diff options
Diffstat (limited to 'meta/recipes-core/ncurses')
-rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2021-39537.patch | 30 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2022-29458.patch | 135 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2023-29491.patch | 45 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2023-50495.patch | 79 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/ncurses.inc | 2 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/ncurses_6.2.bb | 6 |
6 files changed, 295 insertions, 2 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2021-39537.patch b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch new file mode 100644 index 0000000000..7655200350 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch @@ -0,0 +1,30 @@ +$NetBSD: patch-ncurses_tinfo_captoinfo.c,v 1.1 2021/10/09 07:52:36 wiz Exp $ + +Fix for CVE-2021-39537 from upstream: +https://github.com/ThomasDickey/ncurses-snapshots/commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b#diff-7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340 + +CVE: CVE-2021-39537 +Upstream-Status: Backport [http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/Attic/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- a/ncurses/tinfo/captoinfo.c 2020-02-02 23:34:34.000000000 +0000 ++++ b/ncurses/tinfo/captoinfo.c +@@ -216,12 +216,15 @@ cvtchar(register const char *sp) + } + break; + case '^': ++ len = 2; + c = UChar(*++sp); +- if (c == '?') ++ if (c == '?') { + c = 127; +- else ++ } else if (c == '\0') { ++ len = 1; ++ } else { + c &= 0x1f; +- len = 2; ++ } + break; + default: + c = UChar(*sp); diff --git a/meta/recipes-core/ncurses/files/CVE-2022-29458.patch b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch new file mode 100644 index 0000000000..eb1b7c96f9 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch @@ -0,0 +1,135 @@ +From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001 +From: Dan Tran <dantran@microsoft.com> +Date: Fri, 13 May 2022 13:28:41 -0700 +Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read + and segmentation violation in convert_strings in tinfo/read_entry.c in the + terminfo library. + +CVE: CVE-2022-29458 +Upstream-Status: Backport +[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870] + +Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com> +Signed-off-by: Dan Tran <dantran@microsoft.com> +--- + ncurses/tinfo/alloc_entry.c | 14 ++++++-------- + ncurses/tinfo/read_entry.c | 25 +++++++++++++++++++------ + 2 files changed, 25 insertions(+), 14 deletions(-) + +diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c +index 4bf7d6c8..b49ad6aa 100644 +--- a/ncurses/tinfo/alloc_entry.c ++++ b/ncurses/tinfo/alloc_entry.c +@@ -48,13 +48,11 @@ + + #include <tic.h> + +-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $") ++MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $") + + #define ABSENT_OFFSET -1 + #define CANCELLED_OFFSET -2 + +-#define MAX_STRTAB 4096 /* documented maximum entry size */ +- + static char *stringbuf; /* buffer for string capabilities */ + static size_t next_free; /* next free character in stringbuf */ + +@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp) + } + #endif + +- if (stringbuf == 0) +- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf); ++ if (stringbuf == NULL) ++ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf); + + next_free = 0; + +@@ -108,11 +106,11 @@ _nc_save_str(const char *const string) + * Cheat a little by making an empty string point to the end of the + * previous string. + */ +- if (next_free < MAX_STRTAB) { ++ if (next_free < MAX_ENTRY_SIZE) { + result = (stringbuf + next_free - 1); + } +- } else if (next_free + len < MAX_STRTAB) { +- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB); ++ } else if (next_free + len < MAX_ENTRY_SIZE) { ++ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE); + DEBUG(7, ("Saved string %s", _nc_visbuf(string))); + DEBUG(7, ("at location %d", (int) next_free)); + next_free += len; +diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c +index 5b570b0f..23c2cebc 100644 +--- a/ncurses/tinfo/read_entry.c ++++ b/ncurses/tinfo/read_entry.c +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2018-2019,2020 Thomas E. Dickey * ++ * Copyright 2018-2021,2022 Thomas E. Dickey * + * Copyright 1998-2016,2017 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -42,7 +42,7 @@ + + #include <tic.h> + +-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $") ++MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $") + + #define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts)) + +@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + { + int i; + char *p; ++ bool corrupt = FALSE; + + for (i = 0; i < count; i++) { + if (IS_NEG1(buf + 2 * i)) { +@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + } else if (MyNumber(buf + 2 * i) > size) { + Strings[i] = ABSENT_STRING; + } else { +- Strings[i] = (MyNumber(buf + 2 * i) + table); +- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i]))); ++ int nn = MyNumber(buf + 2 * i); ++ if (nn >= 0 && nn < size) { ++ Strings[i] = (nn + table); ++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i, ++ _nc_visbuf(Strings[i]))); ++ } else { ++ if (!corrupt) { ++ corrupt = TRUE; ++ TR(TRACE_DATABASE, ++ ("ignore out-of-range index %d to Strings[]", nn)); ++ _nc_warning("corrupt data found in convert_strings"); ++ } ++ Strings[i] = ABSENT_STRING; ++ } + } + + /* make sure all strings are NUL terminated */ +@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename, + * looking for compiled (binary) terminfo data. + * + * cgetent uses a two-level lookup. On the first it uses the given +- * name to return a record containing only the aliases for an entry. ++ * name to return a record containing only the aliases for an entry. + * On the second (using that list of aliases as a key), it returns the + * content of the terminal description. We expect second lookup to + * return data beginning with the same set of