diff options
author | Trevor Gamblin <trevor.gamblin@windriver.com> | 2019-10-18 07:35:36 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-29 09:08:17 +0000 |
commit | ed29b7291d45a94271dff9fe8ca3611d6b025e27 (patch) | |
tree | 496091e6eea8a617014261e3229fa1ce2b8a916d /meta/recipes-core | |
parent | 5fb336e9579420a90561f57908a2300d1c4abd64 (diff) | |
download | poky-ed29b7291d45a94271dff9fe8ca3611d6b025e27.tar.gz |
ncurses: fix CVE-2019-17594, CVE-2019-17595
Backport changes to tinfo/comp_hash.c, tinfo/parse_entry.c,
and progs/dump_entry.c from upstream to fix CVEs.
(From OE-Core rev: 7ec70aeb0c6f6080523efa0f983fa36b92cb5558)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch | 169 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/ncurses_6.1+20190803.bb | 1 |
2 files changed, 170 insertions, 0 deletions
diff --git a/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch new file mode 100644 index 0000000000..7870c4ba32 --- /dev/null +++ b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch | |||
@@ -0,0 +1,169 @@ | |||
1 | From 064b77f173337aa790f1cec0d741bfbc61a33d31 Mon Sep 17 00:00:00 2001 | ||
2 | From: Trevor Gamblin <trevor.gamblin@windriver.com> | ||
3 | Date: Fri, 18 Oct 2019 09:57:43 -0400 | ||
4 | Subject: [PATCH] ncurses: selective backport of 20191012 patch | ||
5 | |||
6 | Upstream-Status: Backport [https://salsa.debian.org/debian/ncurses/commit/243908b1e3d81] | ||
7 | |||
8 | Contents of the upstream patch that are not applied to comp_hash.c, | ||
9 | parse_entry.c, or dump_entry.c have been omitted. | ||
10 | |||
11 | CVE: CVE-2019-17594 | ||
12 | CVE: CVE-2019-17595 | ||
13 | |||
14 | Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> | ||
15 | |||
16 | --- | ||
17 | ncurses/tinfo/comp_hash.c | 14 ++++++++++---- | ||
18 | ncurses/tinfo/parse_entry.c | 32 ++++++++++++++++---------------- | ||
19 | progs/dump_entry.c | 7 ++++--- | ||
20 | 3 files changed, 30 insertions(+), 23 deletions(-) | ||
21 | |||
22 | diff --git a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c | ||
23 | index 21f165ca..a62d38f9 100644 | ||
24 | --- a/ncurses/tinfo/comp_hash.c | ||
25 | +++ b/ncurses/tinfo/comp_hash.c | ||
26 | @@ -44,7 +44,7 @@ | ||
27 | #include <tic.h> | ||
28 | #include <hashsize.h> | ||
29 | |||
30 | -MODULE_ID("$Id: comp_hash.c,v 1.49 2019/03/10 00:06:48 tom Exp $") | ||
31 | +MODULE_ID("$Id: comp_hash.c,v 1.51 2019/10/12 16:32:13 tom Exp $") | ||
32 | |||
33 | /* | ||
34 | * Finds the entry for the given string in the hash table if present. | ||
35 | @@ -63,7 +63,9 @@ _nc_find_entry(const char *string, | ||
36 | |||
37 | hashvalue = data->hash_of(string); | ||
38 | |||
39 | - if (data->table_data[hashvalue] >= 0) { | ||
40 | + if (hashvalue >= 0 | ||
41 | + && (unsigned) hashvalue < data->table_size | ||
42 | + && data->table_data[hashvalue] >= 0) { | ||
43 | |||
44 | real_table = _nc_get_table(termcap); | ||
45 | ptr = real_table + data->table_data[hashvalue]; | ||
46 | @@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string, | ||
47 | const HashData *data = _nc_get_hash_info(termcap); | ||
