ncurses: CVE-2017-13732, CVE-2017-13734, CVE-2017-13730, CVE-2017-13729, CVE-2017-13728, CVE-2017-13731

Submitted by Ovidiu Panait on Sept. 20, 2017, 10:13 a.m. | Patch ID: 144338

Details

Message ID 20170920101349.31351-1-ovidiu.panait@windriver.com
State Master Next
Commit 52d0f351062da730055ffc6b953ff4e68ddb437f
Headers show

Commit Message

Ovidiu Panait Sept. 20, 2017, 10:13 a.m.
There is an illegal address access in the function dump_uses() in progs/dump_entry.c 
in ncurses 6.0 that might lead to a remote denial of service attack.

There is an illegal address access in the _nc_safe_strcat function in 
strings.c in ncurses 6.0 that will lead to a remote denial of service attack.

There is an illegal address access in the function _nc_read_entry_source() 
in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.

There is an illegal address access in the _nc_save_str function in 
alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.

There is an infinite loop in the next_char function in comp_scan.c in 
ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.

There is an illegal address access in the function postprocess_termcap() 
in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-13734
https://nvd.nist.gov/vuln/detail/CVE-2017-13732
https://nvd.nist.gov/vuln/detail/CVE-2017-13731
https://nvd.nist.gov/vuln/detail/CVE-2017-13730
https://nvd.nist.gov/vuln/detail/CVE-2017-13729
https://nvd.nist.gov/vuln/detail/CVE-2017-13728

Upstream patch:
https://anonscm.debian.org/cgit/collab-maint/ncurses.git/commit/?id=129aac80802d997b86ab0663836b7fdafb8e3926

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
---
 ...-2017-13729-CVE-2017-13728-CVE-2017-13731.patch | 541 +++++++++++++++++++++
 meta/recipes-core/ncurses/ncurses_6.0+20170715.bb  |   1 +
 2 files changed, 542 insertions(+)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch

