ncurses: Fix CVE-2022-29458

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library. Backported from the link below, extracting only the relevant changes. https://github.com/ThomasDickey/ncurses-snapshots/commit/9d1d651878d4bf0695872a64cc65ba0acb825f36 (From OE-Core rev: 2287d591cf32f5580ea6679805d04c3a5146ecd5) Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com> Signed-off-by: Dan Tran <dantran@microsoft.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Dan Tran <MSFT.DanTran@gmail.com> 2022-05-31 10:15:17 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-06-04 12:16:59 +0100
commit: 396373610c759109e71da14ff0d03c9656f04bc8 (patch)
tree: df6d5eb25b098c5f97bb7cec85caba05aa77392c
parent: 38b588a1a12faa62fb09d55f5fbcf891915262c9 (diff)
download: poky-396373610c759109e71da14ff0d03c9656f04bc8.tar.gz
2 files changed, 136 insertions, 0 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2022-29458.patch b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
new file mode 100644
index 0000000000..eb1b7c96f9
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
@@ -0,0 +1,135 @@
+From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001
+From: Dan Tran <dantran@microsoft.com>
+Date: Fri, 13 May 2022 13:28:41 -0700
+Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read
+ and segmentation violation in convert_strings in tinfo/read_entry.c in the
+ terminfo library.
+CVE: CVE-2022-29458
+Upstream-Status: Backport
+[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870]
+Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ ncurses/tinfo/alloc_entry.c | 14 ++++++--------
+ ncurses/tinfo/read_entry.c  | 25 +++++++++++++++++++------
+ 2 files changed, 25 insertions(+), 14 deletions(-)
+diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
+index 4bf7d6c8..b49ad6aa 100644
+--- a/ncurses/tinfo/alloc_entry.c
+++ b/ncurses/tinfo/alloc_entry.c
+@@ -48,13 +48,11 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $")
+MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $")
+ 
+ #define ABSENT_OFFSET    -1
+ #define CANCELLED_OFFSET -2
+ 
+-#define MAX_STRTAB     4096    /* documented maximum entry size */
+-
+ static char *stringbuf;                /* buffer for string capabilities */
+ static size_t next_free;       /* next free character in stringbuf */
+ 
+@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp)
+     }
+ #endif
+ 
+-    if (stringbuf == 0)
+-       TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
+    if (stringbuf == NULL)
+       TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
+ 
+     next_free = 0;
+ 
+@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
+         * Cheat a little by making an empty string point to the end of the
+         * previous string.
+         */
+-       if (next_free < MAX_STRTAB) {
+       if (next_free < MAX_ENTRY_SIZE) {
+            result = (stringbuf + next_free - 1);
+        }
+-    } else if (next_free + len < MAX_STRTAB) {
+-       _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
+    } else if (next_free + len < MAX_ENTRY_SIZE) {
+       _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
+        DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
+        DEBUG(7, ("at location %d", (int) next_free));
+        next_free += len;
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 5b570b0f..23c2cebc 100644
+--- a/ncurses/tinfo/read_entry.c
+++ b/ncurses/tinfo/read_entry.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright 2018-2019,2020 Thomas E. Dickey                                *
+ * Copyright 2018-2021,2022 Thomas E. Dickey                                *
+  * Copyright 1998-2016,2017 Free Software Foundation, Inc.                  *
+  *                                                                          *
+  * Permission is hereby granted, free of charge, to any person obtaining a  *
+@@ -42,7 +42,7 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $")
+MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
+ 
+ #define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
+ 
+@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ {
+     int i;
+     char *p;
+    bool corrupt = FALSE;
+ 
+     for (i = 0; i < count; i++) {
+        if (IS_NEG1(buf + 2 * i)) {
+@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+        } else if (MyNumber(buf + 2 * i) > size) {
+            Strings[i] = ABSENT_STRING;
+        } else {
+-           Strings[i] = (MyNumber(buf + 2 * i) + table);
+-           TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
+           int nn = MyNumber(buf + 2 * i);
+           if (nn >= 0 && nn < size) {
+               Strings[i] = (nn + table);
+               TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
+                                   _nc_visbuf(Strings[i])));
+           } else {
+               if (!corrupt) {
+                   corrupt = TRUE;
+                   TR(TRACE_DATABASE,
+                      ("ignore out-of-range index %d to Strings[]", nn));
+                   _nc_warning("corrupt data found in convert_strings");
+               }
+               Strings[i] = ABSENT_STRING;
+           }
+        }
+ 
+        /* make sure all strings are NUL terminated */
+@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename,
+         * looking for compiled (binary) terminfo data.
