From 709c2999acf3741602717df3c2006112e15b162c Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Thu, 28 Apr 2022 20:04:39 +0800
Subject: [PATCH] fix CVE-2022-29458

(cherry picked from commit bf362dd4357b8efa6e4f615c4e3c657186f3a9d8)
---
 backport-CVE-2022-29458.patch | 81 +++++++++++++++++++++++++++++++++++
 ncurses.spec | 11 ++++-
 2 files changed, 90 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2022-29458.patch

diff --git a/backport-CVE-2022-29458.patch b/backport-CVE-2022-29458.patch
new file mode 100644
index 0000000..1830758
--- /dev/null
+++ b/backport-CVE-2022-29458.patch
@@ -0,0 +1,81 @@
+From 4c9f63c460cb7134f142aa65f6866c175ed77605 Mon Sep 17 00:00:00 2001
+From: "Thomas E. Dickey"
+Date: Sun, 17 Apr 2022 00:27:48 +0000
+Subject: [PATCH] ncurses 6.3 - patch 20220416
+
+ ncurses/tinfo/alloc_entry.c | 12 +-
+ ncurses/tinfo/read_entry.c | 21 +-
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
+index 0bc93942c..aed739436 100644
+--- a/ncurses/tinfo/alloc_entry.c
++++ b/ncurses/tinfo/alloc_entry.c
+@@ -48,8 +48,6 @@
+ #define ABSENT_OFFSET -1
+ #define CANCELLED_OFFSET -2
+ 
+-#define MAX_STRTAB 4096 /* documented maximum entry size */
+-
+ static char *stringbuf; /* buffer for string capabilities */
+ static size_t next_free; /* next free character in stringbuf */
+ 
+@@ -74,7 +72,7 @@ _nc_init_entry(ENTRY * const tp)
+ #endif
+ 
+ if (stringbuf == 0)
+- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
++ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
+ 
+ next_free = 0;
+ 
+@@ -111,11 +109,11 @@ _nc_save_str(const char *string)
+ * Cheat a little by making an empty string point to the end of the
+ * previous string.
+ */
+- if (next_free < MAX_STRTAB) {
++ if (next_free < MAX_ENTRY_SIZE) {
+ result = (stringbuf + next_free - 1);
+ }
+- } else if (next_free + len < MAX_STRTAB) {
+- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
++ } else if (next_free + len < MAX_ENTRY_SIZE) {
++ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
+ DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
+ DEBUG(7, ("at location %d", (int) next_free));
+ next_free += len;
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 41ef0d0aa..66e3d31ee 100644
+--- a/ncurses/tinfo/read_entry.c
++++ b/ncurses/tinfo/read_entry.c
+@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ {
+ int i;
+ char *p;
++ bool corrupt = FALSE;
+ 
+ for (i = 0; i < count; i++) {
+ if (IS_NEG1(buf + 2 * i)) {
+@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ } else if (MyNumber(buf + 2 * i) > size) {
+ Strings[i] = ABSENT_STRING;
+ } else {
+- Strings[i] = (MyNumber(buf + 2 * i) + table);
+- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
++ int nn = MyNumber(buf + 2 * i);
++ if (nn >= 0 && nn < size) {
++ Strings[i] = (nn + table);
++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
++ _nc_visbuf(Strings[i])));
++ } else {
++ if (!corrupt) {
++ corrupt = TRUE;
++ TR(TRACE_DATABASE,
++ ("ignore out-of-range index %d to Strings[]", nn));
++ _nc_warning("corrupt data found in convert_strings");
++ }
++ Strings[i] = ABSENT_STRING;
++ }
+ }
+ 
+ /* make sure all strings are NUL terminated */
diff --git a/ncurses.spec b/ncurses.spec
index 9c4377f..cf7f5fc 100644
--- a/ncurses.spec
+++ b/ncurses.spec
@@ -1,7 +1,7 @@
 %global revision 20200411
 Name: ncurses
 Version: 6.2
-Release: 2
+Release: 3
 Summary: Terminal control library
 License: MIT
 URL: https://invisible-island.net/ncurses/ncurses.html
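Review bot: In the read_entry.c hunk the new range test `nn >= 0 && nn < size` overlaps the branch just above it, which already routes `MyNumber(buf + 2 * i) > size` to ABSENT_STRING, so `MyNumber` is evaluated twice per entry and an offset of exactly `size` (one past the table, presumably the out-of-bounds case this fix targets) is reported as corrupt while `size + 1` is dropped silently. Computing `int nn = MyNumber(buf + 2 * i);` once before the `if` chain and folding the two tests into `} else if (nn < 0 || nn >= size) {` followed by the warn-once block would put the bound in one place; it would also make `> size` offsets raise the same corruption warning, which looks like the intended meaning but is a behaviour change to confirm. In the alloc_entry.c hunk, `_nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE)` passes the whole buffer size as the copy limit even though the destination starts at `next_free`; it stays in bounds only because of the `next_free + len < MAX_ENTRY_SIZE` test on the line above, and `MAX_ENTRY_SIZE - next_free` would keep the copy bounded independently of how `len` (computed outside the hunk) is derived. Both `_nc_save_str` and `convert_strings` start and end outside the hunks shown.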
@@ -12,7 +12,8 @@
 Patch9: ncurses-libs.patch
 Patch11: ncurses-urxvt.patch
 Patch12: ncurses-kbs.patch
-Patch6000: backport-CVE-2021-39537-add-check-for-end-of-string-in-cvtchar-to-handle-a-malformed.patch
+Patch13: backport-CVE-2021-39537-add-check-for-end-of-string-in-cvtchar-to-handle-a-malformed.patch
+Patch14: backport-CVE-2022-29458.patch
 
 BuildRequires: gcc gcc-c++ gpm-devel pkgconfig
 
@@ -223,6 +224,12 @@ xz NEWS
 %{_mandir}/man7/*
 
 %changelog
+* Thu Apr 28 2022 gaihuiying - 6.2-3
+- Type:CVE
+- CVE:CVE-2022-29458
+- SUG:NA
+- DESC:fix CVE-2022-29458
+
 * Tue Oct 12 2021 xihaochen - 6.2-2
 - Type:CVE
 - CVE:CVE-2021-39537
-- Gitee
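Review bot: Renumbering `Patch6000` to `Patch13` in the `@@ -12,7 +12,8 @@` hunk is more than a label change: with `%autosetup`/`%autopatch` patches apply in numeric order, so the CVE-2021-39537 backport now applies right after Patch12 rather than after every other numbered patch, and any explicit `%patch6000` line in `%prep` (outside this hunk) would stop resolving. Unless `%prep` has been checked, the lower-risk form is to keep the existing number and append the new patch as `Patch6001: backport-CVE-2022-29458.patch`, or to note in the changelog that the renumbering was verified against `%prep`. The changelog DESC `fix CVE-2022-29458` would also be easier to audit with a pointer to its upstream origin, e.g. `- DESC:fix CVE-2022-29458, backport of upstream ncurses 6.3 patch 20220416 (4c9f63c)`.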