ncurses: Fix CVE-2023-45918

ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45918 (From OE-Core rev: 6573995adf4cfd48b036f8463b39f3864fcfd85b) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Soumya Sambu <soumya.sambu@windriver.com> 2024-05-06 04:32:58 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-05-09 09:48:58 +0100
commit: d0fc704e40c2cdec41f9eb83fca92312d4ff1b29 (patch)
tree: e1133b2ab17ebd510321cd6e61a7dcbafa1ee636
parent: 12c447b38a87e6de8541c10960dd544956fc5762 (diff)
download: poky-d0fc704e40c2cdec41f9eb83fca92312d4ff1b29.tar.gz
2 files changed, 181 insertions, 0 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2023-45918.patch b/meta/recipes-core/ncurses/files/CVE-2023-45918.patch
new file mode 100644
index 0000000000..fbdae49a61
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-45918.patch
@@ -0,0 +1,180 @@
+From bcf02d3242f1c7d57224a95f7903fcf4b5e7695d Mon Sep 17 00:00:00 2001
+From: Thomas E. Dickey <dickey@invisible-island.net>
+Date: Fri, 16 Jun 2023 02:54:29 +0530
+Subject: [PATCH] Fix CVE-2023-45918
+CVE: CVE-2023-45918
+Upstream-Status: Backport [https://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=bcf02d3242f1c7d57224a95f7903fcf4b5e7695d]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ ncurses/tinfo/comp_error.c | 15 ++++++---
+ ncurses/tinfo/read_entry.c | 65 ++++++++++++++++++++++++++------------
+ 2 files changed, 56 insertions(+), 24 deletions(-)
+diff --git a/ncurses/tinfo/comp_error.c b/ncurses/tinfo/comp_error.c
+index 48f48784..ee518e28 100644
+--- a/ncurses/tinfo/comp_error.c
+++ b/ncurses/tinfo/comp_error.c
+@@ -60,8 +60,15 @@ _nc_get_source(void)
+ NCURSES_EXPORT(void)
+ _nc_set_source(const char *const name)
+ {
+-    FreeIfNeeded(SourceName);
+-    SourceName = strdup(name);
+    if (name == NULL) {
+       free(SourceName);
+       SourceName = NULL;
+    } else if (SourceName == NULL) {
+       SourceName = strdup(name);
+    } else if (strcmp(name, SourceName)) {
+       free(SourceName);
+       SourceName = strdup(name);
+    }
+ }
+ NCURSES_EXPORT(void)
+@@ -95,9 +102,9 @@ static NCURSES_INLINE void
+ where_is_problem(void)
+ {
+     fprintf(stderr, "\"%s\"", SourceName ? SourceName : "?");
+-    if (_nc_curr_line >= 0)
+    if (_nc_curr_line > 0)
+        fprintf(stderr, ", line %d", _nc_curr_line);
+-    if (_nc_curr_col >= 0)
+    if (_nc_curr_col > 0)
+        fprintf(stderr, ", col %d", _nc_curr_col);
+     if (TermType != 0 && TermType[0] != '\0')
+        fprintf(stderr, ", terminal '%s'", TermType);
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 341337d2..b0c3ad26 100644
+--- a/ncurses/tinfo/read_entry.c
+++ b/ncurses/tinfo/read_entry.c
+@@ -138,12 +138,13 @@ convert_16bits(char *buf, NCURSES_INT2 *Numbers, int count)
+ }
+ #endif
+-static void
+-convert_strings(char *buf, char **Strings, int count, int size, char *table)
+static bool
+convert_strings(char *buf, char **Strings, int count, int size,
+               char *table, bool always)
+ {
+     int i;
+     char *p;
+-    bool corrupt = FALSE;
+    bool success = TRUE;
+     for (i = 0; i < count; i++) {
+        if (IS_NEG1(buf + 2 * i)) {
+@@ -159,13 +160,10 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+                TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
+                                    _nc_visbuf(Strings[i])));
+            } else {
+-               if (!corrupt) {
+-                   corrupt = TRUE;
+-                   TR(TRACE_DATABASE,
+-                      ("ignore out-of-range index %d to Strings[]", nn));
+-                   _nc_warning("corrupt data found in convert_strings");
+-               }
+-               Strings[i] = ABSENT_STRING;
+               TR(TRACE_DATABASE,
+                  ("found out-of-range index %d to Strings[%d]", nn, i));
+               success = FALSE;
+               break;
+            }
+        }
+@@ -175,10 +173,25 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+                if (*p == '\0')
