fix CVE-2023-45918

2024-01-30 08:25:28 +00:00 · 2024-01-30 08:25:28 +00:00 · 8481c89d7a
commit 8481c89d7a
parent bd71516580
2 changed files with 202 additions and 1 deletions
--- a/backport-CVE-2023-45918.patch
+++ b/backport-CVE-2023-45918.patch
@ -0,0 +1,194 @@
 From 6107f670972c4bb79b5f8cfb1f12cc037271a7ee Mon Sep 17 00:00:00 2001
 From: "Thomas E. Dickey" <dickey@invisible-island.net>
 Date: Thu, 15 Jun 2023 20:51:06 +0000
 Subject: [PATCH] snapshot of project "ncurses", label v6_4_20230615
 Conflict:remove unnecessary modifications
 Reference:https://github.com/ThomasDickey/ncurses-snapshots/commit/6107f670972c4bb79b5f8cfb1f12cc037271a7ee
 ---
 ncurses/tinfo/comp_error.c       | 17 +++++---
 ncurses/tinfo/read_entry.c       | 67 ++++++++++++++++++++++----------
 2 files changed, 57 insertions(+), 27 deletions(-)
 diff --git a/ncurses/tinfo/comp_error.c b/ncurses/tinfo/comp_error.c
 index aa745a6df..3e6b4022a 100644
 --- a/ncurses/tinfo/comp_error.c
 +++ b/ncurses/tinfo/comp_error.c
@@ -42,7 +42,7 @@
 #include <tic.h>
 -MODULE_ID("$Id: comp_error.c,v 1.40 2020/02/02 23:34:34 tom Exp $")
 +MODULE_ID("$Id: comp_error.c,v 1.44 2023/06/15 20:27:02 tom Exp $")
 NCURSES_EXPORT_VAR(bool) _nc_suppress_warnings = FALSE;
 NCURSES_EXPORT_VAR(int) _nc_curr_line = 0; /* current line # in input */
@@ -60,8 +60,15 @@ _nc_get_source(void)
 NCURSES_EXPORT(void)
 _nc_set_source(const char *const name)
 {
 -    FreeIfNeeded(SourceName);
 -    SourceName = strdup(name);
 +    if (name == NULL) {
 +	free(SourceName);
 +	SourceName = NULL;
 +    } else if (SourceName == NULL) {
 +	SourceName = strdup(name);
 +    } else if (strcmp(name, SourceName)) {
 +	free(SourceName);
 +	SourceName = strdup(name);
 +    }
 }
 NCURSES_EXPORT(void)
@@ -95,9 +102,9 @@ static NCURSES_INLINE void
 where_is_problem(void)
 {
     fprintf(stderr, "\"%s\"", SourceName ? SourceName : "?");
 -    if (_nc_curr_line >= 0)
 +    if (_nc_curr_line > 0)
 	fprintf(stderr, ", line %d", _nc_curr_line);
 -    if (_nc_curr_col >= 0)
 +    if (_nc_curr_col > 0)
 	fprintf(stderr, ", col %d", _nc_curr_col);
     if (TermType != 0 && TermType[0] != '\0')
 	fprintf(stderr, ", terminal '%s'", TermType);
 diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
 index 87e422aee..762c6c68c 100644
 --- a/ncurses/tinfo/read_entry.c
 +++ b/ncurses/tinfo/read_entry.c
@@ -42,7 +42,7 @@
 #include <tic.h>
 -MODULE_ID("$Id: read_entry.c,v 1.164 2022/05/08 00:11:44 tom Exp $")
 +MODULE_ID("$Id: read_entry.c,v 1.169 2023/06/15 20:51:06 tom Exp $")
 #define MyNumber(n) (short) LOW_MSB(n)
@@ -138,12 +138,13 @@ convert_16bits(char *buf, NCURSES_INT2 *Numbers, int count)
 }
 #endif
 -static void
 -convert_strings(char *buf, char **Strings, int count, int size, char *table)
 +static bool
 +convert_strings(char *buf, char **Strings, int count, int size,
 +		char *table, bool always)
 {
     int i;
     char *p;
 -    bool corrupt = FALSE;
 +    bool success = TRUE;
     for (i = 0; i < count; i++) {
 	if (IS_NEG1(buf + 2 * i)) {
@@ -159,13 +160,10 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
 		TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
 				    _nc_visbuf(Strings[i])));
 	    } else {
 -		if (!corrupt) {
 -		    corrupt = TRUE;
 -		    TR(TRACE_DATABASE,
 -		       ("ignore out-of-range index %d to Strings[]", nn));
 -		    _nc_warning("corrupt data found in convert_strings");
 -		}
 -		Strings[i] = ABSENT_STRING;
 +		TR(TRACE_DATABASE,
 +		   ("found out-of-range index %d to Strings[%d]", nn, i));
 +		success = FALSE;
 +		break;
 	    }
 	}
@@ -175,10 +173,25 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
 		if (*p == '\0')
 		    break;
 	    /* if there is no NUL, ignore the string */
