Diffstat (limited to 'meta/recipes-core/ncurses')
-rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2021-39537.patch | 30 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2022-29458.patch | 135 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2023-29491.patch | 45 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2023-50495.patch | 79 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/ncurses.inc | 2 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/ncurses_6.2.bb | 6 |
6 files changed, 295 insertions, 2 deletions
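--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch
@@ -0,0 +1,30 @@
+$NetBSD: patch-ncurses_tinfo_captoinfo.c,v 1.1 2021/10/09 07:52:36 wiz Exp $
+
+Fix for CVE-2021-39537 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b#diff-7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340
+
+CVE: CVE-2021-39537
+Upstream-Status: Backport [http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/Attic/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/ncurses/tinfo/captoinfo.c 2020-02-02 23:34:34.000000000 +0000
++++ b/ncurses/tinfo/captoinfo.c
+@@ -216,12 +216,15 @@ cvtchar(register const char *sp)
+}
+break;
+case '^':
++ len = 2;
+c = UChar(*++sp);
+- if (c == '?')
++ if (c == '?') {
+c = 127;
+- else
++ } else if (c == '\0') {
++ len = 1;
++ } else {
+c &= 0x1f;
+- len = 2;
++ }
+break;
+default:
+c = UChar(*sp);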
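Review bot: The new `c == '\0'` branch in the `case '^':` arm of cvtchar() carries no comment saying why `len` drops back to 1, although that is the entire fix: a caret that is the last byte must not be counted as a two-byte escape, or the length would cover the string terminator. I would add `/* '^' is the last byte: consume only the caret, not the NUL after it */` above `len = 1;`. How the caller uses `len` is outside the hunk, so this reading is inferred from the arm itself. The header also names a NetBSD pkgsrc copy as the backport source while linking the upstream snapshot commit, so it is worth confirming the two are identical before relying on the CVE tag.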
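--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
@@ -0,0 +1,135 @@
+From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001
+From: Dan Tran <dantran@microsoft.com>
+Date: Fri, 13 May 2022 13:28:41 -0700
+Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read
+and segmentation violation in convert_strings in tinfo/read_entry.c in the
+terminfo library.
+
+CVE: CVE-2022-29458
+Upstream-Status: Backport
+[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870]
+
+Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ncurses/tinfo/alloc_entry.c | 14 ++++++--------
+ncurses/tinfo/read_entry.c | 25 +++++++++++++++++++------
+2 files changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
+index 4bf7d6c8..b49ad6aa 100644
+--- a/ncurses/tinfo/alloc_entry.c
++++ b/ncurses/tinfo/alloc_entry.c
+@@ -48,13 +48,11 @@
+
+#include <tic.h>
+
+-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $")
++MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $")
+
+#define ABSENT_OFFSET -1
+#define CANCELLED_OFFSET -2
+
+-#define MAX_STRTAB 4096 /* documented maximum entry size */
+-
+static char *stringbuf; /* buffer for string capabilities */
+static size_t next_free; /* next free character in stringbuf */
+
+@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp)
+}
+#endif
+
+- if (stringbuf == 0)
+- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
++ if (stringbuf == NULL)
++ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
+
+next_free = 0;
+
+@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
+* Cheat a little by making an empty string point to the end of the
+* previous string.
+*/
+- if (next_free < MAX_STRTAB) {
++ if (next_free < MAX_ENTRY_SIZE) {
+result = (stringbuf + next_free - 1);
+}
+- } else if (next_free + len < MAX_STRTAB) {
+- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
++ } else if (next_free + len < MAX_ENTRY_SIZE) {
++ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
+DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
+DEBUG(7, ("at location %d", (int) next_free));
+next_free += len;
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 5b570b0f..23c2cebc 100644
+--- a/ncurses/tinfo/read_entry.c
++++ b/ncurses/tinfo/read_entry.c
+@@ -1,5 +1,5 @@
+/****************************************************************************
+- * Copyright 2018-2019,2020 Thomas E. Dickey *
++ * Copyright 2018-2021,2022 Thomas E. Dickey *
+* Copyright 1998-2016,2017 Free Software Foundation, Inc. *
+* *
+* Permission is hereby granted, free of charge, to any person obtaining a *
+@@ -42,7 +42,7 @@
+
+#include <tic.h>
+
+-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $")
++MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
+
+#define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
+
+@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+{
+int i;
+char *p;
++ bool corrupt = FALSE;
+
+for (i = 0; i < count; i++) {
+if (IS_NEG1(buf + 2 * i)) {
+@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+} else if (MyNumber(buf + 2 * i) > size) {
+Strings[i] = ABSENT_STRING;
+} else {
+- Strings[i] = (MyNumber(buf + 2 * i) + table);
+- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
++ int nn = MyNumber(buf + 2 * i);
++ if (nn >= 0 && nn < size) {
++ Strings[i] = (nn + table);
++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
++ _nc_visbuf(Strings[i])));
++ } else {
++ if (!corrupt) {
++ corrupt = TRUE;
++ TR(TRACE_DATABASE,
++ ("ignore out-of-range index %d to Strings[]", nn));
++ _nc_warning("corrupt data found in convert_strings");
++ }
++ Strings[i] = ABSENT_STRING;
++ }
+}
+
+/* make sure all strings are NUL terminated */
+@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename,
+* looking for compiled (binary) terminfo data.
+*
+* cgetent uses a two-level lookup. On the first it uses the given
+- * name to return a record containing only the aliases for an entry.
++ * name to return a record containing only the aliases for an entry.
+* On the second (using that list of aliases as a key), it returns the
+* content of the terminal description. We expect second lookup to
+* return data beginning with the same set of aliases.
+@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename,
+#endif /* NCURSES_USE_DATABASE */
+
+/*
+- * Find and read the compiled entry for a given terminal type, if it exists.
++ * Find and read the compiled entry for a given terminal type, if it exists.
+* We take pains here to make sure no combination of environment variables and
+* terminal type name can be used to overrun the file buffer.
+*/
+--
+2.36.1
+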
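Review bot: In the `_nc_save_str()` hunk of alloc_entry.c, `_nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE)` passes the size of the whole buffer as the bound although the destination starts `next_free` bytes into it. The `next_free + len < MAX_ENTRY_SIZE` test on the line before keeps the copy in range, but the bound itself gives no protection if that test ever changes; `MAX_ENTRY_SIZE - next_free` would state the space that is really left. Because this is a backport the code change belongs upstream first, so here a comment such as `/* range is checked above; the third argument is the full buffer size, not the space left */` is the safer edit. The definition of `MAX_ENTRY_SIZE` is not on this page (presumably it comes from tic.h), so confirm it exists in the 6.2 tree this recipe builds; `_nc_save_str()` also continues outside the hunk.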
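--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
@@ -0,0 +1,45 @@
+Backport of:
+
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+By default, the --disable-root-environ option forbids program run by
+the superuser to load custom terminfo entries. This patch changes
+that to only restrict programs running with elevated privileges,
+matching the behavior of the --disable-setuid-environ option
+introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz]
+CVE: CVE-2023-29491
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+
+---
+ncurses/tinfo/access.c | 2 --
+1 file changed, 2 deletions(-)
+
+--- a/ncurses/tinfo/access.c
++++ b/ncurses/tinfo/access.c
+@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path)
+NCURSES_EXPORT(int)
+_nc_env_access(void)
+{
++ int result = TRUE;
++
+#if HAVE_ISSETUGID
+if (issetugid())
+- return FALSE;
++ result = FALSE;
+#elif HAVE_GETEUID && HAVE_GETEGID
+if (getuid() != geteuid()
+|| getgid() != getegid())
+- return FALSE;
++ result = FALSE;
+#endif
+- /* ...finally, disallow root */
+- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
++ return result;
+}
+#endif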
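Review bot: After this change `_nc_env_access()` returns TRUE whenever neither `HAVE_ISSETUGID` nor `HAVE_GETEUID && HAVE_GETEGID` is defined, because `result` starts as TRUE and the removed root test was the only check outside the `#if` arms. A comment at the top of the function, `/* only setuid/setgid processes are refused; root, and builds with neither issetugid() nor geteuid()/getegid(), are allowed */`, would make that fail-open default visible to the next reader. The real/effective id comparison presumably also misses privilege gained by other means such as file capabilities, which the patch description could state as a known limit. The embedded diffstat (`2 --`, "2 deletions") does not match the hunk, which adds five lines and removes four.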
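--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
@@ -0,0 +1,79 @@
+Fix for CVE-2023-50495 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc
+
+Reference:
+https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
+
+Upstream-Status: Backport [import from suse ftp.pbone.net/mirror/ftp.opensuse.org/update/leap-micro/5.3/sle/src/ncurses-6.1-150000.5.20.1.src.rpm
+Upstream commit https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc]
+CVE: CVE-2023-50495
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ncurses/tinfo/parse_entry.c | 23 ++++++++++++++++-------
+1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index 23574b66..56ba9ae6 100644
+--- a/ncurses/tinfo/parse_entry.c
++++ b/ncurses/tinfo/parse_entry.c
+@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+/* Well, we are given a cancel for a name that we don't recognize */
+return _nc_extend_names(entryp, name, STRING);
+default:
+- return 0;
++ return NULL;
+}
+
+/* Adjust the 'offset' (insertion-point) to keep the lists of extended
+@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+for (last = (unsigned) (max - 1); last > tindex; last--)
+
+if (!found) {
++ char *saved;
++
++ if ((saved = _nc_save_str(name)) == NULL)
++ return NULL;
++
+switch (token_type) {
+case BOOLEAN:
+tp->ext_Booleans++;
+@@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+TYPE_REALLOC(char *, actual, tp->ext_Names);
+while (--actual > offset)
+tp->ext_Names[actual] = tp->ext_Names[actual - 1];
+- tp->ext_Names[offset] = _nc_save_str(name);
++ tp->ext_Names[offset] = saved;
+}
+
+temp.nte_name = tp->ext_Names[offset];
+@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
+bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
+if (is_use || is_tc) {
++ char *saved;
++
+if (!VALID_STRING(_nc_curr_token.tk_valstring)
+|| _nc_curr_token.tk_valstring[0] == '\0') {
+_nc_warning("missing name for use-clause");
+@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+_nc_curr_token.tk_valstring);
+continue;
+}
+- entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+- entryp->uses[entryp->nuses].line = _nc_curr_line;
+- entryp->nuses++;
+- if (entryp->nuses > 1 && is_tc) {
+- BAD_TC_USAGE
++ if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) {
++ entryp->uses[entryp->nuses].name = saved;
++ entryp->uses[entryp->nuses].line = _nc_curr_line;
++ entryp->nuses++;
++ if (entryp->nuses > 1 && is_tc) {
++ BAD_TC_USAGE
++ }
+}
+} else {
+/* normal token lookup */
+--
+2.25.1
+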
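Review bot: The early `return NULL` added under `if (!found)` in `_nc_extend_names()` is a second failure path next to the `default:` arm, and none of the hunks touches a call site, so every caller has to be checked for a NULL test before it dereferences the result; those call sites are outside this patch. A comment above the new call, `/* save the name first so a failed _nc_save_str() is caught before the ext_* counts are bumped */`, would record why the call moved ahead of the `switch`. In `_nc_parse_entry()` a failed save now skips the use-clause with no diagnostic in the visible lines; unless `_nc_save_str()` warns on its own, an `else` branch calling `_nc_warning()` would keep a truncated entry from passing silently. The header says the patch was imported from a SUSE ncurses-6.1 source package, so confirm it applies to the 6.2 tree without fuzz.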
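--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \
 inherit autotools binconfig-disabled multilib_header pkgconfig
 
 # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
-SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https"
+SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https;branch=master"
 
 EXTRA_AUTORECONF = "-I m4"
 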
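--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -3,11 +3,15 @@ require ncurses.inc
 SRC_URI += "file://0001-tic-hang.patch \
 file://0002-configure-reproducible.patch \
 file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
+file://CVE-2021-39537.patch \
+file://CVE-2022-29458.patch \
+file://CVE-2023-29491.patch \
+file://CVE-2023-50495.patch \
 "
 # commit id corresponds to the revision in package version
 SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
 S = "${WORKDIR}/git"
-EXTRA_OECONF += "--with-abi-version=5"
+EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"
 
 # This is needed when using patchlevel versions like 6.1+20181013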
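Review bot: `--disable-root-environ` on the EXTRA_OECONF line does not mean what its name suggests once CVE-2023-29491.patch from this same commit is applied: that patch removes the root test from `_nc_env_access()`, so per its own description only programs running with elevated privileges are kept from loading custom terminfo entries. The recipe should say so next to the flag, for example `# --disable-root-environ: with CVE-2023-29491.patch this restricts setuid/setgid programs only, not root`. Without that comment a later cleanup that drops the patch but keeps the flag would silently change behaviour for every root-run curses program on the image.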