diff --git a/SOURCES/ncurses-cve-2019-17594.patch b/SOURCES/ncurses-cve-2019-17594.patch new file mode 100644 index 0000000..ea9f208 --- /dev/null +++ b/SOURCES/ncurses-cve-2019-17594.patch @@ -0,0 +1,28 @@ +From snapshot 6.1-20191012 + +diff --git a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c +index 21f165ca..a62d38f9 100644 +--- a/ncurses/tinfo/comp_hash.c ++++ b/ncurses/tinfo/comp_hash.c +@@ -63,7 +63,9 @@ _nc_find_entry(const char *string, + + hashvalue = data->hash_of(string); + +- if (data->table_data[hashvalue] >= 0) { ++ if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { + + real_table = _nc_get_table(termcap); + ptr = real_table + data->table_data[hashvalue]; +@@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string, + const HashData *data = _nc_get_hash_info(termcap); + int hashvalue = data->hash_of(string); + +- if (data->table_data[hashvalue] >= 0) { ++ if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { + const struct name_table_entry *const table = _nc_get_table(termcap); + + ptr = table + data->table_data[hashvalue]; diff --git a/SOURCES/ncurses-cve-2019-17595.patch b/SOURCES/ncurses-cve-2019-17595.patch new file mode 100644 index 0000000..eacf479 --- /dev/null +++ b/SOURCES/ncurses-cve-2019-17595.patch @@ -0,0 +1,16 @@ +From snapshot 6.1-20191012 + +diff --git a/progs/dump_entry.c b/progs/dump_entry.c +index d0e420ec..8a47084a 100644 +--- a/progs/dump_entry.c ++++ b/progs/dump_entry.c +@@ -1136,7 +1136,8 @@ fmt_entry(TERMTYPE2 *tterm, + *d++ = '\\'; + *d = ':'; + } else if (*d == '\\') { +- *++d = *s++; ++ if ((*++d = *s++) == '\0') ++ break; + } + d++; + *d = '\0'; diff --git a/SOURCES/ncurses-tputx.patch b/SOURCES/ncurses-tputx.patch new file mode 100644 index 0000000..1f61580 --- /dev/null +++ b/SOURCES/ncurses-tputx.patch @@ -0,0 +1,15 @@ +From snapshot 6.1-20180630 + +diff --git a/progs/tput.c b/progs/tput.c +index fd051eb4..88e75799 100644 +--- a/progs/tput.c ++++ b/progs/tput.c +@@ -293,7 +293,7 @@ main(int argc, char **argv) + + term = getenv("TERM"); + +- while ((c = getopt(argc, argv, "ST:V")) != -1) { ++ while ((c = getopt(argc, argv, "ST:Vx")) != -1) { + switch (c) { + case 'S': + cmdline = FALSE; diff --git a/SPECS/ncurses.spec b/SPECS/ncurses.spec index 4dfad01..ea8c22f 100644 --- a/SPECS/ncurses.spec +++ b/SPECS/ncurses.spec @@ -2,7 +2,7 @@ Summary: Ncurses support utilities Name: ncurses Version: 6.1 -Release: 7.%{revision}%{?dist} +Release: 9.%{revision}%{?dist} License: MIT Group: System Environment/Base URL: https://invisible-island.net/ncurses/ncurses.html @@ -13,6 +13,9 @@ Patch8: ncurses-config.patch Patch9: ncurses-libs.patch Patch11: ncurses-urxvt.patch Patch12: ncurses-kbs.patch +Patch13: ncurses-cve-2019-17594.patch +Patch14: ncurses-cve-2019-17595.patch +Patch15: ncurses-tputx.patch BuildRequires: gcc gcc-c++ gpm-devel pkgconfig Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -127,6 +130,9 @@ The ncurses-static package includes static libraries of the ncurses library. %patch9 -p1 -b .libs %patch11 -p1 -b .urxvt %patch12 -p1 -b .kbs +%patch13 -p1 -b .cve-2019-17594 +%patch14 -p1 -b .cve-2019-17595 +%patch15 -p1 -b .tputx for f in ANNOUNCE; do iconv -f iso8859-1 -t utf8 -o ${f}{_,} && @@ -293,6 +299,13 @@ bzip2 NEWS %{_libdir}/lib*.a %changelog +* Tue May 18 2021 Miroslav Lichvar 6.1-9.20180224 +- fix tput to accept -x option (#1916340) + +* Tue May 18 2021 Miroslav Lichvar 6.1-8.20180224 +- fix buffer overflow in terminfo entry hashtable (CVE-2019-17594) +- handle missing character after backslash in terminfo entry (CVE-2019-17595) + * Wed Jan 16 2019 Miroslav Lichvar 6.1-7.20180224 - disable stripping on program installation (#1665177)