From owner-freebsd-security  Tue Oct 10 19: 4:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3AA1637B502; Tue, 10 Oct 2000 19:04:56 -0700 (PDT)
Received: (from kris@localhost)
	by citusc17.usc.edu (8.9.3/8.9.3) id TAA05060;
	Tue, 10 Oct 2000 19:05:17 -0700 (PDT)
Date: Tue, 10 Oct 2000 19:05:17 -0700
From: Kris Kennaway <kris@citusc.usc.edu>
To: Trevor Johnson <trevor@jpj.net>
Cc: Mike Silbersack <silby@silby.com>, freebsd-security@FreeBSD.ORG,
	peter@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
Message-ID: <20001010190517.B5034@citusc17.usc.edu>
References: <Pine.BSF.4.21.0010101908580.4266-100000@achilles.silby.com> <Pine.BSI.4.21.0010102142590.8787-100000@blues.jpj.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.BSI.4.21.0010102142590.8787-100000@blues.jpj.net>; from trevor@jpj.net on Tue, Oct 10, 2000 at 09:55:15PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 10, 2000 at 09:55:15PM -0400, Trevor Johnson wrote:
> > Well, the advisory states that ncurses 5.0 and before are vulnerable.  It
> > looks like 5.1-prerelease is what 4.1+ are using.  So, until we hear more
> > from warner/kris, I'm assuming that 4.0/3.x are vulnerable, but 4.1+ is
> > safe.
> 
> The fixes were applied in ncurses-20001007.  We have ncurses-20000701.
> 
> I'm attempting to prepare ncurses-20001009 for importing:  
> http://people.freebsd.org/~trevor/ncurses/ .  I've mentioned it to Peter
> Wemm.  It needs more testing though (I haven't even done a "make world").

I believe Peter was also looking at this - I think he was basically
ready to commit. Thanks for taking a look at it, though.

Kris

