From e9073cd1e86941f32dd720902d37467c4519d0b2 Mon Sep 17 00:00:00 2001
From: yangl777
Date: Fri, 15 Dec 2023 14:50:19 +0800
Subject: [PATCH] fix CVE-2023-50495
(cherry picked from commit 589c64697663b16afa8c35a88df8c92dc2c6c895)
---
 backport-CVE-2023-50495.patch | 92 +++++++++++++++++++++++++++++++++++
 ncurses.spec | 9 +++-
 2 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-50495.patch
diff --git a/backport-CVE-2023-50495.patch b/backport-CVE-2023-50495.patch
new file mode 100644
index 0000000..514f5e1
--- /dev/null
+++ b/backport-CVE-2023-50495.patch
@@ -0,0 +1,92 @@
+From efe9674ee14b14b788f9618941f97d31742f0adc Mon Sep 17 00:00:00 2001
+From: "Thomas E. Dickey"
+Date: Mon, 24 Apr 2023 23:14:45 +0000
+Subject: [PATCH] snapshot of project "ncurses", label v6_4_20230424
+
+Conflict:remove unnecessary modifications
+Reference:https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc#diff-92910179510f7aaf9b70441f3c70521140faa34a192f9e28671ee40bbf052dc4
+---
+ ncurses/tinfo/parse_entry.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index a77cd0b..5390146 100644
+--- a/ncurses/tinfo/parse_entry.c
++++ b/ncurses/tinfo/parse_entry.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright 2018-2020,2021 Thomas E. Dickey *
++ * Copyright 2018-2022,2023 Thomas E. Dickey *
+ * Copyright 1998-2016,2017 Free Software Foundation, Inc. *
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+@@ -48,7 +48,7 @@
+ #include
+ #include
+
+-MODULE_ID("$Id: parse_entry.c,v 1.102 2021/09/04 10:54:35 tom Exp $")
++MODULE_ID("$Id: parse_entry.c,v 1.108 2023/04/24 22:32:33 tom Exp $")
+
+ #ifdef LINT
+ static short const parametrized[] =
+@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+ /* Well, we are given a cancel for a name that we don't recognize */
+ return _nc_extend_names(entryp, name, STRING);
+ default:
+- return 0;
++ return NULL;
+ }
+
+ /* Adjust the 'offset' (insertion-point) to keep the lists of extended
+@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+ for (last = (unsigned) (max - 1); last > tindex; last--)
+
+ if (!found) {
++ char *saved;
++
++ if ((saved = _nc_save_str(name)) == NULL)
++ return NULL;
++
+ switch (token_type) {
+ case BOOLEAN:
+ tp->ext_Booleans++;
+@@ -169,7 +174,7 @@
_nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+ TYPE_REALLOC(char *, actual, tp->ext_Names);
+ while (--actual > offset)
+ tp->ext_Names[actual] = tp->ext_Names[actual - 1];
+- tp->ext_Names[offset] = _nc_save_str(name);
++ tp->ext_Names[offset] = saved;
+ }
+
+ temp.nte_name = tp->ext_Names[offset];
+@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+ bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
+ bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
+ if (is_use || is_tc) {
++ char *saved;
++
+ if (!VALID_STRING(_nc_curr_token.tk_valstring)
+ || _nc_curr_token.tk_valstring[0] == '\0') {
+ _nc_warning("missing name for use-clause");
+@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+ _nc_curr_token.tk_valstring);
+ continue;
+ }
+- entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+- entryp->uses[entryp->nuses].line = _nc_curr_line;
+- entryp->nuses++;
+- if (entryp->nuses > 1 && is_tc) {
+- BAD_TC_USAGE
++ if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) {
++ entryp->uses[entryp->nuses].name = saved;
++ entryp->uses[entryp->nuses].line = _nc_curr_line;
++ entryp->nuses++;
++ if (entryp->nuses > 1 && is_tc) {
++ BAD_TC_USAGE
++ }
+ }
+ } else {
+ /* normal token lookup */
+--
+2.33.0
+
diff --git a/ncurses.spec b/ncurses.spec
index 533ab82..be871c8 100644
--- a/ncurses.spec
+++ b/ncurses.spec
@@ -9,7 +9,7 @@ Name: ncurses Version: 6.3
-Release: 12
+Release: 13
 Summary: Terminal control library License: MIT URL: https://invisible-island.net/ncurses/ncurses.html
@@ -24,6 +24,7 @@ Patch14: backport-0001-CVE-2023-29491-fix-configure-root-args-option.patch Patch15: backport-0002-CVE-2023-29491-env-access.patch Patch16: backport-fix-for-out-of-memory-condition.patch Patch17: backport-fix-coredump-when-use-Memmove.patch
+Patch18: backport-CVE-2023-50495.patch
 BuildRequires: gcc gcc-c++ gpm-devel pkgconfig
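Review bot: In the last `_nc_parse_entry` hunk of the backported patch (`@@ -350,11 +357,13 @@`), a NULL return from `_nc_save_str()` now drops the whole use-clause with no diagnostic at this site and no error path, and the `BAD_TC_USAGE` check is skipped with it, so an entry can silently lose a `use=`/`tc=` reference and parsing carries on with an incomplete description. Unless `_nc_save_str()` is known to report the failure itself (its body is not visible here), I would add an else branch such as `} else { _nc_warning("cannot save name for use-clause"); }` so the dropped reference shows up in the tool's output. By contrast, the `_nc_extend_names` hunk (`@@ -142,6 +142,11 @@`) returns NULL before any `tp->ext_*` counter or `tp->ext_Names` slot is changed; that ordering is the substance of the fix and deserves a comment like `/* save the name first: on failure nothing in tp has been modified */`. Both functions start and end outside the hunks, so it is worth confirming that every caller of `_nc_extend_names` treats a NULL result as "not found".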
@@ -285,6 +286,12 @@ xz NEWS %endif %changelog +* Fri Dec 15 2023 yanglu - 6.3-13 +- Type:CVE +- ID:CVE-2023-50495 +- SUG:NA +- DESC:fix CVE-2023-50495 + * Tue Jul 04 2023 yanglu - 6.3-12 - Type:bugfix - ID:NA -- Gitee