ncurses: CVE-2017-13732, CVE-2017-13734, CVE-2017-13730, CVE-2017-13729, CVE-2017-13728, CVE-2017-13731

There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack. There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack. There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack. There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack. There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack. There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack. References: https://nvd.nist.gov/vuln/detail/CVE-2017-13734 https://nvd.nist.gov/vuln/detail/CVE-2017-13732 https://nvd.nist.gov/vuln/detail/CVE-2017-13731 https://nvd.nist.gov/vuln/detail/CVE-2017-13730 https://nvd.nist.gov/vuln/detail/CVE-2017-13729 https://nvd.nist.gov/vuln/detail/CVE-2017-13728 Upstream patch: https://anonscm.debian.org/cgit/collab-maint/ncurses.git/commit/?id=129aac80802d997b86ab0663836b7fdafb8e3926 (From OE-Core rev: 52d0f351062da730055ffc6b953ff4e68ddb437f) Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ovidiu Panait <ovidiu.panait@windriver.com> 2017-09-20 13:13:49 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-09-21 09:24:25 +0100
commit: 455877548e7a685f0dacf3b10056ff85c7aeedf2 (patch)
tree: cb53bf66b49a2df64ecee67b5fa2933fdee3addf
parent: 59106e5dce83abfd3d5c58883df4cee028cea5e0 (diff)
download: poky-455877548e7a685f0dacf3b10056ff85c7aeedf2.tar.gz
2 files changed, 542 insertions, 0 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch b/meta/recipes-core/ncurses/files/CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch
new file mode 100644
index 0000000000..a19332c4b2
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch
@@ -0,0 +1,541 @@
+From 4bf72cb8f1d3aa5f33c31eb817a5f0338f4aaf6f Mon Sep 17 00:00:00 2001
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Wed, 20 Sep 2017 05:02:00 +0000
+Subject: [PATCH] Import upstream patch 20170826
+20170826
+        + fixes for "iterm2" (report by Leonardo Brondani Schenkel) -TD
+        + corrected a warning from tic about keys which are the same, to skip
+          over missing/cancelled values.
+        + add check in tic for unnecessary use of "2" to denote a shifted
+          special key.
+        + improve checks in trim_sgr0, comp_parse.c and parse_entry.c, for
+          cancelled string capabilities.
+        + add check in _nc_parse_entry() for invalid entry name, setting the
+          name to "invalid" to avoid problems storing entries.
+        + add/improve checks in tic's parser to address invalid input
+          + add a check in comp_scan.c to handle the special case where a
+            nontext file ending with a NUL rather than newline is given to tic
+            as input (Redhat #1484274).
+          + allow for cancelled capabilities in _nc_save_str (Redhat #1484276).
+          + add validity checks for "use=" target in _nc_parse_entry (Redhat
+            #1484284).
+          + check for invalid strings in postprocess_termcap (Redhat #1484285)
+          + reset secondary pointers on EOF in next_char() (Redhat #1484287).
+          + guard _nc_safe_strcpy() and _nc_safe_strcat() against calls using
+            cancelled strings (Redhat #1484291).
+        + correct typo in curs_memleaks.3x (Sven Joachim).
+        + improve test/configure checks for some curses variants not based on
+          X/Open Curses.
+        + add options for test/configure to disable checks for form, menu and
+          panel libraries.
+Upstream-Status: Backport
+CVE: CVE-2017-13732, CVE-2017-13734, CVE-2017-13730, CVE-2017-13729, CVE-2017-13728, CVE-2017-13731
+ 
+Author: Sven Joachim <svenjoac@gmx.de>
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ dist.mk                     |  4 +-
+ include/ncurses_defs        |  4 +-
+ ncurses/tinfo/alloc_entry.c |  4 +-
+ ncurses/tinfo/comp_parse.c  | 10 ++---
+ ncurses/tinfo/comp_scan.c   |  6 ++-
+ ncurses/tinfo/parse_entry.c | 91 ++++++++++++++++++++++++++++++---------------
+ ncurses/tinfo/strings.c     |  9 +++--
+ ncurses/tinfo/trim_sgr0.c   |  4 +-
+ progs/tic.c                 | 75 ++++++++++++++++++++++++++++++++++++-
+ 9 files changed, 157 insertions(+), 50 deletions(-)
+diff --git a/dist.mk b/dist.mk
+index 9af2699..2c70472 100644
+--- a/dist.mk
+++ b/dist.mk
+@@ -25,7 +25,7 @@
+ # use or other dealings in this Software without prior written               #
+ # authorization.                                                             #
+ ##############################################################################
+-# $Id: dist.mk,v 1.1172 2017/07/13 00:15:27 tom Exp $
+# $Id: dist.mk,v 1.1179 2017/08/20 15:33:41 tom Exp $
+ # Makefile for creating ncurses distributions.
+ #
+ # This only needs to be used directly as a makefile by developers, but
+@@ -37,7 +37,7 @@ SHELL = /bin/sh
+ # These define the major/minor/patch versions of ncurses.
