diff options
author | Mingli Yu <mingli.yu@windriver.com> | 2024-04-10 13:29:38 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-04-22 22:05:57 +0100 |
commit | 52000c8758a5c3dd1d2c0027771d1cd231ae9e27 (patch) | |
tree | df2c46f0c7fe106a74f77b6f76253d2111d78da0 | |
parent | 3126159fe4e98edb8bba2dcd8ad4d7a7001502da (diff) | |
download | poky-52000c8758a5c3dd1d2c0027771d1cd231ae9e27.tar.gz |
ncurses: Fix CVE-2023-50495
Backport a patch [1] to fix CVE-2023-50495.
[1] http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=7723dd6799ab10b32047ec73b14df9f107bafe99
(From OE-Core rev: bdae54177308b338bd7c75437ae4943e9da8c8ab)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2023-50495.patch | 301 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/ncurses_6.4.bb | 1 |
2 files changed, 302 insertions, 0 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2023-50495.patch b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch new file mode 100644 index 0000000000..7d90ddd30f --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch | |||
@@ -0,0 +1,301 @@ | |||
1 | From 7daae3f2139a678fe0ae0b42fcf8d807cbff485c Mon Sep 17 00:00:00 2001 | ||
2 | From: Mingli Yu <mingli.yu@windriver.com> | ||
3 | Date: Sun, 4 Feb 2024 13:42:38 +0800 | ||
4 | Subject: [PATCH] parse_entry.c: check return value of _nc_save_str | ||
5 | |||
6 | * check return value of _nc_save_str(), in special case for tic where | ||
7 | extended capabilities are processed but the terminal description was | ||
8 | not initialized (report by Ziqiao Kong). | ||
9 | |||
10 | * regenerate llib-* files. | ||
11 | |||
12 | CVE: CVE-2023-50495 | ||
13 | |||
14 | Upstream-Status: Backport [http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=7723dd6799ab10b32047ec73b14df9f107bafe99] | ||
15 | |||
16 | Signed-off-by: Mingli Yu <mingli.yu@windriver.com> | ||
17 | --- | ||
18 | ncurses/llib-lncurses | 15 +++++++++++++++ | ||
19 | ncurses/llib-lncursest | 15 +++++++++++++++ | ||
20 | ncurses/llib-lncursestw | 15 +++++++++++++++ | ||
21 | ncurses/llib-lncursesw | 15 +++++++++++++++ | ||
22 | ncurses/llib-ltinfo | 15 +++++++++++++++ | ||
23 | ncurses/llib-ltinfot | 15 +++++++++++++++ | ||
24 | ncurses/llib-ltinfotw | 15 +++++++++++++++ | ||
25 | ncurses/llib-ltinfow | 15 +++++++++++++++ | ||
26 | ncurses/tinfo/parse_entry.c | 23 ++++++++++++++++------- | ||
27 | 9 files changed, 136 insertions(+), 7 deletions(-) | ||
28 | |||
29 | diff --git a/ncurses/llib-lncurses b/ncurses/llib-lncurses | ||
30 | index 211cf3b7..e4190aa2 100644 | ||
31 | --- a/ncurses/llib-lncurses | ||
32 | +++ b/ncurses/llib-lncurses | ||
33 | @@ -3656,6 +3656,21 @@ char *tiparm( | ||
34 | ...) | ||
35 | { return(*(char **)0); } | ||
36 | |||
37 | +#undef tiparm_s | ||
38 | +char *tiparm_s( | ||
39 | + int num_expected, | ||
40 | + int tparm_type, | ||
41 | + const char *string, | ||
42 | + ...) | ||
43 | + { return(*(char **)0); } | ||
44 | + | ||
45 | +#undef tiscan_s | ||
46 | +int tiscan_s( | ||
47 | + int *num_expected, | ||
48 | + int *tparm_type, | ||
49 | + const char *string) | ||
