diff options
author | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-10-23 13:03:19 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-10-23 13:09:47 +0000 |
commit | a3baab138582d2f05cff25bc57995344dbc1b0ff (patch) | |
tree | 3553f4eb2360540beb5ded7e6a2eeaef521ae5c3 | |
parent | 7b82312acce4259459d23ed5cdf2d83b7187aab6 (diff) |
main/ncurses: security fixes
(CVE-2017-11112, CVE-2017-11113, CVE-2017-13728, CVE-2017-13729, CVE-2017-13730,
CVE-2017-13731, CVE-2017-13732, CVE-2017-13733, CVE-2017-13734)
fixes #7970
-rw-r--r-- | main/ncurses/APKBUILD | 30 | ||||
-rw-r--r-- | main/ncurses/CVE-2017-10684-10685.patch | 200 |
2 files changed, 19 insertions, 211 deletions
diff --git a/main/ncurses/APKBUILD b/main/ncurses/APKBUILD index e0276895c13..6070355482e 100644 --- a/main/ncurses/APKBUILD +++ b/main/ncurses/APKBUILD @@ -1,21 +1,32 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=ncurses -pkgver=6.0 -pkgrel=7 +pkgver=6.0_p20170701 +_ver=${pkgver%_p*}-${pkgver#*_p} +pkgrel=0 pkgdesc="Console display library" url="http://www.gnu.org/software/ncurses/" arch="all" license=MIT depends= -source="http://ftp.gnu.org/pub/gnu/ncurses/ncurses-${pkgver}.tar.gz - CVE-2017-10684-10685.patch" +makedepends_build="ncurses" +source="http://invisible-mirror.net/archives/ncurses/current/ncurses-${_ver}.tgz" subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-terminfo-base:base $pkgname-terminfo $pkgname-libs" -_builddir="$srcdir"/ncurses-$pkgver +_builddir="$srcdir"/ncurses-$_ver # secfixes: +# 6.0_p20170701-r0: +# - CVE-2017-11112 +# - CVE-2017-11113 +# - CVE-2017-13728 +# - CVE-2017-13729 +# - CVE-2017-13730 +# - CVE-2017-13731 +# - CVE-2017-13732 +# - CVE-2017-13733 +# - CVE-2017-13734 # 6.0-r7: # - CVE-2017-10684 # - CVE-2017-10685 @@ -107,9 +118,6 @@ static() { mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/ } -md5sums="ee13d052e1ead260d7c28071f46eefb1 ncurses-6.0.tar.gz -dd326fdf7c384bf8328b780fd622ffd8 CVE-2017-10684-10685.patch" -sha256sums="f551c24b30ce8bfb6e96d9f59b42fbea30fa3a6123384172f9e7284bcf647260 ncurses-6.0.tar.gz -a21c9b353b501dbe8f8e13c4b9c3317af74f9d7c1e958ac53fdd5aa5a653eeab CVE-2017-10684-10685.patch" -sha512sums="9ec194f4783dae6de8c529cac31b5cfbfcfea212c5d47b1f87cd49df013e38f8580a9e7aa1384918df0921b4ba999d5e73eb6d6362cce2d7287e64308b673963 ncurses-6.0.tar.gz -242f68a56e18f049aa12881a2aba86c9eb8ceaf272abaf2d917af74ded50420de20bb2125b1437f863198977afa6781b56e277dfa20dd7df109a746f1b9139ca CVE-2017-10684-10685.patch" +md5sums="1e60b9e5e8256e03638fb9f086552ab9 ncurses-6.0-20170701.tgz" +sha256sums="26ba91258d0d1fbf9df5f6d8bd269c74969af09a5ba89c8f1bdcc43eefae7561 ncurses-6.0-20170701.tgz" +sha512sums="01a30d217a6328db197b68385cd7a16ed45f42589b7fd49271c30c475300ae97cc377811df3dd95fe7d1855c0978291a7ae0c2f5ee9a14a96cc2a6b8972b4ddc ncurses-6.0-20170701.tgz" diff --git a/main/ncurses/CVE-2017-10684-10685.patch b/main/ncurses/CVE-2017-10684-10685.patch deleted file mode 100644 index 1f1b26801d4..00000000000 --- a/main/ncurses/CVE-2017-10684-10685.patch +++ /dev/null @@ -1,200 +0,0 @@ -Fix