+ NCURSES_MAJOR = 6
+ NCURSES_MINOR = 0
+-NCURSES_PATCH = 20170715
+NCURSES_PATCH = 20170826
+ 
+ # We don't append the patch to the version, since this only applies to releases
+ VERSION = $(NCURSES_MAJOR).$(NCURSES_MINOR)
+diff --git a/include/ncurses_defs b/include/ncurses_defs
+index e6611b7..d237db1 100644
+--- a/include/ncurses_defs
+++ b/include/ncurses_defs
+@@ -1,4 +1,4 @@
+-# $Id: ncurses_defs,v 1.73 2017/06/24 14:20:57 tom Exp $
+# $Id: ncurses_defs,v 1.75 2017/08/20 16:50:04 tom Exp $
+ ##############################################################################
+ # Copyright (c) 2000-2016,2017 Free Software Foundation, Inc.                #
+ #                                                                            #
+@@ -50,7 +50,9 @@ HAVE_BSD_STRING_H
+ HAVE_BTOWC 
+ HAVE_BUILTIN_H
+ HAVE_CHGAT     1
+HAVE_COLOR_CONTENT     1
+ HAVE_COLOR_SET 1
+HAVE_CURSCR    1
+ HAVE_DIRENT_H
+ HAVE_ERRNO
+ HAVE_FCNTL_H
+diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
+index 5de09f1..09374d6 100644
+--- a/ncurses/tinfo/alloc_entry.c
+++ b/ncurses/tinfo/alloc_entry.c
+@@ -47,7 +47,7 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: alloc_entry.c,v 1.60 2017/06/27 23:48:55 tom Exp $")
+MODULE_ID("$Id: alloc_entry.c,v 1.61 2017/08/25 09:09:08 tom Exp $")
+ 
+ #define ABSENT_OFFSET    -1
+ #define CANCELLED_OFFSET -2
+@@ -98,7 +98,7 @@ _nc_save_str(const char *const string)
+     size_t old_next_free = next_free;
+     size_t len;
+ 
+-    if (string == 0)
+    if (!VALID_STRING(string))
+        return _nc_save_str("");
+     len = strlen(string) + 1;
+ 
+diff --git a/ncurses/tinfo/comp_parse.c b/ncurses/tinfo/comp_parse.c
+index 34e6216..580d4df 100644
+--- a/ncurses/tinfo/comp_parse.c
+++ b/ncurses/tinfo/comp_parse.c
+@@ -47,7 +47,7 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: comp_parse.c,v 1.96 2017/04/15 15:36:58 tom Exp $")
+MODULE_ID("$Id: comp_parse.c,v 1.99 2017/08/26 16:15:50 tom Exp $")
+ 
+ static void sanity_check2(TERMTYPE2 *, bool);
+ NCURSES_IMPEXP void NCURSES_API(*_nc_check_termtype2) (TERMTYPE2 *, bool) = sanity_check2;
+@@ -510,9 +510,9 @@ static void
+ fixup_acsc(TERMTYPE2 *tp, int literal)
+ {
+     if (!literal) {
+-       if (acs_chars == 0
+-           && enter_alt_charset_mode != 0
+-           && exit_alt_charset_mode != 0)
+       if (acs_chars == ABSENT_STRING
+           && PRESENT(enter_alt_charset_mode)
+           && PRESENT(exit_alt_charset_mode))
+            acs_chars = strdup(VT_ACSC);
+     }
+ }
+@@ -568,9 +568,7 @@ sanity_check2(TERMTYPE2 *tp, bool literal)
+     PAIRED(enter_xon_mode, exit_xon_mode);
+     PAIRED(enter_am_mode, exit_am_mode);
+     ANDMISSING(label_off, label_on);
+-#ifdef remove_clock
+     PAIRED(display_clock, remove_clock);
+-#endif
+     ANDMISSING(set_color_pair, initialize_pair);
+ }
+ 
+diff --git a/ncurses/tinfo/comp_scan.c b/ncurses/tinfo/comp_scan.c
+index 40d7f6a..b207257 100644
+--- a/ncurses/tinfo/comp_scan.c
+++ b/ncurses/tinfo/comp_scan.c
+@@ -50,7 +50,7 @@
+ #include <ctype.h>
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: comp_scan.c,v 1.106 2017/04/22 11:41:12 tom Exp $")
+MODULE_ID("$Id: comp_scan.c,v 1.108 2017/08/25 22:57:21 tom Exp $")
+ 
+ /*
+  * Maximum length of string capability we'll accept before raising an error.
+@@ -168,6 +168,8 @@ next_char(void)
+        if (result != 0) {
+            FreeAndNull(result);
+            FreeAndNull(pushname);
+           bufptr = 0;
+           bufstart = 0;
+            allocated = 0;
+        }
+        /*
+@@ -222,6 +224,8 @@ next_char(void)
+                }
+                if ((bufptr = bufstart) != 0) {
+                    used = strlen(bufptr);
+                   if (used == 0)
+                       return (EOF);
+                    while (iswhite(*bufptr)) {
+                        if (*bufptr == '\t') {
+                            _nc_curr_col = (_nc_curr_col | 7) + 1;
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index 3fa2f25..bbbfcb2 100644
+--- a/ncurses/tinfo/parse_entry.c
+++ b/ncurses/tinfo/parse_entry.c
+@@ -47,7 +47,7 @@
+ #include <ctype.h>
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: parse_entry.c,v 1.86 2017/06/28 00:53:12 tom Exp $")
+MODULE_ID("$Id: parse_entry.c,v 1.91 2017/08/26 16:13:34 tom Exp $")
+ 
+ #ifdef LINT
+ static short const parametrized[] =
+@@ -180,6 +180,20 @@ _nc_extend_names(ENTRY * entryp, char *name, int token_type)
+ }
+ #endif /* NCURSES_XNAMES */
+ 
+static bool
+valid_entryname(const char *name)
+{
+    bool result = TRUE;
+    int ch;
+    while ((ch = UChar(*name++)) != '\0') {
+       if (ch <= ' ' || ch > '~' || ch == '/') {
+           result = FALSE;
+           break;
+       }
+    }
+    return result;
+}
+
+ /*
+  *     int
+  *     _nc_parse_entry(entry, literal, silent)
+@@ -211,6 +225,7 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+     int token_type;
+     struct name_table_entry const *entry_ptr;
+     char *ptr, *base;
+    const char *name;
+     bool bad_tc_usage = FALSE;
+ 
+     token_type = _nc_get_token(silent);
+@@ -261,7 +276,12 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+      * results in the terminal type getting prematurely set to correspond
+      * to that of the next entry.
+      */
+-    _nc_set_type(_nc_first_name(entryp->tterm.term_names));
+    name = _nc_first_name(entryp->tterm.term_names);
+    if (!valid_entryname(name)) {
+       _nc_warning("invalid entry name \"%s\"", name);
+       name = "invalid";
+    }
+    _nc_set_type(name);
+ 
+     /* check for overly-long names and aliases */
+     for (base = entryp->tterm.term_names; (ptr = strchr(base, '|')) != 0;
+@@ -283,13 +303,24 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+        bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
+        bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
+        if (is_use || is_tc) {
+           if (!VALID_STRING(_nc_curr_token.tk_valstring)
+               || _nc_curr_token.tk_valstring[0] == '\0') {
+               _nc_warning("missing name for use-clause");
+               continue;
+           } else if (!valid_entryname(_nc_curr_token.tk_valstring)) {
+               _nc_warning("invalid name for use-clause \"%s\"",
+                           _nc_curr_token.tk_valstring);
+               continue;
+           } else if (entryp->nuses >= MAX_USES) {
+               _nc_warning("too many use-clauses, ignored \"%s\"",
+                           _nc_curr_token.tk_valstring);
+               continue;
+           }
+            entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+            entryp->uses[entryp->nuses].line = _nc_curr_line;
+-           if (VALID_STRING(entryp->uses[entryp->nuses].name)) {
+-               entryp->nuses++;
+-               if (entryp->nuses > 1 && is_tc) {
+-                   BAD_TC_USAGE
+-               }
+           entryp->nuses++;
+           if (entryp->nuses > 1 && is_tc) {
+               BAD_TC_USAGE
+            }
+        } else {
+            /* normal token lookup */
+@@ -641,13 +672,6 @@ static const char C_BS[] = "\b";
+ static const char C_HT[] = "\t";
+ 
+ /*
+- * Note that WANTED and PRESENT are not simple inverses!  If a capability
+- * has been explicitly cancelled, it's not considered WANTED.
