diff options
| author | dheerajpdsk <p.dheeraj.srujan.kumar@intel.com> | 2023-12-31 18:41:27 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-12-31 18:41:27 +0300 |
| commit | 0127bdba37b5e22adcc423d170589211de377e2e (patch) | |
| tree | c4e595e183ef7500206e30f687bb384f73f58fa8 /meta-openbmc-mods/meta-common/recipes-core | |
| parent | 2561f0aabb8c6a13475d56b5a14bde1f18909d7f (diff) | |
| parent | 7f53998bd3726c808abf8b0c4950e25db29d9ea2 (diff) | |
| download | openbmc-0127bdba37b5e22adcc423d170589211de377e2e.tar.xz | |
Merge pull request #129 from Intel-BMC/update1-1.11-1
Update to internal 1-1.11-1
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-core')
26 files changed, 3320 insertions, 116 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-30065.patch b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-30065.patch new file mode 100644 index 000000000..2f23931be --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-30065.patch @@ -0,0 +1,48 @@ +From 4bae4300986d0ed3d43f92600bd291ae3d302a99 Mon Sep 17 00:00:00 2001 +From: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com> +Date: Fri, 5 May 2023 08:55:31 +0000 +Subject: [PATCH] Subject: awk: fix use after free (CVE-2022-30065) + +fixes https://bugs.busybox.net/show_bug.cgi?id=14781 + +function old new delta +evaluate 3343 3357 +14 + +Signed-off-by: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com> +--- + editors/awk.c | 3 +++ + testsuite/awk.tests | 5 +++++ + 2 files changed, 8 insertions(+) + +diff --git a/editors/awk.c b/editors/awk.c +index 3adbca7..43a17c0 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -3094,6 +3094,9 @@ static var *evaluate(node *op, var *res) + + case XC( OC_MOVE ): + debug_printf_eval("MOVE\n"); ++ /* make sure that we never return a temp var */ ++ if (L.v == TMPVAR0) ++ L.v = res; + /* if source is a temporary string, jusk relink it to dest */ + if (R.v == TMPVAR1 + && !(R.v->type & VF_NUMBER) +diff --git a/testsuite/awk.tests b/testsuite/awk.tests +index dc2ae2e..072c8fc 100755 +--- a/testsuite/awk.tests ++++ b/testsuite/awk.tests +@@ -462,5 +462,10 @@ testing "awk \"cmd\" | getline" \ + "awk 'BEGIN { \"echo HELLO\" | getline; print }'" \ + "HELLO\n" \ + '' '' ++testing 'awk assign while test' \ ++ "awk '\$1==\$1=\"foo\" {print \$1}'" \ ++ "foo\n" \ ++ "" \ ++ "foo" + + exit $FAILCOUNT +-- +2.25.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend index 42a52e0d7..b9c654068 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend @@ -4,6 +4,7 @@ SRC_URI += " \ file://enable.cfg \ file://CVE-2022-28391_1.patch \ file://CVE-2022-28391_2.patch \ + file://CVE-2022-30065.patch \ " SRC_URI += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks','file://dev-only.cfg','',d)}" diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42010.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42010.patch new file mode 100644 index 000000000..d2693ed69 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42010.patch @@ -0,0 +1,114 @@ +From 9d07424e9011e3bbe535e83043d335f3093d2916 Mon Sep 17 00:00:00 2001 +From: Simon McVittie <smcv@collabora.com> +Date: Tue, 13 Sep 2022 15:10:22 +0100 +Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest +correctly + +In debug builds with assertions enabled, a signature with incorrectly +nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result +in an assertion failure. + +In production builds without assertions enabled, a signature with +incorrectly nested `()` and `{}` could potentially result in a crash +or incorrect message parsing, although we do not have a concrete example +of either of these failure modes. + +Thanks: Evgeny Vereshchagin +Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418 +Resolves: CVE-2022-42010 +Signed-off-by: Simon McVittie <smcv@collabora.com> +--- + dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++- + 1 file changed, 37 insertions(+), 1 deletion(-) + +diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c +index 4d492f3f3..ae68414dd 100644 +--- a/dbus/dbus-marshal-validate.c ++++ b/dbus/dbus-marshal-validate.c +@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + + int element_count; + DBusList *element_count_stack; ++ char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' }; ++ char last_bracket; + + result = DBUS_VALID; + element_count_stack = NULL; +@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + + while (p != end) + { ++ _dbus_assert (struct_depth + dict_entry_depth >= 0); ++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); ++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0'); ++ + switch (*p) + { + case DBUS_TYPE_BYTE: +@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + goto out; + } + ++ _dbus_assert (struct_depth + dict_entry_depth >= 1); ++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); ++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); ++ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR; + break; + + case DBUS_STRUCT_END_CHAR: +@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + goto out; + } + ++ _dbus_assert (struct_depth + dict_entry_depth >= 1); ++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); ++ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; ++ ++ if (last_bracket != DBUS_STRUCT_BEGIN_CHAR) ++ { ++ result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED; ++ goto out; ++ } ++ + _dbus_list_pop_last (&element_count_stack); + + struct_depth -= 1; ++ opened_brackets[struct_depth + dict_entry_depth] = '\0'; + break; + + case DBUS_DICT_ENTRY_BEGIN_CHAR: +@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + goto out; + } + ++ _dbus_assert (struct_depth + dict_entry_depth >= 1); ++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); ++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); ++ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR; + break; + + case DBUS_DICT_ENTRY_END_CHAR: +@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; + goto out; + } +- ++ ++ _dbus_assert (struct_depth + dict_entry_depth >= 1); ++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); ++ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; ++ ++ if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR) ++ { ++ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; ++ goto out; ++ } ++ + dict_entry_depth -= 1; ++ opened_brackets[struct_depth + dict_entry_depth] = '\0'; + + element_count = + _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack)); +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch new file mode 100644 index 000000000..9284dd666 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch @@ -0,0 +1,55 @@ +From 079bbf16186e87fb0157adf8951f19864bc2ed69 Mon Sep 17 00:00:00 2001 +From: Simon McVittie <smcv@collabora.com> +Date: Mon, 12 Sep 2022 13:14:18 +0100 +Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of + fixed-length items + +This fast-path previously did not check that the array was made up +of an integer number of items. This could lead to assertion failures +and out-of-bounds accesses during subsequent message processing (which +assumes that the message has already been validated), particularly after +the addition of _dbus_header_remove_unknown_fields(), which makes it +more likely that dbus-daemon will apply non-trivial edits to messages. + +Thanks: Evgeny Vereshchagin +Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays" +Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 +Resolves: CVE-2022-42011 +Signed-off-by: Simon McVittie <smcv@collabora.com> +--- + dbus/dbus-marshal-validate.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c +index ae68414dd..7d0d6cf72 100644 +--- a/dbus/dbus-marshal-validate.c ++++ b/dbus/dbus-marshal-validate.c +@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader, + */ + if (dbus_type_is_fixed (array_elem_type)) + { ++ /* Note that fixed-size types all have sizes equal to ++ * their alignments, so this is really the item size. */ ++ alignment = _dbus_type_get_alignment (array_elem_type); ++ _dbus_assert (alignment == 1 || alignment == 2 || ++ alignment == 4 || alignment == 8); ++ ++ /* Because the alignment is a power of 2, this is ++ * equivalent to: (claimed_len % alignment) != 0, ++ * but avoids slower integer division */ ++ if ((claimed_len & (alignment - 1)) != 0) ++ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT; ++ + /* bools need to be handled differently, because they can + * have an invalid value + */ + if (array_elem_type == DBUS_TYPE_BOOLEAN) + { + dbus_uint32_t v; +- alignment = _dbus_type_get_alignment (array_elem_type); + + while (p < array_end) + { +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42012.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42012.patch new file mode 100644 index 000000000..53b0e92ff --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42012.patch @@ -0,0 +1,71 @@ +From 236f16e444e88a984cf12b09225e0f8efa6c5b44 Mon Sep 17 00:00:00 2001 +From: Simon McVittie <smcv@collabora.com> +Date: Fri, 30 Sep 2022 13:46:31 +0100 +Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed + +When a D-Bus message includes attached file descriptors, the body of the +message contains unsigned 32-bit indexes pointing into an out-of-band +array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to +these indexes as "handles" for the associated fds (not to be confused +with a Windows HANDLE, which is a kernel object). + +The assertion message removed by this commit is arguably correct up to +a point: fd-passing is only reasonable on a local machine, and no known +operating system allows processes of differing endianness even on a +multi-endian ARM or PowerPC CPU, so it makes little sense for the sender +to specify a byte-order that differs from the byte-order of the recipient. + +However, this doesn't account for the fact that a malicious sender +doesn't have to restrict itself to only doing things that make sense. +On a system with untrusted local users, a message sender could crash +the system dbus-daemon (a denial of service) by sending a message in +the opposite endianness that contains handles to file descriptors. + +Before this commit, if assertions are enabled, attempting to byteswap +a fd index would cleanly crash the message recipient with an assertion +failure. If assertions are disabled, attempting to byteswap a fd index +would silently do nothing without advancing the pointer p, causing the +message's type and the pointer into its contents to go out of sync, which +can result in a subsequent crash (the crash demonstrated by fuzzing was +a use-after-free, but other failure modes might be possible). + +In principle we could resolve this by rejecting wrong-endianness messages +from a local sender, but it's actually simpler and less code to treat +wrong-endianness messages as valid and byteswap them. + +Thanks: Evgeny Vereshchagin +Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds" +Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417 +Resolves: CVE-2022-42012 +Signed-off-by: Simon McVittie <smcv@collabora.com> +--- + dbus/dbus-marshal-byteswap.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c +index e9de6f02a..9dd1246f9 100644 +--- a/dbus/dbus-marshal-byteswap.c ++++ b/dbus/dbus-marshal-byteswap.c +@@ -62,6 +62,7 @@ byteswap_body_helper (DBusTypeReader *reader, + case DBUS_TYPE_BOOLEAN: + case DBUS_TYPE_INT32: + case DBUS_TYPE_UINT32: ++ case DBUS_TYPE_UNIX_FD: + { + p = _DBUS_ALIGN_ADDRESS (p, 4); + *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p)); +@@ -192,11 +193,6 @@ byteswap_body_helper (DBusTypeReader *reader, + } + break; + +- case DBUS_TYPE_UNIX_FD: +- /* fds can only be passed on a local machine, so byte order must always match */ +- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense"); +- break; +- + default: + _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature"); + break; +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_%.bbappend new file mode 100644 index 000000000..af073e92a --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_%.bbappend @@ -0,0 +1,6 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" +SRC_URI += " \ + file://CVE-2022-42010.patch \ + file://CVE-2022-42011.patch \ + file://CVE-2022-42012.patch \ + " diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch new file mode 100644 index 000000000..b19647736 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch @@ -0,0 +1,109 @@ +From 5290462a7ea1278a8d5c0d5b2860d4e244f997e4 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Tue, 20 Sep 2022 02:44:34 +0200 +Subject: [PATCH 1/3] lib: Fix overeager DTD destruction in + XML_ExternalEntityParserCreate + +--- + lib/xmlparse.