50 | + { return(*(int *)0); } | ||
51 | + | ||
52 | #undef _nc_tiparm | ||
53 | char *_nc_tiparm( | ||
54 | int expected, | ||
55 | diff --git a/ncurses/llib-lncursest b/ncurses/llib-lncursest | ||
56 | index 1b09d676..e07abba6 100644 | ||
57 | --- a/ncurses/llib-lncursest | ||
58 | +++ b/ncurses/llib-lncursest | ||
59 | @@ -3741,6 +3741,21 @@ char *tiparm( | ||
60 | ...) | ||
61 | { return(*(char **)0); } | ||
62 | |||
63 | +#undef tiparm_s | ||
64 | +char *tiparm_s( | ||
65 | + int num_expected, | ||
66 | + int tparm_type, | ||
67 | + const char *string, | ||
68 | + ...) | ||
69 | + { return(*(char **)0); } | ||
70 | + | ||
71 | +#undef tiscan_s | ||
72 | +int tiscan_s( | ||
73 | + int *num_expected, | ||
74 | + int *tparm_type, | ||
75 | + const char *string) | ||
76 | + { return(*(int *)0); } | ||
77 | + | ||
78 | #undef _nc_tiparm | ||
79 | char *_nc_tiparm( | ||
80 | int expected, | ||
81 | diff --git a/ncurses/llib-lncursestw b/ncurses/llib-lncursestw | ||
82 | index 4576e0fc..747c6be8 100644 | ||
83 | --- a/ncurses/llib-lncursestw | ||
84 | +++ b/ncurses/llib-lncursestw | ||
85 | @@ -4702,6 +4702,21 @@ char *tiparm( | ||
86 | ...) | ||
87 | { return(*(char **)0); } | ||
88 | |||
89 | +#undef tiparm_s | ||
90 | +char *tiparm_s( | ||
91 | + int num_expected, | ||
92 | + int tparm_type, | ||
93 | + const char *string, | ||
94 | + ...) | ||
95 | + { return(*(char **)0); } | ||
96 | + | ||
97 | +#undef tiscan_s | ||
98 | +int tiscan_s( | ||
99 | + int *num_expected, | ||
100 | + int *tparm_type, | ||
101 | + const char *string) | ||
102 | + { return(*(int *)0); } | ||
103 | + | ||
104 | #undef _nc_tiparm | ||
105 | char *_nc_tiparm( | ||
106 | int expected, | ||
107 | diff --git a/ncurses/llib-lncursesw b/ncurses/llib-lncursesw | ||
108 | index 127350d2..862305d9 100644 | ||
109 | --- a/ncurses/llib-lncursesw | ||
110 | +++ b/ncurses/llib-lncursesw | ||
111 | @@ -4617,6 +4617,21 @@ char *tiparm( | ||
112 | ...) | ||
113 | { return(*(char **)0); } | ||
114 | |||
115 | +#undef tiparm_s | ||
116 | +char *tiparm_s( | ||
117 | + int num_expected, | ||
118 | + int tparm_type, | ||
119 | + const char *string, | ||
120 | + ...) | ||
121 | + { return(*(char **)0); } | ||
122 | + | ||
123 | +#undef tiscan_s | ||
124 | +int tiscan_s( | ||
125 | + int *num_expected, | ||
126 | + int *tparm_type, | ||
127 | + const char *string) | ||
128 | + { return(*(int *)0); } | ||
129 | + | ||
130 | #undef _nc_tiparm | ||
131 | char *_nc_tiparm( | ||
132 | int expected, | ||
133 | diff --git a/ncurses/llib-ltinfo b/ncurses/llib-ltinfo | ||
134 | index a5cd7cd3..31e5e9a6 100644 | ||
135 | --- a/ncurses/llib-ltinfo | ||
136 | +++ b/ncurses/llib-ltinfo | ||
137 | @@ -927,6 +927,21 @@ char *tiparm( | ||
138 | ...) | ||
139 | { return(*(char **)0); } | ||
140 | |||
141 | +#undef tiparm_s | ||
142 | +char *tiparm_s( | ||
143 | + int num_expected, | ||
144 | + int tparm_type, | ||
145 | + const char *string, | ||
146 | + ...) | ||
147 | + { return(*(char **)0); } | ||
148 | + | ||
149 | +#undef tiscan_s | ||
150 | +int tiscan_s( | ||