+- */
+-#define WANTED(s)      ((s) == ABSENT_STRING)
+-#define PRESENT(s)     (((s) != ABSENT_STRING) && ((s) != CANCELLED_STRING))
+-
+-/*
+  * This bit of legerdemain turns all the terminfo variable names into
+  * references to locations in the arrays Booleans, Numbers, and Strings ---
+  * precisely what's needed.
+@@ -672,10 +696,10 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+ 
+     /* if there was a tc entry, assume we picked up defaults via that */
+     if (!has_base) {
+-       if (WANTED(init_3string) && termcap_init2)
+       if (WANTED(init_3string) && PRESENT(termcap_init2))
+            init_3string = _nc_save_str(termcap_init2);
+ 
+-       if (WANTED(reset_2string) && termcap_reset)
+       if (WANTED(reset_2string) && PRESENT(termcap_reset))
+            reset_2string = _nc_save_str(termcap_reset);
+ 
+        if (WANTED(carriage_return)) {
+@@ -790,7 +814,7 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+        if (init_tabs != 8 && init_tabs != ABSENT_NUMERIC)
+            _nc_warning("hardware tabs with a width other than 8: %d", init_tabs);
+        else {
+-           if (tab && _nc_capcmp(tab, C_HT))
+           if (PRESENT(tab) && _nc_capcmp(tab, C_HT))
+                _nc_warning("hardware tabs with a non-^I tab string %s",
+                            _nc_visbuf(tab));
+            else {
+@@ -867,17 +891,22 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+             * The magic moment -- copy the mapped key string over,
+             * stripping out padding.
+             */
+-           for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) {
+-               if (bp[0] == '$' && bp[1] == '<') {
+-                   while (*bp && *bp != '>') {
+-                       ++bp;
+-                   }
+-               } else
+-                   *dp++ = *bp;
+-           }
+-           *dp = '\0';
+           bp = tp->Strings[from_ptr->nte_index];
+           if (VALID_STRING(bp)) {
+               for (dp = buf2; *bp; bp++) {
+                   if (bp[0] == '$' && bp[1] == '<') {
+                       while (*bp && *bp != '>') {
+                           ++bp;
+                       }
+                   } else
+                       *dp++ = *bp;
+               }
+               *dp = '\0';
+ 
+-           tp->Strings[to_ptr->nte_index] = _nc_save_str(buf2);
+               tp->Strings[to_ptr->nte_index] = _nc_save_str(buf2);
+           } else {
+               tp->Strings[to_ptr->nte_index] = bp;
+           }
+        }
+ 
+        /*
+@@ -886,7 +915,7 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+         * got mapped to kich1 and im to kIC to avoid a collision.
+         * If the description has im but not ic, hack kIC back to kich1.
+         */
+-       if (foundim && WANTED(key_ic) && key_sic) {
+       if (foundim && WANTED(key_ic) && PRESENT(key_sic)) {
+            key_ic = key_sic;
+            key_sic = ABSENT_STRING;
+        }
+@@ -938,9 +967,9 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+            acs_chars = _nc_save_str(buf2);
+            _nc_warning("acsc string synthesized from XENIX capabilities");
+        }
+-    } else if (acs_chars == 0
+-              && enter_alt_charset_mode != 0
+-              && exit_alt_charset_mode != 0) {
+    } else if (acs_chars == ABSENT_STRING
+              && PRESENT(enter_alt_charset_mode)
+              && PRESENT(exit_alt_charset_mode)) {
+        acs_chars = _nc_save_str(VT_ACSC);
+     }
+ }
+diff --git a/ncurses/tinfo/strings.c b/ncurses/tinfo/strings.c
+index 393d8e7..10ec6c8 100644
+--- a/ncurses/tinfo/strings.c
+++ b/ncurses/tinfo/strings.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 2000-2007,2012 Free Software Foundation, Inc.              *
+ * Copyright (c) 2000-2012,2017 Free Software Foundation, Inc.              *
+  *                                                                          *
+  * Permission is hereby granted, free of charge, to any person obtaining a  *
+  * copy of this software and associated documentation files (the            *
+@@ -35,8 +35,9 @@
+ **/
+ 
+ #include <curses.priv.h>
+#include <tic.h>
+ 
+-MODULE_ID("$Id: strings.c,v 1.8 2012/02/22 22:34:31 tom Exp $")
+MODULE_ID("$Id: strings.c,v 1.9 2017/08/26 13:16:11 tom Exp $")
+ 
+ /****************************************************************************
+  * Useful string functions (especially for mvcur)
+@@ -105,7 +106,7 @@ _nc_str_copy(string_desc * dst, string_desc * src)
+ NCURSES_EXPORT(bool)
+ _nc_safe_strcat(string_desc * dst, const char *src)
+ {
+-    if (src != 0) {
+    if (PRESENT(src)) {
+        size_t len = strlen(src);
+ 
+        if (len < dst->s_size) {
+@@ -126,7 +127,7 @@ _nc_safe_strcat(string_desc * dst, const char *src)
+ NCURSES_EXPORT(bool)
+ _nc_safe_strcpy(string_desc * dst, const char *src)
+ {
+-    if (src != 0) {
+    if (PRESENT(src)) {
+        size_t len = strlen(src);
+ 
+        if (len < dst->s_size) {
+diff --git a/ncurses/tinfo/trim_sgr0.c b/ncurses/tinfo/trim_sgr0.c
+index 4cbcb65..4d92d15 100644
+--- a/ncurses/tinfo/trim_sgr0.c
+++ b/ncurses/tinfo/trim_sgr0.c
+@@ -36,7 +36,7 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: trim_sgr0.c,v 1.16 2017/04/05 22:33:07 tom Exp $")
+MODULE_ID("$Id: trim_sgr0.c,v 1.17 2017/08/26 14:54:16 tom Exp $")
+ 
+ #undef CUR
+ #define CUR tp->
+@@ -263,7 +263,7 @@ _nc_trim_sgr0(TERMTYPE2 *tp)
+            /*
+             * If rmacs is a substring of sgr(0), remove that chunk.
