6 files changed, 295 insertions, 2 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2021-39537.patch b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch
new file mode 100644
index 0000000000..7655200350
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch
@@ -0,0 +1,30 @@
+$NetBSD: patch-ncurses_tinfo_captoinfo.c,v 1.1 2021/10/09 07:52:36 wiz Exp $
+Fix for CVE-2021-39537 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b#diff-7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340
+CVE: CVE-2021-39537
+Upstream-Status: Backport [http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/Attic/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+--- a/ncurses/tinfo/captoinfo.c 2020-02-02 23:34:34.000000000 +0000
+++ b/ncurses/tinfo/captoinfo.c
+@@ -216,12 +216,15 @@ cvtchar(register const char *sp)
+        }
+        break;
+     case '^':
+       len = 2;
+        c = UChar(*++sp);
+-       if (c == '?')
+        if (c == '?') {
+            c = 127;
+-       else
+        } else if (c == '\0') {
+            len = 1;
+        } else {
+            c &= 0x1f;
+-       len = 2;
+       }
+        break;
+     default:
+        c = UChar(*sp);
diff --git a/meta/recipes-core/ncurses/files/CVE-2022-29458.patch b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
new file mode 100644
index 0000000000..eb1b7c96f9
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
@@ -0,0 +1,135 @@
+From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001
+From: Dan Tran <dantran@microsoft.com>
+Date: Fri, 13 May 2022 13:28:41 -0700
+Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read
+ and segmentation violation in convert_strings in tinfo/read_entry.c in the
+ terminfo library.
+CVE: CVE-2022-29458
+Upstream-Status: Backport
+[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870]
+Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ ncurses/tinfo/alloc_entry.c | 14 ++++++--------
+ ncurses/tinfo/read_entry.c  | 25 +++++++++++++++++++------
+ 2 files changed, 25 insertions(+), 14 deletions(-)
+diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
+index 4bf7d6c8..b49ad6aa 100644
+--- a/ncurses/tinfo/alloc_entry.c
+++ b/ncurses/tinfo/alloc_entry.c
+@@ -48,13 +48,11 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $")
+MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $")
+ 
+ #define ABSENT_OFFSET    -1
+ #define CANCELLED_OFFSET -2
+ 
+-#define MAX_STRTAB     4096    /* documented maximum entry size */
+-
+ static char *stringbuf;                /* buffer for string capabilities */
+ static size_t next_free;       /* next free character in stringbuf */
+ 
+@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp)
+     }
+ #endif
+ 
+-    if (stringbuf == 0)
+-       TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
+    if (stringbuf == NULL)
+       TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
+ 
+     next_free = 0;
+ 
+@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
+         * Cheat a little by making an empty string point to the end of the
+         * previous string.
+         */
+-       if (next_free < MAX_STRTAB) {
+       if (next_free < MAX_ENTRY_SIZE) {
+            result = (stringbuf + next_free - 1);
+        }
+-    } else if (next_free + len < MAX_STRTAB) {
+-       _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
+    } else if (next_free + len < MAX_ENTRY_SIZE) {
+       _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
+        DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
+        DEBUG(7, ("at location %d", (int) next_free));
+        next_free += len;
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 5b570b0f..23c2cebc 100644
+--- a/ncurses/tinfo/read_entry.c
+++ b/ncurses/tinfo/read_entry.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright 2018-2019,2020 Thomas E. Dickey                                *
+ * Copyright 2018-2021,2022 Thomas E. Dickey                                *
+  * Copyright 1998-2016,2017 Free Software Foundation, Inc.                  *
+  *                                                                          *
+  * Permission is hereby granted, free of charge, to any person obtaining a  *
+@@ -42,7 +42,7 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $")
+MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
+ 
+ #define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
+ 
+@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ {
+     int i;
+     char *p;
+    bool corrupt = FALSE;
+ 
+     for (i = 0; i < count; i++) {
+        if (IS_NEG1(buf + 2 * i)) {
+@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+        } else if (MyNumber(buf + 2 * i) > size) {
+            Strings[i] = ABSENT_STRING;
+        } else {
+-           Strings[i] = (MyNumber(buf + 2 * i) + table);
+-           TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
+           int nn = MyNumber(buf + 2 * i);
+           if (nn >= 0 && nn < size) {
+               Strings[i] = (nn + table);
+               TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
+                                   _nc_visbuf(Strings[i])));
+           } else {
+               if (!corrupt) {
+                   corrupt = TRUE;
+                   TR(TRACE_DATABASE,
+                      ("ignore out-of-range index %d to Strings[]", nn));
+                   _nc_warning("corrupt data found in convert_strings");
+               }
+               Strings[i] = ABSENT_STRING;
+           }
+        }
+ 
+        /* make sure all strings are NUL terminated */
+@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename,
+         * looking for compiled (binary) terminfo data.