+         *
+         * cgetent uses a two-level lookup.  On the first it uses the given
+-        * name to return a record containing only the aliases for an entry. 
+        * name to return a record containing only the aliases for an entry.
+         * On the second (using that list of aliases as a key), it returns the
+         * content of the terminal description.  We expect second lookup to
+         * return data beginning with the same set of aliases.
+@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename,
+ #endif /* NCURSES_USE_DATABASE */
+ 
+ /*
+- * Find and read the compiled entry for a given terminal type, if it exists. 
+ * Find and read the compiled entry for a given terminal type, if it exists.
+  * We take pains here to make sure no combination of environment variables and
+  * terminal type name can be used to overrun the file buffer.
+  */
+-- 
+2.36.1
diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb
index 700464f70b..451bfbcb5d 100644
--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -4,6 +4,7 @@ SRC_URI += "file://0001-tic-hang.patch \
           file://0002-configure-reproducible.patch \
           file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
           file://CVE-2021-39537.patch \
+           file://CVE-2022-29458.patch \
           "
 # commit id corresponds to the revision in package version
 SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
author	Dan Tran <MSFT.DanTran@gmail.com>	2022-05-31 10:15:17 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-06-04 12:16:59 +0100
commit	396373610c759109e71da14ff0d03c9656f04bc8 (patch)
tree	df6d5eb25b098c5f97bb7cec85caba05aa77392c
parent	38b588a1a12faa62fb09d55f5fbcf891915262c9 (diff)
download	poky-396373610c759109e71da14ff0d03c9656f04bc8.tar.gz

diff --git a/meta/recipes-core/ncurses/files/CVE-2022-29458.patch b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch new file mode 100644 index 0000000000..eb1b7c96f9 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
@@ -0,0 +1,135 @@
		1	From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001
		2	From: Dan Tran <dantran@microsoft.com>
		3	Date: Fri, 13 May 2022 13:28:41 -0700
		4	Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read
		5	and segmentation violation in convert_strings in tinfo/read_entry.c in the
		6	terminfo library.
		7
		8	CVE: CVE-2022-29458
		9	Upstream-Status: Backport
		10	[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870]
		11
		12	Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
		13	Signed-off-by: Dan Tran <dantran@microsoft.com>
		14	---
		15	ncurses/tinfo/alloc_entry.c \| 14 ++++++--------
		16	ncurses/tinfo/read_entry.c \| 25 +++++++++++++++++++------
		17	2 files changed, 25 insertions(+), 14 deletions(-)
		18
		19	diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
		20	index 4bf7d6c8..b49ad6aa 100644
		21	--- a/ncurses/tinfo/alloc_entry.c
		22	+++ b/ncurses/tinfo/alloc_entry.c
		23	@@ -48,13 +48,11 @@
		24
		25	#include <tic.h>
		26
		27	-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $")
		28	+MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $")
		29
		30	#define ABSENT_OFFSET -1
		31	#define CANCELLED_OFFSET -2
		32
		33	-#define MAX_STRTAB 4096 /* documented maximum entry size */
		34	-
		35	static char stringbuf; / buffer for string capabilities */
		36	static size_t next_free; /* next free character in stringbuf */
		37
		38	@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp)
		39	}
		40	#endif
		41
		42	- if (stringbuf == 0)
		43	- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
		44	+ if (stringbuf == NULL)
		45	+ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
		46
		47	next_free = 0;
		48
		49	@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
		50	* Cheat a little by making an empty string point to the end of the
		51	* previous string.