+             */
+-           if (exit_alt_charset_mode != 0) {
+           if (PRESENT(exit_alt_charset_mode)) {
+                TR(TRACE_DATABASE, ("scan for rmacs %s", _nc_visbuf(exit_alt_charset_mode)));
+                j = strlen(off);
+                k = strlen(exit_alt_charset_mode);
+diff --git a/progs/tic.c b/progs/tic.c
+index c5d78e5..6dd4678 100644
+--- a/progs/tic.c
+++ b/progs/tic.c
+@@ -48,7 +48,7 @@
+ #include <parametrized.h>
+ #include <transform.h>
+ 
+-MODULE_ID("$Id: tic.c,v 1.233 2017/07/15 17:40:19 tom Exp $")
+MODULE_ID("$Id: tic.c,v 1.243 2017/08/26 20:56:55 tom Exp $")
+ 
+ #define STDIN_NAME "<stdin>"
+ 
+@@ -62,6 +62,10 @@ static bool showsummary = FALSE;
+ static char **namelst = 0;
+ static const char *to_remove;
+ 
+#if NCURSES_XNAMES
+static bool using_extensions = FALSE;
+#endif
+
+ static void (*save_check_termtype) (TERMTYPE2 *, bool);
+ static void check_termtype(TERMTYPE2 *tt, bool);
+ 
+@@ -850,6 +854,7 @@ main(int argc, char *argv[])
+            /* FALLTHRU */
+        case 'x':
+            use_extended_names(TRUE);
+           using_extensions = TRUE;
+            break;
+ #endif
+        default:
+@@ -2405,10 +2410,17 @@ check_conflict(TERMTYPE2 *tp)
+            const char *a = given[j].value;
+            bool first = TRUE;
+ 
+           if (!VALID_STRING(a))
+               continue;
+
+            for (k = j + 1; given[k].keycode; k++) {
+                const char *b = given[k].value;
+
+               if (!VALID_STRING(b))
+                   continue;
+                if (check[k])
+                    continue;
+
+                if (!_nc_capcmp(a, b)) {
+                    check[j] = 1;
+                    check[k] = 1;
+@@ -2431,6 +2443,67 @@ check_conflict(TERMTYPE2 *tp)
+            if (!first)
+                fprintf(stderr, "\n");
+        }
+#if NCURSES_XNAMES
+       if (using_extensions) {
+           /* *INDENT-OFF* */
+           static struct {
+               const char *xcurses;
+               const char *shifted;
+           } table[] = {
+               { "kDC",  NULL },
+               { "kDN",  "kind" },
+               { "kEND", NULL },
+               { "kHOM", NULL },
+               { "kLFT", NULL },
+               { "kNXT", NULL },
+               { "kPRV", NULL },
+               { "kRIT", NULL },
+               { "kUP",  "kri" },
+               { NULL,   NULL },
+           };
+           /* *INDENT-ON* */
+
+           /*
+            * SVr4 curses defines the "xcurses" names listed above except for
+            * the special cases in the "shifted" column.  When using these
+            * names for xterm's extensions, that was confusing, and resulted
+            * in adding extended capabilities with "2" (shift) suffix.  This
+            * check warns about unnecessary use of extensions for this quirk.
+            */
+           for (j = 0; given[j].keycode; ++j) {
+               const char *find = given[j].name;
+               int value;
+               char ch;
+
+               if (!VALID_STRING(given[j].value))
+                   continue;
+
+               for (k = 0; table[k].xcurses; ++k) {
+                   const char *test = table[k].xcurses;
+                   size_t size = strlen(test);
+
+                   if (!strncmp(find, test, size) && strcmp(find, test)) {
+                       switch (sscanf(find + size, "%d%c", &value, &ch)) {
+                       case 1:
+                           if (value == 2) {
+                               _nc_warning("expected '%s' rather than '%s'",
+                                           (table[k].shifted
+                                            ? table[k].shifted
+                                            : test), find);
+                           } else if (value < 2 || value > 15) {
+                               _nc_warning("expected numeric 2..15 '%s'", find);
+                           }
+                           break;
+                       default:
+                           _nc_warning("expected numeric suffix for '%s'", find);
+                           break;
+                       }
+                       break;
+                   }
+               }
+           }
+       }
+#endif
+        free(given);
+        free(check);
+     }
+-- 
+2.10.2
diff --git a/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb b/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb
index 127394c006..d1da5d16e0 100644
--- a/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb
@@ -3,6 +3,7 @@ require ncurses.inc
 SRC_URI += "file://0001-tic-hang.patch \
            file://0002-configure-reproducible.patch \
            file://config.cache \
+            file://CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch \
 "
 # commit id corresponds to the revision in package version
 SRCREV = "52681a6a1a18b4d6eb1a716512d0dd827bd71c87"
author	Ovidiu Panait <ovidiu.panait@windriver.com>	2017-09-20 13:13:49 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-09-21 09:24:25 +0100
commit	455877548e7a685f0dacf3b10056ff85c7aeedf2 (patch)
tree	cb53bf66b49a2df64ecee67b5fa2933fdee3addf
parent	59106e5dce83abfd3d5c58883df4cee028cea5e0 (diff)
download	poky-455877548e7a685f0dacf3b10056ff85c7aeedf2.tar.gz

diff --git a/meta/recipes-core/ncurses/files/CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch b/meta/recipes-core/ncurses/files/CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch new file mode 100644 index 0000000000..a19332c4b2 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch
@@ -0,0 +1,541 @@
		1	From 4bf72cb8f1d3aa5f33c31eb817a5f0338f4aaf6f Mon Sep 17 00:00:00 2001
		2	From: Ovidiu Panait <ovidiu.panait@windriver.com>
		3	Date: Wed, 20 Sep 2017 05:02:00 +0000
		4	Subject: [PATCH] Import upstream patch 20170826
		5
		6	20170826
		7	+ fixes for "iterm2" (report by Leonardo Brondani Schenkel) -TD
		8	+ corrected a warning from tic about keys which are the same, to skip
		9	over missing/cancelled values.