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index aacd6e7fc..57bf103cc 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName, + parserInit(parser, encodingName); + + if (encodingName && ! parser->m_protocolEncodingName) { ++ if (dtd) { ++ // We need to stop the upcoming call to XML_ParserFree from happily ++ // destroying parser->m_dtd because the DTD is shared with the parent ++ // parser and the only guard that keeps XML_ParserFree from destroying ++ // parser->m_dtd is parser->m_isParamEntity but it will be set to ++ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all). ++ parser->m_dtd = NULL; ++ } + XML_ParserFree(parser); + return NULL; + } + +From 43992e4ae25fc3dc0eec0cd3a29313555d56aee2 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Mon, 19 Sep 2022 18:16:15 +0200 +Subject: [PATCH 2/3] tests: Cover overeager DTD destruction in + XML_ExternalEntityParserCreate + +--- + tests/runtests.c | 49 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 49 insertions(+) + +diff --git a/tests/runtests.c b/tests/runtests.c +index 245fe9bda..acb744dd4 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -10208,6 +10208,53 @@ START_TEST(test_alloc_long_notation) { + } + END_TEST + ++static int XMLCALL ++external_entity_parser_create_alloc_fail_handler(XML_Parser parser, ++ const XML_Char *context, ++ const XML_Char *base, ++ const XML_Char *systemId, ++ const XML_Char *publicId) { ++ UNUSED_P(base); ++ UNUSED_P(systemId); ++ UNUSED_P(publicId); ++ ++ if (context != NULL) ++ fail("Unexpected non-NULL context"); ++ ++ // The following number intends to fail the upcoming allocation in line ++ // "parser->m_protocolEncodingName = copyString(encodingName, ++ // &(parser->m_mem));" in function parserInit. ++ allocation_count = 3; ++ ++ const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL ++ const XML_Parser ext_parser ++ = XML_ExternalEntityParserCreate(parser, context, encodingName); ++ if (ext_parser != NULL) ++ fail( ++ "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory"); ++ ++ allocation_count = ALLOC_ALWAYS_SUCCEED; ++ return XML_STATUS_ERROR; ++} ++ ++START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) { ++ const char *const text = "<!DOCTYPE doc SYSTEM 'foo'><doc/>"; ++ ++ XML_SetExternalEntityRefHandler( ++ g_parser, external_entity_parser_create_alloc_fail_handler); ++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_ERROR) ++ fail("Call to parse was expected to fail"); ++ ++ if (XML_GetErrorCode(g_parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING) ++ fail("Call to parse was expected to fail from the external entity handler"); ++ ++ XML_ParserReset(g_parser, NULL); ++} ++END_TEST ++ + static void + nsalloc_setup(void) { + XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free}; +@@ -12401,6 +12448,8 @@ make_suite(void) { + tcase_add_test(tc_alloc, test_alloc_long_public_id); + tcase_add_test(tc_alloc, test_alloc_long_entity_value); + tcase_add_test(tc_alloc, test_alloc_long_notation); ++ tcase_add_test__ifdef_xml_dtd( ++ tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail); + + suite_add_tcase(s, tc_nsalloc); + tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown); + + diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb b/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb index 852ba0baf..616838aa3 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb +++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb @@ -12,6 +12,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA file://run-ptest \ file://CVE-2022-40674_1.patch \ file://CVE-2022-40674_2.patch \ + file://CVE-2022-43680.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2021-3998.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2021-3998.patch new file mode 100644 index 000000000..8a6533070 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2021-3998.patch @@ -0,0 +1,173 @@ +From a48cfb100aa47d349cd1b80d0efcca3231b6bfcd Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar <siddhesh@sourceware.org> +Date: Thu, 13 Jan 2022 11:28:36 +0530 +Subject: [PATCH 1/2] realpath: Set errno to ENAMETOOLONG for result larger + than PATH_MAX [BZ #28770] + +realpath returns an allocated string when the result exceeds PATH_MAX, +which is unexpected when its second argument is not NULL. This results +in the second argument (resolved) being uninitialized and also results +in a memory leak since the caller expects resolved to be the same as the +returned value. + +Return NULL and set errno to ENAMETOOLONG if the result exceeds +PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. + +Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +(cherry picked from commit ee8d5e33adb284601c00c94687bc907e10aec9bb) +(cherry picked from commit f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5 + with conflict resoluation in stdlib/Makefile and NEWS) +--- + NEWS | 4 +++ + stdlib/Makefile | 2 +- + stdlib/canonicalize.c | 12 +++++++-- + stdlib/tst-realpath-toolong.c | 49 +++++++++++++++++++++++++++++++++++ + 4 files changed, 64 insertions(+), 3 deletions(-) + create mode 100644 stdlib/tst-realpath-toolong.c + +diff --git a/NEWS b/NEWS +index 028ed04ca2..0c3b1c2556 100644 +--- a/NEWS ++++ b/NEWS +@@ -210,6 +210,10 @@ Security related changes: + legacy function could result in a stack-based buffer overflow when + using the "unix" protocol. Reported by Martin Sebor. + ++ CVE-2021-3998: Passing a path longer than PATH_MAX to the realpath ++ function could result in a memory leak and potential access of ++ uninitialized memory. Reported by Qualys. ++ + The following bugs are resolved with this release: + + [4737] libc: fork is not async-signal-safe +diff --git a/stdlib/Makefile b/stdlib/Makefile +index 7c15549caf..22de3867be 100644 +--- a/stdlib/Makefile ++++ b/stdlib/Makefile +@@ -88,7 +88,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ + tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ + tst-setcontext6 tst-setcontext7 tst-setcontext8 \ + tst-setcontext9 tst-bz20544 tst-canon-bz26341 \ +- tst-realpath ++ tst-realpath tst-realpath-toolong + + tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ + tst-tls-atexit tst-tls-atexit-nodelete +diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c +index cac1f73d74..20033b4885 100644 +--- a/stdlib/canonicalize.c ++++ b/stdlib/canonicalize.c +@@ -400,8 +400,16 @@ realpath_stk (const char *name, char *resolved, + + error: + *dest++ = '\0'; +- if (resolved != NULL && dest - rname <= get_path_max ()) +- rname = strcpy (resolved, rname); ++ if (resolved != NULL) ++ { ++ if (dest - rname <= get_path_max ()) ++ rname = strcpy (resolved, rname); ++ else ++ { ++ failed = true; ++ __set_errno (ENAMETOOLONG); ++ } ++ } + + error_nomem: + scratch_buffer_free (&extra_buffer); +diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath-toolong.c +new file mode 100644 +index 0000000000..8bed772460 +--- /dev/null ++++ b/stdlib/tst-realpath-toolong.c +@@ -0,0 +1,49 @@ ++/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds ++ NAME_MAX. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <errno.h> ++#include <limits.h> ++#include <stdlib.h> ++#include <string.h> ++#include <unistd.h> ++#include <support/check.h> ++#include <support/temp_file.h> ++#include <sys/types.h> ++#include <sys/stat.h> ++ ++#define BASENAME "tst-realpath-toolong." ++ ++int ++do_test (void) ++{ ++ char *base = support_create_and_chdir_toolong_temp_directory (BASENAME); ++ ++ char buf[PATH_MAX + 1]; ++ const char *res = realpath (".", buf); ++ ++ /* canonicalize.c states that if the real path is >= PATH_MAX, then ++ realpath returns NULL and sets ENAMETOOLONG. */ ++ TEST_VERIFY (res == NULL); ++ TEST_VERIFY (errno == ENAMETOOLONG); ++ ++ free (base); ++ return 0; ++} ++ ++#include <support/test-driver.c> +-- +2.25.1 + + +From a4bc5841640e57f8d216e818b07cdd4c74f62815 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar <siddhesh@sourceware.org> +Date: Mon, 24 Jan 2022 21:36:41 +0530 +Subject: [PATCH 2/2] realpath: Avoid overwriting preexisting error + (CVE-2021-3998) + +Set errno and failure for paths that are too long only if no other error +occurred earlier. + +Related: BZ #28770 + +Reviewed-by: Andreas Schwab <schwab@linux-m68k.org> +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +(cherry picked from commit 84d2d0fe20bdf94feed82b21b4d7d136db471f03) +(cherry picked from commit d084965adc7baa8ea804427cccf973cea556d697) +--- + stdlib/canonicalize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c +index 20033b4885..fdeca42b83 100644 +--- a/stdlib/canonicalize.c ++++ b/stdlib/canonicalize.c +@@ -404,7 +404,7 @@ error: + { + if (dest - rname <= get_path_max ()) + rname = strcpy (resolved, rname); +- else ++ else if (!failed) + { + failed = true; + __set_errno (ENAMETOOLONG); +-- +2.25.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-0687.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-0687.patch new file mode 100644 index 000000000..da0e43686 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-0687.patch @@ -0,0 +1,77 @@ +From 801af9fafd4689337ebf27260aa115335a0cb2bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?= + =?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= <leo@yuriev.ru> +Date: Sat, 4 Feb 2023 14:41:38 +0300 +Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `__monstartup()` allocates a buffer used to store all the data +accumulated by the monitor. + +The size of this buffer depends on the size of the internal structures +used and the address range for which the monitor is activated, as well +as on the maximum density of call instructions and/or callable functions +that could be potentially on a segment of executable code. + +In particular a hash table of arcs is placed at the end of this buffer. +The size of this hash table is calculated in bytes as + p->fromssize = p->textsize / HASHFRACTION; + +but actually should be + p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms)); + +This results in writing beyond the end of the allocated buffer when an +added arc corresponds to a call near from the end of the monitored +address range, since `_mcount()` check the incoming caller address for +monitored range but not the intermediate result hash-like index that +uses to write into the table. + +It should be noted that when the results are output to `gmon.out`, the +table is read to the last element calculated from the allocated size in +bytes, so the arcs stored outside the buffer boundary did not fall into +`gprof` for analysis. Thus this "feature" help me to found this bug +during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438 + +Just in case, I will explicitly note that the problem breaks the +`make test t=gmon/tst-gmon-dso` added for Bug 29438. +There, the arc of the `f3()` call disappears from the output, since in +the DSO case, the call to `f3` is located close to the end of the +monitored range. + +Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru> + +Another minor error seems a related typo in the calculation of +`kcountsize`, but since kcounts are smaller than froms, this is +actually to align the p->froms data. + +Co-authored-by: DJ Delorie <dj@redhat.com> +Reviewed-by: Carlos O'Donell <carlos@redhat.com> +--- + gmon/gmon.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/gmon/gmon.c b/gmon/gmon.c +index dee64803ada..bf76358d5b1 100644 +--- a/gmon/gmon.c ++++ b/gmon/gmon.c +@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc) + p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER)); + p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER)); + p->textsize = p->highpc - p->lowpc; ++ /* This looks like a typo, but it's here to align the p->froms ++ section. */ + p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms)); + p->hashfraction = HASHFRACTION; + p->log_hashfraction = -1; +@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc) + instead of integer division. Precompute shift amount. */ + p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1; + } +- p->fromssize = p->textsize / HASHFRACTION; ++ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms)); + p->tolimit = p->textsize * ARCDENSITY / 100; + if (p->tolimit < MINARCS) + p->tolimit = MINARCS; + diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend index be793e5e8..96c4947ad 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend @@ -8,4 +8,6 @@ SRC_URI += " \ file://0001-CVE-2022-23219.patch \ file://0002-CVE-2022-23219.patch \ file://CVE-2021-43396.patch \ + file://CVE-2021-3998.patch \ + file://CVE-2023-0687.patch \ " diff --git a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40303.patch b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40303.patch new file mode 100644 index 000000000..ecb134edf --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40303.patch @@ -0,0 +1,618 @@ +From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Thu, 25 Aug 2022 17:43:08 +0200 +Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE + +Also impose size limits when XML_PARSE_HUGE is set. Limit size of names +to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to +XML_MAX_HUGE_LENGTH (1 billion bytes). + +Move some the length checks to the end of the respective loop to make +them strict. + +xmlParseEntityValue didn't have a length limitation at all. But without +XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW. + +Thanks to Maddie Stone working with Google Project Zero for the report! +--- + parser.c | 233 +++++++++++++++++++++++++++++-------------------------- + 1 file changed, 121 insertions(+), 112 deletions(-) + +diff --git a/parser.c b/parser.c +index 93f031be..79479979 100644 +--- a/parser.c ++++ b/parser.c +@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt); + * * + ************************************************************************/ + ++#define XML_MAX_HUGE_LENGTH 1000000000 ++ + #define XML_PARSER_BIG_ENTITY 1000 + #define XML_PARSER_LOT_ENTITY 5000 + +@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) + errmsg = "Malformed declaration expecting version"; + break; + case XML_ERR_NAME_TOO_LONG: +- errmsg = "Name too long use XML_PARSE_HUGE option"; ++ errmsg = "Name too long"; + break; + #if 0 + case: +@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNameComplex++; +@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + } +@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } +@@ -3338,7 +3344,10 @@ const xmlChar * + xmlParseName(xmlParserCtxtPtr ctxt) { + const xmlChar *in; + const xmlChar *ret; +- int count = 0; ++ size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + GROW; + +@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) { + in++; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; +- if ((count > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (count > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } +@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + size_t startPosition = 0; + + #ifdef DEBUG +@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ + (xmlIsNameChar(ctxt, c) && (c != ':'))) { + if (count++ > XML_PARSER_CHUNK_SIZE) { +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); +- return(NULL); +- } + count = 0; + GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + if (c == 0) { +@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + c = CUR_CHAR(l); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3459,7 +3465,10 @@ static const xmlChar * + xmlParseNCName(xmlParserCtxtPtr ctxt) { + const xmlChar *in, *e; + const xmlChar *ret; +- int count = 0; ++ size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNCName++; +@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + goto complex; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; +- if ((count > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (count > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + const xmlChar *cur = *str; + int len = 0, l; + int c; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseStringName++; +@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + if (len + 10 > max) { + xmlChar *tmp; + +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); +- xmlFree(buffer); +- return(NULL); +- } + max *= 2; + tmp = (xmlChar *) xmlRealloc(buffer, + max * sizeof(xmlChar)); +@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + COPY_BUF(l,buffer,len,c); + cur += l; + c = CUR_SCHAR(cur, l); ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); ++ xmlFree(buffer); ++ return(NULL); ++ } + } + buffer[len] = 0; + *str = cur; + return(buffer); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNmToken++; +@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + if (len + 10 > max) { + xmlChar *tmp; + +- if ((max > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); +- xmlFree(buffer); +- return(NULL); +- } + max *= 2; + tmp = (xmlChar *) xmlRealloc(buffer, + max * sizeof(xmlChar)); +@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + COPY_BUF(l,buffer,len,c); + NEXTL(l); + c = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); ++ xmlFree(buffer); ++ return(NULL); ++ } + } + buffer[len] = 0; + return(buffer); +@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + } + if (len == 0) + return(NULL); +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); + return(NULL); + } +@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; + int c, l; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + xmlChar stop; + xmlChar *ret = NULL; + const xmlChar *cur = NULL; +@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + GROW; + c = CUR_CHAR(l); + } ++ ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED, ++ "entity value too long\n"); ++ goto error; ++ } + } + buf[len] = 0; + if (ctxt->instate == XML_PARSER_EOF) +@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + xmlChar *rep = NULL; + size_t len = 0; + size_t buf_size = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int c, l, in_space = 0; + xmlChar *current = NULL; + xmlEntityPtr ent; +@@ -3936,16 +3958,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + while (((NXT(0) != limit) && /* checked */ + (IS_CHAR(c)) && (c != '<')) && + (ctxt->instate != XML_PARSER_EOF)) { +- /* +- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE +- * special option is given +- */ +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, +- "AttValue length too long\n"); +- goto mem_error; +- } + if (c == '&') { + in_space = 0; + if (NXT(1) == '#') { +@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } + GROW; + c = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, ++ "AttValue length too long\n"); ++ goto mem_error; ++ } + } + if (ctxt->instate == XML_PARSER_EOF) + goto error; +@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } else + NEXT; + +- /* +- * There we potentially risk an overflow, don't allow attribute value of +- * length more than INT_MAX it is a very reasonable assumption ! +- */ +- if (len >= INT_MAX) { +- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, +- "AttValue length too long\n"); +- goto mem_error; +- } +- + if (attlen != NULL) *attlen = (int) len; + return(buf); + +@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; + int cur, l; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + xmlChar stop; + int state = ctxt->instate; + int count = 0; +@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + if (len + 5 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); +- xmlFree(buf); +- ctxt->instate = (xmlParserInputState) state; +- return(NULL); +- } + size *= 2; + tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); + if (tmp == NULL) { +@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + SHRINK; + cur = CUR_CHAR(l); + } ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); ++ xmlFree(buf); ++ ctxt->instate = (xmlParserInputState) state; ++ return(NULL); ++ } + } + buf[len] = 0; + ctxt->instate = (xmlParserInputState) state; +@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + xmlChar cur; + xmlChar stop; + int count = 0; +@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + if (len + 1 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); +- xmlFree(buf); +- return(NULL); +- } + size *= 2; + tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); + if (tmp == NULL) { +@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + SHRINK; + cur = CUR; + } ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); ++ xmlFree(buf); ++ return(NULL); ++ } + } + buf[len] = 0; + if (cur != stop) { +@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + int r, rl; + int cur, l; + size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int inputid; + + inputid = ctxt->input->id; +@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + if ((r == '-') && (q == '-')) { + xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, +- "Comment too big found", NULL); +- xmlFree (buf); +- return; +- } + if (len + 5 >= size) { + xmlChar *new_buf; + size_t new_size; +@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + GROW; + cur = CUR_CHAR(l); + } ++ ++ if (len > maxLength) { ++ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, ++ "Comment too big found", NULL); ++ xmlFree (buf); ++ return; ++ } + } + buf[len] = 0; + if (cur == 0) { +@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + size_t size = XML_PARSER_BUFFER_SIZE; + size_t len = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + xmlParserInputState state; + const xmlChar *in; + size_t nbchar = 0; +@@ -4958,8 +4975,7 @@ get_more: + buf[len] = 0; + } + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, + "Comment too big found", NULL); + xmlFree (buf); +@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + size_t len = 0; + size_t size = XML_PARSER_BUFFER_SIZE; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int cur, l; + const xmlChar *target; + xmlParserInputState state; +@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + return; + } + count = 0; +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +- "PI %s too big found", target); +- xmlFree(buf); +- ctxt->instate = state; +- return; +- } + } + COPY_BUF(l,buf,len,cur); + NEXTL(l); +@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + GROW; + cur = CUR_CHAR(l); + } ++ if (len > maxLength) { ++ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, ++ "PI %s too big found", target); ++ xmlFree(buf); ++ ctxt->instate = state; ++ return; ++ } + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +- "PI %s too big found", target); +- xmlFree(buf); +- ctxt->instate = state; +- return; +- } + buf[len] = 0; + if (cur != '?') { + xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + const xmlChar *in = NULL, *start, *end, *last; + xmlChar *ret = NULL; + int line, col; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + + GROW; + in = (xmlChar *) CUR_PTR; +@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + start = in; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + if ((*in++ == 0x20) && (*in == 0x20)) break; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + last = last + delta; + } + end = ctxt->input->end; +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); + } + } + } +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + col++; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + } + } + last = in; +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + int s, sl; + int cur, l; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + + /* Check 2.6.0 was NXT(0) not RAW */ + if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { +@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + if (len + 5 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, +- "CData section too big found", NULL); +- xmlFree (buf); +- return; +- } + tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); + if (tmp == NULL) { + xmlFree(buf); +@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + } + NEXTL(l); + cur = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, ++ "CData section too big found\n"); ++ xmlFree(buf); ++ return; ++ } + } + buf[len] = 0; + ctxt->instate = XML_PARSER_CONTENT; +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch new file mode 100644 index 000000000..b6a48587d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch @@ -0,0 +1,101 @@ +From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Wed, 31 Aug 2022 22:11:25 +0200 +Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity + reference cycles + +When an entity reference cycle is detected, the entity content is +cleared by setting its first byte to zero. But the entity content might +be allocated from a dict. In this case, the dict entry becomes corrupted +leading to all kinds of logic errors, including memory errors like +double-frees. + +Stop storing entity content, orig, ExternalID and SystemID in a dict. +These values are unlikely to occur multiple times in a document, so they +shouldn't have been stored in a dict in the first place. + +Thanks to Ned Williamson and Nathan Wachholz working with Google Project +Zero for the report! +--- + entities.c | 55 ++++++++++++++++-------------------------------------- + 1 file changed, 16 insertions(+), 39 deletions(-) + +diff --git a/entities.c b/entities.c +index 84435515..d4e5412e 100644 +--- a/entities.c ++++ b/entities.c +@@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity) + if ((entity->children) && (entity->owner == 1) && + (entity == (xmlEntityPtr) entity->children->parent)) + xmlFreeNodeList(entity->children); +- if (dict != NULL) { +- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) +- xmlFree((char *) entity->name); +- if ((entity->ExternalID != NULL) && +- (!xmlDictOwns(dict, entity->ExternalID))) +- xmlFree((char *) entity->ExternalID); +- if ((entity->SystemID != NULL) && +- (!xmlDictOwns(dict, entity->SystemID))) +- xmlFree((char *) entity->SystemID); +- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) +- xmlFree((char *) entity->URI); +- if ((entity->content != NULL) +- && (!xmlDictOwns(dict, entity->content))) +- xmlFree((char *) entity->content); +- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig))) +- xmlFree((char *) entity->orig); +- } else { +- if (entity->name != NULL) +- xmlFree((char *) entity->name); +- if (entity->ExternalID != NULL) +- xmlFree((char *) entity->ExternalID); +- if (entity->SystemID != NULL) +- xmlFree((char *) entity->SystemID); +- if (entity->URI != NULL) +- xmlFree((char *) entity->URI); +- if (entity->content != NULL) +- xmlFree((char *) entity->content); +- if (entity->orig != NULL) +- xmlFree((char *) entity->orig); +- } ++ if ((entity->name != NULL) && ++ ((dict == NULL) || (!xmlDictOwns(dict, entity->name)))) ++ xmlFree((char *) entity->name); ++ if (entity->ExternalID != NULL) ++ xmlFree((char *) entity->ExternalID); ++ if (entity->SystemID != NULL) ++ xmlFree((char *) entity->SystemID); ++ if (entity->URI != NULL) ++ xmlFree((char *) entity->URI); ++ if (entity->content != NULL) ++ xmlFree((char *) entity->content); ++ if (entity->orig != NULL) ++ xmlFree((char *) entity->orig); + xmlFree(entity); + } + +@@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, + ret->SystemID = xmlStrdup(SystemID); + } else { + ret->name = xmlDictLookup(dict, name, -1); +- if (ExternalID != NULL) +- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); +- if (SystemID != NULL) +- ret->SystemID = xmlDictLookup(dict, SystemID, -1); ++ ret->ExternalID = xmlStrdup(ExternalID); ++ ret->SystemID = xmlStrdup(SystemID); + } + if (content != NULL) { + ret->length = xmlStrlen(content); +- if ((dict != NULL) && (ret->length < 5)) +- ret->content = (xmlChar *) +- xmlDictLookup(dict, content, ret->length); +- else +- ret->content = xmlStrndup(content, ret->length); ++ ret->content = xmlStrndup(content, ret->length); + } else { + ret->length = 0; + ret->content = NULL; +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend index 4011c8759..1d2993a8d 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend @@ -2,4 +2,6 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI += "file://CVE-2022-23308-Use-after-free-of-ID-and-IDREF.patch \ file://CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch \ + file://CVE-2022-40303.patch \ + file://CVE-2022-40304.patch \ " diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses.inc b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses.inc new file mode 100644 index 000000000..367f3b19f --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses.inc @@ -0,0 +1,327 @@ +SUMMARY = "The New Curses library" +DESCRIPTION = "SVr4 and XSI-Curses compatible curses library and terminfo tools including tic, infocmp, captoinfo. Supports color, multiple highlights, forms-drawing characters, and automatic recognition of keypad and function-key sequences. Extensions include resizable windows and mouse support on both xterm and Linux console using the gpm library." +HOMEPAGE = "http://www.gnu.org/software/ncurses/ncurses.html" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://COPYING;md5=c5a4600fdef86384c41ca33ecc70a4b8;endline=27" +SECTION = "libs" +DEPENDS = "ncurses-native" +DEPENDS:class-native = "" + +BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \ + ${bindir}/ncurses6-config ${bindir}/ncursesw6-config" + +inherit autotools binconfig-disabled multilib_header pkgconfig + +# Upstream has useful patches at times at ftp://invisible-island.net/ncurses/ +SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master" + +EXTRA_AUTORECONF = "-I m4" + +CACHED_CONFIGUREVARS = "cf_cv_func_nanosleep=yes" +CACHED_CONFIGUREVARS:append:linux = " cf_cv_working_poll=yes" + +EXTRASITECONFIG = "CFLAGS='${CFLAGS} -I${SYSROOT_DESTDIR}${includedir}'" + +# Whether to enable separate widec libraries; must be 'true' or 'false' +# +# TODO: remove this variable when widec is supported in every setup? +ENABLE_WIDEC ?