+                    break;
+            /* if there is no NUL, ignore the string */
+-           if (p >= table + size)
+           if (p >= table + size) {
+                Strings[i] = ABSENT_STRING;
+           } else if (p == Strings[i] && always) {
+               TR(TRACE_DATABASE,
+                  ("found empty but required Strings[%d]", i));
+               success = FALSE;
+               break;
+           }
+       } else if (always) {    /* names are always needed */
+           TR(TRACE_DATABASE,
+              ("found invalid but required Strings[%d]", i));
+           success = FALSE;
+           break;
+        }
+     }
+    if (!success) {
+       _nc_warning("corrupt data found in convert_strings");
+    }
+    return success;
+ }
+ static int
+@@ -382,7 +395,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
+        if (Read(string_table, (unsigned) str_size) != str_size) {
+            returnDB(TGETENT_NO);
+        }
+-       convert_strings(buf, ptr->Strings, str_count, str_size, string_table);
+       if (!convert_strings(buf, ptr->Strings, str_count, str_size,
+                            string_table, FALSE)) {
+           returnDB(TGETENT_NO);
+       }
+     }
+ #if NCURSES_XNAMES
+@@ -483,8 +499,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
+               ("Before computing extended-string capabilities "
+                "str_count=%d, ext_str_count=%d",
+                str_count, ext_str_count));
+-           convert_strings(buf, ptr->Strings + str_count, ext_str_count,
+-                           ext_str_limit, ptr->ext_str_table);
+           if (!convert_strings(buf, ptr->Strings + str_count, ext_str_count,
+                                ext_str_limit, ptr->ext_str_table, FALSE)) {
+               returnDB(TGETENT_NO);
+           }
+            for (i = ext_str_count - 1; i >= 0; i--) {
+                TR(TRACE_DATABASE, ("MOVE from [%d:%d] %s",
+                                    i, i + str_count,
+@@ -516,10 +534,13 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
+            TR(TRACE_DATABASE,
+               ("ext_NAMES starting @%d in extended_strings, first = %s",
+                base, _nc_visbuf(ptr->ext_str_table + base)));
+-           convert_strings(buf + (2 * ext_str_count),
+-                           ptr->ext_Names,
+-                           (int) need,
+-                           ext_str_limit, ptr->ext_str_table + base);
+           if (!convert_strings(buf + (2 * ext_str_count),
+                                ptr->ext_Names,
+                                (int) need,
+                                ext_str_limit, ptr->ext_str_table + base,
+                                TRUE)) {
+               returnDB(TGETENT_NO);
+           }
+        }
+        TR(TRACE_DATABASE,
+@@ -572,13 +593,17 @@ _nc_read_file_entry(const char *const filename, TERMTYPE2 *ptr)
+        int limit;
+        char buffer[MAX_ENTRY_SIZE + 1];
+-       if ((limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp))
+-           > 0) {
+       limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp);
+       if (limit > 0) {
+           const char *old_source = _nc_get_source();
+            TR(TRACE_DATABASE, ("read terminfo %s", filename));
+           if (old_source == NULL)
+               _nc_set_source(filename);
+            if ((code = _nc_read_termtype(ptr, buffer, limit)) == TGETENT_NO) {
+                _nc_free_termtype2(ptr);
+            }
+           _nc_set_source(old_source);
+        } else {
+            code = TGETENT_NO;
+        }
+--
+2.40.0
diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4.bb
index 31f18bbadc..97130c06d6 100644
--- a/meta/recipes-core/ncurses/ncurses_6.4.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.4.bb
@@ -7,6 +7,7 @@ SRC_URI += "file://0001-tic-hang.patch \
           file://0001-Fix-CVE-2023-29491.patch \
           file://0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch \
           file://CVE-2023-50495.patch \
+           file://CVE-2023-45918.patch \
           "
 # commit id corresponds to the revision in package version
 SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f"
author	Soumya Sambu <soumya.sambu@windriver.com>	2024-05-06 04:32:58 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-05-09 09:48:58 +0100
commit	d0fc704e40c2cdec41f9eb83fca92312d4ff1b29 (patch)
tree	e1133b2ab17ebd510321cd6e61a7dcbafa1ee636
parent	12c447b38a87e6de8541c10960dd544956fc5762 (diff)
download	poky-d0fc704e40c2cdec41f9eb83fca92312d4ff1b29.tar.gz

diff --git a/meta/recipes-core/ncurses/files/CVE-2023-45918.patch b/meta/recipes-core/ncurses/files/CVE-2023-45918.patch new file mode 100644 index 0000000000..fbdae49a61 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2023-45918.patch
@@ -0,0 +1,180 @@
		1	From bcf02d3242f1c7d57224a95f7903fcf4b5e7695d Mon Sep 17 00:00:00 2001
		2	From: Thomas E. Dickey <dickey@invisible-island.net>
		3	Date: Fri, 16 Jun 2023 02:54:29 +0530
		4	Subject: [PATCH] Fix CVE-2023-45918
		5
		6	CVE: CVE-2023-45918
		7
		8	Upstream-Status: Backport [https://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=bcf02d3242f1c7d57224a95f7903fcf4b5e7695d]
		9
		10	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		11	---
		12	ncurses/tinfo/comp_error.c \| 15 ++++++---
		13	ncurses/tinfo/read_entry.c \| 65 ++++++++++++++++++++++++++------------
		14	2 files changed, 56 insertions(+), 24 deletions(-)
		15
		16	diff --git a/ncurses/tinfo/comp_error.c b/ncurses/tinfo/comp_error.c
		17	index 48f48784..ee518e28 100644
		18	--- a/ncurses/tinfo/comp_error.c
		19	+++ b/ncurses/tinfo/comp_error.c
		20	@@ -60,8 +60,15 @@ _nc_get_source(void)
		21	NCURSES_EXPORT(void)
		22	_nc_set_source(const char *const name)
		23	{
		24	- FreeIfNeeded(SourceName);
		25	- SourceName = strdup(name);
		26	+ if (name == NULL) {
		27	+ free(SourceName);
		28	+ SourceName = NULL;
		29	+ } else if (SourceName == NULL) {
		30	+ SourceName = strdup(name);
		31	+ } else if (strcmp(name, SourceName)) {
		32	+ free(SourceName);
		33	+ SourceName = strdup(name);
		34	+ }
		35	}
		36
		37	NCURSES_EXPORT(void)
		38	@@ -95,9 +102,9 @@ static NCURSES_INLINE void
		39	where_is_problem(void)
		40	{
		41	fprintf(stderr, "\"%s\"", SourceName ? SourceName : "?");
		42	- if (_nc_curr_line >= 0)
		43	+ if (_nc_curr_line > 0)
		44	fprintf(stderr, ", line %d", _nc_curr_line);
		45	- if (_nc_curr_col >= 0)
		46	+ if (_nc_curr_col > 0)
		47	fprintf(stderr, ", col %d", _nc_curr_col);
		48	if (TermType != 0 && TermType[0] != '\0')
		49	fprintf(stderr, ", terminal '%s'", TermType);
		50	diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
		51	index 341337d2..b0c3ad26 100644
		52	--- a/ncurses/tinfo/read_entry.c
		53	+++ b/ncurses/tinfo/read_entry.c
		54	@@ -138,12 +138,13 @@ convert_16bits(char buf, NCURSES_INT2 Numbers, int count)
		55	}
		56	#endif
		57
		58	-static void
		59	-convert_strings(char buf, char Strings, int count, int size, char table)
		60	+static bool
		61	+convert_strings(char buf, char *Strings, int count, int size,
		62	+ char *table, bool always)
		63	{
		64	int i;
		65	char *p;
		66	- bool corrupt = FALSE;
		67	+ bool success = TRUE;
		68
		69	for (i = 0; i < count; i++) {
		70	if (IS_NEG1(buf + 2 * i)) {
		71	@@ -159,13 +160,10 @@ convert_strings(char buf, char Strings, int count, int size, char table)
		72	TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
		73	_nc_visbuf(Strings[i])));
		74	} else {
		75	- if (!corrupt) {
		76	- corrupt = TRUE;
		77	- TR(TRACE_DATABASE,
		78	- ("ignore out-of-range index %d to Strings[]", nn));
		79	- _nc_warning("corrupt data found in convert_strings");
		80	- }
		81	- Strings[i] = ABSENT_STRING;
		82	+ TR(TRACE_DATABASE,
		83	+ ("found out-of-range index %d to Strings[%d]", nn, i));
		84	+ success = FALSE;
		85	+ break;
		86	}
		87	}
		88
		89	@@ -175,10 +173,25 @@ convert_strings(char buf, char Strings, int count, int size, char table)