		10	+ add check in tic for unnecessary use of "2" to denote a shifted
		11	special key.
		12	+ improve checks in trim_sgr0, comp_parse.c and parse_entry.c, for
		13	cancelled string capabilities.
		14	+ add check in _nc_parse_entry() for invalid entry name, setting the
		15	name to "invalid" to avoid problems storing entries.
		16	+ add/improve checks in tic's parser to address invalid input
		17	+ add a check in comp_scan.c to handle the special case where a
		18	nontext file ending with a NUL rather than newline is given to tic
		19	as input (Redhat #1484274).
		20	+ allow for cancelled capabilities in _nc_save_str (Redhat #1484276).
		21	+ add validity checks for "use=" target in _nc_parse_entry (Redhat
		22	#1484284).
		23	+ check for invalid strings in postprocess_termcap (Redhat #1484285)
		24	+ reset secondary pointers on EOF in next_char() (Redhat #1484287).
		25	+ guard _nc_safe_strcpy() and _nc_safe_strcat() against calls using
		26	cancelled strings (Redhat #1484291).
		27	+ correct typo in curs_memleaks.3x (Sven Joachim).
		28	+ improve test/configure checks for some curses variants not based on
		29	X/Open Curses.
		30	+ add options for test/configure to disable checks for form, menu and
		31	panel libraries.
		32
		33	Upstream-Status: Backport
		34	CVE: CVE-2017-13732, CVE-2017-13734, CVE-2017-13730, CVE-2017-13729, CVE-2017-13728, CVE-2017-13731
		35
		36
		37	Author: Sven Joachim <svenjoac@gmx.de>
		38	Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
		39	---
		40	dist.mk \| 4 +-
		41	include/ncurses_defs \| 4 +-
		42	ncurses/tinfo/alloc_entry.c \| 4 +-
		43	ncurses/tinfo/comp_parse.c \| 10 ++---
		44	ncurses/tinfo/comp_scan.c \| 6 ++-
		45	ncurses/tinfo/parse_entry.c \| 91 ++++++++++++++++++++++++++++++---------------
		46	ncurses/tinfo/strings.c \| 9 +++--
		47	ncurses/tinfo/trim_sgr0.c \| 4 +-
		48	progs/tic.c \| 75 ++++++++++++++++++++++++++++++++++++-
		49	9 files changed, 157 insertions(+), 50 deletions(-)
		50
		51	diff --git a/dist.mk b/dist.mk
		52	index 9af2699..2c70472 100644
		53	--- a/dist.mk
		54	+++ b/dist.mk
		55	@@ -25,7 +25,7 @@
		56	# use or other dealings in this Software without prior written #
		57	# authorization. #
		58	##############################################################################
		59	-# $Id: dist.mk,v 1.1172 2017/07/13 00:15:27 tom Exp $
		60	+# $Id: dist.mk,v 1.1179 2017/08/20 15:33:41 tom Exp $
		61	# Makefile for creating ncurses distributions.
		62	#
		63	# This only needs to be used directly as a makefile by developers, but
		64	@@ -37,7 +37,7 @@ SHELL = /bin/sh
		65	# These define the major/minor/patch versions of ncurses.
		66	NCURSES_MAJOR = 6
		67	NCURSES_MINOR = 0
		68	-NCURSES_PATCH = 20170715
		69	+NCURSES_PATCH = 20170826
		70
		71	# We don't append the patch to the version, since this only applies to releases
		72	VERSION = $(NCURSES_MAJOR).$(NCURSES_MINOR)
		73	diff --git a/include/ncurses_defs b/include/ncurses_defs
		74	index e6611b7..d237db1 100644
		75	--- a/include/ncurses_defs
		76	+++ b/include/ncurses_defs
		77	@@ -1,4 +1,4 @@
		78	-# $Id: ncurses_defs,v 1.73 2017/06/24 14:20:57 tom Exp $
		79	+# $Id: ncurses_defs,v 1.75 2017/08/20 16:50:04 tom Exp $
		80	##############################################################################
		81	# Copyright (c) 2000-2016,2017 Free Software Foundation, Inc. #
		82	# #
		83	@@ -50,7 +50,9 @@ HAVE_BSD_STRING_H
		84	HAVE_BTOWC
		85	HAVE_BUILTIN_H
		86	HAVE_CHGAT 1
		87	+HAVE_COLOR_CONTENT 1
		88	HAVE_COLOR_SET 1
		89	+HAVE_CURSCR 1
		90	HAVE_DIRENT_H
		91	HAVE_ERRNO
		92	HAVE_FCNTL_H
		93	diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
		94	index 5de09f1..09374d6 100644
		95	--- a/ncurses/tinfo/alloc_entry.c
		96	+++ b/ncurses/tinfo/alloc_entry.c
		97	@@ -47,7 +47,7 @@
		98
		99	#include <tic.h>
		100
		101	-MODULE_ID("$Id: alloc_entry.c,v 1.60 2017/06/27 23:48:55 tom Exp $")
		102	+MODULE_ID("$Id: alloc_entry.c,v 1.61 2017/08/25 09:09:08 tom Exp $")
		103
		104	#define ABSENT_OFFSET -1
		105	#define CANCELLED_OFFSET -2
		106	@@ -98,7 +98,7 @@ _nc_save_str(const char *const string)
		107	size_t old_next_free = next_free;
		108	size_t len;
		109
		110	- if (string == 0)
		111	+ if (!VALID_STRING(string))
		112	return _nc_save_str("");
		113	len = strlen(string) + 1;
		114
		115	diff --git a/ncurses/tinfo/comp_parse.c b/ncurses/tinfo/comp_parse.c
		116	index 34e6216..580d4df 100644
		117	--- a/ncurses/tinfo/comp_parse.c
		118	+++ b/ncurses/tinfo/comp_parse.c
		119	@@ -47,7 +47,7 @@
		120
		121	#include <tic.h>
		122
		123	-MODULE_ID("$Id: comp_parse.c,v 1.96 2017/04/15 15:36:58 tom Exp $")
		124	+MODULE_ID("$Id: comp_parse.c,v 1.99 2017/08/26 16:15:50 tom Exp $")
		125
		126	static void sanity_check2(TERMTYPE2 *, bool);
		127	NCURSES_IMPEXP void NCURSES_API(_nc_check_termtype2) (TERMTYPE2 , bool) = sanity_check2;
		128	@@ -510,9 +510,9 @@ static void
		129	fixup_acsc(TERMTYPE2 *tp, int literal)
		130	{
		131	if (!literal) {