48 | int hashvalue = data->hash_of(string); | ||
49 | |||
50 | - if (data->table_data[hashvalue] >= 0) { | ||
51 | + if (hashvalue >= 0 | ||
52 | + && (unsigned) hashvalue < data->table_size | ||
53 | + && data->table_data[hashvalue] >= 0) { | ||
54 | const struct name_table_entry *const table = _nc_get_table(termcap); | ||
55 | |||
56 | ptr = table + data->table_data[hashvalue]; | ||
57 | @@ -124,7 +128,9 @@ _nc_find_user_entry(const char *string) | ||
58 | |||
59 | hashvalue = data->hash_of(string); | ||
60 | |||
61 | - if (data->table_data[hashvalue] >= 0) { | ||
62 | + if (hashvalue >= 0 | ||
63 | + && (unsigned) hashvalue < data->table_size | ||
64 | + && data->table_data[hashvalue] >= 0) { | ||
65 | |||
66 | real_table = _nc_get_userdefs_table(); | ||
67 | ptr = real_table + data->table_data[hashvalue]; | ||
68 | diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c | ||
69 | index f8cca8b5..064376c5 100644 | ||
70 | --- a/ncurses/tinfo/parse_entry.c | ||
71 | +++ b/ncurses/tinfo/parse_entry.c | ||
72 | @@ -47,7 +47,7 @@ | ||
73 | #include <ctype.h> | ||
74 | #include <tic.h> | ||
75 | |||
76 | -MODULE_ID("$Id: parse_entry.c,v 1.97 2019/08/03 23:10:38 tom Exp $") | ||
77 | +MODULE_ID("$Id: parse_entry.c,v 1.98 2019/10/12 00:50:31 tom Exp $") | ||
78 | |||
79 | #ifdef LINT | ||
80 | static short const parametrized[] = | ||
81 | @@ -654,12 +654,12 @@ _nc_capcmp(const char *s, const char *t) | ||
82 | } | ||
83 | |||
84 | static void | ||
85 | -append_acs0(string_desc * dst, int code, int src) | ||
86 | +append_acs0(string_desc * dst, int code, char *src, size_t off) | ||
87 | { | ||
88 | - if (src != 0) { | ||
89 | + if (src != 0 && off < strlen(src)) { | ||
90 | char temp[3]; | ||
91 | temp[0] = (char) code; | ||
92 | - temp[1] = (char) src; | ||
93 | + temp[1] = src[off]; | ||
94 | temp[2] = 0; | ||
95 | _nc_safe_strcat(dst, temp); | ||
96 | } | ||
97 | @@ -669,7 +669,7 @@ static void | ||
98 | append_acs(string_desc * dst, int code, char *src) | ||
99 | { | ||
100 | if (VALID_STRING(src) && strlen(src) == 1) { | ||
101 | - append_acs0(dst, code, *src); | ||
102 | + append_acs0(dst, code, src, 0); | ||
103 | } | ||
104 | } | ||
105 | |||
106 | @@ -1038,17 +1038,17 @@ postprocess_terminfo(TERMTYPE2 *tp) | ||
107 | _nc_str_init(&result, buf2, sizeof(buf2)); | ||
108 | _nc_safe_strcat(&result, acs_chars); | ||
109 | |||
110 | - append_acs0(&result, 'l', box_chars_1[0]); /* ACS_ULCORNER */ | ||
111 | - append_acs0(&result, 'q', box_chars_1[1]); /* ACS_HLINE */ | ||
112 | - append_acs0(&result, 'k', box_chars_1[2]); /* ACS_URCORNER */ | ||
113 | - append_acs0(&result, 'x', box_chars_1[3]); /* ACS_VLINE */ | ||
114 | - append_acs0(&result, 'j', box_chars_1[4]); /* ACS_LRCORNER */ | ||
115 | - append_acs0(&result, 'm', box_chars_1[5]); /* ACS_LLCORNER */ | ||
116 | - append_acs0(&result, 'w', box_chars_1[6]); /* ACS_TTEE */ | ||
117 | - append_acs0(&result, 'u', box_chars_1[7]); /* ACS_RTEE */ | ||
118 | - append_acs0(&result, 'v', box_chars_1[8]); /* ACS_BTEE */ | ||
119 | - append_acs0(&result, 't', box_chars_1[9]); /* ACS_LTEE */ | ||
