From https://www.openwall.com/lists/oss-security/2023/04/12/5:

"""
Our team has worked with the maintainer of the ncurses library (used by several software packages in Linux) to fix several memory corruption vulnerabilities. They are now fixed at commit 20230408 - see details here (https://invisible-island.net/ncurses/NEWS.html#index-t20230408 [1])

A CVE was assigned (CVE-2023-29491) - it's still under a "reserved" status.
"""

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c46795fb6af168a089d6ba651a41d3aadedcbcd4

commit c46795fb6af168a089d6ba651a41d3aadedcbcd4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-04-13 01:34:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-13 01:48:34 +0000

    sys-libs/ncurses: add 6.4_p20230408

    Bug: https://bugs.gentoo.org/904247
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-libs/ncurses/Manifest                     |  21 ++
 sys-libs/ncurses/ncurses-6.4_p20230408.ebuild | 430 ++++++++++++++++++++++++++
 2 files changed, 451 insertions(+)

I just tried 6.4_p20230408 and it breaks OpenRC output: everything is printed in color and as (null).

(In reply to Holger Hoffstätte from comment #2)
> I just tried 6.4_p20230408 and it breaks OpenRC output: everything is
> printed in color and as (null).

This does not happen with 6.4_p20230401 - everything looks OK.

Seeing same here -- rc-status output is correct with sys-libs/ncurses-6.4_p20230401, and wrecked with sys-libs/ncurses-6.4_p20230408:

mega / # rc-status
Runlevel: (null)default(null)
 dictd (null) (null)[(null) started (null)](null)
 dbus [...]

(crazy colors omitted of necessity:-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f216f091714951425b866d71dcb4fd1557d4ab2

commit 4f216f091714951425b866d71dcb4fd1557d4ab2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-04-13 16:56:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-13 16:56:00 +0000

    profiles: mask =sys-libs/ncurses-6.4_p20230408

    Bug: https://bugs.gentoo.org/904247
    Bug: https://bugs.gentoo.org/904263
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36cb6e7e797ce084f8952716da8816e3613bedd0

commit 36cb6e7e797ce084f8952716da8816e3613bedd0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-04-16 03:26:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-16 03:28:54 +0000

    sys-libs/ncurses: add 6.4_p20230415

    This should fix the issues with vim (bug #904263) but this version remains
    masked for now because OpenRC itself needs fixing due to abuse of ncurses
    (bug #904277).

    Bug: https://bugs.gentoo.org/904247
    Bug: https://bugs.gentoo.org/904277
    Closes: https://bugs.gentoo.org/904263
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask                         |   5 +
 sys-libs/ncurses/Manifest                     |   3 +
 sys-libs/ncurses/ncurses-6.4_p20230415.ebuild | 431 ++++++++++++++++++++++++++
 3 files changed, 439 insertions(+)

Created attachment 871520 [details]
ncurses-6.4_p20230918 without gentoo patches

I tried newest ncurses-6.4_p20230918 without gentoo patches and I didn't find any issue.

(In reply to Martin Filo from comment #7)
> Created attachment 871520 [details]
> ncurses-6.4_p20230918 without gentoo patches
>
> I tried newest ncurses-6.4_p20230918 without gentoo patches and I didn't
> find any issue.

I'm not sure why you've posted this here. There's a fixed version in tree already, but it's masked because OpenRC isn't yet compatible with it. The incompatibility is not to do with any Gentoo patches and there's some work going on in bug 904277 for it.

If you want a general version bump, please file a new bug for that.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc92b4a3a8aafac2120438d89ea4e85d77006c97

commit dc92b4a3a8aafac2120438d89ea4e85d77006c97
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-04-06 08:24:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-04-06 08:24:36 +0000

    profiles: (finally) unmask ncurses

    OpenRC is now fixed.

    Bug: https://bugs.gentoo.org/904247
    Bug: https://bugs.gentoo.org/904263
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 11 -----------
 1 file changed, 11 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f50dd58c32a3b97ce0a017ceb2a3077a36ecbe5a

commit f50dd58c32a3b97ce0a017ceb2a3077a36ecbe5a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-04-06 09:19:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-04-06 09:20:07 +0000

    sys-libs/ncurses-compat: add 6.4_p20240330

    Bug: https://bugs.gentoo.org/904247
    Bug: https://bugs.gentoo.org/922817
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-libs/ncurses-compat/Manifest                   | 117 +++++++
 .../ncurses-compat-6.4_p20240330.ebuild            | 382 +++++++++++++++++++++
 2 files changed, 499 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=6c6eeaac04ac4b0a613b8259d0714ae4ffb8c4d7

commit 6c6eeaac04ac4b0a613b8259d0714ae4ffb8c4d7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-09 11:05:25 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-09 11:05:36 +0000

    [ GLSA 202408-19 ] ncurses: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/839351
    Bug: https://bugs.gentoo.org/904247
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-19.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)