Skip to content
Snippets Groups Projects
Verified Commit f14965f6 authored by alice's avatar alice
Browse files

main/ncurses: fix CVE-2022-29458

ncurses does not keep old tarballs.. the github mirror ones are
file-identical (only file access time differs, actual file contents are
bit identical)
parent 101563a3
No related merge requests found
......@@ -2,7 +2,8 @@
pkgname=ncurses
pkgver=6.2_p20210109
_ver=${pkgver/_p/-}
pkgrel=0
_mirror_commit=152c5a605234b7ea36ba3a03ec07e124bb6aac75
pkgrel=1
pkgdesc="Console display library"
url="https://invisible-island.net/ncurses/"
arch="all"
......@@ -11,10 +12,14 @@ license="MIT"
makedepends_build="ncurses"
subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-libs
$pkgname-terminfo-base:base:noarch $pkgname-terminfo:terminfo:noarch"
source="https://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz"
builddir="$srcdir"/ncurses-$_ver
source="$pkgname-$pkgver.tar.gz::https://github.com/mirror/ncurses/archive/$_mirror_commit.tar.gz
CVE-2022-29458.patch
"
builddir="$srcdir"/ncurses-$_mirror_commit
# secfixes:
# 6.2_p20210109-r1:
# - CVE-2022-29458
# 6.2_p20200530-r0:
# - CVE-2021-39537
# 6.1_p20180414-r0:
......@@ -112,4 +117,7 @@ static() {
mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/
}
sha512sums="a4adb1000632261f5e42e768051bb4d2cae47d994b13d8e7416ffca048445b09fa96155cb3690000b2725e500b469cce051efc74fe0bcde72b91005586db3c47 ncurses-6.2-20210109.tgz"
sha512sums="
889c014b6fc393c91b2803653c31ece553782afadf9d485345bb81c05ee4865297aad2cca6f3f02b6c8403210e87ac7d3979c6b81aade34c19617a873b8cf5c1 ncurses-6.2_p20210109.tar.gz
b7904866af8afc7a163151a803ca506981d87f58ce9a720a28c27aa6fa1ac1cf43dad8916a8265779ff2253d2dbacb2793733cadf44dbe10f6cf894944042708 CVE-2022-29458.patch
"
--- a/ncurses/tinfo/read_entry.c
+++ b/ncurses/tinfo/read_entry.c
@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
{
int i;
char *p;
+ bool corrupt = FALSE;
for (i = 0; i < count; i++) {
if (IS_NEG1(buf + 2 * i)) {
@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
} else if (MyNumber(buf + 2 * i) > size) {
Strings[i] = ABSENT_STRING;
} else {
- Strings[i] = (MyNumber(buf + 2 * i) + table);
- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
+ int nn = MyNumber(buf + 2 * i);
+ if (nn >= 0 && nn < size) {
+ Strings[i] = (nn + table);
+ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
+ _nc_visbuf(Strings[i])));
+ } else {
+ if (!corrupt) {
+ corrupt = TRUE;
+ TR(TRACE_DATABASE,
+ ("ignore out-of-range index %d to Strings[]", nn));
+ _nc_warning("corrupt data found in convert_strings");
+ }
+ Strings[i] = ABSENT_STRING;
+ }
}
/* make sure all strings are NUL terminated */
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment