[Buildroot] [PATCHv2] package/ncurses: add upstream (security) patches up to 20200118
Peter Korsgaard
peter at korsgaard.com
Tue Mar 10 21:32:00 UTC 2020
>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin at gmail.com> writes:
> From: Peter Korsgaard <peter at korsgaard.com>
> Fixes the following security issues:
> - CVE-2018-10754: In ncurses before 6.1.20180414, there is a NULL Pointer
> Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It
> could lead to a remote denial of service if the terminfo library code is
> used to process untrusted terminfo data in which a use-name is invalid
> syntax (REJECTED).
> - CVE-2018-19211: In ncurses 6.1, there is a NULL pointer dereference at
> function _nc_parse_entry in parse_entry.c that will lead to a denial of
> service attack. The product proceeds to the dereference code path even
> after a "dubious character `*' in name or alias field" detection.
> - CVE-2018-19217: In ncurses, possibly a 6.x version, there is a NULL
> pointer dereference at the function _nc_name_match that will lead to a
> denial of service attack. NOTE: the original report stated version 6.1,
> but the issue did not reproduce for that version according to the
> maintainer or a reliable third-party.
> - CVE-2019-17594: There is a heap-based buffer over-read in the
> _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in
> ncurses before 6.1-20191012.
> - CVE-2019-17595: There is a heap-based buffer over-read in the fmt_entry
> function in tinfo/comp_hash.c in the terminfo library in ncurses before
> 6.1-20191012.
> Ncurses upstream uses a fairly special way of releasing (security) bugfixes.
> Approximately once a week an incremental .patch.gz is released, and once in
> a while these incremental patches are bundled up to a bigger patch relative
> to the current release in .patch.sh.bz2 format (a bzip2 compressed patch
> with a small shell script prepended, luckily apply-patches can handle that),
> and the relative patch files deleted.
> For details of this process, see the upstream FAQ:
> https://invisible-island.net/ncurses/ncurses.faq.html#applying_patches
> Apply the latest .patch.sh.bz2 and incremental patches up to 20200118 to fix
> a number of (security) issues. Notice that these patch files are NOT
> available on the GNU mirrors.
> While we are at it, adjust the white space in the .hash file to match
> sha256sum output for consistency.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> [fix whitespace inconsistency after 'sha256' keyword]
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire at nokia.com>
Committed to 2019.02.x and 2019.11.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list