151 | + int *num_expected, | ||
152 | + int *tparm_type, | ||
153 | + const char *string) | ||
154 | + { return(*(int *)0); } | ||
155 | + | ||
156 | #undef _nc_tiparm | ||
157 | char *_nc_tiparm( | ||
158 | int expected, | ||
159 | diff --git a/ncurses/llib-ltinfot b/ncurses/llib-ltinfot | ||
160 | index bd3de812..48e5c25a 100644 | ||
161 | --- a/ncurses/llib-ltinfot | ||
162 | +++ b/ncurses/llib-ltinfot | ||
163 | @@ -1003,6 +1003,21 @@ char *tiparm( | ||
164 | ...) | ||
165 | { return(*(char **)0); } | ||
166 | |||
167 | +#undef tiparm_s | ||
168 | +char *tiparm_s( | ||
169 | + int num_expected, | ||
170 | + int tparm_type, | ||
171 | + const char *string, | ||
172 | + ...) | ||
173 | + { return(*(char **)0); } | ||
174 | + | ||
175 | +#undef tiscan_s | ||
176 | +int tiscan_s( | ||
177 | + int *num_expected, | ||
178 | + int *tparm_type, | ||
179 | + const char *string) | ||
180 | + { return(*(int *)0); } | ||
181 | + | ||
182 | #undef _nc_tiparm | ||
183 | char *_nc_tiparm( | ||
184 | int expected, | ||
185 | diff --git a/ncurses/llib-ltinfotw b/ncurses/llib-ltinfotw | ||
186 | index 4d35a1e1..64dfdfa5 100644 | ||
187 | --- a/ncurses/llib-ltinfotw | ||
188 | +++ b/ncurses/llib-ltinfotw | ||
189 | @@ -1025,6 +1025,21 @@ char *tiparm( | ||
190 | ...) | ||
191 | { return(*(char **)0); } | ||
192 | |||
193 | +#undef tiparm_s | ||
194 | +char *tiparm_s( | ||
195 | + int num_expected, | ||
196 | + int tparm_type, | ||
197 | + const char *string, | ||
198 | + ...) | ||
199 | + { return(*(char **)0); } | ||
200 | + | ||
201 | +#undef tiscan_s | ||
202 | +int tiscan_s( | ||
203 | + int *num_expected, | ||
204 | + int *tparm_type, | ||
205 | + const char *string) | ||
206 | + { return(*(int *)0); } | ||
207 | + | ||
208 | #undef _nc_tiparm | ||
209 | char *_nc_tiparm( | ||
210 | int expected, | ||
211 | diff --git a/ncurses/llib-ltinfow b/ncurses/llib-ltinfow | ||
212 | index db846764..7e17a35f 100644 | ||
213 | --- a/ncurses/llib-ltinfow | ||
214 | +++ b/ncurses/llib-ltinfow | ||
215 | @@ -949,6 +949,21 @@ char *tiparm( | ||
216 | ...) | ||
217 | { return(*(char **)0); } | ||
218 | |||
219 | +#undef tiparm_s | ||
220 | +char *tiparm_s( | ||
221 | + int num_expected, | ||
222 | + int tparm_type, | ||
223 | + const char *string, | ||
224 | + ...) | ||
225 | + { return(*(char **)0); } | ||
226 | + | ||
227 | +#undef tiscan_s | ||
228 | +int tiscan_s( | ||
229 | + int *num_expected, | ||
230 | + int *tparm_type, | ||
231 | + const char *string) | ||
232 | + { return(*(int *)0); } | ||
233 | + | ||
234 | #undef _nc_tiparm | ||
235 | char *_nc_tiparm( | ||
236 | int expected, | ||
237 | diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c | ||
238 | index 14bcb67e..0a0b5637 100644 | ||
239 | --- a/ncurses/tinfo/parse_entry.c | ||
240 | +++ b/ncurses/tinfo/parse_entry.c | ||
241 | @@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type) | ||
242 | /* Well, we are given a cancel for a name that we don't recognize */ | ||
243 | return _nc_extend_names(entryp, name, STRING); | ||
244 | default: | ||
245 | - return 0; | ||
246 | + return NULL; | ||
