
Re: Wheezy update of ncurses?



On 2017-07-11 10:17 -0400, Roberto C. Sánchez wrote:

> On Sun, Jul 09, 2017 at 03:14:33PM +0100, Chris Lamb wrote:
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of ncurses:
>> https://security-tracker.debian.org/tracker/source-package/ncurses
>> 
>
> All the open ncurses issues are marked no-dsa for jessie and stretch.
> Should we do the same for wheezy?

That would be logical.  The bugs only affect the tic program and the tic
library which is used by about three programs in the world (tic, infocmp
and tack), and most of our users never run any of these programs.

Anyway, I have attempted to backport the patches I sent to the release
team (bugs #867814 and #867817).  The changes to the library applied
cleanly, but I had to edit progs/dump_entry.c by hand since two hunks
failed to apply there.  If anybody wants to upload a fixed package to
wheezy (I won't), please review carefully.

Also attached are the testcases for the six bugs in the Red Hat
bugtracker.  You had better verify that the script to run them exits
successfully with the fixed libtinfo5 and ncurses-bin packages.

Cheers,
       Sven

>From 0ac89a314f89dfe33314df934d9e32954bcb21dc Mon Sep 17 00:00:00 2001
From: Sven Joachim <svenjoac@gmx.de>
Date: Tue, 11 Jul 2017 20:37:27 +0200
Subject: [PATCH] Cherry-pick/backport upstream fixes for various crash bugs

Several crash bugs in the tic binary and library have been reported to
the Red Hat bugtracker, with four CVEs assigned to them.  The new
patch cve-fixes.diff contains these changes.  It is derived from the
same patch for jessie, with two hunks for progs/dump_entry.c edited so
that they apply.
---
 debian/changelog              |   9 +++
 debian/patches/cve-fixes.diff | 173 ++++++++++++++++++++++++++++++++++++++++++
 debian/patches/series         |   1 +
 3 files changed, 183 insertions(+)
 create mode 100644 debian/patches/cve-fixes.diff

diff --git a/debian/changelog b/debian/changelog
index 9149be12..52aa94fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ncurses (5.9-10+deb7u1) wheezy; urgency=medium
+
+  * Cherry-pick/backport upstream fixes from the 20170701 and 20170708
+    patchlevels for various crash bugs in the tic library and the tic
+    binary (CVE-2017-10684, CVE-2017-10685, CVE-2017-11112,
+    CVE-2017-11113).
+
+ -- Sven Joachim <svenjoac@gmx.de>  Tue, 11 Jul 2017 20:35:12 +0200
+
 ncurses (5.9-10) unstable; urgency=low
 
   * Drop the dependency of the biarch packages on libtinfo5
diff --git a/debian/patches/cve-fixes.diff b/debian/patches/cve-fixes.diff
new file mode 100644
index 00000000..0d9cb89e
--- /dev/null
+++ b/debian/patches/cve-fixes.diff
@@ -0,0 +1,173 @@
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Fixes for four CVEs
+ Fixes for CVE 2017-10684, CVE-2017-10685, CVE-2017-11112,
+ CVE-2017-11113 cherry-picked from upstream patchlevels 20170701 and
+ 20170708.
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464684
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464685
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464686
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464687
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464691
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464692
+Forwarded: not-needed
+Last-Update: 2017-07-09
+
+---
+ ncurses/tinfo/alloc_entry.c |    6 +++++-
+ ncurses/tinfo/parse_entry.c |   22 ++++++++++++----------
+ progs/dump_entry.c          |   29 +++++++++++++++++++----------
+ 3 files changed, 36 insertions(+), 21 deletions(-)
+
+--- a/ncurses/tinfo/alloc_entry.c
++++ b/ncurses/tinfo/alloc_entry.c
+@@ -120,7 +120,11 @@ _nc_save_str(const char *const string)
+ {
+     char *result = 0;
+     size_t old_next_free = next_free;
+-    size_t len = strlen(string) + 1;
++    size_t len;
++
++    if (string == 0)
++	return _nc_save_str("");
++    len = strlen(string) + 1;
+ 
+     if (len == 1 && next_free != 0) {
+ 	/*
+--- a/ncurses/tinfo/parse_entry.c
++++ b/ncurses/tinfo/parse_entry.c
+@@ -234,13 +234,14 @@ _nc_parse_entry(struct entry *entryp, in
+      * implemented it.  Note that the resulting terminal type was never the
+      * 2-character name, but was instead the first alias after that.
+      */
++#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|')
+     ptr = _nc_curr_token.tk_name;
+     if (_nc_syntax == SYN_TERMCAP
+ #if NCURSES_XNAMES
+ 	&& !_nc_user_definable
+ #endif
+ 	) {
+-	if (ptr[2] == '|') {
++	if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) {
+ 	    ptr += 3;
+ 	    _nc_curr_token.tk_name[2] = '\0';
+ 	}
+@@ -282,9 +283,11 @@ _nc_parse_entry(struct entry *entryp, in
+ 	if (is_use || is_tc) {
+ 	    entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+ 	    entryp->uses[entryp->nuses].line = _nc_curr_line;
+-	    entryp->nuses++;
+-	    if (entryp->nuses > 1 && is_tc) {
+-		BAD_TC_USAGE
++	    if (VALID_STRING(entryp->uses[entryp->nuses].name)) {
++		entryp->nuses++;
++		if (entryp->nuses > 1 && is_tc) {
++		    BAD_TC_USAGE
++		}
+ 	    }
+ 	} else {
+ 	    /* normal token lookup */
+@@ -565,7 +568,7 @@ append_acs0(string_desc * dst, int code,
+ static void
+ append_acs(string_desc * dst, int code, char *src)
+ {
+-    if (src != 0 && strlen(src) == 1) {
++    if (VALID_STRING(src) && strlen(src) == 1) {
+ 	append_acs0(dst, code, *src);
+     }
+ }
+@@ -817,15 +820,14 @@ postprocess_termcap(TERMTYPE *tp, bool h
+ 	    }
+ 
+ 	    if (tp->Strings[to_ptr->nte_index]) {
++		const char *s = tp->Strings[from_ptr->nte_index];
++		const char *t = tp->Strings[to_ptr->nte_index];
+ 		/* There's no point in warning about it if it's the same
+ 		 * string; that's just an inefficiency.
+ 		 */
+-		if (strcmp(
+-			      tp->Strings[from_ptr->nte_index],
+-			      tp->Strings[to_ptr->nte_index]) != 0)
++		if (VALID_STRING(s) && VALID_STRING(t) && strcmp(s, t) != 0)
+ 		    _nc_warning("%s (%s) already has an explicit value %s, ignoring ko",
+-				ap->to, ap->from,
+-				_nc_visbuf(tp->Strings[to_ptr->nte_index]));
++				ap->to, ap->from, t);
+ 		continue;
+ 	    }
+ 
+--- a/progs/dump_entry.c
++++ b/progs/dump_entry.c
+@@ -577,9 +577,10 @@ fmt_entry(TERMTYPE *tterm,
+     PredIdx num_strings = 0;
+     bool outcount = 0;
+ 
+-#define WRAP_CONCAT	\
+-	wrap_concat(buffer); \
+-	outcount = TRUE
++#define WRAP_CONCAT1(s)		wrap_concat(s); outcount = TRUE
++#define WRAP_CONCAT2(a,b)	wrap_concat(a); WRAP_CONCAT1(b)
++#define WRAP_CONCAT3(a,b,c)	wrap_concat(a); WRAP_CONCAT2(b,c)
++#define WRAP_CONCAT		WRAP_CONCAT1(buffer)
+ 
+     len = 12;			/* terminfo file-header */
+ 
+@@ -752,13 +753,21 @@ fmt_entry(TERMTYPE *tterm,
+ 		    if (outform == F_TCONVERR) {
+ 			sprintf(buffer, "%s=!!! %s WILL NOT CONVERT !!!",
+ 				name, srccap);
++			WRAP_CONCAT;
+ 		    } else if (suppress_untranslatable) {
+ 			continue;
+ 		    } else {
+ 			char *s = srccap, *d = buffer;
+-			sprintf(d, "..%s=", name);
+-			d += strlen(d);
++			WRAP_CONCAT3("..", name, "=");
+ 			while ((*d = *s++) != 0) {
++			    if ((d - buffer + 1) >= (int) sizeof(buffer)) {
++				fprintf(stderr,
++					"%s: value for %s is too long\n",
++					_nc_progname,
++					name);
++				*d = '\0';
++				break;
++			    }
+ 			    if (*d == ':') {
+ 				*d++ = '\\';
+ 				*d = ':';
+@@ -766,13 +775,13 @@ fmt_entry(TERMTYPE *tterm,
+ 				*++d = *s++;
+ 			    }
+ 			    d++;
++			WRAP_CONCAT;
+ 			}
+ 		    }
+ 		} else {
+-		    sprintf(buffer, "%s=%s", name, cv);
++		    WRAP_CONCAT3(name, "=", cv);
+ 		}
+ 		len += (int) strlen(capability) + 1;
+-		WRAP_CONCAT;
+ 	    } else {
+ 		char *src = _nc_tic_expand(capability,
+ 					   outform == F_TERMINFO, numbers);
+@@ -788,8 +797,7 @@ fmt_entry(TERMTYPE *tterm,
+ 		    strcpy_DYN(&tmpbuf, src);
+ 		}
+ 		len += (int) strlen(capability) + 1;
+-		wrap_concat(tmpbuf.text);
+-		outcount = TRUE;
++		WRAP_CONCAT1(tmpbuf.text);
+ 	    }
+ 	}
+ 	/* e.g., trimmed_sgr0 */
+@@ -1116,7 +1124,8 @@ dump_entry(TERMTYPE *tterm,
+ 		}
+ 		if (len > critlen) {
+ 		    (void) fprintf(stderr,
+-				   "warning: %s entry is %d bytes long\n",
++				   "%s: %s entry is %d bytes long\n",
++				   _nc_progname,
+ 				   _nc_first_name(tterm->term_names),
+ 				   len);
+ 		    SHOW_WHY("# WARNING: this entry, %d bytes long, may core-dump %s libraries!\n",
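Review bot: The new length guard in the `..name=` copy loop of fmt_entry (`if ((d - buffer + 1) >= (int) sizeof(buffer))`) still permits a one-byte write past the end of `buffer`: it admits `d` at index `sizeof(buffer) - 2`, the `:` and `\\` branches below it then store two bytes and advance `d` to `sizeof(buffer)`, and the loop condition `*d = *s++` stores through that pointer before the guard runs again. Reserving room for the escaped pair closes the gap: `if ((d - buffer + 2) >= (int) sizeof(buffer)) {`. Separately, as indented in the second dump_entry.c hunk, the added `WRAP_CONCAT;` after `d++;` sits before the brace that closes the `while`, so wrap_concat(buffer) would run once per copied character rather than once after the loop; since the author notes these hunks were hand-edited, its placement is worth confirming against the jessie patch. The declaration of `buffer` and the rest of fmt_entry are outside the hunk, so the fixed-size-array assumption behind `sizeof(buffer)` is inferred from its use here.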
diff --git a/debian/patches/series b/debian/patches/series
index a4f81b34..e955e5f1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
 03-debian-ncursesconfig-omit-L.diff
 04-fix-tabset-directory.diff
 05-fix-poll-test.diff
+cve-fixes.diff
-- 
2.13.2

Attachment: tic-tests.tar.xz
Description: application/xz

