[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[poky][sumo][PATCH] ncurses: fix CVE-2019-17594, CVE-2019-17595
|
From: |
Sana Kazi |
|
Subject: |
[poky][sumo][PATCH] ncurses: fix CVE-2019-17594, CVE-2019-17595 |
|
Date: |
Wed, 6 Jan 2021 14:27:55 +0530 |
From: Trevor Gamblin <trevor.gamblin@windriver.com>
Backport changes to tinfo/comp_hash.c, tinfo/parse_entry.c,
and progs/dump_entry.c from upstream to fix CVEs.
(From OE-Core rev: 7ec70aeb0c6f6080523efa0f983fa36b92cb5558)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
---
...selective-backport-of-20191012-patch.patch | 158 ++++++++++++++++++
.../ncurses/ncurses_6.0+20171125.bb | 1 +
2 files changed, 159 insertions(+)
create mode 100644
meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch
diff --git
a/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch
b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch
new file mode 100644
index 0000000000..989a8ccd4e
--- /dev/null
+++
b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch
@@ -0,0 +1,158 @@
+From 064b77f173337aa790f1cec0d741bfbc61a33d31 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <trevor.gamblin@windriver.com>
+Date: Fri, 18 Oct 2019 09:57:43 -0400
+Subject: [PATCH] ncurses: selective backport of 20191012 patch
+
+Upstream-Status: Backport
[https://salsa.debian.org/debian/ncurses/commit/243908b1e3d81]
+
+Contents of the upstream patch that are not applied to comp_hash.c,
+parse_entry.c, or dump_entry.c have been omitted.
+
+CVE: CVE-2019-17594
+CVE: CVE-2019-17595
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+---
+ ncurses/tinfo/comp_hash.c | 14 ++++++++++----
+ ncurses/tinfo/parse_entry.c | 32 ++++++++++++++++----------------
+ progs/dump_entry.c | 7 ++++---
+ 3 files changed, 30 insertions(+), 23 deletions(-)
+
+diff --git a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c
+index 21f165ca..a62d38f9 100644
+--- a/ncurses/tinfo/comp_hash.c
++++ b/ncurses/tinfo/comp_hash.c
+@@ -44,7 +44,7 @@
+ #include <tic.h>
+ #include <hashsize.h>
+
+-MODULE_ID("$Id: comp_hash.c,v 1.48 2009/08/08 17:36:21 tom Exp $")
++MODULE_ID("$Id: comp_hash.c,v 1.51 2019/10/12 16:32:13 tom Exp $")
+
+ /*
+ * Finds the entry for the given string in the hash table if present.
+@@ -63,7 +63,9 @@ _nc_find_entry(const char *string,
+
+ hashvalue = data->hash_of(string);
+
+- if (data->table_data[hashvalue] >= 0) {
++ if (hashvalue >= 0
++ && (unsigned) hashvalue < data->table_size
++ && data->table_data[hashvalue] >= 0) {
+
+ real_table = _nc_get_table(termcap);
+ ptr = real_table + data->table_data[hashvalue];
+@@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string,
+ const HashData *data = _nc_get_hash_info(termcap);
+ int hashvalue = data->hash_of(string);
+
+- if (data->table_data[hashvalue] >= 0) {
++ if (hashvalue >= 0
++ && (unsigned) hashvalue < data->table_size
++ && data->table_data[hashvalue] >= 0) {
+ const struct name_table_entry *const table = _nc_get_table(termcap);
+
+ ptr = table + data->table_data[hashvalue];
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index f8cca8b5..064376c5 100644
+--- a/ncurses/tinfo/parse_entry.c
++++ b/ncurses/tinfo/parse_entry.c
+@@ -47,7 +47,7 @@
+ #include <ctype.h>
+ #include <tic.h>
+
+-MODULE_ID("$Id: parse_entry.c,v 1.91 2017/08/26 16:13:34 tom Exp $")
++MODULE_ID("$Id: parse_entry.c,v 1.98 2019/10/12 00:50:31 tom Exp $")
+
+ #ifdef LINT
+ static short const parametrized[] =
+@@ -654,12 +654,12 @@ _nc_capcmp(const char *s, const char *t)
+ }
+
+ static void
+-append_acs0(string_desc * dst, int code, int src)
++append_acs0(string_desc * dst, int code, char *src, size_t off)
+ {
+- if (src != 0) {
++ if (src != 0 && off < strlen(src)) {
+ char temp[3];
+ temp[0] = (char) code;
+- temp[1] = (char) src;
++ temp[1] = src[off];
+ temp[2] = 0;
+ _nc_safe_strcat(dst, temp);
+ }
+@@ -669,7 +669,7 @@ static void
+ append_acs(string_desc * dst, int code, char *src)
