2 files changed, 26 insertions, 0 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2025-6141.patch b/meta/recipes-core/ncurses/files/CVE-2025-6141.patch
new file mode 100644
index 0000000000..ec7e8a94e4
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2025-6141.patch
@@ -0,0 +1,25 @@
+From 27d1493340d714e7be6e08c0a8f43e48276149c4 Mon Sep 17 00:00:00 2001
+From: "Thomas E. Dickey" <dickey@invisible-island.net>
+Date: Sat, 29 Mar 2025 22:52:37 +0000
+Subject: [PATCH] snapshot of project "ncurses", label v6_5_20250329
+CVE: CVE-2025-6141
+Upstream-Status: Backport [https://github.com/ThomasDickey/ncurses-snapshots/commit/27d1493340d714e7be6e08c0a8f43e48276149c4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ncurses/tinfo/parse_entry.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index a2278c07..c551c780 100644
+--- a/ncurses/tinfo/parse_entry.c
+++ b/ncurses/tinfo/parse_entry.c
+@@ -985,6 +985,8 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+            bp = tp->Strings[from_ptr->nte_index];
+            if (VALID_STRING(bp)) {
+                for (dp = buf2; *bp; bp++) {
+                   if ((size_t) (dp - buf2) >= (sizeof(buf2) - sizeof(TERMTYPE2)))
+                         break;
+                    if (bp[0] == '$' && bp[1] == '<') {
+                        while (*bp && *bp != '>') {
+                            ++bp;
diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4.bb
index 61558ecfa8..d3b4106118 100644
--- a/meta/recipes-core/ncurses/ncurses_6.4.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.4.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://0001-tic-hang.patch \
           file://0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch \
           file://CVE-2023-50495.patch \
           file://CVE-2023-45918.patch \
+           file://CVE-2025-6141.patch \
           "
 # commit id corresponds to the revision in package version
 SRCREV = "1003914e200fd622a27237abca155ce6bf2e6030"

diff --git a/meta/recipes-core/ncurses/files/CVE-2025-6141.patch b/meta/recipes-core/ncurses/files/CVE-2025-6141.patch new file mode 100644 index 0000000000..ec7e8a94e4 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2025-6141.patch
@@ -0,0 +1,25 @@
		1	From 27d1493340d714e7be6e08c0a8f43e48276149c4 Mon Sep 17 00:00:00 2001
		2	From: "Thomas E. Dickey" <dickey@invisible-island.net>
		3	Date: Sat, 29 Mar 2025 22:52:37 +0000
		4	Subject: [PATCH] snapshot of project "ncurses", label v6_5_20250329
		5
		6	CVE: CVE-2025-6141
		7	Upstream-Status: Backport [https://github.com/ThomasDickey/ncurses-snapshots/commit/27d1493340d714e7be6e08c0a8f43e48276149c4]
		8	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		9	---
		10	ncurses/tinfo/parse_entry.c \| 2 ++
		11	1 file changed, 2 insertions(+)
		12
		13	diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
		14	index a2278c07..c551c780 100644
		15	--- a/ncurses/tinfo/parse_entry.c
		16	+++ b/ncurses/tinfo/parse_entry.c
		17	@@ -985,6 +985,8 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
		18	bp = tp->Strings[from_ptr->nte_index];
		19	if (VALID_STRING(bp)) {
		20	for (dp = buf2; *bp; bp++) {
		21	+ if ((size_t) (dp - buf2) >= (sizeof(buf2) - sizeof(TERMTYPE2)))
		22	+ break;
		23	if (bp[0] == '$' && bp[1] == '<') {
		24	while (bp && bp != '>') {
		25	++bp;


diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4.bb index 61558ecfa8..d3b4106118 100644 --- a/meta/recipes-core/ncurses/ncurses_6.4.bb +++ b/meta/recipes-core/ncurses/ncurses_6.4.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://0001-tic-hang.patch \
8	file://0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch \	8	file://0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch \
9	file://CVE-2023-50495.patch \	9	file://CVE-2023-50495.patch \
10	file://CVE-2023-45918.patch \	10	file://CVE-2023-45918.patch \
		11	file://CVE-2025-6141.patch \
11	"	12	"
12	# commit id corresponds to the revision in package version	13	# commit id corresponds to the revision in package version
13	SRCREV = "1003914e200fd622a27237abca155ce6bf2e6030"	14	SRCREV = "1003914e200fd622a27237abca155ce6bf2e6030"