("terminal name too long.");
> ++ saved = first_name[limit2];
> ++ first_name[limit2] = '\0';
> ++ }
> +
> + _nc_SPRINTF(filename, _nc_SLIMIT(sizeof(filename))
> + LEAF_FMT "/%s", first_name[0], first_name);
> +
> ++ if (saved)
> ++ first_name[limit2] = saved;
> ++
> + /*
> + * Has this primary name been written since the first call to
> + * write_entry()? If so, the newer write will step on the older,
Cheers,
Julien