247 | } | ||
248 | |||
249 | /* Adjust the 'offset' (insertion-point) to keep the lists of extended | ||
250 | @@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type) | ||
251 | for (last = (unsigned) (max - 1); last > tindex; last--) | ||
252 | |||
253 | if (!found) { | ||
254 | + char *saved; | ||
255 | + | ||
256 | + if ((saved = _nc_save_str(name)) == NULL) | ||
257 | + return NULL; | ||
258 | + | ||
259 | switch (token_type) { | ||
260 | case BOOLEAN: | ||
261 | tp->ext_Booleans++; | ||
262 | @@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type) | ||
263 | TYPE_REALLOC(char *, actual, tp->ext_Names); | ||
264 | while (--actual > offset) | ||
265 | tp->ext_Names[actual] = tp->ext_Names[actual - 1]; | ||
266 | - tp->ext_Names[offset] = _nc_save_str(name); | ||
267 | + tp->ext_Names[offset] = saved; | ||
268 | } | ||
269 | |||
270 | temp.nte_name = tp->ext_Names[offset]; | ||
271 | @@ -364,6 +369,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent) | ||
272 | bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0); | ||
273 | bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0); | ||
274 | if (is_use || is_tc) { | ||
275 | + char *saved; | ||
276 | + | ||
277 | if (!VALID_STRING(_nc_curr_token.tk_valstring) | ||
278 | || _nc_curr_token.tk_valstring[0] == '\0') { | ||
279 | _nc_warning("missing name for use-clause"); | ||
280 | @@ -377,11 +384,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent) | ||
281 | _nc_curr_token.tk_valstring); | ||
282 | continue; | ||
283 | } | ||
284 | - entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring); | ||
285 | - entryp->uses[entryp->nuses].line = _nc_curr_line; | ||
286 | - entryp->nuses++; | ||
287 | - if (entryp->nuses > 1 && is_tc) { | ||
288 | - BAD_TC_USAGE | ||
289 | + if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) { | ||
290 | + entryp->uses[entryp->nuses].name = saved; | ||
291 | + entryp->uses[entryp->nuses].line = _nc_curr_line; | ||
292 | + entryp->nuses++; | ||
293 | + if (entryp->nuses > 1 && is_tc) { | ||
294 | + BAD_TC_USAGE | ||
295 | + } | ||
296 | } | ||
297 | } else { | ||
298 | /* normal token lookup */ | ||
299 | -- | ||
300 | 2.25.1 | ||
301 | |||
diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4.bb index 2c621525f9..31f18bbadc 100644 --- a/meta/recipes-core/ncurses/ncurses_6.4.bb +++ b/meta/recipes-core/ncurses/ncurses_6.4.bb | |||
@@ -6,6 +6,7 @@ SRC_URI += "file://0001-tic-hang.patch \ | |||
6 | file://exit_prototype.patch \ | 6 | file://exit_prototype.patch \ |
7 | file://0001-Fix-CVE-2023-29491.patch \ | 7 | file://0001-Fix-CVE-2023-29491.patch \ |
8 | file://0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch \ | 8 | file://0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch \ |
9 | file://CVE-2023-50495.patch \ | ||
9 | " | 10 | " |
10 | # commit id corresponds to the revision in package version | 11 | # commit id corresponds to the revision in package version |
11 | SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f" | 12 | SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f" |