Regards, Sana Kazi ________________________________ From: Sana Kazi <sana.k...@kpit.com> Sent: Wednesday, January 6, 2021 2:39 PM To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; raj.k...@gmail.com <raj.k...@gmail.com> Cc: Nisha Parrakat <nisha.parra...@kpit.com>; Aditya Tayade <aditya.tay...@kpit.com>; Trevor Gamblin <trevor.gamb...@windriver.com>; Armin Kuster <akuster...@gmail.com>; Richard Purdie <richard.pur...@linuxfoundation.org>; Sana Kazi <sana.k...@kpit.com> Subject: [poky][sumo][PATCH] ncurses: fix CVE-2019-17594, CVE-2019-17595 From: Trevor Gamblin <trevor.gamb...@windriver.com> Backport changes to tinfo/comp_hash.c, tinfo/parse_entry.c, and progs/dump_entry.c from upstream to fix CVEs. (From OE-Core rev: 7ec70aeb0c6f6080523efa0f983fa36b92cb5558) Signed-off-by: Trevor Gamblin <trevor.gamb...@windriver.com> Signed-off-by: Armin Kuster <akuster...@gmail.com> Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org> Signed-off-by: Sana Kazi <sana.k...@kpit.com> --- ...selective-backport-of-20191012-patch.patch | 158 ++++++++++++++++++ .../ncurses/ncurses_6.0+20171125.bb | 1 + 2 files changed, 159 insertions(+) create mode 100644 meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch diff --git a/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch new file mode 100644 index 0000000000..989a8ccd4e --- /dev/null +++ b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch @@ -0,0 +1,158 @@ +From 064b77f173337aa790f1cec0d741bfbc61a33d31 Mon Sep 17 00:00:00 2001 +From: Trevor Gamblin <trevor.gamb...@windriver.com> +Date: Fri, 18 Oct 2019 09:57:43 -0400 +Subject: [PATCH] ncurses: selective backport of 20191012 patch + +Upstream-Status: Backport [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsalsa.debian.org%2Fdebian%2Fncurses%2Fcommit%2F243908b1e3d81&data=04%7C01%7CSana.Kazi%40kpit.com%7C80550d084ab7442c06d508d8b222cd4c%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637455209903558555%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=J%2FrCRcik47L1Q0BQfVRWutz%2FObINAgtgrEv4sIYVj%2FM%3D&reserved=0] + +Contents of the upstream patch that are not applied to comp_hash.c, +parse_entry.c, or dump_entry.c have been omitted. + +CVE: CVE-2019-17594 +CVE: CVE-2019-17595 + +Signed-off-by: Trevor Gamblin <trevor.gamb...@windriver.com> + +--- + ncurses/tinfo/comp_hash.c | 14 ++++++++++---- + ncurses/tinfo/parse_entry.c | 32 ++++++++++++++++---------------- + progs/dump_entry.c | 7 ++++--- + 3 files changed, 30 insertions(+), 23 deletions(-) + +diff --git a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c +index 21f165ca..a62d38f9 100644 +--- a/ncurses/tinfo/comp_hash.c ++++ b/ncurses/tinfo/comp_hash.c +@@ -44,7 +44,7 @@ + #include <tic.h> + #include <hashsize.h> + +-MODULE_ID("$Id: comp_hash.c,v 1.48 2009/08/08 17:36:21 tom Exp $") ++MODULE_ID("$Id: comp_hash.c,v 1.51 2019/10/12 16:32:13 tom Exp $") + + /* + * Finds the entry for the given string in the hash table if present. +@@ -63,7 +63,9 @@ _nc_find_entry(const char *string, + + hashvalue = data->hash_of(string); + +- if (data->table_data[hashvalue] >= 0) { ++ if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { + + real_table = _nc_get_table(termcap); + ptr = real_table + data->table_data[hashvalue]; +@@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string, + const HashData *data = _nc_get_hash_info(termcap); + int hashvalue = data->hash_of(string); + +- if (data->table_data[hashvalue] >= 0) { ++ if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { + const struct name_table_entry *const table = _nc_get_table(termcap); + + ptr = table + data->table_data[hashvalue]; +diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c +index f8cca8b5..064376c5 100644 +--- a/ncurses/tinfo/parse_entry.c ++++ b/ncurses/tinfo/parse_entry.c +@@ -47,7 +47,7 @@ + #include <ctype.h> + #include <tic.h> + +-MODULE_ID("$Id: parse_entry.c,v 1.91 2017/08/26 16:13:34 tom Exp $") ++MODULE_ID("$Id: parse_entry.c,v 1.98 2019/10/12 00:50:31 tom Exp $") + + #ifdef LINT + static short