[Bug 1637239] Re: Please merge ncurses 6.0+20161126-1 (main) from Debian unstable (main)

Launchpad Bug Tracker 1637239 at bugs.launchpad.net
Thu Feb 1 04:36:25 UTC 2018 

This bug was fixed in the package ncurses - 6.0+20171125-1ubuntu1

---------------
ncurses (6.0+20171125-1ubuntu1) bionic; urgency=low

  * Merge from Debian unstable (LP: #1637239).  Remaining changes:
    - Add a simple autopkgtest to the package.
    - Build x32 packages.
    - Build lib32 packages on s390x.
  * Fix typo in libx32 package descriptions

ncurses (6.0+20171125-1) unstable; urgency=medium

  * New upstream patchlevel.
    - Modify _nc_write_entry() to truncate too-long filename (report by
      Hosein Askari (CVE-2017-16879), Closes: #882620).
  * Change priority of the -dbg packages and the udeb to optional.
  * Delete trailing whitespace in debian/changelog.
  * Bump debhelper compatibility level to 10.
  * Switch from dh_autotools-dev_updateconfig to dh_update_autotools_config
    and drop the explicit autotools-dev build dependency.
  * Drop dpkg-dev build dependency, already fulfilled in oldstable.
  * Do not require (fake)root for building the packages.
  * Configure the test programs with --with-x11-rgb=/etc/X11/rgb.txt.

ncurses (6.0+20170902-1) unstable; urgency=medium

  * New upstream patchlevel.
    - Modify check in fmt_entry() to handle a cancelled reset string
      (CVE-2017-13733, Closes: #873746).

ncurses (6.0+20170827-1) unstable; urgency=medium

  * New upstream patchlevel.
    - Add/improve checks in tic's parser to address invalid input
      (Closes: #873723).
      + Add a check in comp_scan.c to handle the special case where a
        nontext file ending with a NUL rather than newline is given to
        tic as input (CVE-2017-13728).
      + Allow for cancelled capabilities in _nc_save_str (CVE-2017-13729).
      + Add validity checks for "use=" target in _nc_parse_entry
        (CVE-2017-13730).
      + Check for invalid strings in postprocess_termcap (CVE-2017-13731).
      + Reset secondary pointers on EOF in next_char() (CVE-2017-13732).
      + Guard _nc_safe_strcpy() and _nc_safe_strcat() against calls using
        cancelled strings (CVE-2017-13734).
    - Add usage message to clear command (Closes: #371855).
  * Configure the test programs with --datadir=/usr/share/ncurses-examples.
  * Look for tarballs on ftp.invisible-island.net in the watch files.

ncurses (6.0+20170715-2) unstable; urgency=medium

  * Bump the minimal version of _nc_read_entry to 6.0+20170715 for partial
    upgrades from testing.

ncurses (6.0+20170715-1) unstable; urgency=medium

  * New upstream patchlevel.
    - Bring back the _nc_read_entry symbol in libtinfo5 (Closes: #868328),
      drop the _nc_read_entry2 symbol which should not have been added.
    - Repair termcap-format from tic/infocmp broken in 20170701 fixes
      (Closes: #868266).

ncurses (6.0+20170708-1) unstable; urgency=high

  * New upstream patchlevel.
    - Correct a limit-check in fixes from CVE-2017-10684
      (report by Sven Joachim).
  * Amend the previous Debian changelog entry with CVE references.

ncurses (6.0+20170701-1) unstable; urgency=low

  * New upstream patchlevel.
    - Add/improve checks in tic's parser to address invalid input
      (Redhat #1464684, #1464685, #1464686, #1464691).
      + alloc_entry.c, add a check for a null-pointer (CVE-2017-11113).
      + parse_entry.c, add several checks for valid pointers (CVE-2017-11112),
        as well as one check to ensure that a single character on a line is
        not treated as the 2-character termcap short-name.
    - Fix a problem with buffer overflow in dump_entry.c, which is
      addressed by reducing the use of a fixed-size buffer
      (CVE-2017-16084, CVE-2017-10685).
  * Refresh Debian patches.
  * Update symbols files.
    - Add new symbol _nc_read_entry2.
    - Drop wo unused symbols obsoleted in 2004: _nc_check_termtype and
      _nc_resolve_uses.
  * Blacklist dvtm and dvtm-256color terminfo entries which are shipped
    in the dvtm package (Closes: #863969).
  * Mark ncurses-doc as Multi-Arch: foreign.

ncurses (6.0+20170408-1) experimental; urgency=low

  * New upstream patchlevel.
    - Fix a memory leak in the window-list when creating multiple
      screens (reports by Andres Martinelli, Closes: #783486).
  * Provide a curses(3) symlink to ncurses (Closes: #859293).
  * Set LD_LIBRARY_PATH when building the test programs, fixes an
    impending FTBFS when we switch to libncursesw6 from libncursesw5.
  * Update years in debian/copyright.
  * Change priority of libncurses5 to optional (see #852002).

ncurses (6.0+20161126-1) unstable; urgency=low

  * New upstream patchlevel.
    - Omit selection of ISO-8859-1 for G0 in enacs capability from
      linux2.6 entry, to avoid conflict with the user-defined mapping
      (Closes: #830694).
  * Update symbols files for new symbol unfocus_current_field.

ncurses (6.0+20160917-1) unstable; urgency=medium

  * New upstream patchlevel.
    - Fix typo in 20160910 changes (Closes: #837892, patch by Sven Joachim).

ncurses (6.0+20160910-1) unstable; urgency=low

  * New upstream patchlevel.
    - Trim trailing blanks from include/Caps*, to work around a problem
      in sed (Closes: #818067).
  * Invoke configure via relative paths to prevent the build path from
    showing up in binaries.
  * Enable parallel builds.

 -- Julian Andres Klode <juliank at ubuntu.com>  Thu, 11 Jan 2018 20:51:25
+0100

** Changed in: ncurses (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10684

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10685

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11112

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11113

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13728

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13729

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13730

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13731

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13732

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13733

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13734

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16084

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16879

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ncurses in Ubuntu.
https://bugs.launchpad.net/bugs/1637239

Title:
  Please merge ncurses 6.0+20161126-1 (main) from Debian unstable (main)

Status in ncurses package in Ubuntu:
  Fix Released

Bug description:
  Ubuntu version: 6.0+20160625-1ubuntu1
  Debian verison: 6.0+20161126-1

  Details: https://merges.ubuntu.com/n/ncurses/REPORT

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ncurses/+bug/1637239/+subscriptions

More information about the foundations-bugs mailing list