[kirkstone,1/1] ncurses: Fix CVE-2023-45918

Message ID	20240506043340.1002974-1-soumya.sambu@windriver.com
State	Accepted, archived
Commit	60b34c34351833f0a9be4b31c5bc3b94ad960c60
Delegated to:	Steve Sakoman
Headers	show Return-Path: <soumya.sambu@windriver.com> ip: 205.220.178.238, mailfrom: prvs=585624214a=soumya.sambu@windriver.com) From: ssambu <soumya.sambu@windriver.com> To: <openembedded-core@lists.openembedded.org> Subject: [OE-core][kirkstone][PATCH 1/1] ncurses: Fix CVE-2023-45918 Date: Mon, 6 May 2024 04:33:40 +0000 Message-ID: <20240506043340.1002974-1-soumya.sambu@windriver.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[kirkstone,1/1] ncurses: Fix CVE-2023-45918 \| expand [kirkstone,1/1] ncurses: Fix CVE-2023-45918

diff --git a/meta/recipes-core/ncurses/files/CVE-2023-45918.patch b/meta/recipes-core/ncurses/files/CVE-2023-45918.patch new file mode 100644 index 0000000000..172b3f8859 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2023-45918.patch @@ -0,0 +1,180 @@ +From bcf02d3242f1c7d57224a95f7903fcf4b5e7695d Mon Sep 17 00:00:00 2001 +From: Thomas E. Dickey <dickey@invisible-island.net> +Date: Fri, 16 Jun 2023 02:54:29 +0530 +Subject: [PATCH] Fix CVE-2023-45918 + +CVE: CVE-2023-45918 + +Upstream-Status: Backport [https://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=bcf02d3242f1c7d57224a95f7903fcf4b5e7695d] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + ncurses/tinfo/comp_error.c | 15 ++++++--- + ncurses/tinfo/read_entry.c | 65 ++++++++++++++++++++++++++------------ + 2 files changed, 56 insertions(+), 24 deletions(-) + +diff --git a/ncurses/tinfo/comp_error.c b/ncurses/tinfo/comp_error.c +index 48f48784..ee518e28 100644 +--- a/ncurses/tinfo/comp_error.c ++++ b/ncurses/tinfo/comp_error.c +@@ -60,8 +60,15 @@ _nc_get_source(void) + NCURSES_EXPORT(void) + _nc_set_source(const char *const name) + { +- FreeIfNeeded(SourceName); +- SourceName = strdup(name); ++ if (name == NULL) { ++ free(SourceName); ++ SourceName = NULL; ++ } else if (SourceName == NULL) { ++ SourceName = strdup(name); ++ } else if (strcmp(name, SourceName)) { ++ free(SourceName); ++ SourceName = strdup(name); ++ } + } + + NCURSES_EXPORT(void) +@@ -95,9 +102,9 @@ static NCURSES_INLINE void + where_is_problem(void) + { + fprintf(stderr, "\"%s\"", SourceName ? SourceName : "?"); +- if (_nc_curr_line >= 0) ++ if (_nc_curr_line > 0) + fprintf(stderr, ", line %d", _nc_curr_line); +- if (_nc_curr_col >= 0) ++ if (_nc_curr_col > 0) + fprintf(stderr, ", col %d", _nc_curr_col); + if (TermType != 0 && TermType[0] != '\0') + fprintf(stderr, ", terminal '%s'", TermType); +diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c +index 8ccb1570..101bbe09 100644 +--- a/ncurses/tinfo/read_entry.c ++++ b/ncurses/tinfo/read_entry.c +@@ -140,12 +140,13 @@ convert_16bits(char *buf, NCURSES_INT2 *Numbers, int count) + } + #endif + +-static void +-convert_strings(char *buf, char **Strings, int count, int size, char *table) ++static bool ++convert_strings(char *buf, char **Strings, int count, int size, ++ char *table, bool always) + { + int i; + char *p; +- bool corrupt = FALSE; ++ bool success = TRUE; + + for (i = 0; i < count; i++) { + if (IS_NEG1(buf + 2 * i)) { +@@ -161,13 +162,10 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + TR(TRACE_DATABASE, ("Strings[%d] = %s", i, + _nc_visbuf(Strings[i]))); + } else { +- if (!corrupt) { +- corrupt = TRUE; +- TR(TRACE_DATABASE, +- ("ignore out-of-range index %d to Strings[]", nn)); +- _nc_warning("corrupt data found in