Patch hide | download patch | download mbox

diff --git a/meta/recipes-core/ncurses/files/CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch b/meta/recipes-core/ncurses/files/CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch
new file mode 100644
index 0000000..3024e96
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch
@@ -0,0 +1,541 @@ 
+From 4bf72cb8f1d3aa5f33c31eb817a5f0338f4aaf6f Mon Sep 17 00:00:00 2001
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Wed, 20 Sep 2017 05:02:00 +0000
+Subject: [PATCH] Import upstream patch 20170826
+
+20170826
+	+ fixes for "iterm2" (report by Leonardo Brondani Schenkel) -TD
+	+ corrected a warning from tic about keys which are the same, to skip
+	  over missing/cancelled values.
+	+ add check in tic for unnecessary use of "2" to denote a shifted
+	  special key.
+	+ improve checks in trim_sgr0, comp_parse.c and parse_entry.c, for
+	  cancelled string capabilities.
+	+ add check in _nc_parse_entry() for invalid entry name, setting the
+	  name to "invalid" to avoid problems storing entries.
+	+ add/improve checks in tic's parser to address invalid input
+	  + add a check in comp_scan.c to handle the special case where a
+	    nontext file ending with a NUL rather than newline is given to tic
+	    as input (Redhat #1484274).
+	  + allow for cancelled capabilities in _nc_save_str (Redhat #1484276).
+	  + add validity checks for "use=" target in _nc_parse_entry (Redhat
+	    #1484284).
+	  + check for invalid strings in postprocess_termcap (Redhat #1484285)
+	  + reset secondary pointers on EOF in next_char() (Redhat #1484287).
+	  + guard _nc_safe_strcpy() and _nc_safe_strcat() against calls using
+	    cancelled strings (Redhat #1484291).
+	+ correct typo in curs_memleaks.3x (Sven Joachim).
+	+ improve test/configure checks for some curses variants not based on
+	  X/Open Curses.
+	+ add options for test/configure to disable checks for form, menu and
+	  panel libraries.
+
+Upstream-Status: Backport
+CVE: CVE-2017-13732, CVE-2017-13734, CVE-2017-13730, CVE-2017-13729, CVE-2017-13728, CVE-2017-13731
+ 
+
+Author: Sven Joachim <svenjoac@gmx.de>
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ dist.mk                     |  4 +-
+ include/ncurses_defs        |  4 +-
+ ncurses/tinfo/alloc_entry.c |  4 +-
+ ncurses/tinfo/comp_parse.c  | 10 ++---
+ ncurses/tinfo/comp_scan.c   |  6 ++-
+ ncurses/tinfo/parse_entry.c | 91 ++++++++++++++++++++++++++++++---------------
+ ncurses/tinfo/strings.c     |  9 +++--
+ ncurses/tinfo/trim_sgr0.c   |  4 +-
+ progs/tic.c                 | 75 ++++++++++++++++++++++++++++++++++++-
+ 9 files changed, 157 insertions(+), 50 deletions(-)
+
+diff --git a/dist.mk b/dist.mk
+index 9af2699..2c70472 100644
+--- a/dist.mk
++++ b/dist.mk
+@@ -25,7 +25,7 @@
+ # use or other dealings in this Software without prior written               #
+ # authorization.                                                             #
+ ##############################################################################
+-# $Id: dist.mk,v 1.1172 2017/07/13 00:15:27 tom Exp $
++# $Id: dist.mk,v 1.1179 2017/08/20 15:33:41 tom Exp $
+ # Makefile for creating ncurses distributions.
+ #
+ # This only needs to be used directly as a makefile by developers, but
+@@ -37,7 +37,7 @@ SHELL = /bin/sh
+ # These define the major/minor/patch versions of ncurses.
+ NCURSES_MAJOR = 6
+ NCURSES_MINOR = 0
+-NCURSES_PATCH = 20170715
++NCURSES_PATCH = 20170826
+ 
+ # We don't append the patch to the version, since this only applies to releases
+ VERSION = $(NCURSES_MAJOR).$(NCURSES_MINOR)
+diff --git a/include/ncurses_defs b/include/ncurses_defs
+index e6611b7..d237db1 100644
+--- a/include/ncurses_defs
++++ b/include/ncurses_defs
+@@ -1,4 +1,4 @@
+-# $Id: ncurses_defs,v 1.73 2017/06/24 14:20:57 tom Exp $
++# $Id: ncurses_defs,v 1.75 2017/08/20 16:50:04 tom Exp $
+ ##############################################################################
+ # Copyright (c) 2000-2016,2017 Free Software Foundation, Inc.                #
+ #                                                                            #
+@@ -50,7 +50,9 @@ HAVE_BSD_STRING_H
+ HAVE_BTOWC 
+ HAVE_BUILTIN_H
+ HAVE_CHGAT	1
++HAVE_COLOR_CONTENT	1
+ HAVE_COLOR_SET	1
++HAVE_CURSCR	1
+ HAVE_DIRENT_H
+ HAVE_ERRNO
+ HAVE_FCNTL_H
+diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
+index 5de09f1..09374d6 100644
+--- a/ncurses/tinfo/alloc_entry.c
++++ b/ncurses/tinfo/alloc_entry.c
+@@ -47,7 +47,7 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: alloc_entry.c,v 1.60 2017/06/27 23:48:55 tom Exp $")
++MODULE_ID("$Id: alloc_entry.c,v 1.61 2017/08/25 09:09:08 tom Exp $")
+ 
+ #define ABSENT_OFFSET    -1
+ #define CANCELLED_OFFSET -2
+@@ -98,7 +98,7 @@ _nc_save_str(const char *const string)
+     size_t old_next_free = next_free;
+     size_t len;
+ 
+-    if (string == 0)
++    if (!VALID_STRING(string))
+ 	return _nc_save_str("");
+     len = strlen(string) + 1;
+ 
+diff --git a/ncurses/tinfo/comp_parse.c b/ncurses/tinfo/comp_parse.c
+index 34e6216..580d4df 100644
+--- a/ncurses/tinfo/comp_parse.c
++++ b/ncurses/tinfo/comp_parse.c
+@@ -47,7 +47,7 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: comp_parse.c,v 1.96 2017/04/15 15:36:58 tom Exp $")
++MODULE_ID("$Id: comp_parse.c,v 1.99 2017/08/26 16:15:50 tom Exp $")
+ 
+ static void sanity_check2(TERMTYPE2 *, bool);
+ NCURSES_IMPEXP void NCURSES_API(*_nc_check_termtype2) (TERMTYPE2 *, bool) = sanity_check2;
+@@ -510,9 +510,9 @@ static void
+ fixup_acsc(TERMTYPE2 *tp, int literal)
+ {
+     if (!literal) {
+-	if (acs_chars == 0
+-	    && enter_alt_charset_mode != 0
+-	    && exit_alt_charset_mode != 0)
++	if (acs_chars == ABSENT_STRING
++	    && PRESENT(enter_alt_charset_mode)
++	    && PRESENT(exit_alt_charset_mode))
+ 	    acs_chars = strdup(VT_ACSC);
+     }
+ }
+@@ -568,9 +568,7 @@ sanity_check2(TERMTYPE2 *tp, bool literal)
+     PAIRED(enter_xon_mode, exit_xon_mode);
+     PAIRED(enter_am_mode, exit_am_mode);
+     ANDMISSING(label_off, label_on);
+-#ifdef remove_clock
+     PAIRED(display_clock, remove_clock);
+-#endif
+     ANDMISSING(set_color_pair, initialize_pair);
+ }
+ 
+diff --git a/ncurses/tinfo/comp_scan.c b/ncurses/tinfo/comp_scan.c
+index 40d7f6a..b207257 100644
+--- a/ncurses/tinfo/comp_scan.c
++++ b/ncurses/tinfo/comp_scan.c
+@@ -50,7 +50,7 @@
+ #include <ctype.h>
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: comp_scan.c,v 1.106 2017/04/22 11:41:12 tom Exp $")
++MODULE_ID("$Id: comp_scan.c,v 1.108 2017/08/25 22:57:21 tom Exp $")
+ 
+ /*
+  * Maximum length of string capability we'll accept before raising an error.
+@@ -168,6 +168,8 @@ next_char(void)
+ 	if (result != 0) {
+ 	    FreeAndNull(result);
+ 	    FreeAndNull(pushname);
++	    bufptr = 0;
++	    bufstart = 0;
+ 	    allocated = 0;
+ 	}
+ 	/*
+@@ -222,6 +224,8 @@ next_char(void)
+ 		}
+ 		if ((bufptr = bufstart) != 0) {
+ 		    used = strlen(bufptr);
++		    if (used == 0)
++			return (EOF);
+ 		    while (iswhite(*bufptr)) {
+ 			if (*bufptr == '\t') {
+ 			    _nc_curr_col = (_nc_curr_col | 7) + 1;
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index 3fa2f25..bbbfcb2 100644
+--- a/ncurses/tinfo/parse_entry.c
++++ b/ncurses/tinfo/parse_entry.c
+@@ -47,7 +47,7 @@
+ #include <ctype.h>
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: parse_entry.c,v 1.86 2017/06/28 00:53:12 tom Exp $")
++MODULE_ID("$Id: parse_entry.c,v 1.91 2017/08/26 16:13:34 tom Exp $")
+ 
+ #ifdef LINT
+ static short const parametrized[] =
+@@ -180,6 +180,20 @@ _nc_extend_names(ENTRY * entryp, char *name, int token_type)
+ }
+ #endif /* NCURSES_XNAMES */
