rpms/ncurses
6
0
Fork 0
Code Issues Pull Requests Releases Activity

guard against corrupt terminfo data in string conversion (CVE-2022-29458 RHEL-100135)

Browse Source 
Resolves: CVE-2022-29458 RHEL-100135
This commit is contained in:
Miroslav Lichvar 2025-06-26 11:40:24 +02:00
parent 98deb1ab40
commit be1fa980b5
2 changed files with 79 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
ncurses-cve-2022-29458.patch Normal file
View File

@ -0,0 +1,77 @@
diff -up ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c.cve-2022-29458 ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c
--- ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c.cve-2022-29458 2021-05-05 01:15:34.000000000 +0200
+++ ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c 2025-06-25 16:26:30.667252829 +0200
@@ -53,8 +53,6 @@ MODULE_ID("$Id: alloc_entry.c,v 1.65 202
#define ABSENT_OFFSET -1
#define CANCELLED_OFFSET -2
-#define MAX_STRTAB 4096 /* documented maximum entry size */
-
static char *stringbuf; /* buffer for string capabilities */
static size_t next_free; /* next free character in stringbuf */
@@ -72,7 +70,7 @@ _nc_init_entry(ENTRY * const tp)
#endif
if (stringbuf == 0)
- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
+ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
next_free = 0;
@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
* Cheat a little by making an empty string point to the end of the
* previous string.
*/
- if (next_free < MAX_STRTAB) {
+ if (next_free < MAX_ENTRY_SIZE) {
result = (stringbuf + next_free - 1);
}
- } else if (next_free + len < MAX_STRTAB) {
- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
+ } else if (next_free + len < MAX_ENTRY_SIZE) {
+ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
DEBUG(7, ("at location %d", (int) next_free));
next_free += len;
diff -up ncurses-6.2-20210508/ncurses/tinfo/read_entry.c.cve-2022-29458 ncurses-6.2-20210508/ncurses/tinfo/read_entry.c
--- ncurses-6.2-20210508/ncurses/tinfo/read_entry.c.cve-2022-29458 2025-06-25 16:19:46.663763114 +0200
+++ ncurses-6.2-20210508/ncurses/tinfo/read_entry.c 2025-06-25 16:19:46.668872395 +0200
@@ -1,5 +1,5 @@
/****************************************************************************
- * Copyright 2018-2020,2021 Thomas E. Dickey *
+ * Copyright 2018-2021,2022 Thomas E. Dickey *
* Copyright 1998-2016,2017 Free Software Foundation, Inc. *
* *
* Permission is hereby granted, free of charge, to any person obtaining a *
@@ -145,6 +145,7 @@ convert_strings(char *buf, char **String
{
int i;
char *p;
+ bool corrupt = FALSE;
for (i = 0; i < count; i++) {
if (IS_NEG1(buf + 2 * i)) {
@@ -154,8 +155,20 @@ convert_strings(char *buf, char **String
} else if (MyNumber(buf + 2 * i) > size) {
Strings[i] = ABSENT_STRING;
} else {
- Strings[i] = (MyNumber(buf + 2 * i) + table);
- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
+ int nn = MyNumber(buf + 2 * i);
+ if (nn >= 0 && nn < size) {
+ Strings[i] = (nn + table);
+ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
+ _nc_visbuf(Strings[i])));
+ } else {
+ if (!corrupt) {
+ corrupt = TRUE;
+ TR(TRACE_DATABASE,
+ ("ignore out-of-range index %d to Strings[]", nn));
+ _nc_warning("corrupt data found in convert_strings");
+ }
+ Strings[i] = ABSENT_STRING;
+ }
}
/* make sure all strings are NUL terminated */

2
ncurses.spec
View File

@ -15,6 +15,7 @@ Patch11: ncurses-urxvt.patch
Patch12: ncurses-kbs.patch
Patch13: ncurses-cve-2023-29491.patch
Patch14: ncurses-setuid.patch
Patch15: ncurses-cve-2022-29458.patch
BuildRequires: gcc gcc-c++ gpm-devel gnupg2 make pkgconfig
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -118,6 +119,7 @@ The ncurses-static package includes static libraries of the ncurses library.
%patch12 -p1 -b .kbs
%patch13 -p1 -b .cve-2023-29491
%patch14 -p1 -b .setuid
%patch15 -p1 -b .cve-2022-29458
for f in ANNOUNCE; do
iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&