		132	- if (acs_chars == 0
		133	- && enter_alt_charset_mode != 0
		134	- && exit_alt_charset_mode != 0)
		135	+ if (acs_chars == ABSENT_STRING
		136	+ && PRESENT(enter_alt_charset_mode)
		137	+ && PRESENT(exit_alt_charset_mode))
		138	acs_chars = strdup(VT_ACSC);
		139	}
		140	}
		141	@@ -568,9 +568,7 @@ sanity_check2(TERMTYPE2 *tp, bool literal)
		142	PAIRED(enter_xon_mode, exit_xon_mode);
		143	PAIRED(enter_am_mode, exit_am_mode);
		144	ANDMISSING(label_off, label_on);
		145	-#ifdef remove_clock
		146	PAIRED(display_clock, remove_clock);
		147	-#endif
		148	ANDMISSING(set_color_pair, initialize_pair);
		149	}
		150
		151	diff --git a/ncurses/tinfo/comp_scan.c b/ncurses/tinfo/comp_scan.c
		152	index 40d7f6a..b207257 100644
		153	--- a/ncurses/tinfo/comp_scan.c
		154	+++ b/ncurses/tinfo/comp_scan.c
		155	@@ -50,7 +50,7 @@
		156	#include <ctype.h>
		157	#include <tic.h>
		158
		159	-MODULE_ID("$Id: comp_scan.c,v 1.106 2017/04/22 11:41:12 tom Exp $")
		160	+MODULE_ID("$Id: comp_scan.c,v 1.108 2017/08/25 22:57:21 tom Exp $")
		161
		162	/*
		163	* Maximum length of string capability we'll accept before raising an error.
		164	@@ -168,6 +168,8 @@ next_char(void)
		165	if (result != 0) {
		166	FreeAndNull(result);
		167	FreeAndNull(pushname);
		168	+ bufptr = 0;
		169	+ bufstart = 0;
		170	allocated = 0;
		171	}
		172	/*
		173	@@ -222,6 +224,8 @@ next_char(void)
		174	}
		175	if ((bufptr = bufstart) != 0) {
		176	used = strlen(bufptr);
		177	+ if (used == 0)
		178	+ return (EOF);
		179	while (iswhite(*bufptr)) {
		180	if (*bufptr == '\t') {
		181	_nc_curr_col = (_nc_curr_col \| 7) + 1;
		182	diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
		183	index 3fa2f25..bbbfcb2 100644
		184	--- a/ncurses/tinfo/parse_entry.c
		185	+++ b/ncurses/tinfo/parse_entry.c
		186	@@ -47,7 +47,7 @@
		187	#include <ctype.h>
		188	#include <tic.h>
		189
		190	-MODULE_ID("$Id: parse_entry.c,v 1.86 2017/06/28 00:53:12 tom Exp $")
		191	+MODULE_ID("$Id: parse_entry.c,v 1.91 2017/08/26 16:13:34 tom Exp $")
		192
		193	#ifdef LINT
		194	static short const parametrized[] =
		195	@@ -180,6 +180,20 @@ _nc_extend_names(ENTRY * entryp, char *name, int token_type)
		196	}
		197	#endif /* NCURSES_XNAMES */
		198
		199	+static bool
		200	+valid_entryname(const char *name)
		201	+{
		202	+ bool result = TRUE;
		203	+ int ch;
		204	+ while ((ch = UChar(*name++)) != '\0') {
		205	+ if (ch <= ' ' \|\| ch > '~' \|\| ch == '/') {
		206	+ result = FALSE;
		207	+ break;
		208	+ }
		209	+ }
		210	+ return result;
		211	+}
		212	+
		213	/*
		214	* int
		215	* _nc_parse_entry(entry, literal, silent)
		216	@@ -211,6 +225,7 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
		217	int token_type;
		218	struct name_table_entry const *entry_ptr;
		219	char ptr, base;
		220	+ const char *name;
		221	bool bad_tc_usage = FALSE;
		222
		223	token_type = _nc_get_token(silent);
		224	@@ -261,7 +276,12 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
		225	* results in the terminal type getting prematurely set to correspond
		226	* to that of the next entry.
		227	*/
		228	- _nc_set_type(_nc_first_name(entryp->tterm.term_names));
		229	+ name = _nc_first_name(entryp->tterm.term_names);
		230	+ if (!valid_entryname(name)) {
		231	+ _nc_warning("invalid entry name \"%s\"", name);
		232	+ name = "invalid";
		233	+ }
		234	+ _nc_set_type(name);
		235
		236	/* check for overly-long names and aliases */
		237	for (base = entryp->tterm.term_names; (ptr = strchr(base, '\|')) != 0;
		238	@@ -283,13 +303,24 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
		239	bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
		240	bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
		241	if (is_use \|\| is_tc) {
		242	+ if (!VALID_STRING(_nc_curr_token.tk_valstring)
		243	+ \|\| _nc_curr_token.tk_valstring[0] == '\0') {
		244	+ _nc_warning("missing name for use-clause");
		245	+ continue;
		246	+ } else if (!valid_entryname(_nc_curr_token.tk_valstring)) {
		247	+ _nc_warning("invalid name for use-clause \"%s\"",
		248	+ _nc_curr_token.tk_valstring);
		249	+ continue;
		250	+ } else if (entryp->nuses >= MAX_USES) {
		251	+ _nc_warning("too many use-clauses, ignored \"%s\"",
		252	+ _nc_curr_token.tk_valstring);
		253	+ continue;
		254	+ }
		255	entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
		256	entryp->uses[entryp->nuses].line = _nc_curr_line;
		257	- if (VALID_STRING(entryp->uses[entryp->nuses].name)) {
		258	- entryp->nuses++;
		259	- if (entryp->nuses > 1 && is_tc) {
		260	- BAD_TC_USAGE
		261	- }
		262	+ entryp->nuses++;
		263	+ if (entryp->nuses > 1 && is_tc) {
		264	+ BAD_TC_USAGE
		265	}
		266	} else {
		267	/* normal token lookup */
		268	@@ -641,13 +672,6 @@ static const char C_BS[] = "\b";
		269	static const char C_HT[] = "\t";
		270
		271	/*
		272	- * Note that WANTED and PRESENT are not simple inverses! If a capability
		273	- * has been explicitly cancelled, it's not considered WANTED.