+ 
++static bool
++valid_entryname(const char *name)
++{
++    bool result = TRUE;
++    int ch;
++    while ((ch = UChar(*name++)) != '\0') {
++	if (ch <= ' ' || ch > '~' || ch == '/') {
++	    result = FALSE;
++	    break;
++	}
++    }
++    return result;
++}
++
+ /*
+  *	int
+  *	_nc_parse_entry(entry, literal, silent)
+@@ -211,6 +225,7 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+     int token_type;
+     struct name_table_entry const *entry_ptr;
+     char *ptr, *base;
++    const char *name;
+     bool bad_tc_usage = FALSE;
+ 
+     token_type = _nc_get_token(silent);
+@@ -261,7 +276,12 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+      * results in the terminal type getting prematurely set to correspond
+      * to that of the next entry.
+      */
+-    _nc_set_type(_nc_first_name(entryp->tterm.term_names));
++    name = _nc_first_name(entryp->tterm.term_names);
++    if (!valid_entryname(name)) {
++	_nc_warning("invalid entry name \"%s\"", name);
++	name = "invalid";
++    }
++    _nc_set_type(name);
+ 
+     /* check for overly-long names and aliases */
+     for (base = entryp->tterm.term_names; (ptr = strchr(base, '|')) != 0;
+@@ -283,13 +303,24 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+ 	bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
+ 	bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
+ 	if (is_use || is_tc) {
++	    if (!VALID_STRING(_nc_curr_token.tk_valstring)
++		|| _nc_curr_token.tk_valstring[0] == '\0') {
++		_nc_warning("missing name for use-clause");
++		continue;
++	    } else if (!valid_entryname(_nc_curr_token.tk_valstring)) {
++		_nc_warning("invalid name for use-clause \"%s\"",
++			    _nc_curr_token.tk_valstring);
++		continue;
++	    } else if (entryp->nuses >= MAX_USES) {
++		_nc_warning("too many use-clauses, ignored \"%s\"",
++			    _nc_curr_token.tk_valstring);
++		continue;
++	    }
+ 	    entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+ 	    entryp->uses[entryp->nuses].line = _nc_curr_line;
+-	    if (VALID_STRING(entryp->uses[entryp->nuses].name)) {
+-		entryp->nuses++;
+-		if (entryp->nuses > 1 && is_tc) {
+-		    BAD_TC_USAGE
+-		}
++	    entryp->nuses++;
++	    if (entryp->nuses > 1 && is_tc) {
++		BAD_TC_USAGE
+ 	    }
+ 	} else {
+ 	    /* normal token lookup */
+@@ -641,13 +672,6 @@ static const char C_BS[] = "\b";
+ static const char C_HT[] = "\t";
+ 
+ /*
+- * Note that WANTED and PRESENT are not simple inverses!  If a capability
+- * has been explicitly cancelled, it's not considered WANTED.
+- */
+-#define WANTED(s)	((s) == ABSENT_STRING)
+-#define PRESENT(s)	(((s) != ABSENT_STRING) && ((s) != CANCELLED_STRING))
+-
+-/*
+  * This bit of legerdemain turns all the terminfo variable names into
+  * references to locations in the arrays Booleans, Numbers, and Strings ---
+  * precisely what's needed.
+@@ -672,10 +696,10 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+ 
+     /* if there was a tc entry, assume we picked up defaults via that */
+     if (!has_base) {
+-	if (WANTED(init_3string) && termcap_init2)
++	if (WANTED(init_3string) && PRESENT(termcap_init2))
+ 	    init_3string = _nc_save_str(termcap_init2);
+ 
+-	if (WANTED(reset_2string) && termcap_reset)
++	if (WANTED(reset_2string) && PRESENT(termcap_reset))
+ 	    reset_2string = _nc_save_str(termcap_reset);
+ 
+ 	if (WANTED(carriage_return)) {
+@@ -790,7 +814,7 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+ 	if (init_tabs != 8 && init_tabs != ABSENT_NUMERIC)
+ 	    _nc_warning("hardware tabs with a width other than 8: %d", init_tabs);
+ 	else {
+-	    if (tab && _nc_capcmp(tab, C_HT))
++	    if (PRESENT(tab) && _nc_capcmp(tab, C_HT))
+ 		_nc_warning("hardware tabs with a non-^I tab string %s",
+ 			    _nc_visbuf(tab));
+ 	    else {
