[Buildroot] [PATCHv2] package/ncurses: add upstream (security) patches up to 20200118

Peter Korsgaard peter at korsgaard.com
Tue Mar 10 21:32:00 UTC 2020


>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin at gmail.com> writes:

 > From: Peter Korsgaard <peter at korsgaard.com>
 > Fixes the following security issues:

 > - CVE-2018-10754: In ncurses before 6.1.20180414, there is a NULL Pointer
 >   Dereference in the _nc_parse_entry function of tinfo/parse_entry.c.  It
 >   could lead to a remote denial of service if the terminfo library code is
 >   used to process untrusted terminfo data in which a use-name is invalid
 >   syntax (REJECTED).

 > - CVE-2018-19211: In ncurses 6.1, there is a NULL pointer dereference at
 >   function _nc_parse_entry in parse_entry.c that will lead to a denial of
 >   service attack.  The product proceeds to the dereference code path even
 >   after a "dubious character `*' in name or alias field" detection.

 > - CVE-2018-19217: In ncurses, possibly a 6.x version, there is a NULL
 >   pointer dereference at the function _nc_name_match that will lead to a
 >   denial of service attack.  NOTE: the original report stated version 6.1,
 >   but the issue did not reproduce for that version according to the
 >   maintainer or a reliable third-party.

 > - CVE-2019-17594: There is a heap-based buffer over-read in the
 >   _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in
 >   ncurses before 6.1-20191012.

 > - CVE-2019-17595: There is a heap-based buffer over-read in the fmt_entry
 >   function in tinfo/comp_hash.c in the terminfo library in ncurses before
 >   6.1-20191012.

 > Ncurses upstream uses a fairly special way of releasing (security) bugfixes.
 > Approximately once a week an incremental .patch.gz is released, and once in
 > a while these incremental patches are bundled up to a bigger patch relative
 > to the current release in .patch.sh.bz2 format (a bzip2 compressed patch
 > with a small shell script prepended, luckily apply-patches can handle that),
 > and the relative patch files deleted.

 > For details of this process, see the upstream FAQ:
 > https://invisible-island.net/ncurses/ncurses.faq.html#applying_patches

 > Apply the latest .patch.sh.bz2 and incremental patches up to 20200118 to fix
 > a number of (security) issues.  Notice that these patch files are NOT
 > available on the GNU mirrors.

 > While we are at it, adjust the white space in the .hash file to match
 > sha256sum output for consistency.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
 > [fix whitespace inconsistency after 'sha256' keyword]
 > Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire at nokia.com>

Committed to 2019.02.x and 2019.11.x, thanks.

-- 
Bye, Peter Korsgaard
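
An added example, not part of the original message and not Buildroot's own code: the commit message notes that these patch files are not on the GNU mirrors and that the .hash entries follow sha256sum output, so the entries can be checked as below. The assumed line format ("sha256  <digest>  <filename>"), the function names and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Buildroot code. Assumed .hash line format:
#   sha256  <64 hex digits>  <filename>      ('#' starts a comment line)

# verify_hash_file HASHFILE DIR
# Returns 0 only if every sha256 entry matches the file of that name in DIR.
verify_hash_file() {
    hashfile=$1 dir=$2 status=0
    while read -r algo digest name || [ -n "$algo" ]; do
        [ "$algo" = sha256 ] || continue      # comments, blanks, other types
        case $name in
            # refuse empty names and anything that could leave DIR
            ''|*/*) echo "BAD ENTRY $name" >&2; status=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING   $name" >&2; status=1; continue
        fi
        actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$digest" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name" >&2; status=1
        fi
    done < "$hashfile"
    return "$status"
}

# make_sample: build constructed input (placeholder file names and contents)
# in a temporary directory and print that directory's path.
make_sample() {
    d=$(mktemp -d)
    printf 'constructed rollup patch\n'      > "$d/sample-20200118.patch.sh.bz2"
    printf 'constructed incremental patch\n' > "$d/sample-20200118.patch.gz"
    {
        echo '# Locally calculated (constructed sample)'
        for f in sample-20200118.patch.sh.bz2 sample-20200118.patch.gz; do
            # sha256sum prints "<digest>  <file>"; prefix the keyword
            (cd "$d" && sha256sum "$f") | sed 's/^/sha256  /'
        done
    } > "$d/sample.hash"
    echo "$d"
}
```

A mismatch, a missing file or an entry whose name contains a path separator all make the function return non-zero, so it can gate a download step.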