+ {
+ if (VALID_STRING(src) && strlen(src) == 1) {
+- append_acs0(dst, code, *src);
++ append_acs0(dst, code, src, 0);
+ }
+ }
+
+@@ -1038,17 +1038,17 @@ postprocess_terminfo(TERMTYPE2 *tp)
+ _nc_str_init(&result, buf2, sizeof(buf2));
+ _nc_safe_strcat(&result, acs_chars);
+
+- append_acs0(&result, 'l', box_chars_1[0]); /* ACS_ULCORNER */
+- append_acs0(&result, 'q', box_chars_1[1]); /* ACS_HLINE */
+- append_acs0(&result, 'k', box_chars_1[2]); /* ACS_URCORNER */
+- append_acs0(&result, 'x', box_chars_1[3]); /* ACS_VLINE */
+- append_acs0(&result, 'j', box_chars_1[4]); /* ACS_LRCORNER */
+- append_acs0(&result, 'm', box_chars_1[5]); /* ACS_LLCORNER */
+- append_acs0(&result, 'w', box_chars_1[6]); /* ACS_TTEE */
+- append_acs0(&result, 'u', box_chars_1[7]); /* ACS_RTEE */
+- append_acs0(&result, 'v', box_chars_1[8]); /* ACS_BTEE */
+- append_acs0(&result, 't', box_chars_1[9]); /* ACS_LTEE */
+- append_acs0(&result, 'n', box_chars_1[10]); /* ACS_PLUS */
++ append_acs0(&result, 'l', box_chars_1, 0); /* ACS_ULCORNER */
++ append_acs0(&result, 'q', box_chars_1, 1); /* ACS_HLINE */
++ append_acs0(&result, 'k', box_chars_1, 2); /* ACS_URCORNER */
++ append_acs0(&result, 'x', box_chars_1, 3); /* ACS_VLINE */
++ append_acs0(&result, 'j', box_chars_1, 4); /* ACS_LRCORNER */
++ append_acs0(&result, 'm', box_chars_1, 5); /* ACS_LLCORNER */
++ append_acs0(&result, 'w', box_chars_1, 6); /* ACS_TTEE */
++ append_acs0(&result, 'u', box_chars_1, 7); /* ACS_RTEE */
++ append_acs0(&result, 'v', box_chars_1, 8); /* ACS_BTEE */
++ append_acs0(&result, 't', box_chars_1, 9); /* ACS_LTEE */
++ append_acs0(&result, 'n', box_chars_1, 10); /* ACS_PLUS */
+
+ if (buf2[0]) {
+ acs_chars = _nc_save_str(buf2);
+diff --git a/progs/dump_entry.c b/progs/dump_entry.c
+index d0e420ec..8a47084a 100644
+--- a/progs/dump_entry.c
++++ b/progs/dump_entry.c
+@@ -39,7 +39,7 @@
+ #include "termsort.c" /* this C file is generated */
+ #include <parametrized.h> /* so is this */
+
+-MODULE_ID("$Id: dump_entry.c,v 1.168 2017/09/02 21:01:54 tom Exp $")
++MODULE_ID("$Id: dump_entry.c,v 1.175 2019/10/12 15:59:07 tom Exp $")
+
+ #define DISCARD(string) string = ABSENT_STRING
+ #define PRINTF (void) printf
+@@ -1136,7 +1136,8 @@ fmt_entry(TERMTYPE2 *tterm,
+ *d++ = '\\';
+ *d = ':';
+ } else if (*d == '\\') {
+- *++d = *s++;
++ if ((*++d = *s++) == '\0')
++ break;
+ }
+ d++;
+ *d = '\0';
+@@ -1396,7 +1397,7 @@ one_one_mapping(const char *mapping)
+
+ if (VALID_STRING(mapping)) {
+ int n = 0;
+- while (mapping[n] != '\0') {
++ while (mapping[n] != '\0' && mapping[n + 1] != '\0') {
+ if (isLine(mapping[n]) &&
+ mapping[n] != mapping[n + 1]) {
+ result = FALSE;
+--
+2.17.1
+
diff --git a/meta/recipes-core/ncurses/ncurses_6.0+20171125.bb
b/meta/recipes-core/ncurses/ncurses_6.0+20171125.bb
index 6c4b96f428..ed5181f74f 100644
--- a/meta/recipes-core/ncurses/ncurses_6.0+20171125.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.0+20171125.bb
@@ -3,6 +3,7 @@ require ncurses.inc
SRC_URI += "file://0001-tic-hang.patch \
file://0002-configure-reproducible.patch \
file://config.cache \
+ file://0001-ncurses-selective-backport-of-20191012-patch.patch \
"
# commit id corresponds to the revision in package version
SRCREV = "5d849e836052459901cfe0b85a0b2939ff8d2b2a"
--
2.17.1
This message contains information that may be privileged or confidential and is
the property of the KPIT Technologies Ltd. It is intended only for the person
to whom it is addressed. If you are not the intended recipient, you are not
authorized to read, print, retain copy, disseminate, distribute, or use this
message or any part thereof. If you receive this message in error, please
notify the sender immediately and delete all copies of this message. KPIT
Technologies Ltd. does not accept any liability for virus infected mails.
- [poky][sumo][PATCH] ncurses: fix CVE-2019-17594, CVE-2019-17595,
Sana Kazi <=