+@@ -867,17 +891,22 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+ 	     * The magic moment -- copy the mapped key string over,
+ 	     * stripping out padding.
+ 	     */
+-	    for (dp = buf2, bp = tp->Strings[from_ptr->nte_index]; *bp; bp++) {
+-		if (bp[0] == '$' && bp[1] == '<') {
+-		    while (*bp && *bp != '>') {
+-			++bp;
+-		    }
+-		} else
+-		    *dp++ = *bp;
+-	    }
+-	    *dp = '\0';
++	    bp = tp->Strings[from_ptr->nte_index];
++	    if (VALID_STRING(bp)) {
++		for (dp = buf2; *bp; bp++) {
++		    if (bp[0] == '$' && bp[1] == '<') {
++			while (*bp && *bp != '>') {
++			    ++bp;
++			}
++		    } else
++			*dp++ = *bp;
++		}
++		*dp = '\0';
+ 
+-	    tp->Strings[to_ptr->nte_index] = _nc_save_str(buf2);
++		tp->Strings[to_ptr->nte_index] = _nc_save_str(buf2);
++	    } else {
++		tp->Strings[to_ptr->nte_index] = bp;
++	    }
+ 	}
+ 
+ 	/*
+@@ -886,7 +915,7 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+ 	 * got mapped to kich1 and im to kIC to avoid a collision.
+ 	 * If the description has im but not ic, hack kIC back to kich1.
+ 	 */
+-	if (foundim && WANTED(key_ic) && key_sic) {
++	if (foundim && WANTED(key_ic) && PRESENT(key_sic)) {
+ 	    key_ic = key_sic;
+ 	    key_sic = ABSENT_STRING;
+ 	}
+@@ -938,9 +967,9 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+ 	    acs_chars = _nc_save_str(buf2);
+ 	    _nc_warning("acsc string synthesized from XENIX capabilities");
+ 	}
+-    } else if (acs_chars == 0
+-	       && enter_alt_charset_mode != 0
+-	       && exit_alt_charset_mode != 0) {
++    } else if (acs_chars == ABSENT_STRING
++	       && PRESENT(enter_alt_charset_mode)
++	       && PRESENT(exit_alt_charset_mode)) {
+ 	acs_chars = _nc_save_str(VT_ACSC);
+     }
+ }
+diff --git a/ncurses/tinfo/strings.c b/ncurses/tinfo/strings.c
+index 393d8e7..10ec6c8 100644
+--- a/ncurses/tinfo/strings.c
++++ b/ncurses/tinfo/strings.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 2000-2007,2012 Free Software Foundation, Inc.              *
++ * Copyright (c) 2000-2012,2017 Free Software Foundation, Inc.              *
+  *                                                                          *
+  * Permission is hereby granted, free of charge, to any person obtaining a  *
+  * copy of this software and associated documentation files (the            *
+@@ -35,8 +35,9 @@
+ **/
+ 
+ #include <curses.priv.h>
++#include <tic.h>
+ 
+-MODULE_ID("$Id: strings.c,v 1.8 2012/02/22 22:34:31 tom Exp $")
++MODULE_ID("$Id: strings.c,v 1.9 2017/08/26 13:16:11 tom Exp $")
+ 
+ /****************************************************************************
+  * Useful string functions (especially for mvcur)
+@@ -105,7 +106,7 @@ _nc_str_copy(string_desc * dst, string_desc * src)
+ NCURSES_EXPORT(bool)
+ _nc_safe_strcat(string_desc * dst, const char *src)
+ {
+-    if (src != 0) {
++    if (PRESENT(src)) {
+ 	size_t len = strlen(src);
+ 
+ 	if (len < dst->s_size) {
+@@ -126,7 +127,7 @@ _nc_safe_strcat(string_desc * dst, const char *src)
+ NCURSES_EXPORT(bool)
+ _nc_safe_strcpy(string_desc * dst, const char *src)
+ {
+-    if (src != 0) {
++    if (PRESENT(src)) {
+ 	size_t len = strlen(src);
+ 
+ 	if (len < dst->s_size) {
+diff --git a/ncurses/tinfo/trim_sgr0.c b/ncurses/tinfo/trim_sgr0.c
+index 4cbcb65..4d92d15 100644
+--- a/ncurses/tinfo/trim_sgr0.c
++++ b/ncurses/tinfo/trim_sgr0.c
+@@ -36,7 +36,7 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: trim_sgr0.c,v 1.16 2017/04/05 22:33:07 tom Exp $")
++MODULE_ID("$Id: trim_sgr0.c,v 1.17 2017/08/26 14:54:16 tom Exp $")
+ 
+ #undef CUR
+ #define CUR tp->
+@@ -263,7 +263,7 @@ _nc_trim_sgr0(TERMTYPE2 *tp)
+ 	    /*
+ 	     * If rmacs is a substring of sgr(0), remove that chunk.
+ 	     */
+-	    if (exit_alt_charset_mode != 0) {
++	    if (PRESENT(exit_alt_charset_mode)) {