		274	- */
		275	-#define WANTED(s) ((s) == ABSENT_STRING)
		276	-#define PRESENT(s) (((s) != ABSENT_STRING) && ((s) != CANCELLED_STRING))
		277	-
		278	-/*
		279	* This bit of legerdemain turns all the terminfo variable names into
		280	* references to locations in the arrays Booleans, Numbers, and Strings ---
		281	* precisely what's needed.
		282	@@ -672,10 +696,10 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
		283
		284	/* if there was a tc entry, assume we picked up defaults via that */
		285	if (!has_base) {
		286	- if (WANTED(init_3string) && termcap_init2)
		287	+ if (WANTED(init_3string) && PRESENT(termcap_init2))
		288	init_3string = _nc_save_str(termcap_init2);
		289
		290	- if (WANTED(reset_2string) && termcap_reset)
		291	+ if (WANTED(reset_2string) && PRESENT(termcap_reset))
		292	reset_2string = _nc_save_str(termcap_reset);
		293
		294	if (WANTED(carriage_return)) {
		295	@@ -790,7 +814,7 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
		296	if (init_tabs != 8 && init_tabs != ABSENT_NUMERIC)
		297	_nc_warning("hardware tabs with a width other than 8: %d", init_tabs);
		298	else {
		299	- if (tab && _nc_capcmp(tab, C_HT))
		300	+ if (PRESENT(tab) && _nc_capcmp(tab, C_HT))
		301	_nc_warning("hardware tabs with a non-^I tab string %s",
		302	_nc_visbuf(tab));
		303	else {
		304	@@ -867,17 +891,22 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
		305	* The magic moment -- copy the mapped key string over,
		306	* stripping out padding.
		307	*/
		308	- for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) {
		309	- if (bp[0] == '$' && bp[1] == '<') {
		310	- while (bp && bp != '>') {
		311	- ++bp;
		312	- }
		313	- } else
		314	- dp++ = bp;
		315	- }
		316	- *dp = '\0';
		317	+ bp = tp->Strings[from_ptr->nte_index];
		318	+ if (VALID_STRING(bp)) {
		319	+ for (dp = buf2; *bp; bp++) {
		320	+ if (bp[0] == '$' && bp[1] == '<') {
		321	+ while (bp && bp != '>') {
		322	+ ++bp;
		323	+ }
		324	+ } else
		325	+ dp++ = bp;
		326	+ }
		327	+ *dp = '\0';
		328
		329	- tp->Strings[to_ptr->nte_index] = _nc_save_str(buf2);
		330	+ tp->Strings[to_ptr->nte_index] = _nc_save_str(buf2);
		331	+ } else {
		332	+ tp->Strings[to_ptr->nte_index] = bp;
		333	+ }
		334	}
		335
		336	/*
		337	@@ -886,7 +915,7 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
		338	* got mapped to kich1 and im to kIC to avoid a collision.
		339	* If the description has im but not ic, hack kIC back to kich1.
		340	*/
		341	- if (foundim && WANTED(key_ic) && key_sic) {
		342	+ if (foundim && WANTED(key_ic) && PRESENT(key_sic)) {
		343	key_ic = key_sic;
		344	key_sic = ABSENT_STRING;
		345	}
		346	@@ -938,9 +967,9 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
		347	acs_chars = _nc_save_str(buf2);
		348	_nc_warning("acsc string synthesized from XENIX capabilities");
		349	}
		350	- } else if (acs_chars == 0
		351	- && enter_alt_charset_mode != 0
		352	- && exit_alt_charset_mode != 0) {
		353	+ } else if (acs_chars == ABSENT_STRING
		354	+ && PRESENT(enter_alt_charset_mode)
		355	+ && PRESENT(exit_alt_charset_mode)) {
		356	acs_chars = _nc_save_str(VT_ACSC);
		357	}
		358	}
		359	diff --git a/ncurses/tinfo/strings.c b/ncurses/tinfo/strings.c
		360	index 393d8e7..10ec6c8 100644
		361	--- a/ncurses/tinfo/strings.c
		362	+++ b/ncurses/tinfo/strings.c
		363	@@ -1,5 +1,5 @@
		364	/****************************************************************************
		365	- * Copyright (c) 2000-2007,2012 Free Software Foundation, Inc. *
		366	+ * Copyright (c) 2000-2012,2017 Free Software Foundation, Inc. *
		367	* *
		368	* Permission is hereby granted, free of charge, to any person obtaining a *
		369	* copy of this software and associated documentation files (the *
		370	@@ -35,8 +35,9 @@
		371	**/
		372
		373	#include <curses.priv.h>
		374	+#include <tic.h>
		375
		376	-MODULE_ID("$Id: strings.c,v 1.8 2012/02/22 22:34:31 tom Exp $")
		377	+MODULE_ID("$Id: strings.c,v 1.9 2017/08/26 13:16:11 tom Exp $")
		378
		379	/****************************************************************************
		380	* Useful string functions (especially for mvcur)
		381	@@ -105,7 +106,7 @@ _nc_str_copy(string_desc * dst, string_desc * src)
		382	NCURSES_EXPORT(bool)
		383	_nc_safe_strcat(string_desc * dst, const char *src)
		384	{
		385	- if (src != 0) {
		386	+ if (PRESENT(src)) {
		387	size_t len = strlen(src);
		388
		389	if (len < dst->s_size) {
		390	@@ -126,7 +127,7 @@ _nc_safe_strcat(string_desc * dst, const char *src)
		391	NCURSES_EXPORT(bool)
		392	_nc_safe_strcpy(string_desc * dst, const char *src)
		393	{
		394	- if (src != 0) {
		395	+ if (PRESENT(src)) {
		396	size_t len = strlen(src);
		397
		398	if (len < dst->s_size) {
		399	diff --git a/ncurses/tinfo/trim_sgr0.c b/ncurses/tinfo/trim_sgr0.c
		400	index 4cbcb65..4d92d15 100644
		401	--- a/ncurses/tinfo/trim_sgr0.c
		402	+++ b/ncurses/tinfo/trim_sgr0.c
		403	@@ -36,7 +36,7 @@
		404
		405	#include <tic.h>
		406
		407	-MODULE_ID("$Id: trim_sgr0.c,v 1.16 2017/04/05 22:33:07 tom Exp $")
		408	+MODULE_ID("$Id: trim_sgr0.c,v 1.17 2017/08/26 14:54:16 tom Exp $")
		409
		410	#undef CUR
		411	#define CUR tp->
		412	@@ -263,7 +263,7 @@ _nc_trim_sgr0(TERMTYPE2 *tp)
		413	/*
		414	* If rmacs is a substring of sgr(0), remove that chunk.