= "true" + +# _GNU_SOURCE is required for widec stuff and is detected automatically +# for target objects. But it must be set manually for native and sdk +# builds. +BUILD_CPPFLAGS += "-D_GNU_SOURCE" + +# natives don't generally look in base_libdir +base_libdir:class-native = "${libdir}" + +# Display corruption occurs on 64 bit hosts without these settings +# This was derrived from the upstream debian ncurses which uses +# these settings for 32 and 64 bit hosts. +EXCONFIG_ARGS = "" +EXCONFIG_ARGS:class-native = " \ + --disable-lp64 \ + --with-chtype='long' \ + --with-mmask-t='long'" +EXCONFIG_ARGS:class-nativesdk = " \ + --disable-lp64 \ + --with-chtype='long' \ + --with-mmask-t='long'" + +PACKAGES_DYNAMIC = "^${PN}-lib.*" + +# Fall back to the host termcap / terminfo for -nativesdk and -native +# The reality is a work around for strange problems with things like +# "bitbake -c menuconfig busybox" where it cannot find the terminfo +# because the sstate had a hard coded search path. Until this is fixed +# another way this is deemed good enough. +EX_TERMCAP = "" +EX_TERMCAP:class-native = ":/etc/termcap:/usr/share/misc/termcap" +EX_TERMCAP:class-nativesdk = ":/etc/termcap:/usr/share/misc/termcap" +EX_TERMINFO = "" +EX_TERMINFO:class-native = ":/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo" +EX_TERMINFO:class-nativesdk = ":/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo" +EX_TERMLIB ?= "tinfo" + +# Helper function for do_configure to allow multiple configurations +# $1 the directory to run configure in +# $@ the arguments to pass to configure +ncurses_configure() { + mkdir -p $1 + cd $1 + shift + oe_runconf \ + --without-debug \ + --without-ada \ + --without-gpm \ + --enable-hard-tabs \ + --enable-xmc-glitch \ + --enable-colorfgbg \ + --with-termpath='${sysconfdir}/termcap:${datadir}/misc/termcap${EX_TERMCAP}' \ + --with-terminfo-dirs='${sysconfdir}/terminfo:${datadir}/terminfo${EX_TERMINFO}' \ + --with-shared \ + --disable-big-core \ + --program-prefix= \ + --with-ticlib \ + --with-termlib=${EX_TERMLIB} \ + --enable-sigwinch \ + --enable-pc-files \ + --disable-rpath-hack \ + ${EXCONFIG_ARGS} \ + --with-manpage-format=normal \ + --without-manpage-renames \ + --disable-stripping \ + "$@" || return 1 + cd .. +} + +# Override the function from the autotools class; ncurses requires a +# patched autoconf213 to generate the configure script. This autoconf +# is not available so that the shipped script will be used. +do_configure() { + #Remove ${includedir} from CPPFLAGS, need for cross compile + sed -i 's#-I${cf_includedir}##g' ${S}/configure || die "sed CPPFLAGS" + + # The --enable-pc-files requires PKG_CONFIG_LIBDIR existed + mkdir -p ${PKG_CONFIG_LIBDIR} + ( cd ${S}; gnu-configize --force ) + ncurses_configure "narrowc" || \ + return 1 + ! ${ENABLE_WIDEC} || \ + ncurses_configure "widec" "--enable-widec" "--without-progs" + +} + +do_compile() { + oe_runmake -C narrowc libs + oe_runmake -C narrowc/progs + + ! ${ENABLE_WIDEC} || \ + oe_runmake -C widec libs +} + +# set of expected differences between narrowc and widec header +# +# TODO: the NCURSES_CH_T difference can cause real problems :( +_unifdef_cleanup = " \ + -e '\!/\* \$Id: curses.wide,v!,\!/\* \$Id: curses.tail,v!d' \ + -e '/^#define NCURSES_CH_T /d' \ + -e '/^#include <wchar.h>/d' \ + -e '\!^/\* .* \*/!d' \ +" + +do_test[depends] = "unifdef-native:do_populate_sysroot" +do_test[dirs] = "${S}" +do_test() { + ${ENABLE_WIDEC} || return 0 + + # make sure that the narrow and widec header are compatible + # and differ only in minor details. + unifdef -k narrowc/include/curses.h | \ + sed ${_unifdef_cleanup} > curses-narrowc.h + unifdef -k widec/include/curses.h | \ + sed ${_unifdef_cleanup} > curses-widec.h + + diff curses-narrowc.h curses-widec.h +} + +# Split original _install_opts to two parts. +# One is the options to install contents, the other is the parameters \ +# when running command "make install" +# Note that install.libs will also implicitly install header files, +# so we do not need to explicitly specify install.includes. +# Doing so could in fact result in a race condition, as both targets +# (install.libs and install.includes) would install the same headers +# at the same time + +_install_opts = " install.libs install.man " + +_install_cfgs = "\ + DESTDIR='${D}' \ + PKG_CONFIG_LIBDIR='${libdir}/pkgconfig' \ +" + +do_install() { + # Order of installation is important; widec installs a 'curses.h' + # header with more definitions and must be installed last hence. + # Compatibility of these headers will be checked in 'do_test()'. + oe_runmake -C narrowc ${_install_cfgs} ${_install_opts} \ + install.progs + + # The install.data should run after install.libs, otherwise + # there would be a race issue in a very critical conditon, since + # tic will be run by install.data, and tic needs libtinfo.so + # which would be regenerated by install.libs. + oe_runmake -C narrowc ${_install_cfgs} \ + install.data + + + ! ${ENABLE_WIDEC} || \ + oe_runmake -C widec ${_install_cfgs} ${_install_opts} + + cd narrowc + + # include some basic terminfo files + # stolen ;) from gentoo and modified a bit + for x in ansi console dumb linux rxvt screen screen-256color sun vt52 vt100 vt102 vt200 vt220 xterm-color xterm-xfree86 xterm-256color + do + local termfile="$(find "${D}${datadir}/terminfo/" -name "${x}" 2>/dev/null)" + local basedir="$(basename $(dirname "${termfile}"))" + + if [ -n "${termfile}" ] + then + install -d ${D}${sysconfdir}/terminfo/${basedir} + mv ${termfile} ${D}${sysconfdir}/terminfo/${basedir}/ + ln -s /etc/terminfo/${basedir}/${x} \ + ${D}${datadir}/terminfo/${basedir}/${x} + fi + done + # i think we can use xterm-color as default xterm + if [ -e ${D}${sysconfdir}/terminfo/x/xterm-color ] + then + ln -sf xterm-color ${D}${sysconfdir}/terminfo/x/xterm + fi + + # When changing ${libdir} to e.g. /usr/lib/myawesomelib/ ncurses + # still installs '/usr/lib/terminfo', so try to rm both + # the proper path and a slightly hardcoded one + rm -f ${D}${libdir}/terminfo ${D}${prefix}/lib/terminfo + + # create linker scripts for libcurses.so and libncurses to + # link against -ltinfo when needed. Some builds might break + # else when '-Wl,--no-copy-dt-needed-entries' has been set in + # linker flags. + for i in libncurses libncursesw; do + f=${D}${libdir}/$i.so + test -h $f || continue + rm -f $f + echo '/* GNU ld script */' >$f + echo "INPUT($i.so.5 AS_NEEDED(-ltinfo))" >>$f + done + + # Make sure that libcurses is linked so that it gets -ltinfo + # also, this should be addressed upstream really. + ln -sf libncurses.so ${D}${libdir}/libcurses.so + + # create libtermcap.so linker script for backward compatibility + f=${D}${libdir}/libtermcap.so + echo '/* GNU ld script */' >$f + echo 'INPUT(AS_NEEDED(-ltinfo))' >>$f + + if [ ! -d "${D}${base_libdir}" ]; then + # Setting base_libdir to libdir as is done in the -native + # case will skip this code + mkdir -p ${D}${base_libdir} + mv ${D}${libdir}/libncurses.so.* ${D}${base_libdir} + ! ${ENABLE_WIDEC} || \ + mv ${D}${libdir}/libncursesw.so.* ${D}${base_libdir} + + mv ${D}${libdir}/libtinfo.so.* ${D}${base_libdir} + rm ${D}${libdir}/libtinfo.so + + # Use ln -rs to ensure this is a relative link despite absolute paths + # (as we can't know the relationship between base_libdir and libdir). + ln -rs ${D}${base_libdir}/libtinfo.so.5 ${D}${libdir}/libtinfo.so + fi + if [ -d "${D}${includedir}/ncurses" ]; then + for f in `find ${D}${includedir}/ncurses -name "*.h"` + do + f=`basename $f` + test -e ${D}${includedir}/$f && continue + ln -sf ncurses/$f ${D}${includedir}/$f + done + fi + oe_multilib_header curses.h +} + +python populate_packages:prepend () { + libdir = d.expand("${libdir}") + base_libdir = d.expand("${base_libdir}") + pnbase = d.expand("${PN}-lib%s") + do_split_packages(d, libdir, r'^lib(.*)\.so\..*', pnbase, 'ncurses %s library', prepend=True, extra_depends = '', allow_links=True) + if libdir is not base_libdir: + do_split_packages(d, base_libdir, r'^lib(.*)\.so\..*', pnbase, 'ncurses %s library', prepend=True, extra_depends = '', allow_links=True) +} + + +inherit update-alternatives + +ALTERNATIVE_PRIORITY = "100" + +ALTERNATIVE:ncurses-tools:class-target = "clear reset" +ALTERNATIVE:ncurses-terminfo:class-target = "st st-256color" + +ALTERNATIVE_LINK_NAME[st] = "${datadir}/terminfo/s/st" + +ALTERNATIVE_LINK_NAME[st-256color] = "${datadir}/terminfo/s/st-256color" + +BBCLASSEXTEND = "native nativesdk" + +PACKAGES += " \ + ${PN}-tools \ + ${PN}-terminfo-base \ + ${PN}-terminfo \ +" + +FILES:${PN} = "\ + ${bindir}/tput \ + ${bindir}/tset \ + ${bindir}/ncurses5-config \ + ${bindir}/ncursesw5-config \ + ${bindir}/ncurses6-config \ + ${bindir}/ncursesw6-config \ + ${datadir}/tabset \ +" + +# This keeps only tput/tset in ncurses +# clear/reset are in already busybox +FILES:${PN}-tools = "\ + ${bindir}/tic \ + ${bindir}/toe \ + ${bindir}/infotocap \ + ${bindir}/captoinfo \ + ${bindir}/infocmp \ + ${bindir}/clear${@['', '.${BPN}']['${CLASSOVERRIDE}' == 'class-target']} \ + ${bindir}/reset${@['', '.${BPN}']['${CLASSOVERRIDE}' == 'class-target']} \ + ${bindir}/tack \ + ${bindir}/tabs \ +" + +# 'reset' is a symlink to 'tset' which is in the 'ncurses' package +RDEPENDS:${PN}-tools = "${PN} ${PN}-terminfo-base" + +FILES:${PN}-terminfo = "\ + ${datadir}/terminfo \ +" + +FILES:${PN}-terminfo-base = "\ + ${sysconfdir}/terminfo \ +" + +RSUGGESTS:${PN}-libtinfo = "${PN}-terminfo" +RRECOMMENDS:${PN}-libtinfo = "${PN}-terminfo-base" + +# Putting terminfo into the sysroot adds around 2800 files to +# each recipe specific sysroot. We can live without this, particularly +# as many recipes may have native and target copies. +SYSROOT_DIRS:remove = "${datadir}" diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-Fix-heap-buffer-overflow-in-captoinfo.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-Fix-heap-buffer-overflow-in-captoinfo.patch deleted file mode 100644 index 420a19b41..000000000 --- a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-Fix-heap-buffer-overflow-in-captoinfo.patch +++ /dev/null @@ -1,47 +0,0 @@ -From ad135388ac66b7c8276b0899d9b43433e2faffa6 Mon Sep 17 00:00:00 2001 -From: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> -Date: Tue, 7 Dec 2021 23:58:53 +0000 -Subject: [PATCH] Fix heap-buffer-overflow in captoinfo - -This has been picked up from http://cvsweb.netbsd.org/ -bsdweb.cgi/pkgsrc/devel/ncurses/patches/Attic/ -patch-ncurses_tinfo_captoinfo.c -?rev=1.1&content-type=text/x-cvsweb-markup - -Thomas Dickey is the owner of this patch. -This fix is a part of -https://github.com/ThomasDickey/ncurses-snapshots/ -commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b#diff- -7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340 - -Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> ---- - ncurses/tinfo/captoinfo.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/ncurses/tinfo/captoinfo.c b/ncurses/tinfo/captoinfo.c -index 8b3b83d1..c9741405 100644 ---- a/ncurses/tinfo/captoinfo.c -+++ b/ncurses/tinfo/captoinfo.c -@@ -216,12 +216,15 @@ cvtchar(register const char *sp) - } - break; - case '^': -+ len = 2; - c = UChar(*++sp); -- if (c == '?') -+ if (c == '?') { - c = 127; -- else -+ } else if (c == '\0') { -+ len = 1; -+ } else { - c &= 0x1f; -- len = 2; -+ } - break; - default: - c = UChar(*sp); --- -2.17.1 - diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-patch-20230408-CVE-2023-29491.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-patch-20230408-CVE-2023-29491.patch new file mode 100644 index 000000000..6e4301e35 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-patch-20230408-CVE-2023-29491.patch @@ -0,0 +1,1432 @@ +From 50dd6dac94847a1aec06deb324eedef627f1829c Mon Sep 17 00:00:00 2001 +From: Saravanan Palanisamy <saravanan.palanisamy@intel.com> +Date: Wed, 24 May 2023 12:45:20 +0000 +Subject: [PATCH] ncurses 6.4 - patch 20230408 (for CVE-2023-29491) + +From eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56 Mon Sep 17 00:00:00 2001 +From: "Thomas E. Dickey" <dickey@invisible-island.net> +Date: Sun, 9 Apr 2023 00:08:25 +0000 +Subject: [PATCH 1/1] ncurses 6.4 - patch 20230408 + ++ document limitations of tparm, and error-returns in curs_terminfo.3x ++ document limitations of tgoto, and error-returns in curs_termcap.3x ++ add xterm+focus to alacritty+common (patch by Christian Duerr). ++ add "-v" option to tput, to show warnings. +> improve checks for malformed terminfo data (report/analysis by + Jonathan Bar Or, Michael Pearse, Emanuele Cozzi). + + make the parameter type/count checks in _nc_tiparm() more stringent + + update tgoto() to account for _nc_tiparm() changes + + add checks in tparm() and tiparm() for misuse of string parameters + + add special cases in tput to handle extensions Cs/Ms parameters + + ignore compiled-terminfo where the array sizes exceed the standard + +Note: +Did not cherrypick below changes from original patch as it is not applicable +Intel OpenBMC: + package/debian-mingw/changelog + package/debian-mingw64/changelog + package/debian/changelog + package/mingw-ncurses.nsi + package/mingw-ncurses.spec +--- + NEWS | 15 ++- + VERSION | 2 +- + dist.mk | 4 +- + doc/html/man/adacurses6-config.1.html | 2 +- + doc/html/man/captoinfo.1m.html | 2 +- + doc/html/man/clear.1.html | 2 +- + doc/html/man/curs_termcap.3x.html | 141 +++++++++++++++----------- + doc/html/man/curs_terminfo.3x.html | 41 +++++++- + doc/html/man/form.3x.html | 2 +- + doc/html/man/infocmp.1m.html | 2 +- + doc/html/man/infotocap.1m.html | 2 +- + doc/html/man/menu.3x.html | 2 +- + doc/html/man/ncurses.3x.html | 2 +- + doc/html/man/ncurses6-config.1.html | 2 +- + doc/html/man/panel.3x.html | 2 +- + doc/html/man/tabs.1.html | 2 +- + doc/html/man/terminfo.5.html | 2 +- + doc/html/man/tic.1m.html | 2 +- + doc/html/man/toe.1m.html | 2 +- + doc/html/man/tput.1.html | 2 +- + doc/html/man/tset.1.html | 2 +- + man/curs_termcap.3x | 26 ++++- + man/curs_terminfo.3x | 41 +++++++- + misc/terminfo.src | 9 +- + ncurses/tinfo/lib_tgoto.c | 14 ++- + ncurses/tinfo/lib_tparm.c | 120 +++++++++++++++++++--- + ncurses/tinfo/read_entry.c | 7 +- + package/ncurses.spec | 2 +- + package/ncursest.spec | 2 +- + progs/tic.c | 10 +- + progs/tparm_type.c | 13 ++- + progs/tparm_type.h | 6 +- + progs/tput.c | 61 +++++++++-- + 33 files changed, 418 insertions(+), 128 deletions(-) + +diff --git a/NEWS b/NEWS +index 66e63a39..ab0c10a2 100644 +--- a/NEWS ++++ b/NEWS +@@ -26,7 +26,7 @@ + -- sale, use or other dealings in this Software without prior written -- + -- authorization. -- + ------------------------------------------------------------------------------- +--- $Id: NEWS,v 1.3895 2022/12/31 20:43:21 tom Exp $ ++-- $Id: NEWS,v 1.3929 2023/04/08 22:24:09 tom Exp $ + ------------------------------------------------------------------------------- + + This is a log of changes that ncurses has gone through since Zeyd started +@@ -46,6 +46,19 @@ See the AUTHORS file for the corresponding full names. + Changes through 1.9.9e did not credit all contributions; + it is not possible to add this information. + ++20230408 ++ + document limitations of tparm, and error-returns in curs_terminfo.3x ++ + document limitations of tgoto, and error-returns in curs_termcap.3x ++ + add xterm+focus to alacritty+common (patch by Christian Duerr). ++ + add "-v" option to tput, to show warnings. ++ > improve checks for malformed terminfo data (report/analysis by ++ Jonathan Bar Or, Michael Pearse, Emanuele Cozzi). ++ + make the parameter type/count checks in _nc_tiparm() more stringent ++ + update tgoto() to account for _nc_tiparm() changes ++ + add checks in tparm() and tiparm() for misuse of string parameters ++ + add special cases in tput to handle extensions Cs/Ms parameters ++ + ignore compiled-terminfo where the array sizes exceed the standard ++ + 20221231 6.4 release for upload to ftp.gnu.org + + update release notes + + regenerate llib-* files. +diff --git a/VERSION b/VERSION +index e2dff67c..78269eab 100644 +--- a/VERSION ++++ b/VERSION +@@ -1 +1 @@ +-5:0:10 6.4 20221231 ++5:0:10 6.4 20230408 +diff --git a/dist.mk b/dist.mk +index ee07796b..a2986a57 100644 +--- a/dist.mk ++++ b/dist.mk +@@ -26,7 +26,7 @@ + # use or other dealings in this Software without prior written # + # authorization. # + ############################################################################## +-# $Id: dist.mk,v 1.1519 2022/12/31 20:43:21 tom Exp $ ++# $Id: dist.mk,v 1.1534 2023/04/08 13:33:20 tom Exp $ + # Makefile for creating ncurses distributions. + # + # This only needs to be used directly as a makefile by developers, but +@@ -38,7 +38,7 @@ SHELL = /bin/sh + # These define the major/minor/patch versions of ncurses. + NCURSES_MAJOR = 6 + NCURSES_MINOR = 4 +-NCURSES_PATCH = 20221231 ++NCURSES_PATCH = 20230408 + + # We don't append the patch to the version, since this only applies to releases + VERSION = $(NCURSES_MAJOR).$(NCURSES_MINOR) +diff --git a/doc/html/man/adacurses6-config.1.html b/doc/html/man/adacurses6-config.1.html +index 90587e45..fe563fe2 100644 +--- a/doc/html/man/adacurses6-config.1.html ++++ b/doc/html/man/adacurses6-config.1.html +@@ -126,7 +126,7 @@ + </PRE><H2><a name="h2-SEE-ALSO">SEE ALSO</a></H2><PRE> + <STRONG><A HREF="ncurses.3x.html">curses(3x)</A></STRONG> + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + +diff --git a/doc/html/man/captoinfo.1m.html b/doc/html/man/captoinfo.1m.html +index ab99a7cf..2c914951 100644 +--- a/doc/html/man/captoinfo.1m.html ++++ b/doc/html/man/captoinfo.1m.html +@@ -199,7 +199,7 @@ + </PRE><H2><a name="h2-SEE-ALSO">SEE ALSO</a></H2><PRE> + <STRONG><A HREF="infocmp.1m.html">infocmp(1m)</A></STRONG>, <STRONG><A HREF="ncurses.3x.html">curses(3x)</A></STRONG>, <STRONG><A HREF="terminfo.5.html">terminfo(5)</A></STRONG> + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + </PRE><H2><a name="h2-AUTHOR">AUTHOR</a></H2><PRE> +diff --git a/doc/html/man/clear.1.html b/doc/html/man/clear.1.html +index 74f5198b..243d57ed 100644 +--- a/doc/html/man/clear.1.html ++++ b/doc/html/man/clear.1.html +@@ -150,7 +150,7 @@ + </PRE><H2><a name="h2-SEE-ALSO">SEE ALSO</a></H2><PRE> + <STRONG><A HREF="tput.1.html">tput(1)</A></STRONG>, <STRONG><A HREF="terminfo.5.html">terminfo(5)</A></STRONG>, <STRONG>xterm(1)</STRONG>. + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + +diff --git a/doc/html/man/curs_termcap.3x.html b/doc/html/man/curs_termcap.3x.html +index 9cd555ec..32699b3c 100644 +--- a/doc/html/man/curs_termcap.3x.html ++++ b/doc/html/man/curs_termcap.3x.html +@@ -1,6 +1,6 @@ + <!-- + **************************************************************************** +- * Copyright 2018-2022,2022 Thomas E. Dickey * ++ * Copyright 2018-2022,2023 Thomas E. Dickey * + * Copyright 1998-2017,2018 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -27,7 +27,7 @@ + * sale, use or other dealings in this Software without prior written * + * authorization. * + **************************************************************************** +- * @Id: curs_termcap.3x,v 1.56 2022/02/12 20:05:11 tom Exp @ ++ * @Id: curs_termcap.3x,v 1.57 2023/04/08 21:43:01 tom Exp @ + --> + <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"> + <HTML> +@@ -148,27 +148,32 @@ + first parameter is merely a placeholder. + + <STRONG>o</STRONG> Normally the ncurses library is compiled with terminfo support. In +- that case, <STRONG>tgoto</STRONG> uses <STRONG><A HREF="curs_terminfo.3x.html">tparm(3x)</A></STRONG> (a more capable formatter). ++ that case, <STRONG>tgoto</STRONG> uses an internal version of <STRONG><A HREF="curs_terminfo.3x.html">tparm(3x)</A></STRONG> (a more ca- ++ pable formatter). + +- However, <STRONG>tparm</STRONG> is not a <EM>termcap</EM> feature, and portable <EM>termcap</EM> ap- ++ With terminfo support, <STRONG>tgoto</STRONG> is able to use some of the terminfo ++ features, but not all. In particular, it allows only numeric pa- ++ rameters; <STRONG>tparm</STRONG> supports string parameters. ++ ++ However, <STRONG>tparm</STRONG> is not a <EM>termcap</EM> feature, and portable <EM>termcap</EM> ap- + plications should not rely upon its availability. + +- The <STRONG>tputs</STRONG> routine is described on the <STRONG><A HREF="curs_terminfo.3x.html">curs_terminfo(3x)</A></STRONG> manual page. ++ The <STRONG>tputs</STRONG> routine is described on the <STRONG><A HREF="curs_terminfo.3x.html">curs_terminfo(3x)</A></STRONG> manual page. + It can retrieve capabilities by either termcap or terminfo name. + + + </PRE><H3><a name="h3-Global-Variables">Global Variables</a></H3><PRE> +- The variables <STRONG>PC</STRONG>, <STRONG>UP</STRONG> and <STRONG>BC</STRONG> are set by <STRONG>tgetent</STRONG> to the terminfo entry's ++ The variables <STRONG>PC</STRONG>, <STRONG>UP</STRONG> and <STRONG>BC</STRONG> are set by <STRONG>tgetent</STRONG> to the terminfo entry's + data for <STRONG>pad_char</STRONG>, <STRONG>cursor_up</STRONG> and <STRONG>backspace_if_not_bs</STRONG>, respectively. <STRONG>UP</STRONG> +- is not used by ncurses. <STRONG>PC</STRONG> is used in the <STRONG>tdelay_output</STRONG> function. <STRONG>BC</STRONG> +- is used in the <STRONG>tgoto</STRONG> emulation. The variable <STRONG>ospeed</STRONG> is set by ncurses ++ is not used by ncurses. <STRONG>PC</STRONG> is used in the <STRONG>tdelay_output</STRONG> function. <STRONG>BC</STRONG> ++ is used in the <STRONG>tgoto</STRONG> emulation. The variable <STRONG>ospeed</STRONG> is set by ncurses + in a system-specific coding to reflect the terminal speed. + + + </PRE><H3><a name="h3-Releasing-Memory">Releasing Memory</a></H3><PRE> +- The termcap functions provide no means for freeing memory, because +- legacy termcap implementations used only the buffer areas provided by +- the caller via <STRONG>tgetent</STRONG> and <STRONG>tgetstr</STRONG>. Those buffers are unused in ter- ++ The termcap functions provide no means for freeing memory, because ++ legacy termcap implementations used only the buffer areas provided by ++ the caller via <STRONG>tgetent</STRONG> and <STRONG>tgetstr</STRONG>. Those buffers are unused in ter- + minfo. + + On the other hand, terminfo allocates memory. It uses <STRONG>setupterm</STRONG> to re- +@@ -178,41 +183,55 @@ + <STRONG>del_curterm(cur_term);</STRONG> + + +- to free this memory, but there is an additional complication with +- ncurses. It uses a fixed-size <EM>pool</EM> of storage locations, one per set- +- ting of the <STRONG>TERM</STRONG> variable when <STRONG>tgetent</STRONG> is called. The <STRONG>screen(1)</STRONG> pro- ++ to free this memory, but there is an additional complication with ++ ncurses. It uses a fixed-size <EM>pool</EM> of storage locations, one per set- ++ ting of the <STRONG>TERM</STRONG> variable when <STRONG>tgetent</STRONG> is called. The <STRONG>screen(1)</STRONG> pro- + gram relies upon this arrangement, to improve its performance. + +- An application which uses only the low-level termcap functions could ++ An application which uses only the low-level termcap functions could + free the memory using <STRONG>del_curterm</STRONG>, because the pool is freed using oth- + er functions (see <STRONG><A HREF="curs_memleaks.3x.html">curs_memleaks(3x)</A></STRONG>). + + + </PRE><H2><a name="h2-RETURN-VALUE">RETURN VALUE</a></H2><PRE> +- Except where explicitly noted, routines that return an integer return +- <STRONG>ERR</STRONG> upon failure and <STRONG>OK</STRONG> (SVr4 only specifies "an integer value other ++ Except where explicitly noted, routines that return an integer return ++ <STRONG>ERR</STRONG> upon failure and <STRONG>OK</STRONG> (SVr4 only specifies "an integer value other + than <STRONG>ERR</STRONG>") upon successful completion. + + Routines that return pointers return <STRONG>NULL</STRONG> on error. + ++ A few special cases apply: ++ ++ <STRONG>o</STRONG> If the terminal database has not been initialized, these return an ++ error. ++ ++ <STRONG>o</STRONG> The calls with a string parameter (<STRONG>tgoto</STRONG>, <STRONG>tputs</STRONG>) check if the ++ string is null, or cancelled. Those return an error. ++ ++ <STRONG>o</STRONG> A call to <STRONG>tgoto</STRONG> using a capability with string parameters is an er- ++ ror. ++ ++ <STRONG>o</STRONG> A call to <STRONG>tgoto</STRONG> using a capability with no parameters, or more than ++ two is an error. ++ + + </PRE><H2><a name="h2-BUGS">BUGS</a></H2><PRE> +- If you call <STRONG>tgetstr</STRONG> to fetch <STRONG>ca</STRONG> or any other parameterized string, be +- aware that it will be returned in terminfo notation, not the older and ++ If you call <STRONG>tgetstr</STRONG> to fetch <STRONG>ca</STRONG> or any other parameterized string, be ++ aware that it will be returned in terminfo notation, not the older and + not-quite-compatible termcap notation. This will not cause problems if +- all you do with it is call <STRONG>tgoto</STRONG> or <STRONG>tparm</STRONG>, which both expand terminfo- +- style strings as terminfo. (The <STRONG>tgoto</STRONG> function, if configured to sup- +- port termcap, will check if the string is indeed terminfo-style by +- looking for "%p" parameters or "$<..>" delays, and invoke a termcap- ++ all you do with it is call <STRONG>tgoto</STRONG> or <STRONG>tparm</STRONG>, which both expand terminfo- ++ style strings as terminfo. (The <STRONG>tgoto</STRONG> function, if configured to sup- ++ port termcap, will check if the string is indeed terminfo-style by ++ looking for "%p" parameters or "$<..>" delays, and invoke a termcap- + style parser if the string does not appear to be terminfo). + +- Because terminfo conventions for representing padding in string capa- ++ Because terminfo conventions for representing padding in string capa- + bilities differ from termcap's, users can be surprised: + + <STRONG>o</STRONG> <STRONG>tputs("50")</STRONG> in a terminfo system will put out a literal "50" rather + than busy-waiting for 50 milliseconds. + +- <STRONG>o</STRONG> However, if ncurses is configured to support termcap, it may also ++ <STRONG>o</STRONG> However, if ncurses is configured to support termcap, it may also + have been configured to support the BSD-style padding. + + In that case, <STRONG>tputs</STRONG> inspects strings passed to it, looking for dig- +@@ -221,9 +240,9 @@ + <STRONG>tputs("50")</STRONG> in a termcap system may wait for 50 milliseconds rather + than put out a literal "50" + +- Note that termcap has nothing analogous to terminfo's <STRONG>sgr</STRONG> string. One +- consequence of this is that termcap applications assume <STRONG>me</STRONG> (terminfo +- <STRONG>sgr0</STRONG>) does not reset the alternate character set. This implementation ++ Note that termcap has nothing analogous to terminfo's <STRONG>sgr</STRONG> string. One ++ consequence of this is that termcap applications assume <STRONG>me</STRONG> (terminfo ++ <STRONG>sgr0</STRONG>) does not reset the alternate character set. This implementation + checks for, and modifies the data shown to the termcap interface to ac- + commodate termcap's limitation in this respect. + +@@ -231,22 +250,22 @@ + </PRE><H2><a name="h2-PORTABILITY">PORTABILITY</a></H2><PRE> + + </PRE><H3><a name="h3-Standards">Standards</a></H3><PRE> +- These functions are provided for supporting legacy applications, and ++ These functions are provided for supporting legacy applications, and + should not be used in new programs: + + <STRONG>o</STRONG> The XSI Curses standard, Issue 4 describes these functions. Howev- +- er, they are marked TO BE WITHDRAWN and may be removed in future ++ er, they are marked TO BE WITHDRAWN and may be removed in future + versions. + + <STRONG>o</STRONG> X/Open Curses, Issue 5 (December 2007) marked the termcap interface + (along with <STRONG>vwprintw</STRONG> and <STRONG>vwscanw</STRONG>) as withdrawn. + +- Neither the XSI Curses standard nor the SVr4 man pages documented the +- return values of <STRONG>tgetent</STRONG> correctly, though all three were in fact re- +- turned ever since SVr1. In particular, an omission in the XSI Curses +- documentation has been misinterpreted to mean that <STRONG>tgetent</STRONG> returns <STRONG>OK</STRONG> +- or <STRONG>ERR</STRONG>. Because the purpose of these functions is to provide compati- +- bility with the <EM>termcap</EM> library, that is a defect in XCurses, Issue 4, ++ Neither the XSI Curses standard nor the SVr4 man pages documented the ++ return values of <STRONG>tgetent</STRONG> correctly, though all three were in fact re- ++ turned ever since SVr1. In particular, an omission in the XSI Curses ++ documentation has been misinterpreted to mean that <STRONG>tgetent</STRONG> returns <STRONG>OK</STRONG> ++ or <STRONG>ERR</STRONG>. Because the purpose of these functions is to provide compati- ++ bility with the <EM>termcap</EM> library, that is a defect in XCurses, Issue 4, + Version 2 rather than in ncurses. + + +@@ -254,68 +273,68 @@ + External variables are provided for support of certain termcap applica- + tions. However, termcap applications' use of those variables is poorly + documented, e.g., not distinguishing between input and output. In par- +- ticular, some applications are reported to declare and/or modify <STRONG>os-</STRONG> ++ ticular, some applications are reported to declare and/or modify <STRONG>os-</STRONG> + <STRONG>peed</STRONG>. + +- The comment that only the first two characters of the <STRONG>id</STRONG> parameter are ++ The comment that only the first two characters of the <STRONG>id</STRONG> parameter are + used escapes many application developers. The original BSD 4.2 termcap + library (and historical relics thereof) did not require a trailing null +- NUL on the parameter name passed to <STRONG>tgetstr</STRONG>, <STRONG>tgetnum</STRONG> and <STRONG>tgetflag</STRONG>. +- Some applications assume that the termcap interface does not require ++ NUL on the parameter name passed to <STRONG>tgetstr</STRONG>, <STRONG>tgetnum</STRONG> and <STRONG>tgetflag</STRONG>. ++ Some applications assume that the termcap interface does not require + the trailing NUL for the parameter name. Taking into account these is- + sues: + +- <STRONG>o</STRONG> As a special case, <STRONG>tgetflag</STRONG> matched against a single-character +- identifier provided that was at the end of the terminal descrip- ++ <STRONG>o</STRONG> As a special case, <STRONG>tgetflag</STRONG> matched against a single-character ++ identifier provided that was at the end of the terminal descrip- + tion. You should not rely upon this behavior in portable programs. +- This implementation disallows matches against single-character ca- ++ This implementation disallows matches against single-character ca- + pability names. + +- <STRONG>o</STRONG> This implementation disallows matches by the termcap interface ++ <STRONG>o</STRONG> This implementation disallows matches by the termcap interface + against extended capability names which are longer than two charac- + ters. + + The BSD termcap function <STRONG>tgetent</STRONG> returns the text of a termcap entry in +- the buffer passed as an argument. This library (like other terminfo ++ the buffer passed as an argument. This library (like other terminfo + implementations) does not store terminal descriptions as text. It sets + the buffer contents to a null-terminated string. + + + </PRE><H3><a name="h3-Other-Compatibility">Other Compatibility</a></H3><PRE> +- This library includes a termcap.h header, for compatibility with other +- implementations. But the header is rarely used because the other im- ++ This library includes a termcap.h header, for compatibility with other ++ implementations. But the header is rarely used because the other im- + plementations are not strictly compatible. + + The original BSD termcap (through 4.3BSD) had no header file which gave + function prototypes, because that was a feature of ANSI C. BSD termcap +- was written several years before C was standardized. However, there ++ was written several years before C was standardized. However, there + were two different termcap.h header files in the BSD sources: + +- <STRONG>o</STRONG> One was used internally by the <STRONG>jove</STRONG> editor in 2BSD through 4.4BSD. ++ <STRONG>o</STRONG> One was used internally by the <STRONG>jove</STRONG> editor in 2BSD through 4.4BSD. + It defined global symbols for the termcap variables which it used. + +- <STRONG>o</STRONG> The other appeared in 4.4BSD Lite Release 2 (mid-1993) as part of ++ <STRONG>o</STRONG> The other appeared in 4.4BSD Lite Release 2 (mid-1993) as part of + <EM>libedit</EM> (also known as the <EM>editline</EM> library). The CSRG source his- +- tory shows that this was added in mid-1992. The <EM>libedit</EM> header +- file was used internally, as a convenience for compiling the <EM>edit-</EM> ++ tory shows that this was added in mid-1992. The <EM>libedit</EM> header ++ file was used internally, as a convenience for compiling the <EM>edit-</EM> + <EM>line</EM> library. It declared function prototypes, but no global vari- + ables. + +- The header file from <EM>libedit</EM> was added to NetBSD's termcap library in ++ The header file from <EM>libedit</EM> was added to NetBSD's termcap library in + mid-1994. + +- Meanwhile, GNU termcap was under development, starting in 1990. The +- first release (termcap 1.0) in 1991 included a termcap.h header. The +- second release (termcap 1.1) in September 1992 modified the header to ++ Meanwhile, GNU termcap was under development, starting in 1990. The ++ first release (termcap 1.0) in 1991 included a termcap.h header. The ++ second release (termcap 1.1) in September 1992 modified the header to + use <STRONG>const</STRONG> for the function prototypes in the header where one would ex- +- pect the parameters to be read-only. This was a difference versus the +- original BSD termcap. The prototype for <STRONG>tputs</STRONG> also differed, but in ++ pect the parameters to be read-only. This was a difference versus the ++ original BSD termcap. The prototype for <STRONG>tputs</STRONG> also differed, but in + that instance, it was <EM>libedit</EM> which differed from BSD termcap. + + A copy of GNU termcap 1.3 was bundled with <EM>bash</EM> in mid-1993, to support + the <STRONG>readline(3)</STRONG> library. + +- A termcap.h file was provided in ncurses 1.8.1 (November 1993). That ++ A termcap.h file was provided in ncurses 1.8.1 (November 1993). That + reflected influence by <STRONG>emacs(1)</STRONG> (rather than <STRONG>jove(1)</STRONG>) and GNU termcap: + + <STRONG>o</STRONG> it provided declarations for a few global symbols used by <STRONG>emacs</STRONG> +@@ -325,8 +344,8 @@ + <STRONG>o</STRONG> a prototype for <STRONG>tparam</STRONG> (a GNU termcap feature) was provided. + + Later (in mid-1996) the <STRONG>tparam</STRONG> function was removed from ncurses. As a +- result, there are differences between any of the four implementations, +- which must be taken into account by programs which can work with all ++ result, there are differences between any of the four implementations, ++ which must be taken into account by programs which can work with all + termcap library interfaces. + + +diff --git a/doc/html/man/curs_terminfo.3x.html b/doc/html/man/curs_terminfo.3x.html +index c50d7db3..480cafce 100644 +--- a/doc/html/man/curs_terminfo.3x.html ++++ b/doc/html/man/curs_terminfo.3x.html +@@ -1,6 +1,6 @@ + <!-- + **************************************************************************** +- * Copyright 2018-2022,2022 Thomas E. Dickey * ++ * Copyright 2018-2022,2023 Thomas E. Dickey * + * Copyright 1998-2016,2017 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -27,7 +27,7 @@ + * sale, use or other dealings in this Software without prior written * + * authorization. * + **************************************************************************** +- * @Id: curs_terminfo.3x,v 1.82 2022/06/04 22:47:05 tom Exp @ ++ * @Id: curs_terminfo.3x,v 1.83 2023/04/08 22:54:21 tom Exp @ + * *************************************************************************** + * *************************************************************************** + * *************************************************************************** +@@ -83,6 +83,9 @@ + <STRONG>int</STRONG> <STRONG>restartterm(const</STRONG> <STRONG>char</STRONG> <STRONG>*</STRONG><EM>term</EM><STRONG>,</STRONG> <STRONG>int</STRONG> <EM>filedes</EM><STRONG>,</STRONG> <STRONG>int</STRONG> <STRONG>*</STRONG><EM>errret</EM><STRONG>);</STRONG> + + <STRONG>char</STRONG> <STRONG>*tparm(const</STRONG> <STRONG>char</STRONG> <STRONG>*</STRONG><EM>str</EM><STRONG>,</STRONG> <STRONG>...);</STRONG> ++ <EM>or</EM> ++ <STRONG>char</STRONG> <STRONG>*tparm(const</STRONG> <STRONG>char</STRONG> <STRONG>*</STRONG><EM>str</EM><STRONG>,</STRONG> <STRONG>long</STRONG> <EM>p1</EM> <EM>...</EM> <STRONG>long</STRONG> <EM>p9</EM><STRONG>);</STRONG> ++ + <STRONG>int</STRONG> <STRONG>tputs(const</STRONG> <STRONG>char</STRONG> <STRONG>*</STRONG><EM>str</EM><STRONG>,</STRONG> <STRONG>int</STRONG> <EM>affcnt</EM><STRONG>,</STRONG> <STRONG>int</STRONG> <STRONG>(*</STRONG><EM>putc</EM><STRONG>)(int));</STRONG> + <STRONG>int</STRONG> <STRONG>putp(const</STRONG> <STRONG>char</STRONG> <STRONG>*</STRONG><EM>str</EM><STRONG>);</STRONG> + +@@ -398,6 +401,11 @@ + the initial windows (stdscr, curscr, newscr). Other error con- + ditions are documented above. + ++ <STRONG>tparm</STRONG> ++ returns a null if the capability would require unexpected pa- ++ rameters, e.g., too many, too few, or incorrect types (strings ++ where integers are expected, or vice versa). ++ + <STRONG>tputs</STRONG> + returns an error if the string parameter is null. It does not + detect I/O errors: X/Open states that <STRONG>tputs</STRONG> ignores the return +@@ -466,7 +474,6 @@ + <STRONG>Function</STRONG> <STRONG>Description</STRONG> + ------------------------------------------- + tigetflag get boolean entry for given <EM>id</EM> +- + tigetnum get numeric entry for given <EM>id</EM> + tigetstr get string entry for given <EM>id</EM> + +@@ -568,6 +575,34 @@ + In response to review comments by Thomas E. Dickey, X/Open Curses + Issue 7 proposed the <STRONG>tiparm</STRONG> function in mid-2009. + ++ While <STRONG>tiparm</STRONG> is always provided in ncurses, the older form is only ++ available as a build-time configuration option. If not specially ++ configured, <STRONG>tparm</STRONG> is the same as <STRONG>tiparm</STRONG>. ++ ++ Both forms of <STRONG>tparm</STRONG> have drawbacks: ++ ++ <STRONG>o</STRONG> Most of the calls to <STRONG>tparm</STRONG> use only one or two parameters. Passing ++ nine on each call is awkward. ++ ++ Using <STRONG>long</STRONG> for the numeric parameter type is a workaround to make ++ the parameter use the same amount of stack as a pointer. That ap- ++ proach dates back to the mid-1980s, before C was standarized. ++ Since then, there is a standard (and pointers are not required to ++ fit in a long). ++ ++ <STRONG>o</STRONG> Providing the right number of parameters for a variadic function ++ such as <STRONG>tiparm</STRONG> can be a problem, in particular for string parame- ++ ters. However, only a few terminfo capabilities use string parame- ++ ters (e.g., the ones used for programmable function keys). ++ ++ The ncurses library checks usage of these capabilities, and returns ++ an error if the capability mishandles string parameters. But it ++ cannot check if a calling program provides strings in the right ++ places for the <STRONG>tparm</STRONG> calls. ++ ++ The <STRONG><A HREF="tput.3x.html">tput(3x)</A></STRONG> program checks its use of these capabilities with a ++ table, so that it calls <STRONG>tparm</STRONG> correctly. ++ + + </PRE><H3><a name="h3-Special-TERM-treatment">Special TERM treatment</a></H3><PRE> + If configured to use the terminal-driver, e.g., for the MinGW port, +diff --git a/doc/html/man/form.3x.html b/doc/html/man/form.3x.html +index 422171c8..9551b458 100644 +--- a/doc/html/man/form.3x.html ++++ b/doc/html/man/form.3x.html +@@ -248,7 +248,7 @@ + <STRONG><A HREF="ncurses.3x.html">curses(3x)</A></STRONG> and related pages whose names begin "form_" for detailed + descriptions of the entry points. + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + +diff --git a/doc/html/man/infocmp.1m.html b/doc/html/man/infocmp.1m.html +index 81b95ac5..a72af34b 100644 +--- a/doc/html/man/infocmp.1m.html ++++ b/doc/html/man/infocmp.1m.html +@@ -514,7 +514,7 @@ + + https://invisible-island.net/ncurses/tctest.html + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + </PRE><H2><a name="h2-AUTHOR">AUTHOR</a></H2><PRE> +diff --git a/doc/html/man/infotocap.1m.html b/doc/html/man/infotocap.1m.html +index 1ea690cb..1ab52071 100644 +--- a/doc/html/man/infotocap.1m.html ++++ b/doc/html/man/infotocap.1m.html +@@ -91,7 +91,7 @@ + </PRE><H2><a name="h2-SEE-ALSO">SEE ALSO</a></H2><PRE> + <STRONG><A HREF="infocmp.1m.html">infocmp(1m)</A></STRONG>, <STRONG><A HREF="tic.1m.html">tic(1m)</A></STRONG>, <STRONG><A HREF="ncurses.3x.html">curses(3x)</A></STRONG>, <STRONG><A HREF="terminfo.5.html">terminfo(5)</A></STRONG> + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + </PRE><H2><a name="h2-AUTHOR">AUTHOR</a></H2><PRE> +diff --git a/doc/html/man/menu.3x.html b/doc/html/man/menu.3x.html +index a8f2c961..8f4641bf 100644 +--- a/doc/html/man/menu.3x.html ++++ b/doc/html/man/menu.3x.html +@@ -223,7 +223,7 @@ + <STRONG><A HREF="ncurses.3x.html">curses(3x)</A></STRONG> and related pages whose names begin "menu_" for detailed + descriptions of the entry points. + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + +diff --git a/doc/html/man/ncurses.3x.html b/doc/html/man/ncurses.3x.html +index ab2b69d1..9cf27bf5 100644 +--- a/doc/html/man/ncurses.3x.html ++++ b/doc/html/man/ncurses.3x.html +@@ -60,7 +60,7 @@ + method of updating character screens with reasonable optimization. + This implementation is "new curses" (ncurses) and is the approved + replacement for 4.4BSD classic curses, which has been discontinued. +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + The <STRONG>ncurses</STRONG> library emulates the curses library of System V Release 4 + UNIX, and XPG4 (X/Open Portability Guide) curses (also known as XSI +diff --git