1 files changed, 135 insertions, 0 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2022-29458.patch b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
new file mode 100644
index 0000000000..eb1b7c96f9
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
@@ -0,0 +1,135 @@
+From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001
+From: Dan Tran <dantran@microsoft.com>
+Date: Fri, 13 May 2022 13:28:41 -0700
+Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read
+ and segmentation violation in convert_strings in tinfo/read_entry.c in the
+ terminfo library.
+CVE: CVE-2022-29458
+Upstream-Status: Backport
+[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870]
+Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ ncurses/tinfo/alloc_entry.c | 14 ++++++--------
+ ncurses/tinfo/read_entry.c  | 25 +++++++++++++++++++------
+ 2 files changed, 25 insertions(+), 14 deletions(-)
+diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
+index 4bf7d6c8..b49ad6aa 100644
+--- a/ncurses/tinfo/alloc_entry.c
+++ b/ncurses/tinfo/alloc_entry.c
+@@ -48,13 +48,11 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $")
+MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $")
+ 
+ #define ABSENT_OFFSET    -1
+ #define CANCELLED_OFFSET -2
+ 
+-#define MAX_STRTAB     4096    /* documented maximum entry size */
+-
+ static char *stringbuf;                /* buffer for string capabilities */
+ static size_t next_free;       /* next free character in stringbuf */
+ 
+@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp)
+     }
+ #endif
+ 
+-    if (stringbuf == 0)
+-       TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
+    if (stringbuf == NULL)
+       TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
+ 
+     next_free = 0;
+ 
+@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
+         * Cheat a little by making an empty string point to the end of the
+         * previous string.
+         */
+-       if (next_free < MAX_STRTAB) {
+       if (next_free < MAX_ENTRY_SIZE) {
+            result = (stringbuf + next_free - 1);
+        }
+-    } else if (next_free + len < MAX_STRTAB) {
+-       _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
+    } else if (next_free + len < MAX_ENTRY_SIZE) {
+       _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
+        DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
+        DEBUG(7, ("at location %d", (int) next_free));
+        next_free += len;
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 5b570b0f..23c2cebc 100644
+--- a/ncurses/tinfo/read_entry.c
+++ b/ncurses/tinfo/read_entry.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright 2018-2019,2020 Thomas E. Dickey                                *
+ * Copyright 2018-2021,2022 Thomas E. Dickey                                *
+  * Copyright 1998-2016,2017 Free Software Foundation, Inc.                  *
+  *                                                                          *
+  * Permission is hereby granted, free of charge, to any person obtaining a  *
+@@ -42,7 +42,7 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $")
+MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
+ 
+ #define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
+ 
+@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ {
+     int i;
+     char *p;
+    bool corrupt = FALSE;
+ 
+     for (i = 0; i < count; i++) {
+        if (IS_NEG1(buf + 2 * i)) {
+@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+        } else if (MyNumber(buf + 2 * i) > size) {
+            Strings[i] = ABSENT_STRING;
+        } else {
+-           Strings[i] = (MyNumber(buf + 2 * i) + table);
+-           TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
+           int nn = MyNumber(buf + 2 * i);
+           if (nn >= 0 && nn < size) {
+               Strings[i] = (nn + table);
+               TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
+                                   _nc_visbuf(Strings[i])));
+           } else {
+               if (!corrupt) {
+                   corrupt = TRUE;
+                   TR(TRACE_DATABASE,
+                      ("ignore out-of-range index %d to Strings[]", nn));
+                   _nc_warning("corrupt data found in convert_strings");
+               }
+               Strings[i] = ABSENT_STRING;
+           }
+        }
+ 
+        /* make sure all strings are NUL terminated */
+@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename,
+         * looking for compiled (binary) terminfo data.
+         *
+         * cgetent uses a two-level lookup.  On the first it uses the given
+-        * name to return a record containing only the aliases for an entry. 
+        * name to return a record containing only the aliases for an entry.
+         * On the second (using that list of aliases as a key), it returns the
+         * content of the terminal description.  We expect second lookup to
+         * return data beginning with the same set of aliases.
+@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename,
+ #endif /* NCURSES_USE_DATABASE */
+ 
+ /*
+- * Find and read the compiled entry for a given terminal type, if it exists. 
+ * Find and read the compiled entry for a given terminal type, if it exists.
+  * We take pains here to make sure no combination of environment variables and
+  * terminal type name can be used to overrun the file buffer.
+  */
+-- 
+2.36.1

diff --git a/meta/recipes-core/ncurses/files/CVE-2022-29458.patch b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch new file mode 100644 index 0000000000..eb1b7c96f9 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
@@ -0,0 +1,135 @@
	1	From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001
	2	From: Dan Tran <dantran@microsoft.com>
	3	Date: Fri, 13 May 2022 13:28:41 -0700
	4	Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read
	5	and segmentation violation in convert_strings in tinfo/read_entry.c in the
	6	terminfo library.