120 | - append_acs0(&result, 'n', box_chars_1[10]); /* ACS_PLUS */ | ||
121 | + append_acs0(&result, 'l', box_chars_1, 0); /* ACS_ULCORNER */ | ||
122 | + append_acs0(&result, 'q', box_chars_1, 1); /* ACS_HLINE */ | ||
123 | + append_acs0(&result, 'k', box_chars_1, 2); /* ACS_URCORNER */ | ||
124 | + append_acs0(&result, 'x', box_chars_1, 3); /* ACS_VLINE */ | ||
125 | + append_acs0(&result, 'j', box_chars_1, 4); /* ACS_LRCORNER */ | ||
126 | + append_acs0(&result, 'm', box_chars_1, 5); /* ACS_LLCORNER */ | ||
127 | + append_acs0(&result, 'w', box_chars_1, 6); /* ACS_TTEE */ | ||
128 | + append_acs0(&result, 'u', box_chars_1, 7); /* ACS_RTEE */ | ||
129 | + append_acs0(&result, 'v', box_chars_1, 8); /* ACS_BTEE */ | ||
130 | + append_acs0(&result, 't', box_chars_1, 9); /* ACS_LTEE */ | ||
131 | + append_acs0(&result, 'n', box_chars_1, 10); /* ACS_PLUS */ | ||
132 | |||
133 | if (buf2[0]) { | ||
134 | acs_chars = _nc_save_str(buf2); | ||
135 | diff --git a/progs/dump_entry.c b/progs/dump_entry.c | ||
136 | index d0e420ec..8a47084a 100644 | ||
137 | --- a/progs/dump_entry.c | ||
138 | +++ b/progs/dump_entry.c | ||
139 | @@ -39,7 +39,7 @@ | ||
140 | #include "termsort.c" /* this C file is generated */ | ||
141 | #include <parametrized.h> /* so is this */ | ||
142 | |||
143 | -MODULE_ID("$Id: dump_entry.c,v 1.173 2019/05/11 21:02:24 tom Exp $") | ||
144 | +MODULE_ID("$Id: dump_entry.c,v 1.175 2019/10/12 15:59:07 tom Exp $") | ||
145 | |||
146 | #define DISCARD(string) string = ABSENT_STRING | ||
147 | #define PRINTF (void) printf | ||
148 | @@ -1136,7 +1136,8 @@ fmt_entry(TERMTYPE2 *tterm, | ||
149 | *d++ = '\\'; | ||
150 | *d = ':'; | ||
151 | } else if (*d == '\\') { | ||
152 | - *++d = *s++; | ||
153 | + if ((*++d = *s++) == '\0') | ||
154 | + break; | ||
155 | } | ||
156 | d++; | ||
157 | *d = '\0'; | ||
158 | @@ -1396,7 +1397,7 @@ one_one_mapping(const char *mapping) | ||
159 | |||
160 | if (VALID_STRING(mapping)) { | ||
161 | int n = 0; | ||
162 | - while (mapping[n] != '\0') { | ||
163 | + while (mapping[n] != '\0' && mapping[n + 1] != '\0') { | ||
164 | if (isLine(mapping[n]) && | ||
165 | mapping[n] != mapping[n + 1]) { | ||
166 | result = FALSE; | ||
167 | -- | ||
168 | 2.17.1 | ||
169 | |||
diff --git a/meta/recipes-core/ncurses/ncurses_6.1+20190803.bb b/meta/recipes-core/ncurses/ncurses_6.1+20190803.bb index a44d78e4fe..e638a3737c 100644 --- a/meta/recipes-core/ncurses/ncurses_6.1+20190803.bb +++ b/meta/recipes-core/ncurses/ncurses_6.1+20190803.bb | |||
@@ -3,6 +3,7 @@ require ncurses.inc | |||
3 | SRC_URI += "file://0001-tic-hang.patch \ | 3 | SRC_URI += "file://0001-tic-hang.patch \ |
4 | file://0002-configure-reproducible.patch \ | 4 | file://0002-configure-reproducible.patch \ |
5 | file://config.cache \ | 5 | file://config.cache \ |
6 | file://0001-ncurses-selective-backport-of-20191012-patch.patch \ | ||
6 | " | 7 | " |
7 | # commit id corresponds to the revision in package version | 8 | # commit id corresponds to the revision in package version |
8 | SRCREV = "3c9b2677c96c645496997321bf2fe465a5e7e21f" | 9 | SRCREV = "3c9b2677c96c645496997321bf2fe465a5e7e21f" |