Change logs for ncurses source package in Bionic

  • ncurses (6.1-1ubuntu1.18.04.1) bionic-security; urgency=medium
    
      * SECURITY UPDATE: heap buffer overflow in the _nc_find_entry function
        - debian/patches/CVE-2019-17594.patch: check for invalid hashcode in
          _nc_find_type_entry and _nc_find_entry.
        - CVE-2019-17594
      * SECURITY UPDATE: heap buffer overflow in the fmt_entry function
        - debian/patches/CVE-2019-17595.patch: check for missing character after
          backslash in fmt_entry.
        - CVE-2019-17595
      * SECURITY UPDATE: heap buffer overflow in the _nc_captoinfo function
        - debian/patches/CVE-2021-39537.patch: add a check for end-of-string in
          cvtchar to handle a malformed string in infotocap.
        - CVE-2021-39537
      * SECURITY UPDATE: out-of-bounds read in the convert_strings function
        - debian/patches/CVE-2022-29458.patch: add a limit-check to guard against
          corrupt terminfo data.
        - CVE-2022-29458
      * SECURITY UPDATE: memory corruption when processing malformed terminfo data
        entries loaded by setuid/setgid programs
        - debian/patches/CVE-2023-29491-mitigation.patch: change the
          --disable-root-environ configure option behavior.
        - debian/rules: set --disable-root-environ in configuration options.
        - debian/libtinfo5.symbols: add _nc_env_access to symbols files.
        - CVE-2023-29491
      * debian/patches/fix-off-by-one-loop-convert-strings.patch: correct an
        off-by-one loop-limit in convert_strings function.
      * debian/patches/fix-tic-infloop.diff: modify tic to exit if it cannot
        remove a conflicting name.
      * debian/patches/fix-write_it.diff: check for missing character after
        backslash in write_it.
    
     -- Camila Camargo de Matos <email address hidden>  Tue, 16 May 2023 15:54:45 -0300
  • ncurses (6.1-1ubuntu1.18.04) bionic-proposed; urgency=medium
    
      * SRU: LP: #1772872: Backport changes from 6.1+20180210-4:
      * Move screen.xterm-256color and rxvt-unicode-256color terminfo entries
        from ncurses-term to ncurses-base (Closes: #898666, #898948).
      * Cherry-pick a fix from the 20180414 patchlevel: add a null-pointer
        check in _nc_parse_entry to handle an error when a use-name is invalid
        syntax (report by Chung-Yi Lin, CVE-2018-10754).
    
     -- Matthias Klose <email address hidden>  Wed, 23 May 2018 10:08:27 +0200
  • ncurses (6.1-1ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Add a simple autopkgtest to the package.
        - Build x32 packages.
        - Build lib32 packages on s390x.
    
    ncurses (6.1-1) unstable; urgency=low
    
      * New upstream release.
      * Refresh Debian patches.
      * Update symbols files and bump shlibs.
        - Bump the minimal version of symbols introduced after the 6.0
          release to 6.1.
        - Reset the minimal version of _nc_read_entry back to 6.
      * Pass --disable-stripping to the configure scripts.
      * Update xterm.ti from xterm 331.
      * Use https in the Homepage field.
      * Update Vcs-{Browser,Git} URLs to point at salsa.debian.org.
      * Change priority of all library packages to optional.
      * Update years in debian/copyright.
    
     -- Julian Andres Klode <email address hidden>  Mon, 12 Feb 2018 10:33:09 +0100
  • ncurses (6.0+20171125-1ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable (LP: #1637239).  Remaining changes:
        - Add a simple autopkgtest to the package.
        - Build x32 packages.
        - Build lib32 packages on s390x.
      * Fix typo in libx32 package descriptions
    
    ncurses (6.0+20171125-1) unstable; urgency=medium
    
      * New upstream patchlevel.
        - Modify _nc_write_entry() to truncate too-long filename (report by
          Hosein Askari (CVE-2017-16879), Closes: #882620).
      * Change priority of the -dbg packages and the udeb to optional.
      * Delete trailing whitespace in debian/changelog.
      * Bump debhelper compatibility level to 10.
      * Switch from dh_autotools-dev_updateconfig to dh_update_autotools_config
        and drop the explicit autotools-dev build dependency.
      * Drop dpkg-dev build dependency, already fulfilled in oldstable.
      * Do not require (fake)root for building the packages.
      * Configure the test programs with --with-x11-rgb=/etc/X11/rgb.txt.
    
    ncurses (6.0+20170902-1) unstable; urgency=medium
    
      * New upstream patchlevel.
        - Modify check in fmt_entry() to handle a cancelled reset string
          (CVE-2017-13733, Closes: #873746).
    
    ncurses (6.0+20170827-1) unstable; urgency=medium
    
      * New upstream patchlevel.
        - Add/improve checks in tic's parser to address invalid input
          (Closes: #873723).
          + Add a check in comp_scan.c to handle the special case where a
            nontext file ending with a NUL rather than newline is given to
            tic as input (CVE-2017-13728).
          + Allow for cancelled capabilities in _nc_save_str (CVE-2017-13729).
          + Add validity checks for "use=" target in _nc_parse_entry
            (CVE-2017-13730).
          + Check for invalid strings in postprocess_termcap (CVE-2017-13731).
          + Reset secondary pointers on EOF in next_char() (CVE-2017-13732).
          + Guard _nc_safe_strcpy() and _nc_safe_strcat() against calls using
            cancelled strings (CVE-2017-13734).
        - Add usage message to clear command (Closes: #371855).
      * Configure the test programs with --datadir=/usr/share/ncurses-examples.
      * Look for tarballs on ftp.invisible-island.net in the watch files.
    