+         *
+         * cgetent uses a two-level lookup.  On the first it uses the given
+-        * name to return a record containing only the aliases for an entry. 
+        * name to return a record containing only the aliases for an entry.
+         * On the second (using that list of aliases as a key), it returns the
+         * content of the terminal description.  We expect second lookup to
+         * return data beginning with the same set of aliases.
+@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename,
+ #endif /* NCURSES_USE_DATABASE */
+ 
+ /*
+- * Find and read the compiled entry for a given terminal type, if it exists. 
+ * Find and read the compiled entry for a given terminal type, if it exists.
+  * We take pains here to make sure no combination of environment variables and
+  * terminal type name can be used to overrun the file buffer.
+  */
+-- 
+2.36.1
diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
new file mode 100644
index 0000000000..0a0497723f
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
@@ -0,0 +1,45 @@
+Backport of:
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+ By default, the --disable-root-environ option forbids program run by
+ the superuser to load custom terminfo entries.  This patch changes
+ that to only restrict programs running with elevated privileges,
+ matching the behavior of the --disable-setuid-environ option
+ introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz]
+CVE: CVE-2023-29491
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ ncurses/tinfo/access.c |    2 --
+ 1 file changed, 2 deletions(-)
+--- a/ncurses/tinfo/access.c
+++ b/ncurses/tinfo/access.c
+@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path)
+ NCURSES_EXPORT(int)
+ _nc_env_access(void)
+ {
+    int result = TRUE;
+
+ #if HAVE_ISSETUGID
+     if (issetugid())
+-       return FALSE;
+       result = FALSE;
+ #elif HAVE_GETEUID && HAVE_GETEGID
+     if (getuid() != geteuid()
+        || getgid() != getegid())
+-       return FALSE;
+       result = FALSE;
+ #endif
+-    /* ...finally, disallow root */
+-    return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
+    return result;
+ }
+ #endif
diff --git a/meta/recipes-core/ncurses/files/CVE-2023-50495.patch b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
new file mode 100644
index 0000000000..58c23866d1
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
@@ -0,0 +1,79 @@
+Fix for CVE-2023-50495 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc
+Reference:
+https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
+Upstream-Status: Backport [import from suse ftp.pbone.net/mirror/ftp.opensuse.org/update/leap-micro/5.3/sle/src/ncurses-6.1-150000.5.20.1.src.rpm
+Upstream commit https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc]
+CVE: CVE-2023-50495
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ncurses/tinfo/parse_entry.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index 23574b66..56ba9ae6 100644
+--- a/ncurses/tinfo/parse_entry.c
+++ b/ncurses/tinfo/parse_entry.c
+@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+        /* Well, we are given a cancel for a name that we don't recognize */
+        return _nc_extend_names(entryp, name, STRING);
+     default:
+-       return 0;
+       return NULL;
+     }
+ 
+     /* Adjust the 'offset' (insertion-point) to keep the lists of extended
+@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+        for (last = (unsigned) (max - 1); last > tindex; last--)
+ 
+     if (!found) {
+       char *saved;
+
+       if ((saved = _nc_save_str(name)) == NULL)
+           return NULL;
+
+        switch (token_type) {
+        case BOOLEAN:
+            tp->ext_Booleans++;
+@@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+        TYPE_REALLOC(char *, actual, tp->ext_Names);
+        while (--actual > offset)
+            tp->ext_Names[actual] = tp->ext_Names[actual - 1];
+-       tp->ext_Names[offset] = _nc_save_str(name);
+       tp->ext_Names[offset] = saved;
+     }
+ 
+     temp.nte_name = tp->ext_Names[offset];
+@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+        bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