		90	if (*p == '\0')
		91	break;
		92	/* if there is no NUL, ignore the string */
		93	- if (p >= table + size)
		94	+ if (p >= table + size) {
		95	Strings[i] = ABSENT_STRING;
		96	+ } else if (p == Strings[i] && always) {
		97	+ TR(TRACE_DATABASE,
		98	+ ("found empty but required Strings[%d]", i));
		99	+ success = FALSE;
		100	+ break;
		101	+ }
		102	+ } else if (always) { /* names are always needed */
		103	+ TR(TRACE_DATABASE,
		104	+ ("found invalid but required Strings[%d]", i));
		105	+ success = FALSE;
		106	+ break;
		107	}
		108	}
		109	+ if (!success) {
		110	+ _nc_warning("corrupt data found in convert_strings");
		111	+ }
		112	+ return success;
		113	}
		114
		115	static int
		116	@@ -382,7 +395,10 @@ _nc_read_termtype(TERMTYPE2 ptr, char buffer, int limit)
		117	if (Read(string_table, (unsigned) str_size) != str_size) {
		118	returnDB(TGETENT_NO);
		119	}
		120	- convert_strings(buf, ptr->Strings, str_count, str_size, string_table);
		121	+ if (!convert_strings(buf, ptr->Strings, str_count, str_size,
		122	+ string_table, FALSE)) {
		123	+ returnDB(TGETENT_NO);
		124	+ }
		125	}
		126	#if NCURSES_XNAMES
		127
		128	@@ -483,8 +499,10 @@ _nc_read_termtype(TERMTYPE2 ptr, char buffer, int limit)
		129	("Before computing extended-string capabilities "
		130	"str_count=%d, ext_str_count=%d",
		131	str_count, ext_str_count));
		132	- convert_strings(buf, ptr->Strings + str_count, ext_str_count,
		133	- ext_str_limit, ptr->ext_str_table);
		134	+ if (!convert_strings(buf, ptr->Strings + str_count, ext_str_count,
		135	+ ext_str_limit, ptr->ext_str_table, FALSE)) {
		136	+ returnDB(TGETENT_NO);
		137	+ }
		138	for (i = ext_str_count - 1; i >= 0; i--) {
		139	TR(TRACE_DATABASE, ("MOVE from [%d:%d] %s",
		140	i, i + str_count,
		141	@@ -516,10 +534,13 @@ _nc_read_termtype(TERMTYPE2 ptr, char buffer, int limit)
		142	TR(TRACE_DATABASE,
		143	("ext_NAMES starting @%d in extended_strings, first = %s",
		144	base, _nc_visbuf(ptr->ext_str_table + base)));
		145	- convert_strings(buf + (2 * ext_str_count),
		146	- ptr->ext_Names,
		147	- (int) need,
		148	- ext_str_limit, ptr->ext_str_table + base);
		149	+ if (!convert_strings(buf + (2 * ext_str_count),
		150	+ ptr->ext_Names,
		151	+ (int) need,
		152	+ ext_str_limit, ptr->ext_str_table + base,
		153	+ TRUE)) {
		154	+ returnDB(TGETENT_NO);
		155	+ }
		156	}
		157
		158	TR(TRACE_DATABASE,
		159	@@ -572,13 +593,17 @@ _nc_read_file_entry(const char const filename, TERMTYPE2 ptr)
		160	int limit;
		161	char buffer[MAX_ENTRY_SIZE + 1];
		162
		163	- if ((limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp))
		164	- > 0) {
		165	+ limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp);
		166	+ if (limit > 0) {
		167	+ const char *old_source = _nc_get_source();
		168
		169	TR(TRACE_DATABASE, ("read terminfo %s", filename));
		170	+ if (old_source == NULL)
		171	+ _nc_set_source(filename);
		172	if ((code = _nc_read_termtype(ptr, buffer, limit)) == TGETENT_NO) {
		173	_nc_free_termtype2(ptr);
		174	}
		175	+ _nc_set_source(old_source);
		176	} else {
		177	code = TGETENT_NO;
		178	}
		179	--
		180	2.40.0


diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4.bb index 31f18bbadc..97130c06d6 100644 --- a/meta/recipes-core/ncurses/ncurses_6.4.bb +++ b/meta/recipes-core/ncurses/ncurses_6.4.bb
@@ -7,6 +7,7 @@ SRC_URI += "file://0001-tic-hang.patch \
7	file://0001-Fix-CVE-2023-29491.patch \	7	file://0001-Fix-CVE-2023-29491.patch \
8	file://0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch \	8	file://0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch \
9	file://CVE-2023-50495.patch \	9	file://CVE-2023-50495.patch \
		10	file://CVE-2023-45918.patch \
10	"	11	"
11	# commit id corresponds to the revision in package version	12	# commit id corresponds to the revision in package version
12	SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f"	13	SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f"