    ncurses (6.0+20170715-2) unstable; urgency=medium
    
      * Bump the minimal version of _nc_read_entry to 6.0+20170715 for partial
        upgrades from testing.
    
    ncurses (6.0+20170715-1) unstable; urgency=medium
    
      * New upstream patchlevel.
        - Bring back the _nc_read_entry symbol in libtinfo5 (Closes: #868328),
          drop the _nc_read_entry2 symbol which should not have been added.
        - Repair termcap-format from tic/infocmp broken in 20170701 fixes
          (Closes: #868266).
    
    ncurses (6.0+20170708-1) unstable; urgency=high
    
      * New upstream patchlevel.
        - Correct a limit-check in fixes from CVE-2017-10684
          (report by Sven Joachim).
      * Amend the previous Debian changelog entry with CVE references.
    
    ncurses (6.0+20170701-1) unstable; urgency=low
    
      * New upstream patchlevel.
        - Add/improve checks in tic's parser to address invalid input
          (Redhat #1464684, #1464685, #1464686, #1464691).
          + alloc_entry.c, add a check for a null-pointer (CVE-2017-11113).
          + parse_entry.c, add several checks for valid pointers (CVE-2017-11112),
            as well as one check to ensure that a single character on a line is
            not treated as the 2-character termcap short-name.
        - Fix a problem with buffer overflow in dump_entry.c, which is
          addressed by reducing the use of a fixed-size buffer
          (CVE-2017-16084, CVE-2017-10685).
      * Refresh Debian patches.
      * Update symbols files.
        - Add new symbol _nc_read_entry2.
        - Drop two unused symbols obsoleted in 2004: _nc_check_termtype and
          _nc_resolve_uses.
      * Blacklist dvtm and dvtm-256color terminfo entries which are shipped
        in the dvtm package (Closes: #863969).
      * Mark ncurses-doc as Multi-Arch: foreign.
    
    ncurses (6.0+20170408-1) experimental; urgency=low
    
      * New upstream patchlevel.
        - Fix a memory leak in the window-list when creating multiple
          screens (reports by Andres Martinelli, Closes: #783486).
      * Provide a curses(3) symlink to ncurses (Closes: #859293).
      * Set LD_LIBRARY_PATH when building the test programs, fixes an
        impending FTBFS when we switch to libncursesw6 from libncursesw5.
      * Update years in debian/copyright.
      * Change priority of libncurses5 to optional (see #852002).
    
    ncurses (6.0+20161126-1) unstable; urgency=low
    
      * New upstream patchlevel.
        - Omit selection of ISO-8859-1 for G0 in enacs capability from
          linux2.6 entry, to avoid conflict with the user-defined mapping
          (Closes: #830694).
      * Update symbols files for new symbol unfocus_current_field.
    
    ncurses (6.0+20160917-1) unstable; urgency=medium
    
      * New upstream patchlevel.
        - Fix typo in 20160910 changes (Closes: #837892, patch by Sven Joachim).
    
    ncurses (6.0+20160910-1) unstable; urgency=low
    
      * New upstream patchlevel.
        - Trim trailing blanks from include/Caps*, to work around a problem
          in sed (Closes: #818067).
      * Invoke configure via relative paths to prevent the build path from
        showing up in binaries.
      * Enable parallel builds.
    
     -- Julian Andres Klode <email address hidden>  Thu, 11 Jan 2018 20:51:25 +0100
  • ncurses (6.0+20160625-1ubuntu1) yakkety; urgency=low
    
      * Merge from Debian unstable (LP: #1598850).  Remaining changes:
        - Add a simple autopkgtest to the package.
        - Build x32 packages.
        - Build lib32 packages on s390x.
    
    ncurses (6.0+20160625-1) unstable; urgency=low
    
      * New upstream patchlevel.
        - Make linux3.0 entry the default linux entry (Closes: #823658, #515609).
        - Improve manual pages for wgetch and wget_wch to point out that they
          might return values without names in curses.h (Closes: #822426).
        - Amend change to _nc_do_color to restore the early return for the
          special case used in _nc_screen_wrap (report by Dick Streefland,
          Closes: #816887).
      * Update xterm.ti from xterm 325.
      * Enable the bindnow hardening flag.
      * Really install the Debian FAQ into the libtinfo5 package.
      * Update links in the Debian FAQ.
    
    ncurses (6.0+20160319-2) unstable; urgency=low
    
      * Team upload
    
      [ Roger Shimizu ]
      * Add udeb support to libtinfo5 (Closes: #819397).
    
      [ Sven Joachim ]
      * Do not include the tic library in the libtinfo5-udeb package.
    
      [ Axel Beckert ]
      * Declare compliance with Debian Policy 3.9.8. (No changes needed.)
      * Uploading the package for Sven. Upload sponsoring is needed since
        there is a new binary (udeb) package included.
    
     -- Tiago Stürmer Daitx <email address hidden>  Wed, 06 Jul 2016 23:11:18 +0000