From be1fa980b5a73036a2be94ab8a345c858b577844 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 26 Jun 2025 11:40:24 +0200 Subject: [PATCH] guard against corrupt terminfo data in string conversion (CVE-2022-29458 RHEL-100135) Resolves: CVE-2022-29458 RHEL-100135 --- ncurses-cve-2022-29458.patch | 77 ++++++++++++++++++++++++++++++++++++ ncurses.spec | 2 + 2 files changed, 79 insertions(+) create mode 100644 ncurses-cve-2022-29458.patch diff --git a/ncurses-cve-2022-29458.patch b/ncurses-cve-2022-29458.patch new file mode 100644 index 0000000..f207350 --- /dev/null +++ b/ncurses-cve-2022-29458.patch @@ -0,0 +1,77 @@ +diff -up ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c.cve-2022-29458 ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c +--- ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c.cve-2022-29458 2021-05-05 01:15:34.000000000 +0200 ++++ ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c 2025-06-25 16:26:30.667252829 +0200 +@@ -53,8 +53,6 @@ MODULE_ID("$Id: alloc_entry.c,v 1.65 202 + #define ABSENT_OFFSET -1 + #define CANCELLED_OFFSET -2 + +-#define MAX_STRTAB 4096 /* documented maximum entry size */ +- + static char *stringbuf; /* buffer for string capabilities */ + static size_t next_free; /* next free character in stringbuf */ + +@@ -72,7 +70,7 @@ _nc_init_entry(ENTRY * const tp) + #endif + + if (stringbuf == 0) +- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf); ++ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf); + + next_free = 0; + +@@ -108,11 +106,11 @@ _nc_save_str(const char *const string) + * Cheat a little by making an empty string point to the end of the + * previous string. + */ +- if (next_free < MAX_STRTAB) { ++ if (next_free < MAX_ENTRY_SIZE) { + result = (stringbuf + next_free - 1); + } +- } else if (next_free + len < MAX_STRTAB) { +- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB); ++ } else if (next_free + len < MAX_ENTRY_SIZE) { ++ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE); + DEBUG(7, ("Saved string %s", _nc_visbuf(string))); + DEBUG(7, ("at location %d", (int) next_free)); + next_free += len; +diff -up ncurses-6.2-20210508/ncurses/tinfo/read_entry.c.cve-2022-29458 ncurses-6.2-20210508/ncurses/tinfo/read_entry.c +--- ncurses-6.2-20210508/ncurses/tinfo/read_entry.c.cve-2022-29458 2025-06-25 16:19:46.663763114 +0200 ++++ ncurses-6.2-20210508/ncurses/tinfo/read_entry.c 2025-06-25 16:19:46.668872395 +0200 +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2018-2020,2021 Thomas E. Dickey * ++ * Copyright 2018-2021,2022 Thomas E. Dickey * + * Copyright 1998-2016,2017 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -145,6 +145,7 @@ convert_strings(char *buf, char **String + { + int i; + char *p; ++ bool corrupt = FALSE; + + for (i = 0; i < count; i++) { + if (IS_NEG1(buf + 2 * i)) { +@@ -154,8 +155,20 @@ convert_strings(char *buf, char **String + } else if (MyNumber(buf + 2 * i) > size) { + Strings[i] = ABSENT_STRING; + } else { +- Strings[i] = (MyNumber(buf + 2 * i) + table); +- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i]))); ++ int nn = MyNumber(buf + 2 * i); ++ if (nn >= 0 && nn < size) { ++ Strings[i] = (nn + table); ++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i, ++ _nc_visbuf(Strings[i]))); ++ } else { ++ if (!corrupt) { ++ corrupt = TRUE; ++ TR(TRACE_DATABASE, ++ ("ignore out-of-range index %d to Strings[]", nn)); ++ _nc_warning("corrupt data found in convert_strings"); ++ } ++ Strings[i] = ABSENT_STRING; ++ } + } + + /* make sure all strings are NUL terminated */ diff --git a/ncurses.spec b/ncurses.spec index f6a1b87..84c0119 100644 --- a/ncurses.spec +++ b/ncurses.spec @@ -15,6 +15,7 @@ Patch11: ncurses-urxvt.patch Patch12: ncurses-kbs.patch Patch13: ncurses-cve-2023-29491.patch Patch14: ncurses-setuid.patch +Patch15: ncurses-cve-2022-29458.patch BuildRequires: gcc gcc-c++ gpm-devel gnupg2 make pkgconfig Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -118,6 +119,7 @@ The ncurses-static package includes static libraries of the ncurses library. %patch12 -p1 -b .kbs %patch13 -p1 -b .cve-2023-29491 %patch14 -p1 -b .setuid +%patch15 -p1 -b .cve-2022-29458 for f in ANNOUNCE; do iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&