From 10c3d010bf04c697f8cfbd2327a58b850d6cb0ac Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Tue, 5 Aug 2025 08:38:43 +0000
Subject: [PATCH] import UBI ncurses-6.2-10.20210508.el9_6.2

---
 SOURCES/ncurses-cve-2022-29458.patch | 77 ++++++++++++++++++++++++++++
 SPECS/ncurses.spec                   | 16 +++---
 2 files changed, 87 insertions(+), 6 deletions(-)
 create mode 100644 SOURCES/ncurses-cve-2022-29458.patch

diff --git a/SOURCES/ncurses-cve-2022-29458.patch b/SOURCES/ncurses-cve-2022-29458.patch
new file mode 100644
index 0000000..f207350
--- /dev/null
+++ b/SOURCES/ncurses-cve-2022-29458.patch
@@ -0,0 +1,77 @@
+diff -up ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c.cve-2022-29458 ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c
+--- ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c.cve-2022-29458	2021-05-05 01:15:34.000000000 +0200
++++ ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c	2025-06-25 16:26:30.667252829 +0200
+@@ -53,8 +53,6 @@ MODULE_ID("$Id: alloc_entry.c,v 1.65 202
+ #define ABSENT_OFFSET    -1
+ #define CANCELLED_OFFSET -2
+ 
+-#define MAX_STRTAB	4096	/* documented maximum entry size */
+-
+ static char *stringbuf;		/* buffer for string capabilities */
+ static size_t next_free;	/* next free character in stringbuf */
+ 
+@@ -72,7 +70,7 @@ _nc_init_entry(ENTRY * const tp)
+ #endif
+ 
+     if (stringbuf == 0)
+-	TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
++	TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
+ 
+     next_free = 0;
+ 
+@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
+ 	 * Cheat a little by making an empty string point to the end of the
+ 	 * previous string.
+ 	 */
+-	if (next_free < MAX_STRTAB) {
++	if (next_free < MAX_ENTRY_SIZE) {
+ 	    result = (stringbuf + next_free - 1);
+ 	}
+-    } else if (next_free + len < MAX_STRTAB) {
+-	_nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
++    } else if (next_free + len < MAX_ENTRY_SIZE) {
++	_nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
+ 	DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
+ 	DEBUG(7, ("at location %d", (int) next_free));
+ 	next_free += len;
+diff -up ncurses-6.2-20210508/ncurses/tinfo/read_entry.c.cve-2022-29458 ncurses-6.2-20210508/ncurses/tinfo/read_entry.c
+--- ncurses-6.2-20210508/ncurses/tinfo/read_entry.c.cve-2022-29458	2025-06-25 16:19:46.663763114 +0200
++++ ncurses-6.2-20210508/ncurses/tinfo/read_entry.c	2025-06-25 16:19:46.668872395 +0200
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright 2018-2020,2021 Thomas E. Dickey                                *
++ * Copyright 2018-2021,2022 Thomas E. Dickey                                *
+  * Copyright 1998-2016,2017 Free Software Foundation, Inc.                  *
+  *                                                                          *
+  * Permission is hereby granted, free of charge, to any person obtaining a  *
+@@ -145,6 +145,7 @@ convert_strings(char *buf, char **String
+ {
+     int i;
+     char *p;
++    bool corrupt = FALSE;
+ 
+     for (i = 0; i < count; i++) {
+ 	if (IS_NEG1(buf + 2 * i)) {
+@@ -154,8 +155,20 @@ convert_strings(char *buf, char **String
+ 	} else if (MyNumber(buf + 2 * i) > size) {
+ 	    Strings[i] = ABSENT_STRING;
+ 	} else {
+-	    Strings[i] = (MyNumber(buf + 2 * i) + table);
+-	    TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
++	    int nn = MyNumber(buf + 2 * i);
++	    if (nn >= 0 && nn < size) {
++		Strings[i] = (nn + table);
++		TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
++				    _nc_visbuf(Strings[i])));
++	    } else {
++		if (!corrupt) {
++		    corrupt = TRUE;
++		    TR(TRACE_DATABASE,
++		       ("ignore out-of-range index %d to Strings[]", nn));
++		    _nc_warning("corrupt data found in convert_strings");
++		}
++		Strings[i] = ABSENT_STRING;
++	    }
+ 	}
+ 
+ 	/* make sure all strings are NUL terminated */
diff --git a/SPECS/ncurses.spec b/SPECS/ncurses.spec
index f6a1b87..a1b191d 100644
--- a/SPECS/ncurses.spec
+++ b/SPECS/ncurses.spec
@@ -2,7 +2,7 @@
 Summary: Ncurses support utilities
 Name: ncurses
 Version: 6.2
-Release: 10.%{revision}%{?dist}
+Release: 10.%{revision}%{?dist}.2
 License: MIT
 URL: https://invisible-island.net/ncurses/ncurses.html
 Source0: https://invisible-mirror.net/archives/ncurses/current/ncurses-%{version}-%{revision}.tgz
@@ -15,6 +15,7 @@ Patch11: ncurses-urxvt.patch
 Patch12: ncurses-kbs.patch
 Patch13: ncurses-cve-2023-29491.patch
 Patch14: ncurses-setuid.patch
+Patch15: ncurses-cve-2022-29458.patch
 BuildRequires: gcc gcc-c++ gpm-devel gnupg2 make pkgconfig
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -118,11 +119,7 @@ The ncurses-static package includes static libraries of the ncurses library.
 %patch12 -p1 -b .kbs
 %patch13 -p1 -b .cve-2023-29491
 %patch14 -p1 -b .setuid
-
-for f in ANNOUNCE; do
-    iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&
-        touch -r ${f}{,_} && mv -f ${f}{_,}
-done
+%patch15 -p1 -b .cve-2022-29458
 
 %build
 common_options="\
@@ -286,6 +283,13 @@ xz NEWS
 %{_libdir}/lib*.a
 
 %changelog
+* Thu Jul 10 2025 Miroslav Lichvar <mlichvar@redhat.com> 6.2-10.20210508.el9_6.2
+- remove execute permissions from ANNOUNCE file (RHEL-102738)
+
+* Thu Jun 26 2025 Miroslav Lichvar <mlichvar@redhat.com> 6.2-10.20210508.el9_6.1
+- guard against corrupt terminfo data in string conversion (CVE-2022-29458
+  RHEL-100139)
+
 * Mon Aug 21 2023 Miroslav Lichvar <mlichvar@redhat.com> 6.2-10.20210508
 - ignore TERMINFO and HOME only if setuid/setgid/capability (#2211666)