From ef5fadd6dd744e051cae4b6cade857c78bb6fd16 Mon Sep 17 00:00:00 2001
From: yangl777
Date: Fri, 15 Dec 2023 15:33:58 +0800
Subject: [PATCH] fix CVE-2023-50495
(cherry picked from commit 08abd29244b0b5b9b798c8363e509e16f0ffbc27)
---
backport-CVE-2023-50495.patch | 92 +++++++++++++++++++++++++++++++++++
ncurses.spec | 9 +++-
2 files changed, 100 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2023-50495.patch
diff --git a/backport-CVE-2023-50495.patch b/backport-CVE-2023-50495.patch
new file mode 100644
index 0000000..68ba885
--- /dev/null
+++ b/backport-CVE-2023-50495.patch
@@ -0,0 +1,92 @@ +From efe9674ee14b14b788f9618941f97d31742f0adc Mon Sep 17 00:00:00 2001 +From: "Thomas E. Dickey" +Date: Mon, 24 Apr 2023 23:14:45 +0000 +Subject: [PATCH] snapshot of project "ncurses", label v6_4_20230424 + +Conflict:remove unnecessary modifications +Reference:https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc#diff-92910179510f7aaf9b70441f3c70521140faa34a192f9e28671ee40bbf052dc4 +--- + ncurses/tinfo/parse_entry.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c +index a77cd0b..5390146 100644 +--- a/ncurses/tinfo/parse_entry.c ++++ b/ncurses/tinfo/parse_entry.c +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2018-2019,2020 Thomas E. Dickey * ++ * Copyright 2018-2022,2023 Thomas E. Dickey * + * Copyright 1998-2016,2017 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -48,7 +48,7 @@ + #include + #include + +-MODULE_ID("$Id: parse_entry.c,v 1.99 2020/02/02 23:34:34 tom Exp $") ++MODULE_ID("$Id: parse_entry.c,v 1.108 2023/04/24 22:32:33 tom Exp $") + + #ifdef LINT + static short const parametrized[] = +@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type) + /* Well, we are given a cancel for a name that we don't recognize */ + return _nc_extend_names(entryp, name, STRING); + default: +- return 0; ++ return NULL; + } + + /* Adjust the 'offset' (insertion-point) to keep the lists of extended +@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type) + for (last = (unsigned) (max - 1); last > tindex; last--) + + if (!found) { ++ char *saved; ++ ++ if ((saved = _nc_save_str(name)) == NULL) ++ return NULL; ++ + switch (token_type) { + case BOOLEAN: + tp->ext_Booleans++; +@@ -169,7 +174,7 @@ 
_nc_extend_names(ENTRY * entryp, const char *name, int token_type) + TYPE_REALLOC(char *, actual, tp->ext_Names); + while (--actual > offset) + tp->ext_Names[actual] = tp->ext_Names[actual - 1]; +- tp->ext_Names[offset] = _nc_save_str(name); ++ tp->ext_Names[offset] = saved; + } + + temp.nte_name = tp->ext_Names[offset]; +@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent) + bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0); + bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0); + if (is_use || is_tc) { ++ char *saved; ++ + if (!VALID_STRING(_nc_curr_token.tk_valstring) + || _nc_curr_token.tk_valstring[0] == '\0') { + _nc_warning("missing name for use-clause"); +@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent) + _nc_curr_token.tk_valstring); + continue; + } +- entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring); +- entryp->uses[entryp->nuses].line = _nc_curr_line; +- entryp->nuses++; +- if (entryp->nuses > 1 && is_tc) { +- BAD_TC_USAGE ++ if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) { ++ entryp->uses[entryp->nuses].name = saved; ++ entryp->uses[entryp->nuses].line = _nc_curr_line; ++ entryp->nuses++; ++ if (entryp->nuses > 1 && is_tc) { ++ BAD_TC_USAGE ++ } + } + } else { + /* normal token lookup */ +-- +2.33.0 + diff --git a/ncurses.spec b/ncurses.spec index 26c5909..ef66942 100644 --- a/ncurses.spec +++ b/ncurses.spec @@ -1,7 +1,7 @@ %global revision 20200411 Name: ncurses Version: 6.2 -Release: 4 +Release: 5 Summary: Terminal control library License: MIT URL: https://invisible-island.net/ncurses/ncurses.html @@ -15,6 +15,7 @@ Patch12: ncurses-kbs.patch Patch13: backport-CVE-2021-39537-add-check-for-end-of-string-in-cvtchar-to-handle-a-malformed.patch Patch14: backport-CVE-2022-29458.patch Patch15: backport-CVE-2023-29491-mitigation.patch +Patch16: backport-CVE-2023-50495.patch BuildRequires: gcc gcc-c++ gpm-devel pkgconfig 
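Review bot: In the `_nc_parse_entry` hunk the new `if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL)` has no `else`, so when the name cannot be saved the `use=`/`tc=` clause is skipped with no diagnostic at this site and parsing continues with an entry that lacks its referenced base description. Unless `_nc_save_str` already reports the failure (its body is not part of this patch), add `else { _nc_warning("cannot save name for use-clause"); }` so that a truncated or malformed terminfo source is visible to whoever runs the compiler. The `_nc_extend_names` hunks take the other route and `return NULL` before any `ext_*` counter is incremented, which keeps the tables consistent but relies on every caller checking the result. Those callers, and the rest of both function bodies, lie outside the hunks shown.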
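Review bot: `Patch16: backport-CVE-2023-50495.patch` is declared here, but none of the three ncurses.spec hunks touches `%prep`, so whether the patch is actually applied depends on how `%prep` is written, which is outside this diff. If the spec applies patches one by one rather than through `%autosetup` or `%autopatch`, a matching `%patch16 -p1` line is needed. Without it the package would ship with the new Release and a changelog entry claiming the CVE fix while still building the unpatched parse_entry.c. Confirming in the build log that the patch is applied would settle it.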
@@ -225,6 +226,12 @@ xz NEWS %{_mandir}/man7/* %changelog +* Fri Dec 15 2023 yanglu - 6.2-5 +- Type:CVE +- CVE:CVE-2023-50495 +- SUG:NA +- DESC:fix CVE-2023-50495 + * Mon Jul 03 2023 yanglu - 6.2-4 - Type:CVE - CVE:CVE-2023-29491 -- Gitee