 -	    if (p >= table + size)
 +	    if (p >= table + size) {
 		Strings[i] = ABSENT_STRING;
 +	    } else if (p == Strings[i] && always) {
 +		TR(TRACE_DATABASE,
 +		   ("found empty but required Strings[%d]", i));
 +		success = FALSE;
 +		break;
 +	    }
 +	} else if (always) {	/* names are always needed */
 +	    TR(TRACE_DATABASE,
 +	       ("found invalid but required Strings[%d]", i));
 +	    success = FALSE;
 +	    break;
 	}
     }
 +    if (!success) {
 +	_nc_warning("corrupt data found in convert_strings");
 +    }
 +    return success;
 }
 static int
@@ -382,7 +395,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
 	if (Read(string_table, (unsigned) str_size) != str_size) {
 	    returnDB(TGETENT_NO);
 	}
 -	convert_strings(buf, ptr->Strings, str_count, str_size, string_table);
 +	if (!convert_strings(buf, ptr->Strings, str_count, str_size,
 +			     string_table, FALSE)) {
 +	    returnDB(TGETENT_NO);
 +	}
     }
 #if NCURSES_XNAMES
@@ -483,8 +499,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
 	       ("Before computing extended-string capabilities "
 		"str_count=%d, ext_str_count=%d",
 		str_count, ext_str_count));
 -	    convert_strings(buf, ptr->Strings + str_count, ext_str_count,
 -			    ext_str_limit, ptr->ext_str_table);
 +	    if (!convert_strings(buf, ptr->Strings + str_count, ext_str_count,
 +				 ext_str_limit, ptr->ext_str_table, FALSE)) {
 +		returnDB(TGETENT_NO);
 +	    }
 	    for (i = ext_str_count - 1; i >= 0; i--) {
 		TR(TRACE_DATABASE, ("MOVE from [%d:%d] %s",
 				    i, i + str_count,
@@ -516,10 +534,13 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
 	    TR(TRACE_DATABASE,
 	       ("ext_NAMES starting @%d in extended_strings, first = %s",
 		base, _nc_visbuf(ptr->ext_str_table + base)));
 -	    convert_strings(buf + (2 * ext_str_count),
 -			    ptr->ext_Names,
 -			    (int) need,
 -			    ext_str_limit, ptr->ext_str_table + base);
 +	    if (!convert_strings(buf + (2 * ext_str_count),
 +				 ptr->ext_Names,
 +				 (int) need,
 +				 ext_str_limit, ptr->ext_str_table + base,
 +				 TRUE)) {
 +		returnDB(TGETENT_NO);
 +	    }
 	}
 	TR(TRACE_DATABASE,
@@ -572,13 +593,17 @@ _nc_read_file_entry(const char *const filename, TERMTYPE2 *ptr)
 	int limit;
 	char buffer[MAX_ENTRY_SIZE + 1];
 -	if ((limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp))
 -	    > 0) {
 +	limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp);
 +	if (limit > 0) {
 +	    const char *old_source = _nc_get_source();
 	    TR(TRACE_DATABASE, ("read terminfo %s", filename));
 +	    if (old_source == NULL)
 +		_nc_set_source(filename);
 	    if ((code = _nc_read_termtype(ptr, buffer, limit)) == TGETENT_NO) {
 		_nc_free_termtype2(ptr);
 	    }
 +	    _nc_set_source(old_source);
 	} else {
 	    code = TGETENT_NO;
 	}
--- a/ncurses.spec
+++ b/ncurses.spec
@ -6,7 +6,7 @@
 name:          ncurses
 Version:       6.4
-Release:       6
+Release:       7
 Summary:       Terminal control library
 License:       MIT
 URL:           https://invisible-island.net/ncurses/ncurses.html
@ -21,6 +21,7 @@ Patch14:       backport-0002-CVE-2023-29491-env-access.patch
 Patch15:       backport-fix-for-out-of-memory-condition.patch
 Patch16:       backport-fix-coredump-when-use-Memmove.patch
 Patch17:       backport-CVE-2023-50495.patch
 Patch18:       backport-CVE-2023-45918.patch
 BuildRequires: make gcc gcc-c++ gpm-devel pkgconfig
@ -278,6 +279,12 @@ xz NEWS
 %endif
 %changelog
 * Tue Jan 30 2024 yanglu <yanglu72@h-partners.com> - 6.4-7
 - Type:CVE
 - CVE:CVE-2023-45918
 - SUG:NA
 - DESC:fix CVE-2023-45918
 * Fri Dec 15 2023 yanglu <yanglu72@huawei.com> - 6.4-6
 - Type:CVE
 - CVE:CVE-2023-50495