+        bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
+        if (is_use || is_tc) {
+           char *saved;
+
+            if (!VALID_STRING(_nc_curr_token.tk_valstring)
+                || _nc_curr_token.tk_valstring[0] == '\0') {
+                _nc_warning("missing name for use-clause");
+@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+                            _nc_curr_token.tk_valstring);
+                continue;
+            }
+-           entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+-           entryp->uses[entryp->nuses].line = _nc_curr_line;
+-           entryp->nuses++;
+-           if (entryp->nuses > 1 && is_tc) {
+-               BAD_TC_USAGE
+           if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) {
+               entryp->uses[entryp->nuses].name = saved;
+               entryp->uses[entryp->nuses].line = _nc_curr_line;
+               entryp->nuses++;
+               if (entryp->nuses > 1 && is_tc) {
+                   BAD_TC_USAGE
+               }
+            }
+        } else {
+            /* normal token lookup */
+-- 
+2.25.1
diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index 7f1834f0dc..ee0b15ecf0 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \
 inherit autotools binconfig-disabled multilib_header pkgconfig
 # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
-SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https"
+SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https;branch=master"
 EXTRA_AUTORECONF = "-I m4"
diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb
index 76f0cf97f4..dbff149f55 100644
--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -3,11 +3,15 @@ require ncurses.inc
 SRC_URI += "file://0001-tic-hang.patch \
           file://0002-configure-reproducible.patch \
           file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
+           file://CVE-2021-39537.patch \
+           file://CVE-2022-29458.patch \
+           file://CVE-2023-29491.patch \
+           file://CVE-2023-50495.patch \
           "
 # commit id corresponds to the revision in package version
 SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
 S = "${WORKDIR}/git"
-EXTRA_OECONF += "--with-abi-version=5"
+EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"
 # This is needed when using patchlevel versions like 6.1+20181013

diff --git a/meta/recipes-core/ncurses/files/CVE-2021-39537.patch b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch new file mode 100644 index 0000000000..7655200350 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch
@@ -0,0 +1,30 @@
		1	$NetBSD: patch-ncurses_tinfo_captoinfo.c,v 1.1 2021/10/09 07:52:36 wiz Exp $
		2
		3	Fix for CVE-2021-39537 from upstream:
		4	https://github.com/ThomasDickey/ncurses-snapshots/commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b#diff-7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340
		5
		6	CVE: CVE-2021-39537
		7	Upstream-Status: Backport [http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/Attic/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup]
		8	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		9
		10	--- a/ncurses/tinfo/captoinfo.c 2020-02-02 23:34:34.000000000 +0000
		11	+++ b/ncurses/tinfo/captoinfo.c
		12	@@ -216,12 +216,15 @@ cvtchar(register const char *sp)
		13	}
		14	break;
		15	case '^':
		16	+ len = 2;
		17	c = UChar(*++sp);
		18	- if (c == '?')
		19	+ if (c == '?') {
		20	c = 127;
		21	- else
		22	+ } else if (c == '\0') {
		23	+ len = 1;
		24	+ } else {
		25	c &= 0x1f;
		26	- len = 2;
		27	+ }
		28	break;
		29	default:
		30	c = UChar(*sp);


diff --git a/meta/recipes-core/ncurses/files/CVE-2022-29458.patch b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch new file mode 100644 index 0000000000..eb1b7c96f9 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
@@ -0,0 +1,135 @@
		1	From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001
		2	From: Dan Tran <dantran@microsoft.com>
		3	Date: Fri, 13 May 2022 13:28:41 -0700
		4	Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read
		5	and segmentation violation in convert_strings in tinfo/read_entry.c in the
		6	terminfo library.