	7
	8	CVE: CVE-2022-29458
	9	Upstream-Status: Backport
	10	[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870]
	11
	12	Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
	13	Signed-off-by: Dan Tran <dantran@microsoft.com>
	14	---
	15	ncurses/tinfo/alloc_entry.c \| 14 ++++++--------
	16	ncurses/tinfo/read_entry.c \| 25 +++++++++++++++++++------
	17	2 files changed, 25 insertions(+), 14 deletions(-)
	18
	19	diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
	20	index 4bf7d6c8..b49ad6aa 100644
	21	--- a/ncurses/tinfo/alloc_entry.c
	22	+++ b/ncurses/tinfo/alloc_entry.c
	23	@@ -48,13 +48,11 @@
	24
	25	#include <tic.h>
	26
	27	-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $")
	28	+MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $")
	29
	30	#define ABSENT_OFFSET -1
	31	#define CANCELLED_OFFSET -2
	32
	33	-#define MAX_STRTAB 4096 /* documented maximum entry size */
	34	-
	35	static char stringbuf; / buffer for string capabilities */
	36	static size_t next_free; /* next free character in stringbuf */
	37
	38	@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp)
	39	}
	40	#endif
	41
	42	- if (stringbuf == 0)
	43	- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
	44	+ if (stringbuf == NULL)
	45	+ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
	46
	47	next_free = 0;
	48
	49	@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
	50	* Cheat a little by making an empty string point to the end of the
	51	* previous string.
	52	*/
	53	- if (next_free < MAX_STRTAB) {
	54	+ if (next_free < MAX_ENTRY_SIZE) {
	55	result = (stringbuf + next_free - 1);
	56	}
	57	- } else if (next_free + len < MAX_STRTAB) {
	58	- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
	59	+ } else if (next_free + len < MAX_ENTRY_SIZE) {
	60	+ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
	61	DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
	62	DEBUG(7, ("at location %d", (int) next_free));
	63	next_free += len;
	64	diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
	65	index 5b570b0f..23c2cebc 100644
	66	--- a/ncurses/tinfo/read_entry.c
	67	+++ b/ncurses/tinfo/read_entry.c
	68	@@ -1,5 +1,5 @@
	69	/****************************************************************************
	70	- * Copyright 2018-2019,2020 Thomas E. Dickey *
	71	+ * Copyright 2018-2021,2022 Thomas E. Dickey *
	72	* Copyright 1998-2016,2017 Free Software Foundation, Inc. *
	73	* *
	74	* Permission is hereby granted, free of charge, to any person obtaining a *
	75	@@ -42,7 +42,7 @@
	76
	77	#include <tic.h>
	78
	79	-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $")
	80	+MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
	81
	82	#define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
	83
	84	@@ -145,6 +145,7 @@ convert_strings(char buf, char Strings, int count, int size, char table)
	85	{
	86	int i;
	87	char *p;
	88	+ bool corrupt = FALSE;
	89
	90	for (i = 0; i < count; i++) {
	91	if (IS_NEG1(buf + 2 * i)) {
	92	@@ -154,8 +155,20 @@ convert_strings(char buf, char Strings, int count, int size, char table)
	93	} else if (MyNumber(buf + 2 * i) > size) {
	94	Strings[i] = ABSENT_STRING;
	95	} else {
	96	- Strings[i] = (MyNumber(buf + 2 * i) + table);
	97	- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
	98	+ int nn = MyNumber(buf + 2 * i);
	99	+ if (nn >= 0 && nn < size) {
	100	+ Strings[i] = (nn + table);
	101	+ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
	102	+ _nc_visbuf(Strings[i])));
	103	+ } else {
	104	+ if (!corrupt) {
	105	+ corrupt = TRUE;
	106	+ TR(TRACE_DATABASE,
	107	+ ("ignore out-of-range index %d to Strings[]", nn));
	108	+ _nc_warning("corrupt data found in convert_strings");
	109	+ }
	110	+ Strings[i] = ABSENT_STRING;
	111	+ }
	112	}
	113
	114	/* make sure all strings are NUL terminated */
	115	@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename,
	116	* looking for compiled (binary) terminfo data.
	117	*
	118	* cgetent uses a two-level lookup. On the first it uses the given
	119	- * name to return a record containing only the aliases for an entry.
	120	+ * name to return a record containing only the aliases for an entry.
	121	* On the second (using that list of aliases as a key), it returns the
	122	* content of the terminal description. We expect second lookup to
	123	* return data beginning with the same set of aliases.
	124	@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename,
	125	#endif /* NCURSES_USE_DATABASE */
	126
	127	/*
	128	- * Find and read the compiled entry for a given terminal type, if it exists.
	129	+ * Find and read the compiled entry for a given terminal type, if it exists.
	130	* We take pains here to make sure no combination of environment variables and
	131	* terminal type name can be used to overrun the file buffer.
	132	*/
	133	--
	134	2.36.1
	135