From: Dan Tran <msft.dantran@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Dan Tran <dantran@microsoft.com>,
	Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
Subject: [oe-core][dunfell][PATCH] ncurses: Fix CVE-2022-29458
Date: Tue, 31 May 2022 10:15:17 -0700	[thread overview]
Message-ID: <20220531171517.27876-1-dantran@microsoft.com> (raw)

ncurses 6.3 before patch 20220416 has an out-of-bounds read and
segmentation violation in convert_strings in tinfo/read_entry.c in the
terminfo library.

Backported from the link below, extracting only the relevant changes.
https://github.com/ThomasDickey/ncurses-snapshots/commit/9d1d651878d4bf0695872a64cc65ba0acb825f36

Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
Signed-off-by: Dan Tran <dantran@microsoft.com>
---
 .../ncurses/files/CVE-2022-29458.patch        | 135 ++++++++++++++++++
 meta/recipes-core/ncurses/ncurses_6.2.bb      |   1 +
 2 files changed, 136 insertions(+)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2022-29458.patch

diff --git a/meta/recipes-core/ncurses/files/CVE-2022-29458.patch b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
new file mode 100644
index 0000000000..eb1b7c96f9
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
@@ -0,0 +1,135 @@
+From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001
+From: Dan Tran <dantran@microsoft.com>
+Date: Fri, 13 May 2022 13:28:41 -0700
+Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read
+ and segmentation violation in convert_strings in tinfo/read_entry.c in the
+ terminfo library.
+
+CVE: CVE-2022-29458
+Upstream-Status: Backport
+[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870]
+
+Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ ncurses/tinfo/alloc_entry.c | 14 ++++++--------
+ ncurses/tinfo/read_entry.c  | 25 +++++++++++++++++++------
+ 2 files changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
+index 4bf7d6c8..b49ad6aa 100644
+--- a/ncurses/tinfo/alloc_entry.c
++++ b/ncurses/tinfo/alloc_entry.c
+@@ -48,13 +48,11 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $")
++MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $")
+ 
+ #define ABSENT_OFFSET    -1
+ #define CANCELLED_OFFSET -2
+ 
+-#define MAX_STRTAB	4096	/* documented maximum entry size */
+-
+ static char *stringbuf;		/* buffer for string capabilities */
+ static size_t next_free;	/* next free character in stringbuf */
+ 
+@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp)
+     }
+ #endif
+ 
+-    if (stringbuf == 0)
+-	TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
++    if (stringbuf == NULL)
++	TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
+ 
+     next_free = 0;
+ 
+@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
+ 	 * Cheat a little by making an empty string point to the end of the
+ 	 * previous string.
+ 	 */
+-	if (next_free < MAX_STRTAB) {
++	if (next_free < MAX_ENTRY_SIZE) {
+ 	    result = (stringbuf + next_free - 1);
+ 	}
+-    } else if (next_free + len < MAX_STRTAB) {
+-	_nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
++    } else if (next_free + len < MAX_ENTRY_SIZE) {
++	_nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
+ 	DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
+ 	DEBUG(7, ("at location %d", (int) next_free));
+ 	next_free += len;
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 5b570b0f..23c2cebc 100644
+--- a/ncurses/tinfo/read_entry.c
++++ b/ncurses/tinfo/read_entry.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright 2018-2019,2020 Thomas E. Dickey                                *
++ * Copyright 2018-2021,2022 Thomas E. Dickey                                *
+  * Copyright 1998-2016,2017 Free Software Foundation, Inc.                  *
+  *                                                                          *
+  * Permission is hereby granted, free of charge, to any person obtaining a  *
+@@ -42,7 +42,7 @@
+ 
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $")
++MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
+ 
+ #define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
+ 
+@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ {
+     int i;
+     char *p;
++    bool corrupt = FALSE;
+ 
+     for (i = 0; i < count; i++) {
+ 	if (IS_NEG1(buf + 2 * i)) {
+@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ 	} else if (MyNumber(buf + 2 * i) > size) {
+ 	    Strings[i] = ABSENT_STRING;
+ 	} else {
+-	    Strings[i] = (MyNumber(buf + 2 * i) + table);
+-	    TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
++	    int nn = MyNumber(buf + 2 * i);
++	    if (nn >= 0 && nn < size) {
++		Strings[i] = (nn + table);
++		TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
++				    _nc_visbuf(Strings[i])));
++	    } else {
++		if (!corrupt) {
++		    corrupt = TRUE;
++		    TR(TRACE_DATABASE,
++		       ("ignore out-of-range index %d to Strings[]", nn));
++		    _nc_warning("corrupt data found in convert_strings");
++		}
++		Strings[i] = ABSENT_STRING;
++	    }
+ 	}
+ 
+ 	/* make sure all strings are NUL terminated */
+@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename,
+ 	 * looking for compiled (binary) terminfo data.
+ 	 *
+ 	 * cgetent uses a two-level lookup.  On the first it uses the given
+-	 * name to return a record containing only the aliases for an entry. 
++	 * name to return a record containing only the aliases for an entry.
+ 	 * On the second (using that list of aliases as a key), it returns the
+ 	 * content of the terminal description.  We expect second lookup to
+ 	 * return data beginning with the same set of aliases.
+@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename,
+ #endif /* NCURSES_USE_DATABASE */
+ 
+ /*
+- * Find and read the compiled entry for a given terminal type, if it exists. 
++ * Find and read the compiled entry for a given terminal type, if it exists.
+  * We take pains here to make sure no combination of environment variables and
+  * terminal type name can be used to overrun the file buffer.
+  */
+-- 
+2.36.1
+
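Review bot: In the convert_strings hunk the new `nn >= 0 && nn < size` guard overlaps with the `MyNumber(buf + 2 * i) > size` branch the patch leaves in place, so an offset above `size` is silently mapped to ABSENT_STRING while a negative offset, or one equal to `size`, is mapped to ABSENT_STRING and additionally raises `_nc_warning("corrupt data found in convert_strings")`. Both are the same class of malformed offset, so either folding the `> size` case into the corrupt path or adding a comment such as `/* negative or == size offsets are reported as corrupt; > size is treated as absent for compatibility */` would make the intended distinction explicit, although keeping the code byte-identical to the upstream commit the cover letter cites is a defensible choice for a backport. The body of convert_strings begins before this hunk and the NUL-termination loop that consumes Strings[] continues after it. Separately, the alloc_entry.c hunks drop the local MAX_STRTAB in favour of MAX_ENTRY_SIZE from tic.h, so the backport relies on that macro already being defined with a compatible value in the 6.2 tree; that assumption belongs in the patch header, and the `Upstream-Status: Backport` line points at a Debian bug report rather than the ncurses-snapshots commit named in the cover letter.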
diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb
index 700464f70b..451bfbcb5d 100644
--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -4,6 +4,7 @@ SRC_URI += "file://0001-tic-hang.patch \
            file://0002-configure-reproducible.patch \
            file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
            file://CVE-2021-39537.patch \
+           file://CVE-2022-29458.patch \
            "
 # commit id corresponds to the revision in package version
 SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
-- 
2.22.0.vfs.1.1.57.gbaf16c8


