Re: [bug-ncurses] tic Buffer Overflow
From: Dr. Werner Fink
Subject: Re: [bug-ncurses] tic Buffer Overflow
Date: Thu, 23 Nov 2017 16:34:28 +0100
User-agent: NeoMutt/20170912 (1.9.0)

On Thu, Nov 23, 2017 at 07:37:49AM -0500, Thomas Dickey wrote:
> On Thu, Nov 23, 2017 at 12:11:47AM -0500, Hosein Askari wrote:
> >
> > To whom it may concern,
>
> Just to remind people of longstanding policy:
>
> a) don't send html mail. If it's an attachment viewable in lynx, I'll
> piece it together. This report is too badly mangled to make sense of.
>
> Perhaps I can cut/paste from the mailing-list archive.
> That was the only reason that I approved this posting.
>
> b) when citing bug reports, report against the development version.
>
> This report cites neither the release version, nor a current development
> version:
>
> Stack-based Buffer Overflow #CVE: CVE-2017-16879 #CWE: CWE-119
> #Exploit Author: Hosein Askari #Vendor HomePage:
> https://www.gnu.org/software/ncurses/ #Version : 6.0.20160213 #Tested
> on: Ubuntu 16.04 #Category: Application #Author Mail :
> address@hidden #Description: Stack-based buffer overflow in the
>
> c) when reporting against a package done by some distributors, start
> by referencing the bug report in that system.
>
> I don't see a bug report cited, nor is there one on "launchpad".
>
> There were several fixes made this year in the area which you are
> reporting. If you have a followup report, it will be dealt with.

Besides this, using

    --enable-string-hacks

avoids the sprintf() based buffer overflow.

Werner

--
"Having a smoking section in a restaurant is like having
a peeing section in a swimming pool." -- Edward Burr
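
Added example, not part of the message above and not ncurses code: a minimal contrast between an unbounded sprintf() into a fixed buffer and a length-limited snprintf() that rejects oversized input, assuming that is the kind of substitution the reply refers to. The function names, the 32-byte buffer, the path layout and the sample inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 32  /* assumed size of a fixed stack buffer */

/* Unbounded form: sprintf() writes as many bytes as the inputs need,
 * whatever the size of dst. Safe only if the caller checked first. */
void path_unbounded(char *dst, const char *dir, const char *name)
{
    sprintf(dst, "%s/%c/%s", dir, name[0], name);
}

/* Bytes (excluding NUL) the unbounded form would write for these inputs. */
int path_needed(const char *dir, const char *name)
{
    return snprintf(NULL, 0, "%s/%c/%s", dir, name[0], name);
}

/* Bounded form: never writes past dstlen; returns 0 on success and -1 when
 * the result would not fit, leaving dst empty rather than truncated. */
int path_bounded(char *dst, size_t dstlen, const char *dir, const char *name)
{
    int n;

    if (dstlen == 0 || name[0] == '\0')
        return -1;
    n = snprintf(dst, dstlen, "%s/%c/%s", dir, name[0], name);
    if (n < 0 || (size_t) n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[PATH_BUF];
    char longname[100];              /* constructed over-long input */

    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    path_unbounded(buf, "/tmp/ti", "xterm");   /* 15 bytes + NUL: fits */
    printf("short: %s\n", buf);
    printf("long needs %d bytes, buffer holds %d\n",
           path_needed("/tmp/ti", longname), PATH_BUF);
    printf("bounded -> %d\n",
           path_bounded(buf, sizeof(buf), "/tmp/ti", longname));
    return 0;
}
```

Checking the snprintf() return value matters as much as the size argument: silent truncation would otherwise hand the caller a different path than the one requested.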