convert_strings"); +- } +- Strings[i] = ABSENT_STRING; ++ TR(TRACE_DATABASE, ++ ("found out-of-range index %d to Strings[%d]", nn, i)); ++ success = FALSE; ++ break; + } + } + +@@ -177,10 +175,25 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + if (*p == '\0') + break; + /* if there is no NUL, ignore the string */ +- if (p >= table + size) ++ if (p >= table + size) { + Strings[i] = ABSENT_STRING; ++ } else if (p == Strings[i] && always) { ++ TR(TRACE_DATABASE, ++ ("found empty but required Strings[%d]", i)); ++ success = FALSE; ++ break; ++ } ++ } else if (always) { /* names are always needed */ ++ TR(TRACE_DATABASE, ++ ("found invalid but required Strings[%d]", i)); ++ success = FALSE; ++ break; + } + } ++ if (!success) { ++ _nc_warning("corrupt data found in convert_strings"); ++ } ++ return success; + } + + static int +@@ -383,7 +396,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit) + if (Read(string_table, (unsigned) str_size) != str_size) { + returnDB(TGETENT_NO); + } +- convert_strings(buf, ptr->Strings, str_count, str_size, string_table); ++ if (!convert_strings(buf, ptr->Strings, str_count, str_size, ++ string_table, FALSE)) { ++ returnDB(TGETENT_NO); ++ } + } + #if NCURSES_XNAMES + +@@ -484,8 +500,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit) + ("Before computing extended-string capabilities " + "str_count=%d, ext_str_count=%d", + str_count, ext_str_count)); +- convert_strings(buf, ptr->Strings + str_count, ext_str_count, +- ext_str_limit, ptr->ext_str_table); ++ if (!convert_strings(buf, ptr->Strings + str_count, ext_str_count, ++ ext_str_limit, ptr->ext_str_table, FALSE)) { ++ returnDB(TGETENT_NO); ++ } + for (i = ext_str_count - 1; i >= 0; i--) { + TR(TRACE_DATABASE, ("MOVE from [%d:%d] %s", + i, i + str_count, +@@ -519,10 +537,13 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit) + TR(TRACE_DATABASE, + ("ext_NAMES starting @%d in extended_strings, first = %s", + base, _nc_visbuf(ptr->ext_str_table + base))); +- convert_strings(buf + (2 * ext_str_count), +- ptr->ext_Names, +- (int) need, +- ext_str_limit, ptr->ext_str_table + base); ++ if (!convert_strings(buf + (2 * ext_str_count), ++ ptr->ext_Names, ++ (int) need, ++ ext_str_limit, ptr->ext_str_table + base, ++ TRUE)) { ++ returnDB(TGETENT_NO); ++ } + } + + TR(TRACE_DATABASE, +@@ -575,13 +596,17 @@ _nc_read_file_entry(const char *const filename, TERMTYPE2 *ptr) + int limit; + char buffer[MAX_ENTRY_SIZE + 1]; + +- if ((limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp)) +- > 0) { ++ limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp); ++ if (limit > 0) { ++ const char *old_source = _nc_get_source(); + + TR(TRACE_DATABASE, ("read terminfo %s", filename)); ++ if (old_source == NULL) ++ _nc_set_source(filename); + if ((code = _nc_read_termtype(ptr, buffer, limit)) == TGETENT_NO) { + _nc_free_termtype2(ptr); + } ++ _nc_set_source(old_source); + } else { + code = TGETENT_NO; + } +-- +2.40.0 diff --git a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb index da1e6d838d..1fa5e036e9 100644 --- a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb +++ b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb @@ -5,6 +5,7 @@ SRC_URI += "file://0001-tic-hang.patch \ file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \ file://CVE-2023-29491.patch \ file://CVE-2023-50495.patch \ + file://CVE-2023-45918.patch \ " # commit id corresponds to the revision in package version SRCREV = "a0bc708bc6954b5d3c0a38d92b683c3ec3135260"

[kirkstone,1/1] ncurses: Fix CVE-2023-45918

Commit Message

Patch