Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 698210 (CVE-2019-17594, CVE-2019-17595) - <sys-libs/ncurses-6.2: multiple vulnerabilities (CVE-2019-{17594,17595})
Summary: <sys-libs/ncurses-6.2: multiple vulnerabilities (CVE-2019-{17594,17595})
Status: RESOLVED FIXED
Alias: CVE-2019-17594, CVE-2019-17595
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2019-10-21 17:15 UTC by lperkins
Modified: 2021-01-26 00:22 UTC (History)
3 users (show)

See Also:
Package list:
=sys-libs/ncurses-6.2-r1
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description lperkins 2019-10-21 17:15:36 UTC 
sys-libs/ncurses prior to 6.1-20191012 has security vulnerabilities.  It would be good to get an updated version available in the tree.

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 03:51:44 UTC 
There is an additional bug CVE-2019-17594:
"There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012."
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-05 22:57:21 UTC 
@maintainer(s), please advise if ready for stabilisation, or call yourself
Comment 3 Agostino Sarubbo gentoo-dev 2020-05-06 14:23:40 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-05-08 17:12:08 UTC 
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-05-08 17:13:55 UTC 
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-05-08 17:15:21 UTC 
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-05-09 07:43:41 UTC 
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-05-09 07:46:58 UTC 
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2020-05-10 08:29:53 UTC 
hppa stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-05-11 16:50:02 UTC 
x86 stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-08 16:43:25 UTC 
arm64 stable

----
@maintainer(s), please cleanup
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 20:11:27 UTC 
Tree is clean:

commit 141f394e8b1f274d1f14cc60d3370ed50345fe25
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Jul 14 12:49:10 2020 +0200

    sys-libs/ncurses: Removed old

    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 delete mode 100644 sys-libs/ncurses/ncurses-6.1_p20181020.ebuild
 delete mode 100644 sys-libs/ncurses/ncurses-6.1_p20190609.ebuild
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2021-01-26 00:22:22 UTC 
This issue was resolved and addressed in
 GLSA 202101-28 at https://security.gentoo.org/glsa/202101-28
by GLSA coordinator Sam James (sam_c).