+ 		TR(TRACE_DATABASE, ("scan for rmacs %s", _nc_visbuf(exit_alt_charset_mode)));
+ 		j = strlen(off);
+ 		k = strlen(exit_alt_charset_mode);
+diff --git a/progs/tic.c b/progs/tic.c
+index c5d78e5..6dd4678 100644
+--- a/progs/tic.c
++++ b/progs/tic.c
+@@ -48,7 +48,7 @@
+ #include <parametrized.h>
+ #include <transform.h>
+ 
+-MODULE_ID("$Id: tic.c,v 1.233 2017/07/15 17:40:19 tom Exp $")
++MODULE_ID("$Id: tic.c,v 1.243 2017/08/26 20:56:55 tom Exp $")
+ 
+ #define STDIN_NAME "<stdin>"
+ 
+@@ -62,6 +62,10 @@ static bool showsummary = FALSE;
+ static char **namelst = 0;
+ static const char *to_remove;
+ 
++#if NCURSES_XNAMES
++static bool using_extensions = FALSE;
++#endif
++
+ static void (*save_check_termtype) (TERMTYPE2 *, bool);
+ static void check_termtype(TERMTYPE2 *tt, bool);
+ 
+@@ -850,6 +854,7 @@ main(int argc, char *argv[])
+ 	    /* FALLTHRU */
+ 	case 'x':
+ 	    use_extended_names(TRUE);
++	    using_extensions = TRUE;
+ 	    break;
+ #endif
+ 	default:
+@@ -2405,10 +2410,17 @@ check_conflict(TERMTYPE2 *tp)
+ 	    const char *a = given[j].value;
+ 	    bool first = TRUE;
+ 
++	    if (!VALID_STRING(a))
++		continue;
++
+ 	    for (k = j + 1; given[k].keycode; k++) {
+ 		const char *b = given[k].value;
++
++		if (!VALID_STRING(b))
++		    continue;
+ 		if (check[k])
+ 		    continue;
++
+ 		if (!_nc_capcmp(a, b)) {
+ 		    check[j] = 1;
+ 		    check[k] = 1;
+@@ -2431,6 +2443,67 @@ check_conflict(TERMTYPE2 *tp)
+ 	    if (!first)
+ 		fprintf(stderr, "\n");
+ 	}
++#if NCURSES_XNAMES
++	if (using_extensions) {
++	    /* *INDENT-OFF* */
++	    static struct {
++		const char *xcurses;
++		const char *shifted;
++	    } table[] = {
++		{ "kDC",  NULL },
++		{ "kDN",  "kind" },
++		{ "kEND", NULL },
++		{ "kHOM", NULL },
++		{ "kLFT", NULL },
++		{ "kNXT", NULL },
++		{ "kPRV", NULL },
++		{ "kRIT", NULL },
++		{ "kUP",  "kri" },
++		{ NULL,   NULL },
++	    };
++	    /* *INDENT-ON* */
++
++	    /*
++	     * SVr4 curses defines the "xcurses" names listed above except for
++	     * the special cases in the "shifted" column.  When using these
++	     * names for xterm's extensions, that was confusing, and resulted
++	     * in adding extended capabilities with "2" (shift) suffix.  This
++	     * check warns about unnecessary use of extensions for this quirk.
++	     */
++	    for (j = 0; given[j].keycode; ++j) {
++		const char *find = given[j].name;
++		int value;
++		char ch;
++
++		if (!VALID_STRING(given[j].value))
++		    continue;
++
++		for (k = 0; table[k].xcurses; ++k) {
++		    const char *test = table[k].xcurses;
++		    size_t size = strlen(test);
++
++		    if (!strncmp(find, test, size) && strcmp(find, test)) {
++			switch (sscanf(find + size, "%d%c", &value, &ch)) {
++			case 1:
++			    if (value == 2) {
++				_nc_warning("expected '%s' rather than '%s'",
++					    (table[k].shifted
++					     ? table[k].shifted
++					     : test), find);
++			    } else if (value < 2 || value > 15) {
++				_nc_warning("expected numeric 2..15 '%s'", find);
++			    }
++			    break;
++			default:
++			    _nc_warning("expected numeric suffix for '%s'", find);
++			    break;
++			}
++			break;
++		    }
++		}
++	    }
++	}
++#endif
+ 	free(given);
+ 	free(check);
+     }
+-- 
+2.10.2
+
diff --git a/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb b/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb
index 127394c..d1da5d1 100644
--- a/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb
@@ -3,6 +3,7 @@  require ncurses.inc
 SRC_URI += "file://0001-tic-hang.patch \
             file://0002-configure-reproducible.patch \
             file://config.cache \
+            file://CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch \
 "
 # commit id corresponds to the revision in package version
 SRCREV = "52681a6a1a18b4d6eb1a716512d0dd827bd71c87"