In ncurses before 6.1.20180414, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax.
Upstream patch: ftp://ftp.invisible-island.net/ncurses/6.1/ncurses-6.1-20180414.patch.gz References: https://nvd.nist.gov/vuln/detail/CVE-2018-10754 https://bugzilla.redhat.com/show_bug.cgi?id=1576119 https://bugzilla.redhat.com/show_bug.cgi?id=1566575 Signed-off-by: Ovidiu Panait <[email protected]>
---
 .../ncurses/files/CVE-2018-10754.patch | 449 +++++++++++++++++++++
 meta/recipes-core/ncurses/ncurses_6.0+20170715.bb | 1 +
 2 files changed, 450 insertions(+)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2018-10754.patch
diff --git a/meta/recipes-core/ncurses/files/CVE-2018-10754.patch b/meta/recipes-core/ncurses/files/CVE-2018-10754.patch
new file mode 100644
index 0000000000..f6542cf2b3
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2018-10754.patch
@@ -0,0 +1,449 @@
+From cc24cd13a8637fdc3228347152cbaea7dd8f56e2 Mon Sep 17 00:00:00 2001
+From: Ovidiu Panait <[email protected]>
+Date: Fri, 18 May 2018 08:32:42 +0000
+Subject: [PATCH] ncurses: CVE-2018-10754
+
+# ncurses 6.1 - patch 20180414 - Thomas E. Dickey
+#
+# ------------------------------------------------------------------------------
+#
+# Ncurses 6.1 is at
+# ftp.gnu.org:/pub/gnu
+#
+# Patches for ncurses 6.1 can be found at
+# ftp://ftp.invisible-island.net/ncurses/6.1
+# http://invisible-mirror.net/archives/ncurses/6.1
+#
+# ------------------------------------------------------------------------------
+# ftp://ftp.invisible-island.net/ncurses/6.1/ncurses-6.1-20180414.patch.gz
+# patch by Thomas E. Dickey <[email protected]>
+# created Sat Apr 14 22:50:05 UTC 2018
+
+Upstream-Status: Backport
+CVE: CVE-2018-10754
+
+Signed-off-by: Ovidiu Panait <[email protected]>
+---
+ form/form.h | 5 +++--
+ form/form.priv.h | 7 ++++---
+ form/frm_driver.c | 24 +++++++++++++++++++-----
+ ncurses/curses.priv.h | 2 --
+ ncurses/llib-lncursestw | 9 ++-------
+ ncurses/llib-lncursesw | 8 +-------
+ ncurses/llib-ltinfotw | 8 +-------
+ ncurses/llib-ltinfow | 8 +-------
+ ncurses/tinfo/alloc_entry.c | 7 +++++--
+ ncurses/tinfo/alloc_ttype.c | 24 ++++++++++--------------
+ ncurses/tinfo/comp_parse.c | 6 +++++-
+ ncurses/tinfo/parse_entry.c | 8 +++++---
+ ncurses/tinfo/read_entry.c | 3 +++
+ 13 files changed, 59 insertions(+), 60 deletions(-)
+
+diff --git a/form/form.h b/form/form.h
+index f11807f5..1d4c241d 100644
+--- a/form/form.h
++++ b/form/form.h
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 1998-2016,2017 Free Software Foundation, Inc. *
++ * Copyright (c) 1998-2017,2018 Free Software Foundation, Inc. 
*
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+@@ -30,7 +30,7 @@
+ * Author: Juergen Pfeifer, 1995,1997 *
+ ****************************************************************************/
+
+-/* $Id: form.h,v 0.27 2017/02/11 16:35:42 tom Exp $ */
++/* $Id: form.h,v 0.28 2018/04/14 21:06:21 Leon.Winter Exp $ */
+
+ #ifndef FORM_H
+ #define FORM_H
+@@ -222,6 +222,7 @@ typedef void (*Form_Hook)(FORM *);
+ #define O_STATIC (0x0200U)
+ #define O_DYNAMIC_JUSTIFY (0x0400U) /* ncurses extension */
+ #define O_NO_LEFT_STRIP (0x0800U) /* ncurses extension */
++#define O_EDGE_INSERT_STAY (0x1000U) /* ncurses extension */
+
+ /* form options */
+ #define O_NL_OVERLOAD (0x0001U)
+diff --git a/form/form.priv.h b/form/form.priv.h
+index ad25ec2d..e48a9f26 100644
+--- a/form/form.priv.h
++++ b/form/form.priv.h
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 1998-2016,2017 Free Software Foundation, Inc. *
++ * Copyright (c) 1998-2017,2018 Free Software Foundation, Inc. 
*
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+@@ -30,7 +30,7 @@
+ * Author: Juergen Pfeifer, 1995,1997 *
+ ****************************************************************************/
+
+-/* $Id: form.priv.h,v 0.42 2017/02/11 16:12:19 tom Exp $ */
++/* $Id: form.priv.h,v 0.43 2018/04/14 21:06:14 Leon.Winter Exp $ */
+
+ #ifndef FORM_PRIV_H
+ #define FORM_PRIV_H 1
+@@ -166,7 +166,8 @@ TypeArgument;
+ #define ALL_FIELD_OPTS (Field_Options)( \
+ STD_FIELD_OPTS |\
+ O_DYNAMIC_JUSTIFY |\
+- O_NO_LEFT_STRIP)
++ O_NO_LEFT_STRIP |\
++ O_EDGE_INSERT_STAY)
+
+ #define C_BLANK ' '
+ #define is_blank(c) ((c)==C_BLANK)
+diff --git a/form/frm_driver.c b/form/frm_driver.c
+index 45e323f7..7ed06ef7 100644
+--- a/form/frm_driver.c
++++ b/form/frm_driver.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 1998-2016,2017 Free Software Foundation, Inc. *
++ * Copyright (c) 1998-2017,2018 Free Software Foundation, Inc. *
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+@@ -808,6 +808,7 @@ _nc_Position_Form_Cursor(FORM *form)
+ {
+ FIELD *field;
+ WINDOW *formwin;
++ int row, col;
+
+ if (!form)
+ return (E_BAD_ARGUMENT);
+@@ -818,14 +819,17 @@ _nc_Position_Form_Cursor(FORM *form)
+ field = form->current;
+ formwin = Get_Form_Window(form);
+
+- wmove(form->w, form->currow, form->curcol);
++ col = Field_Has_Option(field, O_PUBLIC) ? form->curcol : form->begincol;
++ row = Field_Has_Option(field, O_PUBLIC) ? form->currow : form->toprow;
++
++ wmove(form->w, row, col);
+ if (Has_Invisible_Parts(field))
+ {
+ /* in this case fieldwin isn't derived from formwin, so we have
+ to move the cursor in formwin by hand... 
*/
+ wmove(formwin,
+- field->frow + form->currow - form->toprow,
+- field->fcol + form->curcol - form->begincol);
++ field->frow + row - form->toprow,
++ field->fcol + col - form->begincol);
+ wcursyncup(formwin);
+ }
+ else
+@@ -844,6 +848,7 @@ _nc_Position_Form_Cursor(FORM *form)
+ | E_BAD_ARGUMENT - invalid form pointer
+ | E_SYSTEM_ERROR - general error
+ +--------------------------------------------------------------------------*/
++static bool move_after_insert = true;
+ NCURSES_EXPORT(int)
+ _nc_Refresh_Current_Field(FORM *form)
+ {
+@@ -875,7 +880,8 @@ _nc_Refresh_Current_Field(FORM *form)
+ else
+ {
+ if (form->curcol >= (form->begincol + field->cols))
+- form->begincol = form->curcol - field->cols + 1;
++ form->begincol = form->curcol - field->cols
++ + (move_after_insert ? 1 : 0);
+ }
+ copywin(form->w,
+ formwin,
+@@ -4158,6 +4164,12 @@ Data_Entry(FORM *form, int c)
+ bool End_Of_Field = (((field->drows - 1) == form->currow) &&
+ ((field->dcols - 1) == form->curcol));
+
++ if (Field_Has_Option(field, O_EDGE_INSERT_STAY))
++ move_after_insert = !!(form->curcol
++ - form->begincol
++ - field->cols
++ + 1);
++
+ SetStatus(form, _WINDOW_MODIFIED);
+ if (End_Of_Field && !Growable(field) && (Field_Has_Option(field, O_AUTOSKIP)))
+ result = Inter_Field_Navigation(FN_Next_Field, form);
+@@ -4322,6 +4334,8 @@ form_driver(FORM *form, int c)
+ const Binding_Info *BI = (Binding_Info *) 0;
+ int res = E_UNKNOWN_COMMAND;
+
++ move_after_insert = true;
++
+ T((T_CALLED("form_driver(%p,%d)"), (void *)form, c));
+
+ if (!form)
+diff --git a/ncurses/curses.priv.h b/ncurses/curses.priv.h
+index 839d5b35..aec86543 100644
+--- a/ncurses/curses.priv.h
++++ b/ncurses/curses.priv.h
+@@ -2170,11 +2170,9 @@ extern NCURSES_EXPORT(const TERMTYPE2 *) _nc_fallback2 (const char *);
+ #if NCURSES_EXT_NUMBERS
+ extern NCURSES_EXPORT(void) _nc_copy_termtype2 (TERMTYPE2 *, const TERMTYPE2 *);
+ extern NCURSES_EXPORT(void) _nc_export_termtype2(TERMTYPE *, const TERMTYPE2 *);
+-extern 
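Review bot: `move_after_insert` is a file-scope flag shared by every form: `Data_Entry` writes it, `_nc_Refresh_Current_Field` reads it, and it is reset to `true` only at the top of `form_driver`. A refresh reached after `form_driver` has returned would see whatever the last `Data_Entry` left behind, and forms driven from different threads would share the value; neither caller path is visible in these hunks, so this is something to check and not a confirmed fault. The declaration also lands between the function's header comment and `_nc_Refresh_Current_Field`, so it would read better above that comment block with a comment of its own, e.g. `/* cleared by Data_Entry under O_EDGE_INSERT_STAY; reset by form_driver */`. None of these `form/` hunks belongs to the CVE-2018-10754 fix.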
NCURSES_EXPORT(void) _nc_import_termtype2(TERMTYPE2 *, const TERMTYPE *);
+ #else
+ #define _nc_copy_termtype2(dst,src) _nc_copy_termtype((dst),(src))
+ #define _nc_export_termtype2(dst,src) /* nothing */
+-#define _nc_import_termtype2(dst,src) /* nothing */
+ #define _nc_free_termtype2(t) _nc_free_termtype(t)
+ /* also... */
+ #define _nc_read_entry2 _nc_read_entry
+diff --git a/ncurses/llib-lncursestw b/ncurses/llib-lncursestw
+index f4c211d3..e056ce55 100644
+--- a/ncurses/llib-lncursestw
++++ b/ncurses/llib-lncursestw
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 2009-2016,2017 Free Software Foundation, Inc. *
++ * Copyright (c) 2009-2017,2018 Free Software Foundation, Inc. *
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+@@ -34,6 +34,7 @@
+ /* ./tty/hardscroll.c */
+
+ #include <curses.priv.h>
++
+ #undef _nc_oldnums
+ int *_nc_oldnums;
+
+@@ -3741,12 +3742,6 @@ void _nc_export_termtype2(
+ const TERMTYPE2 *src)
+ { /* void */ }
+
+-#undef _nc_import_termtype2
+-void _nc_import_termtype2(
+- TERMTYPE2 *dst,
+- const TERMTYPE *src)
+- { /* void */ }
+-
+ /* ./codes.c */
+
+ #undef _nc_boolcodes
+diff --git a/ncurses/llib-lncursesw b/ncurses/llib-lncursesw
+index 8aacf053..c16f0783 100644
+--- a/ncurses/llib-lncursesw
++++ b/ncurses/llib-lncursesw
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 2001-2016,2017 Free Software Foundation, Inc. *
++ * Copyright (c) 2001-2017,2018 Free Software Foundation, Inc. 
*
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+@@ -3732,12 +3732,6 @@ void _nc_export_termtype2(
+ const TERMTYPE2 *src)
+ { /* void */ }
+
+-#undef _nc_import_termtype2
+-void _nc_import_termtype2(
+- TERMTYPE2 *dst,
+- const TERMTYPE *src)
+- { /* void */ }
+-
+ /* ./codes.c */
+
+ #undef boolcodes
+diff --git a/ncurses/llib-ltinfotw b/ncurses/llib-ltinfotw
+index 31376b54..eba1d95c 100644
+--- a/ncurses/llib-ltinfotw
++++ b/ncurses/llib-ltinfotw
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 2012-2016,2017 Free Software Foundation, Inc. *
++ * Copyright (c) 2012-2017,2018 Free Software Foundation, Inc. *
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+@@ -110,12 +110,6 @@ void _nc_export_termtype2(
+ const TERMTYPE2 *src)
+ { /* void */ }
+
+-#undef _nc_import_termtype2
+-void _nc_import_termtype2(
+- TERMTYPE2 *dst,
+- const TERMTYPE *src)
+- { /* void */ }
+-
+ /* ./codes.c */
+
+ #undef _nc_boolcodes
+diff --git a/ncurses/llib-ltinfow b/ncurses/llib-ltinfow
+index 5b8411c2..9ab9de0b 100644
+--- a/ncurses/llib-ltinfow
++++ b/ncurses/llib-ltinfow
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 2012-2016,2017 Free Software Foundation, Inc. *
++ * Copyright (c) 2012-2017,2018 Free Software Foundation, Inc. 
*
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+@@ -110,12 +110,6 @@ void _nc_export_termtype2(
+ const TERMTYPE2 *src)
+ { /* void */ }
+
+-#undef _nc_import_termtype2
+-void _nc_import_termtype2(
+- TERMTYPE2 *dst,
+- const TERMTYPE *src)
+- { /* void */ }
+-
+ /* ./codes.c */
+
+ #undef boolcodes
+diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
+index 09374d6e..fe7892f4 100644
+--- a/ncurses/tinfo/alloc_entry.c
++++ b/ncurses/tinfo/alloc_entry.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 1998-2013,2017 Free Software Foundation, Inc. *
++ * Copyright (c) 1998-2017,2018 Free Software Foundation, Inc. *
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+@@ -47,7 +47,7 @@
+
+ #include <tic.h>
+
+-MODULE_ID("$Id: alloc_entry.c,v 1.61 2017/08/25 09:09:08 tom Exp $")
++MODULE_ID("$Id: alloc_entry.c,v 1.62 2018/04/14 20:32:09 tom Exp $")
+
+ #define ABSENT_OFFSET -1
+ #define CANCELLED_OFFSET -2
+@@ -229,6 +229,9 @@ _nc_merge_entry(ENTRY * const target, ENTRY * const source)
+ TERMTYPE2 *from = &(source->tterm);
+ unsigned i;
+
++ if (source == 0 || from == 0 || target == 0 || to == 0)
++ return;
++
+ #if NCURSES_XNAMES
+ _nc_align_termtype(to, from);
+ #endif
+diff --git a/ncurses/tinfo/alloc_ttype.c b/ncurses/tinfo/alloc_ttype.c
+index 4a1b6913..6e830d0f 100644
+--- a/ncurses/tinfo/alloc_ttype.c
++++ b/ncurses/tinfo/alloc_ttype.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 1999-2016,2017 Free Software Foundation, Inc. *
++ * Copyright (c) 1999-2017,2018 Free Software Foundation, Inc. 
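Review bot: The guard added to `_nc_merge_entry` runs after `from` has already been initialised as `&(source->tterm)` (and, presumably, `to` from `target` on the line just above the hunk), so a null `source` is used in a member-address expression before it is tested. For the same reason the `from == 0` and `to == 0` terms cannot be relied on to catch anything, since both are addresses derived from the entry pointers. Testing only the entry pointers, before the member addresses are taken, states the intent directly: `if (source == 0 || target == 0) return;` with `to` and `from` assigned after it. The function body continues outside the hunk.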
*
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+@@ -42,7 +42,7 @@
+
+ #include <tic.h>
+
+-MODULE_ID("$Id: alloc_ttype.c,v 1.29 2017/04/09 23:15:34 tom Exp $")
++MODULE_ID("$Id: alloc_ttype.c,v 1.30 2018/04/14 19:24:54 tom Exp $")
+
+ #if NCURSES_XNAMES
+ /*
+@@ -388,12 +388,16 @@ adjust_cancels(TERMTYPE2 *to, TERMTYPE2 *from)
+ NCURSES_EXPORT(void)
+ _nc_align_termtype(TERMTYPE2 *to, TERMTYPE2 *from)
+ {
+- int na = (int) NUM_EXT_NAMES(to);
+- int nb = (int) NUM_EXT_NAMES(from);
++ int na;
++ int nb;
+ char **ext_Names;
+
+- DEBUG(2, ("align_termtype to(%d:%s), from(%d:%s)", na, to->term_names,
+- nb, from->term_names));
++ na = to ? ((int) NUM_EXT_NAMES(to)) : 0;
++ nb = from ? ((int) NUM_EXT_NAMES(from)) : 0;
++
++ DEBUG(2, ("align_termtype to(%d:%s), from(%d:%s)",
++ na, to ? NonNull(to->term_names) : "?",
++ nb, from ? NonNull(from->term_names) : "?"));
+
+ if (na != 0 || nb != 0) {
+ int ext_Booleans, ext_Numbers, ext_Strings;
+@@ -592,12 +596,4 @@ _nc_export_termtype2(TERMTYPE *dst, const TERMTYPE2 *src)
+ DEBUG(2, ("_nc_export_termtype2..."));
+ copy_termtype((TERMTYPE2 *) dst, src, srcINT);
+ }
+-
+-/* FIXME - this will go away when conversion is complete */
+-NCURSES_EXPORT(void)
+-_nc_import_termtype2(TERMTYPE2 *dst, const TERMTYPE *src)
+-{
+- DEBUG(2, ("_nc_import_termtype2..."));
+- copy_termtype(dst, (const TERMTYPE2 *) src, dstINT);
+-}
+ #endif /* NCURSES_EXT_NUMBERS */
+diff --git a/ncurses/tinfo/comp_parse.c b/ncurses/tinfo/comp_parse.c
+index 580d4df2..d4875b27 100644
+--- a/ncurses/tinfo/comp_parse.c
++++ b/ncurses/tinfo/comp_parse.c
+@@ -317,6 +317,9 @@ _nc_resolve_uses2(bool fullresolve, bool literal)
+ char *lookfor = qp->uses[i].name;
+ long lookline = qp->uses[i].line;
+
++ if (lookfor == 0)
++ continue;
++
+ foundit = FALSE;
+
+ _nc_set_type(child);
+@@ -394,7 +397,8 @@ _nc_resolve_uses2(bool fullresolve, bool literal)
+ * subsequent 
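Review bot: The null tests added to `_nc_align_termtype` cover only the two `NUM_EXT_NAMES` reads and the `DEBUG` arguments; when exactly one of `to` / `from` is null and the other has extended names, `na != 0 || nb != 0` is still true and the block that follows runs with the null pointer in hand. Most of that block lies outside the hunk, so whether it dereferences both pointers is not visible here. An explicit early exit ahead of the count assignments, `if (to == 0 || from == 0) return;`, would make the handling of a missing entry unambiguous and would let the two conditional expressions go back to plain reads.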
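Review bot: The `if (lookfor == 0) continue;` added to `_nc_resolve_uses2` drops a use-clause without any diagnostic, so terminfo source with a malformed `use=` is accepted silently; the `qp->uses[i].link &&` test added in the next hunk suggests that the slot's `link` then stays null, though the assignment is outside the hunk. A comment saying where a null name comes from would help the next audit of this parser, e.g. `/* name is null when the use= value had invalid syntax (CVE-2018-10754) */`, ideally with a warning through the library's existing reporting routine such as `_nc_warning`. The same comment fits the `entryp->uses[i].name != 0` test added in `parse_entry.c`; both loops continue outside their hunks.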
pass.
+ */
+ for (i = 0; i < qp->nuses; i++)
+- if (qp->uses[i].link->nuses) {
++ if (qp->uses[i].link
++ && qp->uses[i].link->nuses) {
+ DEBUG(2, ("%s: use entry %d unresolved",
+ _nc_first_name(qp->tterm.term_names), i));
+ goto incomplete;
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index bbbfcb27..0389767b 100644
+--- a/ncurses/tinfo/parse_entry.c
++++ b/ncurses/tinfo/parse_entry.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright (c) 1998-2016,2017 Free Software Foundation, Inc. *
++ * Copyright (c) 1998-2017,2018 Free Software Foundation, Inc. *
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+@@ -543,9 +543,11 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+ * Otherwise, look for a base entry that will already
+ * have picked up defaults via translation.
+ */
+- for (i = 0; i < entryp->nuses; i++)
+- if (!strchr((char *) entryp->uses[i].name, '+'))
++ for (i = 0; i < entryp->nuses; i++) {
++ if (entryp->uses[i].name != 0
++ && !strchr(entryp->uses[i].name, '+'))
+ has_base_entry = TRUE;
++ }
+ }
+
+ postprocess_termcap(&entryp->tterm, has_base_entry);
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 3cb02410..dc8ddba8 100644
+--- a/ncurses/tinfo/read_entry.c
++++ b/ncurses/tinfo/read_entry.c
+@@ -717,6 +717,9 @@ _nc_read_entry2(const char *const name, char *const filename, TERMTYPE2 *const t
+ {
+ int code = TGETENT_NO;
+
++ if (name == 0)
++ return _nc_read_entry2("", filename, tp);
++
+ _nc_SPRINTF(filename, _nc_SLIMIT(PATH_MAX)
+ "%.*s", PATH_MAX - 1, name);
+
+--
+2.13.3
+
diff --git a/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb b/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb
index d1da5d16e0..9e453ec410 100644
--- a/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.0+20170715.bb
@@ -4,6 +4,7 @@ SRC_URI += "file://0001-tic-hang.patch \
 file://0002-configure-reproducible.patch \
 file://config.cache \
 file://CVE-2017-13732-CVE-2017-13734-CVE-2017-13730-CVE-2017-13729-CVE-2017-13728-CVE-2017-13731.patch \
+ file://CVE-2018-10754.patch \
 "
 # commit id corresponds to the revision in package version
 SRCREV = "52681a6a1a18b4d6eb1a716512d0dd827bd71c87"
-- 2.16.2 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
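Review bot: `CVE-2018-10754.patch`, wired into `SRC_URI` by this hunk, carries the whole upstream 20180414 weekly patch and not only the null use-name fix: its diffstat also touches `form/` (the new `O_EDGE_INSERT_STAY` option) and removes the exported `_nc_import_termtype2` together with its lint-library stubs. For a security backport onto the 6.0+20170715 recipe that widens the change well beyond the `ncurses/tinfo/` null checks, and dropping an exported symbol may matter to anything already built against the older library. Consider trimming the patch to the `ncurses/tinfo/` hunks, or recording in the patch header why the unrelated hunks are kept so that the `CVE:` tag is not read as describing the whole file.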
