[OE-core] [poky][sumo][PATCH] ncurses: fix CVE-2019-17594, CVE-2019-17595
From: Trevor Gamblin Backport changes to tinfo/comp_hash.c, tinfo/parse_entry.c, and progs/dump_entry.c from upstream to fix CVEs. (From OE-Core rev: 7ec70aeb0c6f6080523efa0f983fa36b92cb5558) Signed-off-by: Trevor Gamblin Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie Signed-off-by: Sana Kazi --- ...selective-backport-of-20191012-patch.patch | 158 ++ .../ncurses/ncurses_6.0+20171125.bb | 1 + 2 files changed, 159 insertions(+) create mode 100644 meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch diff --git a/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch new file mode 100644 index 00..989a8ccd4e --- /dev/null +++ b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch 
@@ -0,0 +1,158 @@ +From 064b77f173337aa790f1cec0d741bfbc61a33d31 Mon Sep 17 00:00:00 2001 +From: Trevor Gamblin +Date: Fri, 18 Oct 2019 09:57:43 -0400 +Subject: [PATCH] ncurses: selective backport of 20191012 patch + +Upstream-Status: Backport [https://salsa.debian.org/debian/ncurses/commit/243908b1e3d81] + +Contents of the upstream patch that are not applied to comp_hash.c, +parse_entry.c, or dump_entry.c have been omitted. + +CVE: CVE-2019-17594 +CVE: CVE-2019-17595 + +Signed-off-by: Trevor Gamblin + +--- + ncurses/tinfo/comp_hash.c | 14 ++ + ncurses/tinfo/parse_entry.c | 32 + progs/dump_entry.c | 7 --- + 3 files changed, 30 insertions(+), 23 deletions(-) + +diff --git a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c +index 21f165ca..a62d38f9 100644 +--- a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c +@@ -44,7 +44,7 @@ + #include + #include + +-MODULE_ID("$Id: comp_hash.c,v 1.48 2009/08/08 17:36:21 tom Exp $") ++MODULE_ID("$Id: comp_hash.c,v 1.51 2019/10/12 16:32:13 tom Exp $") + + /* + * Finds the entry for the given string in the hash table if present. 
+@@ -63,7 +63,9 @@ _nc_find_entry(const char *string, + + hashvalue = data->hash_of(string); + +-if (data->table_data[hashvalue] >= 0) { ++if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { + + real_table = _nc_get_table(termcap); + ptr = real_table + data->table_data[hashvalue]; +@@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string, + const HashData *data = _nc_get_hash_info(termcap); + int hashvalue = data->hash_of(string); + +-if (data->table_data[hashvalue] >= 0) { ++if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { + const struct name_table_entry *const table = _nc_get_table(termcap); + + ptr = table + data->table_data[hashvalue]; +diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c +index f8cca8b5..064376c5 100644 +--- a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c +@@ -47,7 +47,7 @@ + #include + #include + +-MODULE_ID("$Id: parse_entry.c,v 1.91 2017/08/26 16:13:34 tom Exp $") ++MODULE_ID("$Id: parse_entry.c,v 1.98 2019/10/12 00:50:31 tom Exp $") + + #ifdef LINT + static short const parametrized[] = +@@ -654,12 +654,12 @@ _nc_capcmp(const char *s, const char *t) + } + + static void +-append_acs0(string_desc * dst, int code, int src) ++append_acs0(string_desc * dst, int code, char *src, size_t off) + { +-if (src != 0) { ++if (src != 0 && off < strlen(src)) { + char temp[3]; + temp[0] = (char) code; +- temp[1] = (char) src; ++ temp[1] = src[off]; + temp[2] = 0; + _nc_safe_strcat(dst, temp); + } +@@ -669,7 +669,7 @@ static void + append_acs(string_desc * dst, int code, char *src) + { + if (VALID_STRING(src) && strlen(src) == 1) { +- append_acs0(dst, code, *src); ++ append_acs0(dst, code, src, 0); + } + } + +@@ -1038,17 +1038,17 @@ postprocess_terminfo(TERMTYPE2 *tp) + _nc_str_init(, buf2, sizeof(buf2)); + _nc_safe_strcat(, acs_chars); + +- append_acs0(, 'l', box_chars_1[0]); /* ACS_ULCORNER */ +- append_acs0(, 'q', 
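Review bot: The new guard in `_nc_find_entry` (and the identical one in the `@@ -96,7 +98,9 @@` hunk for `_nc_find_type_entry`) bounds the index `hashvalue`, but the value then read from `data->table_data[hashvalue]` is still added to `real_table` / `table` after only a `>= 0` test. That is probably fine if the table is generated at build time, which these hunks do not show, but the assumption is worth recording next to the check, e.g. `/* hash_of() may yield an out-of-range value for unexpected input; table_data contents are trusted */`. The type of `table_size` is not visible here; since the `(unsigned)` cast only runs after `hashvalue >= 0`, the comparison is safe provided `table_size` is unsigned or non-negative. Both function bodies continue outside their hunks.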
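Review bot: In the `@@ -654,12 +654,12 @@` hunk, `append_acs0` tests the pointer with `src != 0`, which rejects only a null pointer, while `append_acs` directly below guards the same kind of argument with `VALID_STRING(src)`. If the `box_chars_1` passed from `postprocess_terminfo` can hold a non-null sentinel for an absent or cancelled capability (any guard at that call site lies outside the visible lines), `strlen(src)` would run on that sentinel. Using the same macro keeps the two helpers consistent: `if (VALID_STRING(src) && off < strlen(src)) {`. Since `src` is only read, the parameter could also be declared `const char *src`.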
box_chars_1[1]); /* ACS_HLINE */ +- append_acs0(, 'k', box_chars_1[2]); /* ACS_URCORNER */ +- append_acs0(, 'x', box_chars_1[3]); /* ACS_VLINE */ +- append_acs0(, 'j', box_chars_1[4]); /* ACS_LRCORNER */ +- append_acs0(, 'm', box_chars_1[5]); /* ACS_LLCORNER */ +- append_acs0(, 'w', box_chars_1[6]); /* ACS_TTEE */ +- append_acs0(, 'u', box_chars_1[7]); /* ACS_RTEE */ +- append_acs0(, 'v', box_chars_1[8]); /* ACS_BTEE */ +- append_acs0(, 't', box_chars_1[9]); /* ACS_LTEE */ +- append_acs0(, 'n', box_chars_1[10]); /* ACS_PLUS */ ++ append_acs0(, 'l', box_chars_1, 0); /* ACS_ULCORNER */ ++ append_acs0(, 'q',
Re: [OE-core] [poky][sumo][PATCH] ncurses: fix CVE-2019-17594, CVE-2019-17595
Regards, Sana Kazi From: Sana Kazi Sent: Wednesday, January 6, 2021 2:39 PM To: openembedded-core@lists.openembedded.org ; raj.k...@gmail.com Cc: Nisha Parrakat ; Aditya Tayade ; Trevor Gamblin ; Armin Kuster ; Richard Purdie ; Sana Kazi Subject: [poky][sumo][PATCH] ncurses: fix CVE-2019-17594, CVE-2019-17595 From: Trevor Gamblin Backport changes to tinfo/comp_hash.c, tinfo/parse_entry.c, and progs/dump_entry.c from upstream to fix CVEs. (From OE-Core rev: 7ec70aeb0c6f6080523efa0f983fa36b92cb5558) Signed-off-by: Trevor Gamblin Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie Signed-off-by: Sana Kazi --- ...selective-backport-of-20191012-patch.patch | 158 ++ .../ncurses/ncurses_6.0+20171125.bb | 1 + 2 files changed, 159 insertions(+) create mode 100644 meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch diff --git a/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch new file mode 100644 index 00..989a8ccd4e --- /dev/null +++ b/meta/recipes-core/ncurses/files/0001-ncurses-selective-backport-of-20191012-patch.patch 
@@ -0,0 +1,158 @@ +From 064b77f173337aa790f1cec0d741bfbc61a33d31 Mon Sep 17 00:00:00 2001 +From: Trevor Gamblin +Date: Fri, 18 Oct 2019 09:57:43 -0400 +Subject: [PATCH] ncurses: selective backport of 20191012 patch + +Upstream-Status: Backport [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsalsa.debian.org%2Fdebian%2Fncurses%2Fcommit%2F243908b1e3d81data=04%7C01%7CSana.Kazi%40kpit.com%7C80550d084ab7442c06d508d8b222cd4c%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637455209903558555%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=J%2FrCRcik47L1Q0BQfVRWutz%2FObINAgtgrEv4sIYVj%2FM%3Dreserved=0] + +Contents of the upstream patch that are not applied to comp_hash.c, +parse_entry.c, or dump_entry.c have been omitted. + +CVE: CVE-2019-17594 +CVE: CVE-2019-17595 + +Signed-off-by: Trevor Gamblin + +--- + ncurses/tinfo/comp_hash.c | 14 ++ + ncurses/tinfo/parse_entry.c | 32 + progs/dump_entry.c | 7 --- + 3 files changed, 30 insertions(+), 23 deletions(-) + +diff --git a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c +index 21f165ca..a62d38f9 100644 +--- a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c +@@ -44,7 +44,7 @@ + #include + #include + +-MODULE_ID("$Id: comp_hash.c,v 1.48 2009/08/08 17:36:21 tom Exp $") ++MODULE_ID("$Id: comp_hash.c,v 1.51 2019/10/12 16:32:13 tom Exp $") + + /* + * Finds the entry for the given string in the hash table if present. 
+@@ -63,7 +63,9 @@ _nc_find_entry(const char *string, + + hashvalue = data->hash_of(string); + +-if (data->table_data[hashvalue] >= 0) { ++if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { + +real_table = _nc_get_table(termcap); +ptr = real_table + data->table_data[hashvalue]; +@@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string, + const HashData *data = _nc_get_hash_info(termcap); + int hashvalue = data->hash_of(string); + +-if (data->table_data[hashvalue] >= 0) { ++if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { +const struct name_table_entry *const table = _nc_get_table(termcap); + +ptr = table + data->table_data[hashvalue]; +diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c +index f8cca8b5..064376c5 100644 +--- a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c +@@ -47,7 +47,7 @@ + #include + #include + +-MODULE_ID("$Id: parse_entry.c,v 1.91 2017/08/26 16:13:34 tom Exp $") ++MODULE_ID("$Id: parse_entry.c,v 1.98 2019/10/12 00:50:31 tom Exp $") + + #ifdef LINT + static short const parametrized[] = +@@ -654,12 +654,12 @@ _nc_capcmp(const char *s, const char *t) + } + + static void +-append_acs0(string_desc * dst, int code, int src) ++append_acs0(string_desc * dst, int code, char *src, size_t off) + { +-if (src != 0) { ++if (src != 0 && off < strlen(src)) { +char temp[3]; +temp[0] = (char) code; +- temp[1] = (char) src; ++ temp[1] = src[off]; +temp[2] = 0; +_nc_safe_strcat(dst, temp); + } +@@ -669,7 +669,7 @@ static void + append_acs(string_desc * dst, int code, char *src) + { + if (VALID_STRING(src) && strlen(src) == 1) { +- append_acs0(dst, code, *src); ++ append_acs0(dst, code, src, 0); + } + } + +@@ -1038,17 +1038,17 @@ postprocess_terminfo(TERMTYPE2 *tp) +_nc_str_init(, buf2, sizeof(buf2)); +_nc_safe_strcat(, acs_chars); + +- append_acs0(, 'l', box_chars_1[0]); /* ACS_ULCORNER */ +-