		7
		8	CVE: CVE-2022-29458
		9	Upstream-Status: Backport
		10	[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870]
		11
		12	Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
		13	Signed-off-by: Dan Tran <dantran@microsoft.com>
		14	---
		15	ncurses/tinfo/alloc_entry.c \| 14 ++++++--------
		16	ncurses/tinfo/read_entry.c \| 25 +++++++++++++++++++------
		17	2 files changed, 25 insertions(+), 14 deletions(-)
		18
		19	diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
		20	index 4bf7d6c8..b49ad6aa 100644
		21	--- a/ncurses/tinfo/alloc_entry.c
		22	+++ b/ncurses/tinfo/alloc_entry.c
		23	@@ -48,13 +48,11 @@
		24
		25	#include <tic.h>
		26
		27	-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $")
		28	+MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $")
		29
		30	#define ABSENT_OFFSET -1
		31	#define CANCELLED_OFFSET -2
		32
		33	-#define MAX_STRTAB 4096 /* documented maximum entry size */
		34	-
		35	static char stringbuf; / buffer for string capabilities */
		36	static size_t next_free; /* next free character in stringbuf */
		37
		38	@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp)
		39	}
		40	#endif
		41
		42	- if (stringbuf == 0)
		43	- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
		44	+ if (stringbuf == NULL)
		45	+ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
		46
		47	next_free = 0;
		48
		49	@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
		50	* Cheat a little by making an empty string point to the end of the
		51	* previous string.
		52	*/
		53	- if (next_free < MAX_STRTAB) {
		54	+ if (next_free < MAX_ENTRY_SIZE) {
		55	result = (stringbuf + next_free - 1);
		56	}
		57	- } else if (next_free + len < MAX_STRTAB) {
		58	- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
		59	+ } else if (next_free + len < MAX_ENTRY_SIZE) {
		60	+ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
		61	DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
		62	DEBUG(7, ("at location %d", (int) next_free));
		63	next_free += len;
		64	diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
		65	index 5b570b0f..23c2cebc 100644
		66	--- a/ncurses/tinfo/read_entry.c
		67	+++ b/ncurses/tinfo/read_entry.c
		68	@@ -1,5 +1,5 @@
		69	/****************************************************************************
		70	- * Copyright 2018-2019,2020 Thomas E. Dickey *
		71	+ * Copyright 2018-2021,2022 Thomas E. Dickey *
		72	* Copyright 1998-2016,2017 Free Software Foundation, Inc. *
		73	* *
		74	* Permission is hereby granted, free of charge, to any person obtaining a *
		75	@@ -42,7 +42,7 @@
		76
		77	#include <tic.h>
		78
		79	-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $")
		80	+MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
		81
		82	#define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
		83
		84	@@ -145,6 +145,7 @@ convert_strings(char buf, char Strings, int count, int size, char table)
		85	{
		86	int i;
		87	char *p;
		88	+ bool corrupt = FALSE;
		89
		90	for (i = 0; i < count; i++) {
		91	if (IS_NEG1(buf + 2 * i)) {
		92	@@ -154,8 +155,20 @@ convert_strings(char buf, char Strings, int count, int size, char table)
		93	} else if (MyNumber(buf + 2 * i) > size) {
		94	Strings[i] = ABSENT_STRING;
		95	} else {
		96	- Strings[i] = (MyNumber(buf + 2 * i) + table);
		97	- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
		98	+ int nn = MyNumber(buf + 2 * i);
		99	+ if (nn >= 0 && nn < size) {
		100	+ Strings[i] = (nn + table);
		101	+ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
		102	+ _nc_visbuf(Strings[i])));
		103	+ } else {
		104	+ if (!corrupt) {
		105	+ corrupt = TRUE;
		106	+ TR(TRACE_DATABASE,
		107	+ ("ignore out-of-range index %d to Strings[]", nn));
		108	+ _nc_warning("corrupt data found in convert_strings");
		109	+ }
		110	+ Strings[i] = ABSENT_STRING;
		111	+ }
		112	}
		113
		114	/* make sure all strings are NUL terminated */
		115	@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename,
		116	* looking for compiled (binary) terminfo data.
