
Bug#944009: buster-pu: package ncurses/6.1+20181013-2+deb10u2



Package: release.debian.org
Severity: normal
Tags: buster d-i
User: release.debian.org@packages.debian.org
Usertags: pu

I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, fixing
several bugs in tic's parser which were reported last month.  Two of
them are heap buffer overflows that have been assigned CVE numbers and a
Debian bug[1], two others are out-of-bounds reads and one is an infinite
loop.

I have verified that the reported crashes and the infinite loop which I
could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be fixed, at
least with the submitted corrupt input files.  Also, the compiled
terminfo files in ncurses-base and ncurses-term are identical to the
ones currently in buster.

This upload touches the tinfo library, which is used in the installer;
however, to the best of my knowledge the changed functions are only used
by tic and not by any other packages.

Thanks for your consideration.


1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401

diff -Nru ncurses-6.1+20181013/debian/changelog ncurses-6.1+20181013/debian/changelog
--- ncurses-6.1+20181013/debian/changelog	2019-08-05 20:03:21.000000000 +0200
+++ ncurses-6.1+20181013/debian/changelog	2019-11-02 19:16:19.000000000 +0100
@@ -1,3 +1,20 @@
+ncurses (6.1+20181013-2+deb10u2) buster; urgency=medium
+
+  * Cherry-pick tic fixes from upstream patchlevels 20191012,
+    20191015 and 20191019 (Closes: #942401).
+    - Check for invalid hashcode in _nc_find_type_entry and
+      nc_find_entry (CVE-2019-17594).
+    - Check for missing character after backslash in fmt_entry
+     (CVE-2019-17595).
+    - Check for acsc with odd length in dump_entry in check for
+      one-one mapping.
+    - Check for missing character after backslash in write_it.
+    - Modify tic to exit if it cannot remove a conflicting name, because
+      treating that as a partial success can cause an infinite loop in
+      use-resolution.
+
+ -- Sven Joachim <svenjoac@gmx.de>  Sat, 02 Nov 2019 19:16:19 +0100
+
 ncurses (6.1+20181013-2+deb10u1) buster; urgency=medium
 
   * Drop "rep" from xterm-new and derived terminfo descriptions
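Review bot: The changelog entry names the second fixed function as "nc_find_entry", but the hunk header in CVE-2019-17594.diff shows it as `_nc_find_entry`; the leading underscore should be kept so the entry matches the symbol. Minor style point in the same entry: the continuation line "(CVE-2019-17595)." is indented one space less than the other continuation lines.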
diff -Nru ncurses-6.1+20181013/debian/patches/CVE-2019-17594.diff ncurses-6.1+20181013/debian/patches/CVE-2019-17594.diff
--- ncurses-6.1+20181013/debian/patches/CVE-2019-17594.diff	1970-01-01 01:00:00.000000000 +0100
+++ ncurses-6.1+20181013/debian/patches/CVE-2019-17594.diff	2019-11-02 17:21:09.000000000 +0100
@@ -0,0 +1,37 @@
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Fix for CVE-2019-17594
+ Check for invalid hashcode in _nc_find_type_entry and nc_find_entry,
+ fix cherry-picked from upstream patchlevel 20191012.
+Bug-Debian: https://bugs.debian.org/942401
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html
+Forwarded: not-needed
+Last-Update: 2019-11-02
+
+---
+ ncurses/tinfo/comp_hash.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/ncurses/tinfo/comp_hash.c
++++ b/ncurses/tinfo/comp_hash.c
+@@ -63,7 +63,9 @@ _nc_find_entry(const char *string,
+ 
+     hashvalue = data->hash_of(string);
+ 
+-    if (data->table_data[hashvalue] >= 0) {
++    if (hashvalue >= 0
++	&& (unsigned) hashvalue < data->table_size
++	&& data->table_data[hashvalue] >= 0) {
+ 
+ 	real_table = _nc_get_table(termcap);
+ 	ptr = real_table + data->table_data[hashvalue];
+@@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string,
+     const HashData *data = _nc_get_hash_info(termcap);
+     int hashvalue = data->hash_of(string);
+ 
+-    if (data->table_data[hashvalue] >= 0) {
++    if (hashvalue >= 0
++	&& (unsigned) hashvalue < data->table_size
++	&& data->table_data[hashvalue] >= 0) {
+ 	const struct name_table_entry *const table = _nc_get_table(termcap);
+ 
+ 	ptr = table + data->table_data[hashvalue];
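Review bot: The patch description says "nc_find_entry" while both hunk headers read `_nc_find_entry` and `_nc_find_type_entry`; align the description with the actual symbol names. The new guard `hashvalue >= 0 && (unsigned) hashvalue < data->table_size && data->table_data[hashvalue] >= 0` is ordered so the array is only indexed after both range checks pass, which is what closes the out-of-bounds read on `table_data`; it relies on `table_size` counting entries of `table_data` rather than bytes, which is defined in `HashData` outside this hunk and is worth confirming when cherry-picking.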
diff -Nru ncurses-6.1+20181013/debian/patches/CVE-2019-17595.diff ncurses-6.1+20181013/debian/patches/CVE-2019-17595.diff
--- ncurses-6.1+20181013/debian/patches/CVE-2019-17595.diff	1970-01-01 01:00:00.000000000 +0100
+++ ncurses-6.1+20181013/debian/patches/CVE-2019-17595.diff	2019-11-02 17:22:34.000000000 +0100
@@ -0,0 +1,36 @@
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Fix for CVE-2019-17595
+ Fix for CVE-2019-17595 cherry-picked from upstream patchlevel
+ 20191012.  Additionally to the CVE fix, this contains a check for
+ acsc with odd length in dump_entry in check for one-one mapping.
+Bug-Debian: https://bugs.debian.org/942401
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00018.html
+Forwarded: not-needed
+Last-Update: 2019-11-02
+
+---
+ progs/dump_entry.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/progs/dump_entry.c
++++ b/progs/dump_entry.c
+@@ -1110,7 +1110,8 @@ fmt_entry(TERMTYPE2 *tterm,
+ 				*d++ = '\\';
+ 				*d = ':';
+ 			    } else if (*d == '\\') {
+-				*++d = *s++;
++				if ((*++d = *s++) == '\0')
++				    break;
+ 			    }
+ 			    d++;
+ 			    *d = '\0';
+@@ -1370,7 +1371,7 @@ one_one_mapping(const char *mapping)
+ 
+     if (VALID_STRING(mapping)) {
+ 	int n = 0;
+-	while (mapping[n] != '\0') {
++	while (mapping[n] != '\0' && mapping[n + 1] != '\0') {
+ 	    if (isLine(mapping[n]) &&
+ 		mapping[n] != mapping[n + 1]) {
+ 		result = FALSE;
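Review bot: A file named CVE-2019-17595.diff carries two independent changes (the `fmt_entry` backslash check that is the CVE fix, and the `one_one_mapping` odd-length guard); splitting the second into its own patch file, as was done for write_it and the infloop fix, would make the CVE fix easier to audit and revert on its own. In the description, "Additionally to the CVE fix" should read "In addition to the CVE fix", and the first body line repeats the "Fix for CVE-2019-17595" headline. On the logic: in `fmt_entry` the `break` on a copied `'\0'` leaves `d` pointing at that terminator and skips the trailing `d++; *d = '\0';`, so the output string remains terminated; in `one_one_mapping` the added `mapping[n + 1] != '\0'` stops the pair-wise scan at the terminator instead of stepping over it.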
diff -Nru ncurses-6.1+20181013/debian/patches/fix-tic-infloop.diff ncurses-6.1+20181013/debian/patches/fix-tic-infloop.diff
--- ncurses-6.1+20181013/debian/patches/fix-tic-infloop.diff	1970-01-01 01:00:00.000000000 +0100
+++ ncurses-6.1+20181013/debian/patches/fix-tic-infloop.diff	2019-11-02 17:31:13.000000000 +0100
@@ -0,0 +1,30 @@
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Fix an infinite loop in tic on invalid input
+ Modify tic to exit if it cannot remove a conflicting name, because
+ treating that as a partial success can cause an infinite loop in
+ use-resolution.
+ .
+ Fix cherry-picked from upstream patchlevel 20191019.
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00050.html
+Forwarded: not-needed
+Last-Update: 2019-11-02
+
+---
+ ncurses/tinfo/comp_parse.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/ncurses/tinfo/comp_parse.c
++++ b/ncurses/tinfo/comp_parse.c
+@@ -180,11 +180,11 @@ remove_collision(char *n1, char *n2)
+ 			++qend;
+ 		    while ((*qstart++ = *qend++) != '\0') ;
+ 		    fprintf(stderr, "...now\t%s\n", p2);
++		    removed = TRUE;
+ 		} else {
+ 		    fprintf(stderr, "Cannot remove alias '%.*s'\n",
+ 			    (int) (qend - qstart), qstart);
+ 		}
+-		removed = TRUE;
+ 		break;
+ 	    }
+ 	}
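Review bot: The hunk only moves `removed = TRUE;` into the success branch of `remove_collision`, so the "Cannot remove alias" path now reports failure to its caller; the description promises that tic will "exit if it cannot remove a conflicting name", but the exit itself must happen in the caller, which is not part of this hunk. Confirm that the caller in the deb10u1 tree treats a FALSE return as fatal rather than retrying, since a caller that merely continues would reproduce the loop this patch is meant to stop. Also, unlike the two CVE patches, this one carries no `Bug-Debian:` header; if #942401 covers the infinite-loop report as well, add it for traceability.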
diff -Nru ncurses-6.1+20181013/debian/patches/fix-write_it.diff ncurses-6.1+20181013/debian/patches/fix-write_it.diff
--- ncurses-6.1+20181013/debian/patches/fix-write_it.diff	1970-01-01 01:00:00.000000000 +0100
+++ ncurses-6.1+20181013/debian/patches/fix-write_it.diff	2019-11-02 17:24:47.000000000 +0100
@@ -0,0 +1,23 @@
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Check for missing character after backslash in write_it
+ Fix cherry-picked from upstream patchlevel 20191015.
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00046.html
+Forwarded: not-needed
+Last-Update: 2019-11-02
+
+---
+ progs/tic.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/progs/tic.c
++++ b/progs/tic.c
+@@ -217,7 +217,8 @@ write_it(ENTRY * ep)
+ 	    while ((ch = *t++) != 0) {
+ 		*d++ = (char) ch;
+ 		if (ch == '\\') {
+-		    *d++ = *t++;
++		    if ((*d++ = *t++) == '\0')
++			break;
+ 		} else if ((ch == '%')
+ 			   && (*t == L_BRACE)) {
+ 		    char *v = 0;
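Review bot: Here `d` is post-incremented before the NUL comparison (`(*d++ = *t++) == '\0'`), so on `break` it points one past the copied terminator, whereas the corresponding `fmt_entry` fix leaves `d` on the terminator; whether `write_it` then writes a second NUL or computes a length from `d` is decided by code after the loop that this hunk does not show, so check that the off-by-one in where `d` ends up is harmless there. As with fix-tic-infloop.diff, a `Bug-Debian:` header is missing if #942401 is meant to cover this report too.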
diff -Nru ncurses-6.1+20181013/debian/patches/series ncurses-6.1+20181013/debian/patches/series
--- ncurses-6.1+20181013/debian/patches/series	2019-08-04 11:15:46.000000000 +0200
+++ ncurses-6.1+20181013/debian/patches/series	2019-11-02 17:31:13.000000000 +0100
@@ -1,3 +1,7 @@
 01-debian-no-ada-doc.diff
 02-debian-backspace.diff
 03-debian-ncursesconfig-omit-L.diff
+CVE-2019-17594.diff
+CVE-2019-17595.diff
+fix-write_it.diff
+fix-tic-infloop.diff
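Review bot: The four new patches touch four distinct files (ncurses/tinfo/comp_hash.c, progs/dump_entry.c, progs/tic.c, ncurses/tinfo/comp_parse.c), so their order in series does not matter for applying them; listing fix-write_it.diff before fix-tic-infloop.diff merely differs from the order used in the changelog entry, which is a cosmetic point only.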

Attachment: signature.asc
Description: PGP signature

