Re: ncurses fixes upstream

["alice" <alice () ayaya dev>]

On Wed Apr 12, 2023 at 10:40 PM CEST, Jonathan Bar Or (JBO) wrote:
> Hello oss-security,
>
> Our team has worked with the maintainer of the ncurses library (used by several software packages in Linux) to fix 
> several memory corruption vulnerabilities.
> They are now fixed at commit 20230408 - see details here 
> (https://invisible-island.net/ncurses/NEWS.html#index-t20230408)
> A CVE was assigned (CVE-2023-29491) - it's still under a "reserved" status.
>
> How can we ensure those fixes get deployed upstream, in major Linux distributions?

having a patch that is possible to apply to ncurses would make this possible,
since otherwise it's not possible to patch anything without just updating to the
latest ncurses snapshot.

that said,

- ncurses doesn't keep any git (or whatever) history anywhere (to my knowledge),
  so i don't know where this would even come from

- as someone that uses the latest snapshots, 20230401 works, but 20230408 breaks
  some applications like tmux (when clicking with the mouse, it just exits). i
  assume this breakage is caused by these fixes in question, but i didn't debug
  it further.

> We've reached out to Arch, RedHat, Canonical and other popular distros independently.
>
> Thanks!
>                              JBO