aliases. +@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename, + #endif /* NCURSES_USE_DATABASE */ + + /* +- * Find and read the compiled entry for a given terminal type, if it exists. ++ * Find and read the compiled entry for a given terminal type, if it exists. + * We take pains here to make sure no combination of environment variables and + * terminal type name can be used to overrun the file buffer. + */ +-- +2.36.1 + diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch new file mode 100644 index 0000000000..0a0497723f --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch @@ -0,0 +1,45 @@ +Backport of: + +Author: Sven Joachim <svenjoac@gmx.de> +Description: Change the --disable-root-environ configure option behavior + By default, the --disable-root-environ option forbids program run by + the superuser to load custom terminfo entries. This patch changes + that to only restrict programs running with elevated privileges, + matching the behavior of the --disable-setuid-environ option + introduced in the 20230423 upstream patchlevel. +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29 +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html +Forwarded: not-needed +Last-Update: 2023-05-01 + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz] +CVE: CVE-2023-29491 +Signed-off-by: Virendra Thakur <virendrak@kpit.com> + +--- + ncurses/tinfo/access.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/ncurses/tinfo/access.c ++++ b/ncurses/tinfo/access.c +@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path) + NCURSES_EXPORT(int) + _nc_env_access(void) + { ++ int result = TRUE; ++ + #if HAVE_ISSETUGID + if (issetugid()) +- return FALSE; ++ result = FALSE; + #elif HAVE_GETEUID && HAVE_GETEGID + if (getuid() != geteuid() + || getgid() != getegid()) +- return FALSE; ++ result = FALSE; + #endif +- /* ...finally, disallow root */ +- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID); ++ return result; + } + #endif diff --git a/meta/recipes-core/ncurses/files/CVE-2023-50495.patch b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch new file mode 100644 index 0000000000..58c23866d1 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch @@ -0,0 +1,79 @@ +Fix for CVE-2023-50495 from upstream: +https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc + +Reference: +https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz + +Upstream-Status: Backport [import from suse ftp.pbone.net/mirror/ftp.opensuse.org/update/leap-micro/5.3/sle/src/ncurses-6.1-150000.5.20.1.src.rpm +Upstream commit https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc] +CVE: CVE-2023-50495 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + ncurses/tinfo/parse_entry.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c +index 23574b66..56ba9ae6 100644 +--- a/ncurses/tinfo/parse_entry.c ++++ b/ncurses/tinfo/parse_entry.c +@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type) + /* Well, we are given a cancel for a name that we don't recognize */ + return _nc_extend_names(entryp, name, STRING); + default: +- return 0; ++ return NULL; + } + + /* Adjust the 'offset' (insertion-point) to keep the lists of extended +@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type) + for (last = (unsigned) (max - 1); last > tindex; last--) + + if (!found) { ++ char *saved; ++ ++ if ((saved = _nc_save_str(name)) == NULL) ++ return NULL; ++ + switch (token_type) { + case BOOLEAN: + tp->ext_Booleans++; +@@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type) + TYPE_REALLOC(char *, actual, tp->ext_Names); + while (--actual > offset) + tp->ext_Names[actual] = tp->ext_Names[actual - 1]; +- tp->ext_Names[offset] = _nc_save_str(name); ++ tp->ext_Names[offset] = saved; + } + + temp.nte_name = tp->ext_Names[offset]; +@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent) + bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0); + bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0); + if (is_use || is_tc) { ++ char *saved; ++ + if (!VALID_STRING(_nc_curr_token.tk_valstring) + || _nc_curr_token.tk_valstring[0] == '\0') { + _nc_warning("missing name for use-clause"); +@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent) + _nc_curr_token.tk_valstring); + continue; + } +- entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring); +- entryp->uses[entryp->nuses].line = _nc_curr_line; +- entryp->nuses++; +- if (entryp->nuses > 1 && is_tc) { +- BAD_TC_USAGE ++ if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) { ++ entryp->uses[entryp->nuses].name = saved; ++ entryp->uses[entryp->nuses].line = _nc_curr_line; ++ entryp->nuses++; ++ if (entryp->nuses > 1 && is_tc) { ++ BAD_TC_USAGE ++ } + } + } else { + /* normal token lookup */ +-- +2.25.1 + diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc index 7f1834f0dc..ee0b15ecf0 100644 --- a/meta/recipes-core/ncurses/ncurses.inc +++ b/meta/recipes-core/ncurses/ncurses.inc @@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \ inherit autotools binconfig-disabled multilib_header pkgconfig # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/ -SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https" +SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https;branch=master" EXTRA_AUTORECONF = "-I m4" diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb index 76f0cf97f4..dbff149f55 100644 --- a/meta/recipes-core/ncurses/ncurses_6.2.bb +++ b/meta/recipes-core/ncurses/ncurses_6.2.bb @@ -3,11 +3,15 @@ require ncurses.inc SRC_URI += "file://0001-tic-hang.patch \ file://0002-configure-reproducible.patch \ file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \ + file://CVE-2021-39537.patch \ + file://CVE-2022-29458.patch \ + file://CVE-2023-29491.patch \ + file://CVE-2023-50495.patch \ " # commit id corresponds to the revision in package version SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4" S = "${WORKDIR}/git" -EXTRA_OECONF += "--with-abi-version=5" +EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)" # This is needed when using patchlevel versions like 6.1+20181013 |