diff --git a/CVE-2019-17594.patch b/CVE-2019-17594.patch new file mode 100644 index 0000000..8bc4175 --- /dev/null +++ b/CVE-2019-17594.patch @@ -0,0 +1,39 @@ +From e414438ddee26bcb081881d035dc9e247ddba0c3 Mon Sep 17 00:00:00 2001 +Date: Wed, 16 Oct 2019 11:01:37 +0800 +Subject: [PATCH] ncurses: fix CVE-2019-17594 + +reason:fix CVE-2019-17594 +check for invalid hashcode in _nc_find_entry + +CVE-2019-17594 reference: +http://invisible-mirror.net/archives/ncurses/6.1/ncurses-6.1-20191012.patch.gz +--- + ncurses/tinfo/comp_hash.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c +index 959c6e1..4183f68 100644 +--- a/ncurses/tinfo/comp_hash.c ++++ b/ncurses/tinfo/comp_hash.c +@@ -63,7 +63,9 @@ _nc_find_entry(const char *string, + + hashvalue = data->hash_of(string); + +- if (data->table_data[hashvalue] >= 0) { ++ if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { + + real_table = _nc_get_table(termcap); + ptr = real_table + data->table_data[hashvalue]; +@@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string, + const HashData *data = _nc_get_hash_info(termcap); + int hashvalue = data->hash_of(string); + +- if (data->table_data[hashvalue] >= 0) { ++ if (hashvalue >= 0 ++ && (unsigned) hashvalue < data->table_size ++ && data->table_data[hashvalue] >= 0) { + const struct name_table_entry *const table = _nc_get_table(termcap); + + ptr = table + data->table_data[hashvalue]; diff --git a/CVE-2019-17595.patch b/CVE-2019-17595.patch new file mode 100644 index 0000000..e1951f1 --- /dev/null +++ b/CVE-2019-17595.patch @@ -0,0 +1,37 @@ +From 07d64f8350b0c0f04ef7f3a43349c188acb4ddd8 Mon Sep 17 00:00:00 2001 +Date: Wed, 16 Oct 2019 11:20:17 +0800 +Subject: [PATCH] ncurses: fix CVE-2019-17595 + +reason: fix CVE-2019-17595 +check for missing character after backslash in fmt_entry + +CVE-2019-17595 reference: +http://invisible-mirror.net/archives/ncurses/6.1/ncurses-6.1-20191012.patch.g +z +--- + progs/dump_entry.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/progs/dump_entry.c b/progs/dump_entry.c +index 3b1fcb1..67ff5f4 100644 +--- a/progs/dump_entry.c ++++ b/progs/dump_entry.c +@@ -1110,7 +1110,8 @@ fmt_entry(TERMTYPE2 *tterm, + *d++ = '\\'; + *d = ':'; + } else if (*d == '\\') { +- *++d = *s++; ++ if ((*++d = *s++) == '\0') ++ break; + } + d++; + *d = '\0'; +@@ -1370,7 +1371,7 @@ one_one_mapping(const char *mapping) + + if (VALID_STRING(mapping)) { + int n = 0; +- while (mapping[n] != '\0') { ++ while (mapping[n] != '\0' && mapping[n + 1] != '\0') { + if (isLine(mapping[n]) && + mapping[n] != mapping[n + 1]) { + result = FALSE; diff --git a/ncurses.spec b/ncurses.spec index cacfe3d..7a8b4ef 100644 --- a/ncurses.spec +++ b/ncurses.spec @@ -1,7 +1,7 @@ %global revision 20180923 Name: ncurses Version: 6.1 -Release: 11 +Release: 12 Summary: Terminal control library License: MIT URL: https://invisible-island.net/ncurses/ncurses.html @@ -11,6 +11,10 @@ Patch8: ncurses-config.patch Patch9: ncurses-libs.patch Patch11: ncurses-urxvt.patch Patch12: ncurses-kbs.patch + +Patch6000: CVE-2019-17594.patch +Patch6001: CVE-2019-17595.patch + BuildRequires: gcc gcc-c++ gpm-devel pkgconfig Obsoletes: ncurses < 5.6-13 @@ -201,6 +205,12 @@ bzip2 NEWS %changelog +* Sat Dec 21 2019 openEuler Buildteam - 6.1-12 +- Type:cves +- ID:CVE-2019-17594 CVE-2019-17595 +- SUG:NA +- DESC:fix CVE-2019-17594 and CVE-2019-17595 + * Wed Oct 30 2019 shenyangyang - 6.1-11 - Type:enhancement - ID:NA @@ -211,7 +221,6 @@ bzip2 NEWS - Type:enhancement - ID:NA - SUG:NA -- DESC:add ncurses-compat-libs%{?isa} that required by redhat-lsb-core - +- DESC:add ncurses-compat-libs%{?isa} * Wed Sep 18 2019 openEuler Buildteam - 6.1-9 - Package init