		415	*/
		416	- if (exit_alt_charset_mode != 0) {
		417	+ if (PRESENT(exit_alt_charset_mode)) {
		418	TR(TRACE_DATABASE, ("scan for rmacs %s", _nc_visbuf(exit_alt_charset_mode)));
		419	j = strlen(off);
		420	k = strlen(exit_alt_charset_mode);
		421	diff --git a/progs/tic.c b/progs/tic.c
		422	index c5d78e5..6dd4678 100644
		423	--- a/progs/tic.c
		424	+++ b/progs/tic.c
		425	@@ -48,7 +48,7 @@
		426	#include <parametrized.h>
		427	#include <transform.h>
		428
		429	-MODULE_ID("$Id: tic.c,v 1.233 2017/07/15 17:40:19 tom Exp $")
		430	+MODULE_ID("$Id: tic.c,v 1.243 2017/08/26 20:56:55 tom Exp $")
		431
		432	#define STDIN_NAME "<stdin>"
		433
		434	@@ -62,6 +62,10 @@ static bool showsummary = FALSE;
		435	static char **namelst = 0;
		436	static const char *to_remove;
		437
		438	+#if NCURSES_XNAMES
		439	+static bool using_extensions = FALSE;
		440	+#endif
		441	+
		442	static void (save_check_termtype) (TERMTYPE2 , bool);
		443	static void check_termtype(TERMTYPE2 *tt, bool);
		444
		445	@@ -850,6 +854,7 @@ main(int argc, char *argv[])
		446	/* FALLTHRU */
		447	case 'x':
		448	use_extended_names(TRUE);
		449	+ using_extensions = TRUE;
		450	break;
		451	#endif
		452	default:
		453	@@ -2405,10 +2410,17 @@ check_conflict(TERMTYPE2 *tp)
		454	const char *a = given[j].value;
		455	bool first = TRUE;
		456
		457	+ if (!VALID_STRING(a))
		458	+ continue;
		459	+
		460	for (k = j + 1; given[k].keycode; k++) {
		461	const char *b = given[k].value;
		462	+
		463	+ if (!VALID_STRING(b))
		464	+ continue;
		465	if (check[k])
		466	continue;
		467	+
		468	if (!_nc_capcmp(a, b)) {
		469	check[j] = 1;
		470	check[k] = 1;
		471	@@ -2431,6 +2443,67 @@ check_conflict(TERMTYPE2 *tp)
		472	if (!first)
		473	fprintf(stderr, "\n");
		474	}
		475	+#if NCURSES_XNAMES
		476	+ if (using_extensions) {
		477	+ /* INDENT-OFF */
		478	+ static struct {
		479	+ const char *xcurses;
		480	+ const char *shifted;
		481	+ } table[] = {
		482	+ { "kDC", NULL },
		483	+ { "kDN", "kind" },
		484	+ { "kEND", NULL },
		485	+ { "kHOM", NULL },
		486	+ { "kLFT", NULL },
		487	+ { "kNXT", NULL },
		488	+ { "kPRV", NULL },
		489	+ { "kRIT", NULL },
		490	+ { "kUP", "kri" },
		491	+ { NULL, NULL },
		492	+ };
		493	+ /* INDENT-ON */
		494	+
		495	+ /*
		496	+ * SVr4 curses defines the "xcurses" names listed above except for
		497	+ * the special cases in the "shifted" column. When using these
		498	+ * names for xterm's extensions, that was confusing, and resulted
		499	+ * in adding extended capabilities with "2" (shift) suffix. This
		500	+ * check warns about unnecessary use of extensions for this quirk.
		501	+ */
		502	+ for (j = 0; given[j].keycode; ++j) {
		503	+ const char *find = given[j].name;
		504	+ int value;
		505	+ char ch;
		506	+
		507	+ if (!VALID_STRING(given[j].value))
		508	+ continue;
		509	+
		510	+ for (k = 0; table[k].xcurses; ++k) {
		511	+ const char *test = table[k].xcurses;
		512	+ size_t size = strlen(test);
		513	+
		514	+ if (!strncmp(find, test, size) && strcmp(find, test)) {
		515	+ switch (sscanf(find + size, "%d%c", &value, &ch)) {
		516	+ case 1:
		517	+ if (value == 2) {
		518	+ _nc_warning("expected '%s' rather than '%s'",
		519	+ (table[k].shifted
		520	+ ? table[k].shifted
		521	+ : test), find);
		522	+ } else if (value < 2 \|\| value > 15) {
		523	+ _nc_warning("expected numeric 2..15 '%s'", find);
		524	+ }
		525	+ break;
		526	+ default:
		527	+ _nc_warning("expected numeric suffix for '%s'", find);
		528	+ break;
		529	+ }
		530	+ break;
		531	+ }
		532	+ }
		533	+ }
		534	+ }
		535	+#endif
		536	free(given);
		537	free(check);
		538	}
		539	--
		540	2.10.2
		541


diff --git a/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb b/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb index 127394c006..d1da5d16e0 100644 --- a/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb +++ b/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb
@@ -3,6 +3,7 @@ require ncurses.inc
3	SRC_URI += "file://0001-tic-hang.patch \	3	SRC_URI += "file://0001-tic-hang.patch \
4	file://0002-configure-reproducible.patch \	4	file://0002-configure-reproducible.patch \
5	file://config.cache \	5	file://config.cache \
		6	file://CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch \
6	"	7	"
7	# commit id corresponds to the revision in package version	8	# commit id corresponds to the revision in package version
8	SRCREV = "52681a6a1a18b4d6eb1a716512d0dd827bd71c87"	9	SRCREV = "52681a6a1a18b4d6eb1a716512d0dd827bd71c87"