authorNatanael Copa <ncopa@alpinelinux.org>2021-12-08 12:46:35 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2021-12-08 12:46:35 +0100
commitca9c7d10bb3ca7a0095b3848ae13703b73d7bed8 (patch)
treedc1d911526573b3053b8aa8fa6608be51f55d8c7
parentc6a9183bf4a6712ac4cb081bb388d2a7dbbc2685 (diff)
main/ncurses: backport fix for CVE-2021-39537
ref: http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/Attic/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup
upstream commit: https://github.com/ThomasDickey/ncurses-snapshots/commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b
-rw-r--r--main/ncurses/APKBUILD10
-rw-r--r--main/ncurses/CVE-2021-39537.patch26
2 files changed, 32 insertions, 4 deletions
diff --git a/main/ncurses/APKBUILD b/main/ncurses/APKBUILD
index 803804b735..62557c5ecf 100644
--- a/main/ncurses/APKBUILD
+++ b/main/ncurses/APKBUILD
@@ -2,7 +2,7 @@
pkgname=ncurses
pkgver=6.2_p20200523
_ver=${pkgver/_p/-}
-pkgrel=0
+pkgrel=1
pkgdesc="Console display library"
url="https://invisible-island.net/ncurses/"
arch="all"
@@ -11,11 +11,12 @@ license="MIT"
makedepends_build="ncurses"
subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-libs
$pkgname-terminfo-base:base:noarch $pkgname-terminfo:terminfo:noarch"
-source="https://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz"
+source="https://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz
+ CVE-2021-39537.patch"
builddir="$srcdir"/ncurses-$_ver
# secfixes:
-# 6.2_p20200530-r0:
+# 6.2_p20200523-r1:
# - CVE-2021-39537
# 6.1_p20180414-r0:
# - CVE-2018-10754
@@ -112,4 +113,5 @@ static() {
mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/
}
-sha512sums="bcfee078ba4b4152909aad636dc6e354a9a0499e228db4c710d73d171fa73e208b4e62f403e0f90d16f8e367414bf2b6297f1acd47d9ba58e60b88d560862fb4 ncurses-6.2-20200523.tgz"
+sha512sums="bcfee078ba4b4152909aad636dc6e354a9a0499e228db4c710d73d171fa73e208b4e62f403e0f90d16f8e367414bf2b6297f1acd47d9ba58e60b88d560862fb4 ncurses-6.2-20200523.tgz
+8019db1f739c5e8ad0078d8266875bb1132a063406403ff1fd0686b6650eccd44cc3381a16adf89f3476fdf708bbac73cb29cf1fb48c28ab224637869c1e7714 CVE-2021-39537.patch"
diff --git a/main/ncurses/CVE-2021-39537.patch b/main/ncurses/CVE-2021-39537.patch
new file mode 100644
index 0000000000..f37cca2145
--- /dev/null
+++ b/main/ncurses/CVE-2021-39537.patch
@@ -0,0 +1,26 @@
+$NetBSD: patch-ncurses_tinfo_captoinfo.c,v 1.1 2021/10/09 07:52:36 wiz Exp $
+
+Fix for CVE-2021-39537 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b#diff-7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340
+
+--- ./ncurses/tinfo/captoinfo.c.orig 2020-02-02 23:34:34.000000000 +0000
++++ ./ncurses/tinfo/captoinfo.c
+@@ -216,12 +216,15 @@ cvtchar(register const char *sp)
+ }
+ break;
+ case '^':
++ len = 2;
+ c = UChar(*++sp);
+- if (c == '?')
++ if (c == '?') {
+ c = 127;
+- else
++ } else if (c == '\0') {
++ len = 1;
++ } else {
+ c &= 0x1f;
+- len = 2;
++ }
+ break;
+ default:
+ c = UChar(*sp);
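Review bot: The new `else if (c == '\0')` branch under `case '^':` carries no comment, yet it is the entire fix: a caret that is the last byte of the string has to be counted as one consumed character instead of two, presumably because the caller advances by `len`. I would add `/* '^' at end of string: consume only the caret so the scan stops on the terminator */` above `len = 1;`. In that branch `c` stays 0 and flows on to whatever follows the switch, so it is worth confirming that a zero value is handled sensibly there. The switch and the rest of `cvtchar` continue outside this hunk, and the case just above `case '^':` begins outside it, so whether that case guards the end of the string the same way cannot be checked from here.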