[OE-core][dunfell][PATCH] ncurses: Backport fix for CVE-2023-50495

Vijay Anusuri via lists.openembedded.org Tue, 02 Apr 2024 22:13:53 -0700

From: Vijay Anusuri <vanus...@mvista.com>

Upstream-Status: Backport from 
https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc


Reference: 
https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz

Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
---
 .../ncurses/files/CVE-2023-50495.patch        | 79 +++++++++++++++++++
 meta/recipes-core/ncurses/ncurses_6.2.bb      |  1 +
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-50495.patch

diff --git a/meta/recipes-core/ncurses/files/CVE-2023-50495.patch 
b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
new file mode 100644
index 0000000000..58c23866d1
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
@@ -0,0 +1,79 @@
+Fix for CVE-2023-50495 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc
+
+Reference:
+https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
+
+Upstream-Status: Backport [import from suse 
ftp.pbone.net/mirror/ftp.opensuse.org/update/leap-micro/5.3/sle/src/ncurses-6.1-150000.5.20.1.src.rpm
+Upstream commit 
https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc]
+CVE: CVE-2023-50495
+Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
+---
+ ncurses/tinfo/parse_entry.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index 23574b66..56ba9ae6 100644
+--- a/ncurses/tinfo/parse_entry.c
++++ b/ncurses/tinfo/parse_entry.c
+@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int 
token_type)
+       /* Well, we are given a cancel for a name that we don't recognize */
+       return _nc_extend_names(entryp, name, STRING);
+     default:
+-      return 0;
++      return NULL;
+     }
+ 
+     /* Adjust the 'offset' (insertion-point) to keep the lists of extended
+@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int 
token_type)
+       for (last = (unsigned) (max - 1); last > tindex; last--)
+ 
+     if (!found) {
++      char *saved;
++
++      if ((saved = _nc_save_str(name)) == NULL)
++          return NULL;
++
+       switch (token_type) {
+       case BOOLEAN:
+           tp->ext_Booleans++;
+@@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int 
token_type)
+       TYPE_REALLOC(char *, actual, tp->ext_Names);
+       while (--actual > offset)
+           tp->ext_Names[actual] = tp->ext_Names[actual - 1];
+-      tp->ext_Names[offset] = _nc_save_str(name);
++      tp->ext_Names[offset] = saved;
+     }
+ 
+     temp.nte_name = tp->ext_Names[offset];
+@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+       bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
+       bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
+       if (is_use || is_tc) {
++          char *saved;
++
+           if (!VALID_STRING(_nc_curr_token.tk_valstring)
+               || _nc_curr_token.tk_valstring[0] == '\0') {
+               _nc_warning("missing name for use-clause");
+@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+                           _nc_curr_token.tk_valstring);
+               continue;
+           }
+-          entryp->uses[entryp->nuses].name = 
_nc_save_str(_nc_curr_token.tk_valstring);
+-          entryp->uses[entryp->nuses].line = _nc_curr_line;
+-          entryp->nuses++;
+-          if (entryp->nuses > 1 && is_tc) {
+-              BAD_TC_USAGE
++          if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) {
++              entryp->uses[entryp->nuses].name = saved;
++              entryp->uses[entryp->nuses].line = _nc_curr_line;
++              entryp->nuses++;
++              if (entryp->nuses > 1 && is_tc) {
++                  BAD_TC_USAGE
++              }
+           }
+       } else {
+           /* normal token lookup */
+-- 
+2.25.1
+
diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb 
b/meta/recipes-core/ncurses/ncurses_6.2.bb
index 33285bcb5b..dbff149f55 100644
--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://0001-tic-hang.patch \
            file://CVE-2021-39537.patch \
            file://CVE-2022-29458.patch \
            file://CVE-2023-29491.patch \
+           file://CVE-2023-50495.patch \
            "
 # commit id corresponds to the revision in package version
 SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
-- 
2.25.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197903): 
https://lists.openembedded.org/g/openembedded-core/message/197903
Mute This Topic: https://lists.openembedded.org/mt/105303486/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][dunfell][PATCH] ncurses: Backport fix for CVE-2023-50495

Reply via email to