[OE-core] [poky][sumo][PATCH] ncurses: fix CVE-2019-17594, CVE-2019-17595

2021-01-06 Thread Sana Kazi
From: Trevor Gamblin 

Backport changes to tinfo/comp_hash.c, tinfo/parse_entry.c,
and progs/dump_entry.c from upstream to fix CVEs.

(From OE-Core rev: 7ec70aeb0c6f6080523efa0f983fa36b92cb5558)

Signed-off-by: Trevor Gamblin 
Signed-off-by: Armin Kuster 
Signed-off-by: Richard Purdie 
Signed-off-by: Sana Kazi 
---
 ...selective-backport-of-20191012-patch.patch | 158 ++
 .../ncurses/ncurses_6.0+20171125.bb   |   1 +
 2 files changed, 159 insertions(+)
 create mode 100644 
meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch

diff --git a/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch
new file mode 100644
index 00..989a8ccd4e
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch
@@ -0,0 +1,158 @@
+From 064b77f173337aa790f1cec0d741bfbc61a33d31 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin 
+Date: Fri, 18 Oct 2019 09:57:43 -0400
+Subject: [PATCH] ncurses: selective backport of 20191012 patch
+
+Upstream-Status: Backport 
[https://salsa.debian.org/debian/ncurses/commit/243908b1e3d81]
+
+Contents of the upstream patch that are not applied to comp_hash.c,
+parse_entry.c, or dump_entry.c have been omitted.
+
+CVE: CVE-2019-17594
+CVE: CVE-2019-17595
+
+Signed-off-by: Trevor Gamblin  
+
+---
+ ncurses/tinfo/comp_hash.c   | 14 ++
+ ncurses/tinfo/parse_entry.c | 32 
+ progs/dump_entry.c  |  7 ---
+ 3 files changed, 30 insertions(+), 23 deletions(-)
+
+diff --git a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c
+index 21f165ca..a62d38f9 100644
+--- a/ncurses/tinfo/comp_hash.c
 b/ncurses/tinfo/comp_hash.c
+@@ -44,7 +44,7 @@
+ #include 
+ #include 
+
+-MODULE_ID("$Id: comp_hash.c,v 1.48 2009/08/08 17:36:21 tom Exp $")
++MODULE_ID("$Id: comp_hash.c,v 1.51 2019/10/12 16:32:13 tom Exp $")
+
+ /*
+  * Finds the entry for the given string in the hash table if present.
+@@ -63,7 +63,9 @@ _nc_find_entry(const char *string,
+
+ hashvalue = data->hash_of(string);
+
+-if (data->table_data[hashvalue] >= 0) {
++if (hashvalue >= 0
++  && (unsigned) hashvalue < data->table_size
++  && data->table_data[hashvalue] >= 0) {
+
+   real_table = _nc_get_table(termcap);
+   ptr = real_table + data->table_data[hashvalue];
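Review bot: The new three-part guard in `_nc_find_entry` is repeated verbatim in the `_nc_find_type_entry` hunk that follows, and neither copy records why the value returned by `data->hash_of(string)` cannot be used as an index unchecked. A short comment above the condition would keep the bounds test from being dropped in a later cleanup, for example `/* hash_of() is computed from the caller's string; use it only if it indexes table_data[] */`. Folding the test into one small static helper shared by both lookups would also stop the two sites from drifting apart. Both function bodies start and end outside their hunks, so what happens to `ptr` when the guard fails is not visible here.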
+@@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string,
+ const HashData *data = _nc_get_hash_info(termcap);
+ int hashvalue = data->hash_of(string);
+
+-if (data->table_data[hashvalue] >= 0) {
++if (hashvalue >= 0
++  && (unsigned) hashvalue < data->table_size
++  && data->table_data[hashvalue] >= 0) {
+   const struct name_table_entry *const table = _nc_get_table(termcap);
+
+   ptr = table + data->table_data[hashvalue];
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index f8cca8b5..064376c5 100644
+--- a/ncurses/tinfo/parse_entry.c
 b/ncurses/tinfo/parse_entry.c
+@@ -47,7 +47,7 @@
+ #include 
+ #include 
+
+-MODULE_ID("$Id: parse_entry.c,v 1.91 2017/08/26 16:13:34 tom Exp $")
++MODULE_ID("$Id: parse_entry.c,v 1.98 2019/10/12 00:50:31 tom Exp $")
+
+ #ifdef LINT
+ static short const parametrized[] =
+@@ -654,12 +654,12 @@ _nc_capcmp(const char *s, const char *t)
+ }
+
+ static void
+-append_acs0(string_desc * dst, int code, int src)
++append_acs0(string_desc * dst, int code, char *src, size_t off)
+ {
+-if (src != 0) {
++if (src != 0 && off < strlen(src)) {
+   char temp[3];
+   temp[0] = (char) code;
+-  temp[1] = (char) src;
++  temp[1] = src[off];
+   temp[2] = 0;
+   _nc_safe_strcat(dst, temp);
+ }
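Review bot: `append_acs0` now calls `strlen(src)` after testing only `src != 0`, whereas `append_acs` in the next hunk guards its own `strlen` with `VALID_STRING(src)`. If any caller can pass a cancelled-capability sentinel (non-NULL but not a real string), that `strlen` would read through an invalid pointer. The `postprocess_terminfo` call sites are cut off in this view, so whether they pre-check `box_chars_1` cannot be confirmed from here. Using the same test in the helper, `if (VALID_STRING(src) && off < strlen(src)) {`, makes it safe on its own, and the parameter can be declared `const char *src` because it is only read.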
+@@ -669,7 +669,7 @@ static void
+ append_acs(string_desc * dst, int code, char *src)
+ {
+ if (VALID_STRING(src) && strlen(src) == 1) {
+-  append_acs0(dst, code, *src);
++  append_acs0(dst, code, src, 0);
+ }
+ }
+
+@@ -1038,17 +1038,17 @@ postprocess_terminfo(TERMTYPE2 *tp)
+   _nc_str_init(, buf2, sizeof(buf2));
+   _nc_safe_strcat(, acs_chars);
+
+-  append_acs0(, 'l', box_chars_1[0]);  /* ACS_ULCORNER */
+-  append_acs0(, 'q', box_chars_1[1]);  /* ACS_HLINE */
+-  append_acs0(, 'k', box_chars_1[2]);  /* ACS_URCORNER */
+-  append_acs0(, 'x', box_chars_1[3]);  /* ACS_VLINE */
+-  append_acs0(, 'j', box_chars_1[4]);  /* ACS_LRCORNER */
+-  append_acs0(, 'm', box_chars_1[5]);  /* ACS_LLCORNER */
+-  append_acs0(, 'w', box_chars_1[6]);  /* ACS_TTEE */
+-  append_acs0(, 'u', box_chars_1[7]);  /* ACS_RTEE */
+-  append_acs0(, 'v', box_chars_1[8]);  /* ACS_BTEE */
+-  append_acs0(, 't', box_chars_1[9]);  /* ACS_LTEE */
+-  append_acs0(, 'n', box_chars_1[10]); /* ACS_PLUS */
++  append_acs0(, 'l', box_chars_1, 0);  /* ACS_ULCORNER */
++  append_acs0(, 'q', 

Re: [OE-core] [poky][sumo][PATCH] ncurses: fix CVE-2019-17594, CVE-2019-17595

2021-01-06 Thread Sana Kazi



Regards,
Sana Kazi


From: Sana Kazi 
Sent: Wednesday, January 6, 2021 2:39 PM
To: openembedded-core@lists.openembedded.org 
; raj.k...@gmail.com 

Cc: Nisha Parrakat ; Aditya Tayade 
; Trevor Gamblin ; Armin 
Kuster ; Richard Purdie 
; Sana Kazi 
Subject: [poky][sumo][PATCH] ncurses: fix CVE-2019-17594, CVE-2019-17595

From: Trevor Gamblin 

Backport changes to tinfo/comp_hash.c, tinfo/parse_entry.c,
and progs/dump_entry.c from upstream to fix CVEs.

(From OE-Core rev: 7ec70aeb0c6f6080523efa0f983fa36b92cb5558)

Signed-off-by: Trevor Gamblin 
Signed-off-by: Armin Kuster 
Signed-off-by: Richard Purdie 
Signed-off-by: Sana Kazi 
---
 ...selective-backport-of-20191012-patch.patch | 158 ++
 .../ncurses/ncurses_6.0+20171125.bb   |   1 +
 2 files changed, 159 insertions(+)
 create mode 100644 
meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch

diff --git a/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch
new file mode 100644
index 00..989a8ccd4e
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch
@@ -0,0 +1,158 @@
+From 064b77f173337aa790f1cec0d741bfbc61a33d31 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin 
+Date: Fri, 18 Oct 2019 09:57:43 -0400
+Subject: [PATCH] ncurses: selective backport of 20191012 patch
+
+Upstream-Status: Backport 
[https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsalsa.debian.org%2Fdebian%2Fncurses%2Fcommit%2F243908b1e3d81data=04%7C01%7CSana.Kazi%40kpit.com%7C80550d084ab7442c06d508d8b222cd4c%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637455209903558555%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=J%2FrCRcik47L1Q0BQfVRWutz%2FObINAgtgrEv4sIYVj%2FM%3Dreserved=0]
+
+Contents of the upstream patch that are not applied to comp_hash.c,
+parse_entry.c, or dump_entry.c have been omitted.
+
+CVE: CVE-2019-17594
+CVE: CVE-2019-17595
+
+Signed-off-by: Trevor Gamblin  
+
+---
+ ncurses/tinfo/comp_hash.c   | 14 ++
+ ncurses/tinfo/parse_entry.c | 32 
+ progs/dump_entry.c  |  7 ---
+ 3 files changed, 30 insertions(+), 23 deletions(-)
+
+diff --git a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c
+index 21f165ca..a62d38f9 100644
+--- a/ncurses/tinfo/comp_hash.c
 b/ncurses/tinfo/comp_hash.c
+@@ -44,7 +44,7 @@
+ #include 
+ #include 
+
+-MODULE_ID("$Id: comp_hash.c,v 1.48 2009/08/08 17:36:21 tom Exp $")
++MODULE_ID("$Id: comp_hash.c,v 1.51 2019/10/12 16:32:13 tom Exp $")
+
+ /*
+  * Finds the entry for the given string in the hash table if present.
+@@ -63,7 +63,9 @@ _nc_find_entry(const char *string,
+
+ hashvalue = data->hash_of(string);
+
+-if (data->table_data[hashvalue] >= 0) {
++if (hashvalue >= 0
++  && (unsigned) hashvalue < data->table_size
++  && data->table_data[hashvalue] >= 0) {
+
+real_table = _nc_get_table(termcap);
+ptr = real_table + data->table_data[hashvalue];
+@@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string,
+ const HashData *data = _nc_get_hash_info(termcap);
+ int hashvalue = data->hash_of(string);
+
+-if (data->table_data[hashvalue] >= 0) {
++if (hashvalue >= 0
++  && (unsigned) hashvalue < data->table_size
++  && data->table_data[hashvalue] >= 0) {
+const struct name_table_entry *const table = _nc_get_table(termcap);
+
+ptr = table + data->table_data[hashvalue];
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index f8cca8b5..064376c5 100644
+--- a/ncurses/tinfo/parse_entry.c
 b/ncurses/tinfo/parse_entry.c
+@@ -47,7 +47,7 @@
+ #include 
+ #include 
+
+-MODULE_ID("$Id: parse_entry.c,v 1.91 2017/08/26 16:13:34 tom Exp $")
++MODULE_ID("$Id: parse_entry.c,v 1.98 2019/10/12 00:50:31 tom Exp $")
+
+ #ifdef LINT
+ static short const parametrized[] =
+@@ -654,12 +654,12 @@ _nc_capcmp(const char *s, const char *t)
+ }
+
+ static void
+-append_acs0(string_desc * dst, int code, int src)
++append_acs0(string_desc * dst, int code, char *src, size_t off)
+ {
+-if (src != 0) {
++if (src != 0 && off < strlen(src)) {
+char temp[3];
+temp[0] = (char) code;
+-  temp[1] = (char) src;
++  temp[1] = src[off];
+temp[2] = 0;
+_nc_safe_strcat(dst, temp);
+ }
+@@ -669,7 +669,7 @@ static void
+ append_acs(string_desc * dst, int code, char *src)
+ {
+ if (VALID_STRING(src) && strlen(src) == 1) {
+-  append_acs0(dst, code, *src);
++  append_acs0(dst, code, src, 0);
+ }
+ }
+
+@@ -1038,17 +1038,17 @@ postprocess_terminfo(TERMTYPE2 *tp)
+_nc_str_init(, buf2, sizeof(buf2));
+_nc_safe_strcat(, acs_chars);
+
+-  append_acs0(, 'l', box_chars_1[0]);  /* ACS_ULCORNER */
+-