		117	*
		118	* cgetent uses a two-level lookup. On the first it uses the given
		119	- * name to return a record containing only the aliases for an entry.
		120	+ * name to return a record containing only the aliases for an entry.
		121	* On the second (using that list of aliases as a key), it returns the
		122	* content of the terminal description. We expect second lookup to
		123	* return data beginning with the same set of aliases.
		124	@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename,
		125	#endif /* NCURSES_USE_DATABASE */
		126
		127	/*
		128	- * Find and read the compiled entry for a given terminal type, if it exists.
		129	+ * Find and read the compiled entry for a given terminal type, if it exists.
		130	* We take pains here to make sure no combination of environment variables and
		131	* terminal type name can be used to overrun the file buffer.
		132	*/
		133	--
		134	2.36.1
		135


diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch new file mode 100644 index 0000000000..0a0497723f --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
@@ -0,0 +1,45 @@
		1	Backport of:
		2
		3	Author: Sven Joachim <svenjoac@gmx.de>
		4	Description: Change the --disable-root-environ configure option behavior
		5	By default, the --disable-root-environ option forbids program run by
		6	the superuser to load custom terminfo entries. This patch changes
		7	that to only restrict programs running with elevated privileges,
		8	matching the behavior of the --disable-setuid-environ option
		9	introduced in the 20230423 upstream patchlevel.
		10	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
		11	Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
		12	Forwarded: not-needed
		13	Last-Update: 2023-05-01
		14
		15	Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz]
		16	CVE: CVE-2023-29491
		17	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
		18
		19	---
		20	ncurses/tinfo/access.c \| 2 --
		21	1 file changed, 2 deletions(-)
		22
		23	--- a/ncurses/tinfo/access.c
		24	+++ b/ncurses/tinfo/access.c
		25	@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path)
		26	NCURSES_EXPORT(int)
		27	_nc_env_access(void)
		28	{
		29	+ int result = TRUE;
		30	+
		31	#if HAVE_ISSETUGID
		32	if (issetugid())
		33	- return FALSE;
		34	+ result = FALSE;
		35	#elif HAVE_GETEUID && HAVE_GETEGID
		36	if (getuid() != geteuid()
		37	\|\| getgid() != getegid())
		38	- return FALSE;
		39	+ result = FALSE;
		40	#endif
		41	- /* ...finally, disallow root */
		42	- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
		43	+ return result;
		44	}
		45	#endif


diff --git a/meta/recipes-core/ncurses/files/CVE-2023-50495.patch b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch new file mode 100644 index 0000000000..58c23866d1 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
@@ -0,0 +1,79 @@
		1	Fix for CVE-2023-50495 from upstream:
		2	https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc
		3
		4	Reference:
		5	https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
		6
		7	Upstream-Status: Backport [import from suse ftp.pbone.net/mirror/ftp.opensuse.org/update/leap-micro/5.3/sle/src/ncurses-6.1-150000.5.20.1.src.rpm
		8	Upstream commit https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc]
		9	CVE: CVE-2023-50495
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	ncurses/tinfo/parse_entry.c \| 23 ++++++++++++++++-------
		13	1 file changed, 16 insertions(+), 7 deletions(-)
		14
		15	diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
		16	index 23574b66..56ba9ae6 100644
		17	--- a/ncurses/tinfo/parse_entry.c
		18	+++ b/ncurses/tinfo/parse_entry.c
		19	@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
		20	/* Well, we are given a cancel for a name that we don't recognize */
		21	return _nc_extend_names(entryp, name, STRING);
		22	default:
		23	- return 0;