CVE-2017-10684 and CVE-2017-10685: - -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685 - -Bug reports included proof of concept reproducer inputs: - -https://bugzilla.redhat.com/show_bug.cgi?id=1464684 -https://bugzilla.redhat.com/show_bug.cgi?id=1464685 -https://bugzilla.redhat.com/show_bug.cgi?id=1464686 -https://bugzilla.redhat.com/show_bug.cgi?id=1464687 -https://bugzilla.redhat.com/show_bug.cgi?id=1464688 -https://bugzilla.redhat.com/show_bug.cgi?id=1464691 -https://bugzilla.redhat.com/show_bug.cgi?id=1464692 - -Patches copied from ncurses patch release 20170701: - -ftp://invisible-island.net/ncurses/6.0/ncurses-6.0-20170701.patch.gz - -Excerpt from patch release announcement: - - + add/improve checks in tic's parser to address invalid input - (Redhat #1464684, #1464685, #1464686, #1464691). - + alloc_entry.c, add a check for a null-pointer. - + parse_entry.c, add several checks for valid pointers as well as - one check to ensure that a single character on a line is not - treated as the 2-character termcap short-name. - + the fixes for Redhat #1464685 obscured a problem subsequently - reported in Redhat #1464687; the given test-case was no longer - reproducible. Testing without the fixes for the earlier reports - showed a problem with buffer overflow in dump_entry.c, which is - addressed by reducing the use of a fixed-size buffer. - -https://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00001.html - ---- ncurses-6.0-20170624+/ncurses/tinfo/alloc_entry.c 2017-04-09 23:33:51.000000000 +0000 -+++ ncurses-6.0-20170701/ncurses/tinfo/alloc_entry.c 2017-06-27 23:48:55.000000000 +0000 -@@ -96,7 +96,11 @@ - { - char *result = 0; - size_t old_next_free = next_free; -- size_t len = strlen(string) + 1; -+ size_t len; -+ -+ if (string == 0) -+ return _nc_save_str(""); -+ len = strlen(string) + 1; - - if (len == 1 && next_free != 0) { - /* ---- ncurses-6.0-20170624+/ncurses/tinfo/parse_entry.c 2017-06-24 22:59:46.000000000 +0000 -+++ ncurses-6.0-20170701/ncurses/tinfo/parse_entry.c 2017-06-28 00:53:12.000000000 +0000 -@@ -236,13 +236,14 @@ - * implemented it. Note that the resulting terminal type was never the - * 2-character name, but was instead the first alias after that. - */ -+#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|') - ptr = _nc_curr_token.tk_name; - if (_nc_syntax == SYN_TERMCAP - #if NCURSES_XNAMES - && !_nc_user_definable - #endif - ) { -- if (ptr[2] == '|') { -+ if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) { - ptr += 3; - _nc_curr_token.tk_name[2] = '\0'; - } -@@ -284,9 +285,11 @@ - if (is_use || is_tc) { - entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring); - entryp->uses[entryp->nuses].line = _nc_curr_line; -- entryp->nuses++; -- if (entryp->nuses > 1 && is_tc) { -- BAD_TC_USAGE -+ if (VALID_STRING(entryp->uses[entryp->nuses].name)) { -+ entryp->nuses++; -+ if (entryp->nuses > 1 && is_tc) { -+ BAD_TC_USAGE -+ } - } - } else { - /* normal token lookup */ -@@ -588,7 +591,7 @@ - static void - append_acs(string_desc * dst, int code, char *src) - { -- if (src != 0 && strlen(src) == 1) { -+ if (VALID_STRING(src) && strlen(src) == 1) { - append_acs0(dst, code, *src); - } - } -@@ -849,15 +852,14 @@ - } - - if (tp->Strings[to_ptr->nte_index]) { -+ const char *s = tp->Strings[from_ptr->nte_index]; -+ const char *t = tp->Strings[to_ptr->nte_index]; - /* There's no point in warning about it if it's the same - * string; that's just an inefficiency. - */ -- if (strcmp( -- tp->Strings[from_ptr->nte_index], -- tp->Strings[to_ptr->nte_index]) != 0) -+ if (VALID_STRING(s) && VALID_STRING(t) && strcmp(s, t) != 0) - _nc_warning("%s (%s) already has an explicit value %s, ignoring ko", -- ap->to, ap->from, -- _nc_visbuf(tp->Strings[to_ptr->nte_index])); -+ ap->to, ap->from, t); - continue; - } - ---- ncurses-6.0-20170624+/progs/dump_entry.c 2017-06-23 22:47:43.000000000 +0000 -+++ ncurses-6.0-20170701/progs/dump_entry.c 2017-07-01 11:27:29.000000000 +0000 -@@ -841,9 +841,10 @@ - PredIdx num_strings = 0; - bool outcount = 0; - --#define WRAP_CONCAT \ -- wrap_concat(buffer); \ -- outcount = TRUE -+#define WRAP_CONCAT1(s) wrap_concat(s); outcount = TRUE -+#define WRAP_CONCAT2(a,b) wrap_concat(a); WRAP_CONCAT1(b) -+#define WRAP_CONCAT3(a,b,c) wrap_concat(a); WRAP_CONCAT2(b,c) -+#define WRAP_CONCAT WRAP_CONCAT1(buffer) - - len = 12; /* terminfo file-header */ - -@@ -1007,9 +1008,9 @@ - set_attributes = save_sgr; - - trimmed_sgr0 = _nc_trim_sgr0(tterm); -- if (strcmp(capability, trimmed_sgr0)) -+ if (strcmp(capability, trimmed_sgr0)) { - capability = trimmed_sgr0; -- else { -+ } else { - if (trimmed_sgr0 != exit_attribute_mode) - free(trimmed_sgr0); - } -@@ -1046,13 +1047,21 @@ - _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer)) - "%s=!!! %s WILL NOT CONVERT !!!", - name, srccap); -+ WRAP_CONCAT; - } else if (suppress_untranslatable) { - continue; - } else { - char *s = srccap, *d = buffer; -- _nc_SPRINTF(d, _nc_SLIMIT(sizeof(buffer)) "..%s=", name); -- d += strlen(d); -+ WRAP_CONCAT3("..", name, "="); - while ((*d = *s++) != 0) { -+ if ((d - buffer - 1) >= (int) sizeof(buffer)) { -+ fprintf(stderr, -+ "%s: value for %s is too long\n", -+ _nc_progname, -+ name); -+ *d = '\0'; -+ break; -+ } - if (*d == ':') { - *d++ = '\\'; - *d = ':'; -@@ -1061,13 +1070,12 @@ - } - d++; - } -+ WRAP_CONCAT; - } - } else { -- _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer)) -- "%s=%s", name, cv); -+ WRAP_CONCAT3(name, "=", cv); - } - len += (int) strlen(capability) + 1; -- WRAP_CONCAT; - } else { - char *src = _nc_tic_expand(capability, - outform == F_TERMINFO, numbers); -@@ -1083,8 +1091,7 @@ - strcpy_DYN(&tmpbuf, src); - } - len += (int) strlen(capability) + 1; -- wrap_concat(tmpbuf.text); -- outcount = TRUE; -+ WRAP_CONCAT1(tmpbuf.text); - } - } - /* e.g., trimmed_sgr0 */ -@@ -1526,7 +1533,8 @@ - } - if (len > critlen) { - (void) fprintf(stderr, -- "warning: %s entry is %d bytes long\n", -+ "%s: %s entry is %d bytes long\n", -+ _nc_progname, - _nc_first_name(tterm->term_names), - len); - SHOW_WHY("# WARNING: this entry, %d bytes long, may core-dump %s libraries!\n", |