Google Git
Sign in
cos / third_party / overlays / portage-stable / 66bcc3454d2190717604d99c6c885b157c7016b5^! / .
commit66bcc3454d2190717604d99c6c885b157c7016b5[log] [tgz]
authorOleksandr Tymoshenko <ovt@google.com>Tue Oct 05 20:55:34 2021 +0000
committerOleksandr Tymoshenko <ovt@google.com>Tue Oct 12 04:29:25 2021 +0000
tree2fff09efdf21375165346fb8739fbc7c5817372d
parent072a77692a86b8b98c2861a5a2c774273f6d76ba [diff]
LAKITU: Backport fix for CVE-2021-39537 from ncurses 6.2

Backport fix for heap-based stack overflow in _nc_captoinfo
from the upstream commit 790a85db ("ncurses 6.2 - patch 20200531")

BUG=b/202124389
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2021-39537 in ncurses package

cos-patch: security-moderate
Change-Id: I8801b549fc78bf03937d0f525ef70393b2cd4dbd
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/23411
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>

diff --git a/sys-libs/ncurses/files/ncurses-5.9-fix-cve-2021-39537.patch b/sys-libs/ncurses/files/ncurses-5.9-fix-cve-2021-39537.patch
new file mode 100644
index 0000000..a932e66
--- /dev/null
+++ b/sys-libs/ncurses/files/ncurses-5.9-fix-cve-2021-39537.patch

@@ -0,0 +1,19 @@
+diff --git a/ncurses/tinfo/captoinfo.c b/ncurses/tinfo/captoinfo.c
+index a0da44d..83c5216 100644
+--- a/ncurses/tinfo/captoinfo.c
++++ b/ncurses/tinfo/captoinfo.c
+@@ -207,8 +207,13 @@ cvtchar(register const char *sp)
+ 	}
+ 	break;
+     case '^':
+-	c = (unsigned char) (*++sp & 0x1f);
+ 	len = 2;
++	c = (unsigned char) (*++sp);
++	if (c == '\0') {
++	    len = 1;
++	} else {
++	    c &= 0x1f;
++	}
+ 	break;
+     default:
+ 	c = (unsigned char) (*sp);

diff --git a/sys-libs/ncurses/ncurses-5.9-r8.ebuild b/sys-libs/ncurses/ncurses-5.9-r9.ebuild
similarity index 96%
rename from sys-libs/ncurses/ncurses-5.9-r8.ebuild
rename to sys-libs/ncurses/ncurses-5.9-r9.ebuild
index f387160..1768380 100644
--- a/sys-libs/ncurses/ncurses-5.9-r8.ebuild
+++ b/sys-libs/ncurses/ncurses-5.9-r9.ebuild

@@ -37,6 +37,8 @@
 S=${WORKDIR}/${MY_P}
 HOSTTIC_DIR=${WORKDIR}/${P}-host
 
+# CVE-2021-39537 fix was adopted from the upstream patch 20200531
+# https://github.com/mirror/ncurses/commit/790a85dbd4a81d5f5d8dd02a44d84f01512ef443
 src_prepare() {
 	[[ -n ${PV_SNAP} ]] && epatch "${WORKDIR}"/${MY_P}-${PV_SNAP}-patch.sh
 	epatch "${FILESDIR}"/${PN}-5.8-gfbsd.patch
@@ -46,6 +48,7 @@
 	epatch "${FILESDIR}"/${PN}-5.9-pkg-config.patch
 	# Fixes CVE-2019-17594 and CVE-2019-17595
 	epatch "${FILESDIR}/${PN}"-6.1-fix-heap-based-over-read.patch
+	epatch "${FILESDIR}/${PN}"-5.9-fix-cve-2021-39537.patch
 	epatch "${FILESDIR}"/${P}-no-I-usr-include.patch #522586
 	epatch "${FILESDIR}"/${P}-gcc-5.patch #545114
 }