		24	+ return NULL;
		25	}
		26
		27	/* Adjust the 'offset' (insertion-point) to keep the lists of extended
		28	@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
		29	for (last = (unsigned) (max - 1); last > tindex; last--)
		30
		31	if (!found) {
		32	+ char *saved;
		33	+
		34	+ if ((saved = _nc_save_str(name)) == NULL)
		35	+ return NULL;
		36	+
		37	switch (token_type) {
		38	case BOOLEAN:
		39	tp->ext_Booleans++;
		40	@@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
		41	TYPE_REALLOC(char *, actual, tp->ext_Names);
		42	while (--actual > offset)
		43	tp->ext_Names[actual] = tp->ext_Names[actual - 1];
		44	- tp->ext_Names[offset] = _nc_save_str(name);
		45	+ tp->ext_Names[offset] = saved;
		46	}
		47
		48	temp.nte_name = tp->ext_Names[offset];
		49	@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
		50	bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
		51	bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
		52	if (is_use \|\| is_tc) {
		53	+ char *saved;
		54	+
		55	if (!VALID_STRING(_nc_curr_token.tk_valstring)
		56	\|\| _nc_curr_token.tk_valstring[0] == '\0') {
		57	_nc_warning("missing name for use-clause");
		58	@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
		59	_nc_curr_token.tk_valstring);
		60	continue;
		61	}
		62	- entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
		63	- entryp->uses[entryp->nuses].line = _nc_curr_line;
		64	- entryp->nuses++;
		65	- if (entryp->nuses > 1 && is_tc) {
		66	- BAD_TC_USAGE
		67	+ if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) {
		68	+ entryp->uses[entryp->nuses].name = saved;
		69	+ entryp->uses[entryp->nuses].line = _nc_curr_line;
		70	+ entryp->nuses++;
		71	+ if (entryp->nuses > 1 && is_tc) {
		72	+ BAD_TC_USAGE
		73	+ }
		74	}
		75	} else {
		76	/* normal token lookup */
		77	--
		78	2.25.1
		79


diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc index 7f1834f0dc..ee0b15ecf0 100644 --- a/meta/recipes-core/ncurses/ncurses.inc +++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \
13	inherit autotools binconfig-disabled multilib_header pkgconfig	13	inherit autotools binconfig-disabled multilib_header pkgconfig
14		14
15	# Upstream has useful patches at times at ftp://invisible-island.net/ncurses/	15	# Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
16	SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https"	16	SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https;branch=master"
17		17
18	EXTRA_AUTORECONF = "-I m4"	18	EXTRA_AUTORECONF = "-I m4"
19		19


diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb index 76f0cf97f4..dbff149f55 100644 --- a/meta/recipes-core/ncurses/ncurses_6.2.bb +++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -3,11 +3,15 @@ require ncurses.inc
3	SRC_URI += "file://0001-tic-hang.patch \	3	SRC_URI += "file://0001-tic-hang.patch \
4	file://0002-configure-reproducible.patch \	4	file://0002-configure-reproducible.patch \
5	file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \	5	file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
		6	file://CVE-2021-39537.patch \
		7	file://CVE-2022-29458.patch \
		8	file://CVE-2023-29491.patch \
		9	file://CVE-2023-50495.patch \
6	"	10	"
7	# commit id corresponds to the revision in package version	11	# commit id corresponds to the revision in package version
8	SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"	12	SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
9	S = "${WORKDIR}/git"	13	S = "${WORKDIR}/git"
10	EXTRA_OECONF += "--with-abi-version=5"	14	EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ"
11	UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"	15	UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"
12		16
13	# This is needed when using patchlevel versions like 6.1+20181013	17	# This is needed when using patchlevel versions like 6.1+20181013