const parametrized[] = +@@ -654,12 +654,12 @@ _nc_capcmp(const char *s, const char *t) + } + + static void +-append_acs0(string_desc * dst, int code, int src) ++append_acs0(string_desc * dst, int code, char *src, size_t off) + { +- if (src != 0) { ++ if (src != 0 && off < strlen(src)) { + char temp[3]; + temp[0] = (char) code; +- temp[1] = (char) src; ++ temp[1] = src[off]; + temp[2] = 0; + _nc_safe_strcat(dst, temp); + } +@@ -669,7 +669,7 @@ static void + append_acs(string_desc * dst, int code, char *src) + { + if (VALID_STRING(src) && strlen(src) == 1) { +- append_acs0(dst, code, *src); ++ append_acs0(dst, code, src, 0); + } + } + +@@ -1038,17 +1038,17 @@ postprocess_terminfo(TERMTYPE2 *tp) + _nc_str_init(&result, buf2, sizeof(buf2)); + _nc_safe_strcat(&result, acs_chars); + +- append_acs0(&result, 'l', box_chars_1[0]); /* ACS_ULCORNER */ +- append_acs0(&result, 'q', box_chars_1[1]); /* ACS_HLINE */ +- append_acs0(&result, 'k', box_chars_1[2]); /* ACS_URCORNER */ +- append_acs0(&result, 'x', box_chars_1[3]); /* ACS_VLINE */ +- append_acs0(&result, 'j', box_chars_1[4]); /* ACS_LRCORNER */ +- append_acs0(&result, 'm', box_chars_1[5]); /* ACS_LLCORNER */ +- append_acs0(&result, 'w', box_chars_1[6]); /* ACS_TTEE */ +- append_acs0(&result, 'u', box_chars_1[7]); /* ACS_RTEE */ +- append_acs0(&result, 'v', box_chars_1[8]); /* ACS_BTEE */ +- append_acs0(&result, 't', box_chars_1[9]); /* ACS_LTEE */ +- append_acs0(&result, 'n', box_chars_1[10]); /* ACS_PLUS */ ++ append_acs0(&result, 'l', box_chars_1, 0); /* ACS_ULCORNER */ ++ append_acs0(&result, 'q', box_chars_1, 1); /* ACS_HLINE */ ++ append_acs0(&result, 'k', box_chars_1, 2); /* ACS_URCORNER */ ++ append_acs0(&result, 'x', box_chars_1, 3); /* ACS_VLINE */ ++ append_acs0(&result, 'j', box_chars_1, 4); /* ACS_LRCORNER */ ++ append_acs0(&result, 'm', box_chars_1, 5); /* ACS_LLCORNER */ ++ append_acs0(&result, 'w', box_chars_1, 6); /* ACS_TTEE */ ++ append_acs0(&result, 'u', box_chars_1, 7); /* ACS_RTEE */ ++ append_acs0(&result, 'v', box_chars_1, 8); /* ACS_BTEE */ ++ append_acs0(&result, 't', box_chars_1, 9); /* ACS_LTEE */ ++ append_acs0(&result, 'n', box_chars_1, 10); /* ACS_PLUS */ + + if (buf2[0]) { + acs_chars = _nc_save_str(buf2); +diff --git a/progs/dump_entry.c b/progs/dump_entry.c +index d0e420ec..8a47084a 100644 +--- a/progs/dump_entry.c ++++ b/progs/dump_entry.c +@@ -39,7 +39,7 @@ + #include "termsort.c" /* this C file is generated */ + #include <parametrized.h> /* so is this */ + +-MODULE_ID("$Id: dump_entry.c,v 1.168 2017/09/02 21:01:54 tom Exp $") ++MODULE_ID("$Id: dump_entry.c,v 1.175 2019/10/12 15:59:07 tom Exp $") + + #define DISCARD(string) string = ABSENT_STRING + #define PRINTF (void) printf +@@ -1136,7 +1136,8 @@ fmt_entry(TERMTYPE2 *tterm, + *d++ = '\\'; + *d = ':'; + } else if (*d == '\\') { +- *++d = *s++; ++ if ((*++d = *s++) == '\0') ++ break; + } + d++; + *d = '\0'; +@@ -1396,7 +1397,7 @@ one_one_mapping(const char *mapping) + + if (VALID_STRING(mapping)) { + int n = 0; +- while (mapping[n] != '\0') { ++ while (mapping[n] != '\0' && mapping[n + 1] != '\0') { + if (isLine(mapping[n]) && + mapping[n] != mapping[n + 1]) { + result = FALSE; +-- +2.17.1 + diff --git a/meta/recipes-core/ncurses/ncurses_6.0+20171125.bb b/meta/recipes-core/ncurses/ncurses_6.0+20171125.bb index 6c4b96f428..ed5181f74f 100644 --- a/meta/recipes-core/ncurses/ncurses_6.0+20171125.bb +++ b/meta/recipes-core/ncurses/ncurses_6.0+20171125.bb @@ -3,6 +3,7 @@ require ncurses.inc SRC_URI += "file://0001-tic-hang.patch \ file://0002-configure-reproducible.patch \ file://config.cache \ + file://0001-ncurses-selective-backport-of-20191012-patch.patch \ " # commit id corresponds to the revision in package version SRCREV = "5d849e836052459901cfe0b85a0b2939ff8d2b2a" -- 2.17.1 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#146421): https://lists.openembedded.org/g/openembedded-core/message/146421 Mute This Topic: https://lists.openembedded.org/mt/79472112/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
