bug-ncurses
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug-ncurses] tic Buffer Overflow

From: Dr. Werner Fink
Subject: Re: [bug-ncurses] tic Buffer Overflow
Date: Thu, 23 Nov 2017 16:34:28 +0100
User-agent: NeoMutt/20170912 (1.9.0) 
On Thu, Nov 23, 2017 at 07:37:49AM -0500, Thomas Dickey wrote:
> On Thu, Nov 23, 2017 at 12:11:47AM -0500, Hosein Askari wrote:
> > 
> > To whom it may concern,
> 
> Just to remind people of longstanding policy:
> 
> a) don't send html mail.  If it's an attachment viewable in lynx, I'll
>    piece it together.  This report is too badly mangled to make sense of.
> 
>    Perhaps I can cut/paste from the mailing-list archive.
>    That was the only reason that I approved this posting.
> 
> b) when citing bug reports, report against the development version.
> 
>    This report cites neither the release version, nor a current development
>    version:
> 
>    Stack-based   Buffer   Overflow  #CVE:  CVE-2017-16879  #CWE:  CWE-119
>    #Exploit      Author:      Hosein     Askari     #Vendor     HomePage:
>    https://www.gnu.org/software/ncurses/  #Version : 6.0.20160213 #Tested
>    on:    Ubuntu    16.04   #Category:   Application   #Author   Mail   :
>    address@hidden #Description: Stack-based buffer overflow in the
> 
> c) when reporting against a package done by some distributors, start
>    by referencing the bug report in that system.
> 
>    I don't see a bug report cited, nor is there one on "launchpad".
> 
> There were several fixes made this year in the area which you are
> reporting.  If you have a followup report, it will be dealt with.

Beside this, using

  --enable-string-hacks

avoids the sprintf() based buffer overflow.

Werner

-- 
  "Having a smoking section in a restaurant is like having
          a peeing section in a swimming pool." -- Edward Burr

Attachment: signature.asc
Description: PGP signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]