This bug was fixed in the package ncurses - 6.0+20171125-1ubuntu1

---------------
ncurses (6.0+20171125-1ubuntu1) bionic; urgency=low

  * Merge from Debian unstable (LP: #1637239). Remaining changes:
    - Add a simple autopkgtest to the package.
    - Build x32 packages.
    - Build lib32 packages on s390x.
  * Fix typo in libx32 package descriptions

ncurses (6.0+20171125-1) unstable; urgency=medium

  * New upstream patchlevel.
    - Modify _nc_write_entry() to truncate too-long filename (report by
      Hosein Askari (CVE-2017-16879), Closes: #882620).
  * Change priority of the -dbg packages and the udeb to optional.
  * Delete trailing whitespace in debian/changelog.
  * Bump debhelper compatibility level to 10.
  * Switch from dh_autotools-dev_updateconfig to dh_update_autotools_config
    and drop the explicit autotools-dev build dependency.
  * Drop dpkg-dev build dependency, already fulfilled in oldstable.
  * Do not require (fake)root for building the packages.
  * Configure the test programs with --with-x11-rgb=/etc/X11/rgb.txt.

ncurses (6.0+20170902-1) unstable; urgency=medium

  * New upstream patchlevel.
    - Modify check in fmt_entry() to handle a cancelled reset string
      (CVE-2017-13733, Closes: #873746).

ncurses (6.0+20170827-1) unstable; urgency=medium

  * New upstream patchlevel.
    - Add/improve checks in tic's parser to address invalid input
      (Closes: #873723).
      + Add a check in comp_scan.c to handle the special case where a
        nontext file ending with a NUL rather than newline is given to tic
        as input (CVE-2017-13728).
      + Allow for cancelled capabilities in _nc_save_str (CVE-2017-13729).
      + Add validity checks for "use=" target in _nc_parse_entry
        (CVE-2017-13730).
      + Check for invalid strings in postprocess_termcap (CVE-2017-13731).
      + Reset secondary pointers on EOF in next_char() (CVE-2017-13732).
      + Guard _nc_safe_strcpy() and _nc_safe_strcat() against calls using
        cancelled strings (CVE-2017-13734).
    - Add usage message to clear command (Closes: #371855).
  * Configure the test programs with --datadir=/usr/share/ncurses-examples.
  * Look for tarballs on ftp.invisible-island.net in the watch files.

ncurses (6.0+20170715-2) unstable; urgency=medium

  * Bump the minimal version of _nc_read_entry to 6.0+20170715 for partial
    upgrades from testing.

ncurses (6.0+20170715-1) unstable; urgency=medium

  * New upstream patchlevel.
    - Bring back the _nc_read_entry symbol in libtinfo5 (Closes: #868328),
      drop the _nc_read_entry2 symbol which should not have been added.
    - Repair termcap-format from tic/infocmp broken in 20170701 fixes
      (Closes: #868266).

ncurses (6.0+20170708-1) unstable; urgency=high

  * New upstream patchlevel.
    - Correct a limit-check in fixes from CVE-2017-10684 (report by Sven
      Joachim).
  * Amend the previous Debian changelog entry with CVE references.

ncurses (6.0+20170701-1) unstable; urgency=low

  * New upstream patchlevel.
    - Add/improve checks in tic's parser to address invalid input
      (Redhat #1464684, #1464685, #1464686, #1464691).
      + alloc_entry.c, add a check for a null-pointer (CVE-2017-11113).
      + parse_entry.c, add several checks for valid pointers
        (CVE-2017-11112), as well as one check to ensure that a single
        character on a line is not treated as the 2-character termcap
        short-name.
    - Fix a problem with buffer overflow in dump_entry.c, which is addressed
      by reducing the use of a fixed-size buffer (CVE-2017-16084,
      CVE-2017-10685).
  * Refresh Debian patches.
  * Update symbols files.
    - Add new symbol _nc_read_entry2.
    - Drop two unused symbols obsoleted in 2004: _nc_check_termtype and
      _nc_resolve_uses.
  * Blacklist dvtm and dvtm-256color terminfo entries which are shipped in
    the dvtm package (Closes: #863969).
  * Mark ncurses-doc as Multi-Arch: foreign.

ncurses (6.0+20170408-1) experimental; urgency=low

  * New upstream patchlevel.
    - Fix a memory leak in the window-list when creating multiple screens
      (reports by Andres Martinelli, Closes: #783486).
  * Provide a curses(3) symlink to ncurses (Closes: #859293).
  * Set LD_LIBRARY_PATH when building the test programs, fixes an impending
    FTBFS when we switch to libncursesw6 from libncursesw5.
  * Update years in debian/copyright.
  * Change priority of libncurses5 to optional (see #852002).

ncurses (6.0+20161126-1) unstable; urgency=low

  * New upstream patchlevel.
    - Omit selection of ISO-8859-1 for G0 in enacs capability from linux2.6
      entry, to avoid conflict with the user-defined mapping
      (Closes: #830694).
  * Update symbols files for new symbol unfocus_current_field.

ncurses (6.0+20160917-1) unstable; urgency=medium

  * New upstream patchlevel.
    - Fix typo in 20160910 changes (Closes: #837892, patch by Sven Joachim).

ncurses (6.0+20160910-1) unstable; urgency=low

  * New upstream patchlevel.
    - Trim trailing blanks from include/Caps*, to work around a problem in
      sed (Closes: #818067).
  * Invoke configure via relative paths to prevent the build path from
    showing up in binaries.
  * Enable parallel builds.

 -- Julian Andres Klode