		52	*/
		53	- if (next_free < MAX_STRTAB) {
		54	+ if (next_free < MAX_ENTRY_SIZE) {
		55	result = (stringbuf + next_free - 1);
		56	}
		57	- } else if (next_free + len < MAX_STRTAB) {
		58	- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
		59	+ } else if (next_free + len < MAX_ENTRY_SIZE) {
		60	+ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
		61	DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
		62	DEBUG(7, ("at location %d", (int) next_free));
		63	next_free += len;
		64	diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
		65	index 5b570b0f..23c2cebc 100644
		66	--- a/ncurses/tinfo/read_entry.c
		67	+++ b/ncurses/tinfo/read_entry.c
		68	@@ -1,5 +1,5 @@
		69	/****************************************************************************
		70	- * Copyright 2018-2019,2020 Thomas E. Dickey *
		71	+ * Copyright 2018-2021,2022 Thomas E. Dickey *
		72	* Copyright 1998-2016,2017 Free Software Foundation, Inc. *
		73	* *
		74	* Permission is hereby granted, free of charge, to any person obtaining a *
		75	@@ -42,7 +42,7 @@
		76
		77	#include <tic.h>
		78
		79	-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $")
		80	+MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
		81
		82	#define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
		83
		84	@@ -145,6 +145,7 @@ convert_strings(char buf, char Strings, int count, int size, char table)
		85	{
		86	int i;
		87	char *p;
		88	+ bool corrupt = FALSE;
		89
		90	for (i = 0; i < count; i++) {
		91	if (IS_NEG1(buf + 2 * i)) {
		92	@@ -154,8 +155,20 @@ convert_strings(char buf, char Strings, int count, int size, char table)
		93	} else if (MyNumber(buf + 2 * i) > size) {
		94	Strings[i] = ABSENT_STRING;
		95	} else {
		96	- Strings[i] = (MyNumber(buf + 2 * i) + table);
		97	- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
		98	+ int nn = MyNumber(buf + 2 * i);
		99	+ if (nn >= 0 && nn < size) {
		100	+ Strings[i] = (nn + table);
		101	+ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
		102	+ _nc_visbuf(Strings[i])));
		103	+ } else {
		104	+ if (!corrupt) {
		105	+ corrupt = TRUE;
		106	+ TR(TRACE_DATABASE,
		107	+ ("ignore out-of-range index %d to Strings[]", nn));
		108	+ _nc_warning("corrupt data found in convert_strings");
		109	+ }
		110	+ Strings[i] = ABSENT_STRING;
		111	+ }
		112	}
		113
		114	/* make sure all strings are NUL terminated */
		115	@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename,
		116	* looking for compiled (binary) terminfo data.
		117	*
		118	* cgetent uses a two-level lookup. On the first it uses the given
		119	- * name to return a record containing only the aliases for an entry.
		120	+ * name to return a record containing only the aliases for an entry.
		121	* On the second (using that list of aliases as a key), it returns the
		122	* content of the terminal description. We expect second lookup to
		123	* return data beginning with the same set of aliases.
		124	@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename,
		125	#endif /* NCURSES_USE_DATABASE */
		126
		127	/*
		128	- * Find and read the compiled entry for a given terminal type, if it exists.
		129	+ * Find and read the compiled entry for a given terminal type, if it exists.
		130	* We take pains here to make sure no combination of environment variables and
		131	* terminal type name can be used to overrun the file buffer.
		132	*/
		133	--
		134	2.36.1
		135


diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb index 700464f70b..451bfbcb5d 100644 --- a/meta/recipes-core/ncurses/ncurses_6.2.bb +++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -4,6 +4,7 @@ SRC_URI += "file://0001-tic-hang.patch \
4	file://0002-configure-reproducible.patch \	4	file://0002-configure-reproducible.patch \
5	file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \	5	file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
6	file://CVE-2021-39537.patch \	6	file://CVE-2021-39537.patch \
		7	file://CVE-2022-29458.patch \
7	"	8	"
8	# commit id corresponds to the revision in package version	9	# commit id corresponds to the revision in package version
9	SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"	10	SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"