a/doc/html/man/ncurses6-config.1.html b/doc/html/man/ncurses6-config.1.html +index 0f64e3de..9cd27f50 100644 +--- a/doc/html/man/ncurses6-config.1.html ++++ b/doc/html/man/ncurses6-config.1.html +@@ -113,7 +113,7 @@ + </PRE><H2><a name="h2-SEE-ALSO">SEE ALSO</a></H2><PRE> + <STRONG><A HREF="ncurses.3x.html">curses(3x)</A></STRONG> + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + +diff --git a/doc/html/man/panel.3x.html b/doc/html/man/panel.3x.html +index 761a0fbd..0fd84723 100644 +--- a/doc/html/man/panel.3x.html ++++ b/doc/html/man/panel.3x.html +@@ -281,7 +281,7 @@ + </PRE><H2><a name="h2-SEE-ALSO">SEE ALSO</a></H2><PRE> + <STRONG><A HREF="ncurses.3x.html">curses(3x)</A></STRONG>, <STRONG><A HREF="curs_variables.3x.html">curs_variables(3x)</A></STRONG>, + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + </PRE><H2><a name="h2-AUTHOR">AUTHOR</a></H2><PRE> +diff --git a/doc/html/man/tabs.1.html b/doc/html/man/tabs.1.html +index 3e9f0f9d..228e17d8 100644 +--- a/doc/html/man/tabs.1.html ++++ b/doc/html/man/tabs.1.html +@@ -252,7 +252,7 @@ + </PRE><H2><a name="h2-SEE-ALSO">SEE ALSO</a></H2><PRE> + <STRONG><A HREF="infocmp.1m.html">infocmp(1m)</A></STRONG>, <STRONG><A HREF="tset.1.html">tset(1)</A></STRONG>, <STRONG><A HREF="ncurses.3x.html">curses(3x)</A></STRONG>, <STRONG><A HREF="terminfo.5.html">terminfo(5)</A></STRONG>. + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + +diff --git a/doc/html/man/terminfo.5.html b/doc/html/man/terminfo.5.html +index 23b27bfb..88986bf7 100644 +--- a/doc/html/man/terminfo.5.html ++++ b/doc/html/man/terminfo.5.html +@@ -106,7 +106,7 @@ + have, by specifying how to perform screen operations, and by specifying + padding requirements and initialization sequences. + +- This manual describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This manual describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + </PRE><H3><a name="h3-Terminfo-Entry-Syntax">Terminfo Entry Syntax</a></H3><PRE> +diff --git a/doc/html/man/tic.1m.html b/doc/html/man/tic.1m.html +index cced3343..6c12f037 100644 +--- a/doc/html/man/tic.1m.html ++++ b/doc/html/man/tic.1m.html +@@ -469,7 +469,7 @@ + <STRONG><A HREF="captoinfo.1m.html">captoinfo(1m)</A></STRONG>, <STRONG><A HREF="infocmp.1m.html">infocmp(1m)</A></STRONG>, <STRONG><A HREF="infotocap.1m.html">infotocap(1m)</A></STRONG>, <STRONG><A HREF="toe.1m.html">toe(1m)</A></STRONG>, <STRONG><A HREF="ncurses.3x.html">curses(3x)</A></STRONG>, + <STRONG><A HREF="term.5.html">term(5)</A></STRONG>. <STRONG><A HREF="terminfo.5.html">terminfo(5)</A></STRONG>. <STRONG><A HREF="user_caps.5.html">user_caps(5)</A></STRONG>. + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + </PRE><H2><a name="h2-AUTHOR">AUTHOR</a></H2><PRE> +diff --git a/doc/html/man/toe.1m.html b/doc/html/man/toe.1m.html +index a9151184..38859624 100644 +--- a/doc/html/man/toe.1m.html ++++ b/doc/html/man/toe.1m.html +@@ -171,7 +171,7 @@ + <STRONG><A HREF="captoinfo.1m.html">captoinfo(1m)</A></STRONG>, <STRONG><A HREF="infocmp.1m.html">infocmp(1m)</A></STRONG>, <STRONG><A HREF="infotocap.1m.html">infotocap(1m)</A></STRONG>, <STRONG><A HREF="tic.1m.html">tic(1m)</A></STRONG>, <STRONG><A HREF="ncurses.3x.html">curses(3x)</A></STRONG>, + <STRONG><A HREF="terminfo.5.html">terminfo(5)</A></STRONG>. + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + +diff --git a/doc/html/man/tput.1.html b/doc/html/man/tput.1.html +index 6a330a55..ee231640 100644 +--- a/doc/html/man/tput.1.html ++++ b/doc/html/man/tput.1.html +@@ -545,7 +545,7 @@ + </PRE><H2><a name="h2-SEE-ALSO">SEE ALSO</a></H2><PRE> + <STRONG><A HREF="clear.1.html">clear(1)</A></STRONG>, <STRONG>stty(1)</STRONG>, <STRONG><A HREF="tabs.1.html">tabs(1)</A></STRONG>, <STRONG><A HREF="tset.1.html">tset(1)</A></STRONG>, <STRONG><A HREF="curs_termcap.3x.html">curs_termcap(3x)</A></STRONG>, <STRONG><A HREF="terminfo.5.html">terminfo(5)</A></STRONG>. + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + +diff --git a/doc/html/man/tset.1.html b/doc/html/man/tset.1.html +index c610a8c8..19396d91 100644 +--- a/doc/html/man/tset.1.html ++++ b/doc/html/man/tset.1.html +@@ -391,7 +391,7 @@ + <STRONG>csh(1)</STRONG>, <STRONG>sh(1)</STRONG>, <STRONG>stty(1)</STRONG>, <STRONG><A HREF="curs_terminfo.3x.html">curs_terminfo(3x)</A></STRONG>, <STRONG>tty(4)</STRONG>, <STRONG><A HREF="terminfo.5.html">terminfo(5)</A></STRONG>, + <STRONG>ttys(5)</STRONG>, <STRONG>environ(7)</STRONG> + +- This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20221231). ++ This describes <STRONG>ncurses</STRONG> version 6.4 (patch 20230408). + + + +diff --git a/man/curs_termcap.3x b/man/curs_termcap.3x +index e073d940..1630658d 100644 +--- a/man/curs_termcap.3x ++++ b/man/curs_termcap.3x +@@ -1,5 +1,5 @@ + .\"*************************************************************************** +-.\" Copyright 2018-2022,2022 Thomas E. Dickey * ++.\" Copyright 2018-2022,2023 Thomas E. Dickey * + .\" Copyright 1998-2017,2018 Free Software Foundation, Inc. * + .\" * + .\" Permission is hereby granted, free of charge, to any person obtaining a * +@@ -27,7 +27,7 @@ + .\" authorization. * + .\"*************************************************************************** + .\" +-.\" $Id: curs_termcap.3x,v 1.56 2022/02/12 20:05:11 tom Exp $ ++.\" $Id: curs_termcap.3x,v 1.57 2023/04/08 21:43:01 tom Exp $ + .TH curs_termcap 3X "" + .ie \n(.g .ds `` \(lq + .el .ds `` `` +@@ -173,7 +173,13 @@ It does this also for calls requiring only a single parameter. + In that case, the first parameter is merely a placeholder. + .bP + Normally the ncurses library is compiled with terminfo support. +-In that case, \fBtgoto\fP uses \fBtparm\fP(3X) (a more capable formatter). ++In that case, \fBtgoto\fP uses an internal version of ++\fBtparm\fP(3X) (a more capable formatter). ++.IP ++With terminfo support, \fBtgoto\fP is able to use some of the terminfo ++features, but not all. ++In particular, it allows only numeric parameters; ++\fBtparm\fP supports string parameters. + .IP + However, \fBtparm\fP is not a \fItermcap\fP feature, + and portable \fItermcap\fP applications should not rely upon its availability. +@@ -229,6 +235,20 @@ routines that return an integer return \fBERR\fP upon failure and \fBOK\fP + completion. + .PP + Routines that return pointers return \fBNULL\fP on error. ++.PP ++A few special cases apply: ++.bP ++If the terminal database has not been initialized, ++these return an error. ++.bP ++The calls with a string parameter (\fBtgoto\fP, \fBtputs\fP) ++check if the string is null, or cancelled. ++Those return an error. ++.bP ++A call to \fBtgoto\fP using a capability with string parameters is an error. ++.bP ++A call to \fBtgoto\fP using a capability with no parameters, ++or more than two is an error. + .SH BUGS + If you call \fBtgetstr\fP to fetch \fBca\fP or any other parameterized string, + be aware that it will be returned in terminfo notation, not the older and +diff --git a/man/curs_terminfo.3x b/man/curs_terminfo.3x +index 00ae1349..5ea01ee6 100644 +--- a/man/curs_terminfo.3x ++++ b/man/curs_terminfo.3x +@@ -1,5 +1,5 @@ + .\"*************************************************************************** +-.\" Copyright 2018-2022,2022 Thomas E. Dickey * ++.\" Copyright 2018-2022,2023 Thomas E. Dickey * + .\" Copyright 1998-2016,2017 Free Software Foundation, Inc. * + .\" * + .\" Permission is hereby granted, free of charge, to any person obtaining a * +@@ -27,7 +27,7 @@ + .\" authorization. * + .\"*************************************************************************** + .\" +-.\" $Id: curs_terminfo.3x,v 1.82 2022/06/04 22:47:05 tom Exp $ ++.\" $Id: curs_terminfo.3x,v 1.83 2023/04/08 22:54:21 tom Exp $ + .TH curs_terminfo 3X "" + .ie \n(.g .ds `` \(lq + .el .ds `` `` +@@ -86,6 +86,10 @@ + .sp + \fBchar *tparm(const char *\fIstr\fB, ...);\fR + .br ++ \fIor\fP ++.br ++\fBchar *tparm(const char *\fIstr\fB, long \fIp1 ... \fBlong \fIp9\fB);\fR ++.sp + \fBint tputs(const char *\fIstr\fB, int \fIaffcnt\fB, int (*\fIputc\fB)(int));\fR + .br + \fBint putp(const char *\fIstr\fB);\fR +@@ -463,6 +467,11 @@ if it cannot allocate enough memory, or + create the initial windows (stdscr, curscr, newscr). + Other error conditions are documented above. + .TP 5 ++\fBtparm\fP ++returns a null if the capability would require unexpected parameters, ++e.g., too many, too few, or incorrect types ++(strings where integers are expected, or vice versa). ++.TP 5 + \fBtputs\fP + returns an error if the string parameter is null. + It does not detect I/O errors: +@@ -663,6 +672,34 @@ zeroes are fine for this purpose. + .IP + In response to review comments by Thomas E. Dickey, + X/Open Curses Issue 7 proposed the \fBtiparm\fP function in mid-2009. ++.IP ++While \fBtiparm\fP is always provided in ncurses, ++the older form is only available as a build-time configuration option. ++If not specially configured, \fBtparm\fP is the same as \fBtiparm\fP. ++.PP ++Both forms of \fBtparm\fP have drawbacks: ++.bP ++Most of the calls to \fBtparm\fP use only one or two parameters. ++Passing nine on each call is awkward. ++.IP ++Using \fBlong\fP for the numeric parameter type is a workaround ++to make the parameter use the same amount of stack as a pointer. ++That approach dates back to the mid-1980s, before C was standarized. ++Since then, there is a standard ++(and pointers are not required to fit in a long). ++.bP ++Providing the right number of parameters for a variadic function ++such as \fBtiparm\fP can be a problem, in particular for string parameters. ++However, only a few terminfo capabilities use string parameters ++(e.g., the ones used for programmable function keys). ++.IP ++The ncurses library checks usage of these capabilities, ++and returns an error if the capability mishandles string parameters. ++But it cannot check if a calling program provides strings in the right ++places for the \fBtparm\fP calls. ++.IP ++The \fBtput\fR(3X) program checks its use of these capabilities with a table, ++so that it calls \fBtparm\fP correctly. + .SS Special TERM treatment + .PP + If configured to use the terminal-driver, +diff --git a/misc/terminfo.src b/misc/terminfo.src +index ef78948a..07713a81 100644 +--- a/misc/terminfo.src ++++ b/misc/terminfo.src +@@ -6,8 +6,8 @@ + # Report bugs and new terminal descriptions to + # bug-ncurses@gnu.org + # +-# $Revision: 1.1041 $ +-# $Date: 2022/12/29 20:11:56 $ ++# $Revision: 1.1057 $ ++# $Date: 2023/04/08 21:08:00 $ + # + # The original header is preserved below for reference. It is noted that there + # is a "newer" version which differs in some cosmetic details (but actually +@@ -7756,7 +7756,7 @@ alacritty+common|base fragment for alacritty, + use=xterm-basic, use=xterm+app, use=ansi+rep, + use=xterm+tmux, use=ecma+strikeout, use=xterm+sl-twm, + use=ecma+italics, use=xterm+pce2, use=xterm+pcc2, +- use=xterm+pcf2, use=bracketed+paste, ++ use=xterm+pcf2, use=bracketed+paste, use=xterm+focus, + + #### Kitty + # https://github.com/kovidgoyal/kitty +@@ -27717,4 +27717,7 @@ v3220|LANPAR Vision II model 3220/3221/3222, + # + correct PS vs PE names in bracketed+paste (report by Bram Moolenaar) + # -TD + # ++# 2023-04-08 ++# + add xterm+focus to alacritty+common (patch by Christian Duerr). ++# + ######## SHANTIH! SHANTIH! SHANTIH! +diff --git a/ncurses/tinfo/lib_tgoto.c b/ncurses/tinfo/lib_tgoto.c +index 9cf5e100..084a322f 100644 +--- a/ncurses/tinfo/lib_tgoto.c ++++ b/ncurses/tinfo/lib_tgoto.c +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2018-2019,2020 Thomas E. Dickey * ++ * Copyright 2018-2020,2023 Thomas E. Dickey * + * Copyright 2000-2008,2012 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -36,7 +36,7 @@ + #include <ctype.h> + #include <termcap.h> + +-MODULE_ID("$Id: lib_tgoto.c,v 1.21 2020/05/27 23:55:56 tom Exp $") ++MODULE_ID("$Id: lib_tgoto.c,v 1.22 2023/04/08 13:48:58 tom Exp $") + + #if !PURE_TERMINFO + static bool +@@ -207,6 +207,14 @@ tgoto(const char *string, int x, int y) + result = tgoto_internal(string, x, y); + else + #endif +- result = TIPARM_2(string, y, x); ++ if ((result = TIPARM_2(string, y, x)) == NULL) { ++ /* ++ * Because termcap did not provide a more general solution such as ++ * tparm(), it was necessary to handle single-parameter capabilities ++ * using tgoto(). The internal _nc_tiparm() function returns a NULL ++ * for that case; retry for the single-parameter case. ++ */ ++ result = TIPARM_1(string, y); ++ } + returnPtr(result); + } +diff --git a/ncurses/tinfo/lib_tparm.c b/ncurses/tinfo/lib_tparm.c +index d9bdfd8f..8988a3d4 100644 +--- a/ncurses/tinfo/lib_tparm.c ++++ b/ncurses/tinfo/lib_tparm.c +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2018-2020,2021 Thomas E. Dickey * ++ * Copyright 2018-2021,2023 Thomas E. Dickey * + * Copyright 1998-2016,2017 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -53,7 +53,7 @@ + #include <ctype.h> + #include <tic.h> + +-MODULE_ID("$Id: lib_tparm.c,v 1.137 2021/11/20 23:29:15 tom Exp $") ++MODULE_ID("$Id: lib_tparm.c,v 1.141 2023/04/08 18:24:18 tom Exp $") + + /* + * char * +@@ -1086,6 +1086,64 @@ tparam_internal(TPARM_STATE *tps, const char *string, TPARM_DATA *data) + return (TPS(out_buff)); + } + ++#ifdef CUR ++/* ++ * Only a few standard capabilities accept string parameters. The others that ++ * are parameterized accept only numeric parameters. ++ */ ++static bool ++check_string_caps(TPARM_DATA *data, const char *string) ++{ ++ bool result = FALSE; ++ ++#define CHECK_CAP(name) (VALID_STRING(name) && !strcmp(name, string)) ++ ++ /* ++ * Disallow string parameters unless we can check them against a terminal ++ * description. ++ */ ++ if (cur_term != NULL) { ++ int want_type = 0; ++ ++ if (CHECK_CAP(pkey_key)) ++ want_type = 2; /* function key #1, type string #2 */ ++ else if (CHECK_CAP(pkey_local)) ++ want_type = 2; /* function key #1, execute string #2 */ ++ else if (CHECK_CAP(pkey_xmit)) ++ want_type = 2; /* function key #1, transmit string #2 */ ++ else if (CHECK_CAP(plab_norm)) ++ want_type = 2; /* label #1, show string #2 */ ++ else if (CHECK_CAP(pkey_plab)) ++ want_type = 6; /* function key #1, type string #2, show string #3 */ ++#if NCURSES_XNAMES ++ else { ++ char *check; ++ ++ check = tigetstr("Cs"); ++ if (CHECK_CAP(check)) ++ want_type = 1; /* style #1 */ ++ ++ check = tigetstr("Ms"); ++ if (CHECK_CAP(check)) ++ want_type = 3; /* storage unit #1, content #2 */ ++ } ++#endif ++ ++ if (want_type == data->tparm_type) { ++ result = TRUE; ++ } else { ++ T(("unexpected string-parameter")); ++ } ++ } ++ return result; ++} ++ ++#define ValidCap() (myData.tparm_type == 0 || \ ++ check_string_caps(&myData, string)) ++#else ++#define ValidCap() 1 ++#endif ++ + #if NCURSES_TPARM_VARARGS + + NCURSES_EXPORT(char *) +@@ -1100,7 +1158,7 @@ tparm(const char *string, ...) + tps->tname = "tparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK) { ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { + va_list ap; + + va_start(ap, string); +@@ -1135,7 +1193,7 @@ tparm(const char *string, + tps->tname = "tparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK) { ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { + + myData.param[0] = a1; + myData.param[1] = a2; +@@ -1166,7 +1224,7 @@ tiparm(const char *string, ...) + tps->tname = "tiparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK) { ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { + va_list ap; + + va_start(ap, string); +@@ -1179,7 +1237,25 @@ tiparm(const char *string, ...) + } + + /* +- * The internal-use flavor ensures that the parameters are numbers, not strings ++ * The internal-use flavor ensures that parameters are numbers, not strings. ++ * In addition to ensuring that they are numbers, it ensures that the parameter ++ * count is consistent with intended usage. ++ * ++ * Unlike the general-purpose tparm/tiparm, these internal calls are fairly ++ * well defined: ++ * ++ * expected == 0 - not applicable ++ * expected == 1 - set color, or vertical/horizontal addressing ++ * expected == 2 - cursor addressing ++ * expected == 4 - initialize color or color pair ++ * expected == 9 - set attributes ++ * ++ * Only for the last case (set attributes) should a parameter be optional. ++ * Also, a capability which calls for more parameters than expected should be ++ * ignored. ++ * ++ * Return a null if the parameter-checks fail. Otherwise, return a pointer to ++ * the formatted capability string. + */ + NCURSES_EXPORT(char *) + _nc_tiparm(int expected, const char *string, ...) +@@ -1189,22 +1265,36 @@ _nc_tiparm(int expected, const char *string, ...) + char *result = NULL; + + _nc_tparm_err = 0; ++ T((T_CALLED("_nc_tiparm(%d, %s, ...)"), expected, _nc_visbuf(string))); + #ifdef TRACE + tps->tname = "_nc_tiparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK +- && myData.num_actual <= expected +- && myData.tparm_type == 0) { +- va_list ap; ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { ++ if (myData.num_actual == 0) { ++ T(("missing parameter%s, expected %s%d", ++ expected > 1 ? "s" : "", ++ expected == 9 ? "up to " : "", ++ expected)); ++ } else if (myData.num_actual > expected) { ++ T(("too many parameters, have %d, expected %d", ++ myData.num_actual, ++ expected)); ++ } else if (expected != 9 && myData.num_actual != expected) { ++ T(("expected %d parameters, have %d", ++ myData.num_actual, ++ expected)); ++ } else { ++ va_list ap; + +- va_start(ap, string); +- tparm_copy_valist(&myData, FALSE, ap); +- va_end(ap); ++ va_start(ap, string); ++ tparm_copy_valist(&myData, FALSE, ap); ++ va_end(ap); + +- result = tparam_internal(tps, string, &myData); ++ result = tparam_internal(tps, string, &myData); ++ } + } +- return result; ++ returnPtr(result); + } + + /* +diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c +index 2b1875ed..9c6e9b0e 100644 +--- a/ncurses/tinfo/read_entry.c ++++ b/ncurses/tinfo/read_entry.c +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2018-2021,2022 Thomas E. Dickey * ++ * Copyright 2018-2022,2023 Thomas E. Dickey * + * Copyright 1998-2016,2017 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -42,7 +42,7 @@ + + #include <tic.h> + +-MODULE_ID("$Id: read_entry.c,v 1.164 2022/05/08 00:11:44 tom Exp $") ++MODULE_ID("$Id: read_entry.c,v 1.165 2023/04/08 20:14:49 tom Exp $") + + #define MyNumber(n) (short) LOW_MSB(n) + +@@ -323,6 +323,9 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit) + || bool_count < 0 + || num_count < 0 + || str_count < 0 ++ || bool_count > BOOLCOUNT ++ || num_count > NUMCOUNT ++ || str_count > STRCOUNT + || str_size < 0) { + returnDB(TGETENT_NO); + } +diff --git a/package/ncurses.spec b/package/ncurses.spec +index 72d4e245..a7572864 100644 +--- a/package/ncurses.spec ++++ b/package/ncurses.spec +@@ -1,7 +1,7 @@ + Summary: shared libraries for terminal handling + Name: ncurses6 + Version: 6.4 +-Release: 20221231 ++Release: 20230408 + License: X11 + Group: Development/Libraries + Source: ncurses-%{version}-%{release}.tgz +diff --git a/package/ncursest.spec b/package/ncursest.spec +index 8729842d..f1d073d1 100644 +--- a/package/ncursest.spec ++++ b/package/ncursest.spec +@@ -1,7 +1,7 @@ + Summary: Curses library with POSIX thread support. + Name: ncursest6 + Version: 6.4 +-Release: 20221231 ++Release: 20230408 + License: X11 + Group: Development/Libraries + Source: ncurses-%{version}-%{release}.tgz +diff --git a/progs/tic.c b/progs/tic.c +index 93a0b491..7ae61677 100644 +--- a/progs/tic.c ++++ b/progs/tic.c +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2018-2021,2022 Thomas E. Dickey * ++ * Copyright 2018-2022,2023 Thomas E. Dickey * + * Copyright 1998-2017,2018 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -49,7 +49,7 @@ + #include <parametrized.h> + #include <transform.h> + +-MODULE_ID("$Id: tic.c,v 1.320 2022/09/17 18:55:28 tom Exp $") ++MODULE_ID("$Id: tic.c,v 1.321 2023/04/08 15:51:57 tom Exp $") + + #define STDIN_NAME "<stdin>" + +@@ -2270,9 +2270,15 @@ check_1_infotocap(const char *name, NCURSES_CONST char *value, int count) + + _nc_reset_tparm(NULL); + switch (actual) { ++ case Str: ++ result = TPARM_1(value, strings[1]); ++ break; + case Num_Str: + result = TPARM_2(value, numbers[1], strings[2]); + break; ++ case Str_Str: ++ result = TPARM_2(value, strings[1], strings[2]); ++ break; + case Num_Str_Str: + result = TPARM_3(value, numbers[1], strings[2], strings[3]); + break; +diff --git a/progs/tparm_type.c b/progs/tparm_type.c +index 3da4a077..4fed96a5 100644 +--- a/progs/tparm_type.c ++++ b/progs/tparm_type.c +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2020 Thomas E. Dickey * ++ * Copyright 2020,2023 Thomas E. Dickey * + * Copyright 2014,2015 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -33,7 +33,7 @@ + + #include <tparm_type.h> + +-MODULE_ID("$Id: tparm_type.c,v 1.4 2020/10/24 17:30:32 tom Exp $") ++MODULE_ID("$Id: tparm_type.c,v 1.5 2023/04/08 15:57:01 tom Exp $") + + /* + * Lookup the type of call we should make to tparm(). This ignores the actual +@@ -47,6 +47,7 @@ tparm_type(const char *name) + {code, {longname} }, \ + {code, {ti} }, \ + {code, {tc} } ++#define XD(code, onlyname) TD(code, onlyname, onlyname, onlyname) + TParams result = Numbers; + /* *INDENT-OFF* */ + static const struct { +@@ -58,6 +59,10 @@ tparm_type(const char *name) + TD(Num_Str, "pkey_xmit", "pfx", "px"), + TD(Num_Str, "plab_norm", "pln", "pn"), + TD(Num_Str_Str, "pkey_plab", "pfxl", "xl"), ++#if NCURSES_XNAMES ++ XD(Str, "Cs"), ++ XD(Str_Str, "Ms"), ++#endif + }; + /* *INDENT-ON* */ + +@@ -80,12 +85,16 @@ guess_tparm_type(int nparam, char **p_is_s) + case 1: + if (!p_is_s[0]) + result = Numbers; ++ if (p_is_s[0]) ++ result = Str; + break; + case 2: + if (!p_is_s[0] && !p_is_s[1]) + result = Numbers; + if (!p_is_s[0] && p_is_s[1]) + result = Num_Str; ++ if (p_is_s[0] && p_is_s[1]) ++ result = Str_Str; + break; + case 3: + if (!p_is_s[0] && !p_is_s[1] && !p_is_s[2]) +diff --git a/progs/tparm_type.h b/progs/tparm_type.h +index 7c102a30..2f7bd077 100644 +--- a/progs/tparm_type.h ++++ b/progs/tparm_type.h +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2020 Thomas E. Dickey * ++ * Copyright 2020,2023 Thomas E. Dickey * + * Copyright 2014 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -32,7 +32,7 @@ + ****************************************************************************/ + + /* +- * $Id: tparm_type.h,v 1.3 2020/10/24 17:11:33 tom Exp $ ++ * $Id: tparm_type.h,v 1.4 2023/04/08 15:41:20 tom Exp $ + * + * determine expected/actual number of parameters to setup for tparm + */ +@@ -45,8 +45,10 @@ + typedef enum { + Other = -1 + ,Numbers = 0 ++ ,Str + ,Num_Str + ,Num_Str_Str ++ ,Str_Str + } TParams; + + extern TParams tparm_type(const char *name); +diff --git a/progs/tput.c b/progs/tput.c +index 4cd0c5ba..41508b72 100644 +--- a/progs/tput.c ++++ b/progs/tput.c +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2018-2021,2022 Thomas E. Dickey * ++ * Copyright 2018-2022,2023 Thomas E. Dickey * + * Copyright 1998-2016,2017 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -47,12 +47,15 @@ + #include <transform.h> + #include <tty_settings.h> + +-MODULE_ID("$Id: tput.c,v 1.99 2022/02/26 23:19:31 tom Exp $") ++MODULE_ID("$Id: tput.c,v 1.102 2023/04/08 16:26:36 tom Exp $") + + #define PUTS(s) fputs(s, stdout) + + const char *_nc_progname = "tput"; + ++static bool opt_v = FALSE; /* quiet, do not show warnings */ ++static bool opt_x = FALSE; /* clear scrollback if possible */ ++ + static bool is_init = FALSE; + static bool is_reset = FALSE; + static bool is_clear = FALSE; +@@ -81,6 +84,7 @@ usage(const char *optstring) + KEEP(" -S << read commands from standard input") + KEEP(" -T TERM use this instead of $TERM") + KEEP(" -V print curses-version") ++ KEEP(" -v verbose, show warnings") + KEEP(" -x do not try to clear scrollback") + KEEP("") + KEEP("Commands:") +@@ -148,7 +152,7 @@ exit_code(int token, int value) + * Returns nonzero on error. + */ + static int +-tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) ++tput_cmd(int fd, TTY * settings, int argc, char **argv, int *used) + { + NCURSES_CONST char *name; + char *s; +@@ -231,7 +235,9 @@ tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) + } else if (VALID_STRING(s)) { + if (argc > 1) { + int k; ++ int narg; + int analyzed; ++ int provided; + int popcount; + long numbers[1 + NUM_PARM]; + char *strings[1 + NUM_PARM]; +@@ -271,14 +277,45 @@ tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) + + popcount = 0; + _nc_reset_tparm(NULL); ++ /* ++ * Count the number of numeric parameters which are provided. ++ */ ++ provided = 0; ++ for (narg = 1; narg < argc; ++narg) { ++ char *ending = NULL; ++ long check = strtol(argv[narg], &ending, 10); ++ if (check < 0 || ending == argv[narg] || *ending != '\0') ++ break; ++ provided = narg; ++ } + switch (paramType) { ++ case Str: ++ s = TPARM_1(s, strings[1]); ++ analyzed = 1; ++ if (provided == 0 && argc >= 1) ++ provided++; ++ break; ++ case Str_Str: ++ s = TPARM_2(s, strings[1], strings[2]); ++ analyzed = 2; ++ if (provided == 0 && argc >= 1) ++ provided++; ++ if (provided == 1 && argc >= 2) ++ provided++; ++ break; + case Num_Str: + s = TPARM_2(s, numbers[1], strings[2]); + analyzed = 2; ++ if (provided == 1 && argc >= 2) ++ provided++; + break; + case Num_Str_Str: + s = TPARM_3(s, numbers[1], strings[2], strings[3]); + analyzed = 3; ++ if (provided == 1 && argc >= 2) ++ provided++; ++ if (provided == 2 && argc >= 3) ++ provided++; + break; + case Numbers: + analyzed = _nc_tparm_analyze(NULL, s, p_is_s, &popcount); +@@ -316,7 +353,13 @@ tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) + if (analyzed < popcount) { + analyzed = popcount; + } +- *used += analyzed; ++ if (opt_v && (analyzed != provided)) { ++ fprintf(stderr, "%s: %s parameters for \"%s\"\n", ++ _nc_progname, ++ (analyzed < provided ? "extra" : "missing"), ++ argv[0]); ++ } ++ *used += provided; + } + + /* use putp() in order to perform padding */ +@@ -339,7 +382,6 @@ main(int argc, char **argv) + int used; + TTY old_settings; + TTY tty_settings; +- bool opt_x = FALSE; /* clear scrollback if possible */ + bool is_alias; + bool need_tty; + +@@ -348,7 +390,7 @@ main(int argc, char **argv) + + term = getenv("TERM"); + +- while ((c = getopt(argc, argv, is_alias ? "T:Vx" : "ST:Vx")) != -1) { ++ while ((c = getopt(argc, argv, is_alias ? "T:Vvx" : "ST:Vvx")) != -1) { + switch (c) { + case 'S': + cmdline = FALSE; +@@ -361,6 +403,9 @@ main(int argc, char **argv) + case 'V': + puts(curses_version()); + ExitProgram(EXIT_SUCCESS); ++ case 'v': /* verbose */ ++ opt_v = TRUE; ++ break; + case 'x': /* do not try to clear scrollback */ + opt_x = TRUE; + break; +@@ -404,7 +449,7 @@ main(int argc, char **argv) + usage(NULL); + while (argc > 0) { + tty_settings = old_settings; +- code = tput_cmd(fd, &tty_settings, opt_x, argc, argv, &used); ++ code = tput_cmd(fd, &tty_settings, argc, argv, &used); + if (code != 0) + break; + argc -= used; +@@ -439,7 +484,7 @@ main(int argc, char **argv) + while (argnum > 0) { + int code; + tty_settings = old_settings; +- code = tput_cmd(fd, &tty_settings, opt_x, argnum, argnow, &used); ++ code = tput_cmd(fd, &tty_settings, argnum, argnow, &used); + if (code != 0) { + if (result == 0) + result = ErrSystem(0); /* will return value >4 */ +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-tic-hang.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-tic-hang.patch new file mode 100644 index 000000000..f98a943e5 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-tic-hang.patch @@ -0,0 +1,43 @@ +From 168ba7a681be73ac024438e33e14fde1d5aea97d Mon Sep 17 00:00:00 2001 +From: Hongxu Jia <hongxu.jia@windriver.com> +Date: Fri, 30 Mar 2018 10:02:24 +0800 +Subject: [PATCH 1/2] tic hang + +Upstream-Status: Inappropriate [configuration] + +'tic' of some linux distributions (e.g. fedora 11) hang in an infinite +loop when processing the original file. + +Signed-off-by: anonymous + +Rebase to 6.1 +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + misc/terminfo.src | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/misc/terminfo.src b/misc/terminfo.src +index 84f4810..6b385ec 100644 +--- a/misc/terminfo.src ++++ b/misc/terminfo.src +@@ -5562,12 +5562,11 @@ konsole-xf3x|KDE console window with keyboard for XFree86 3.x xterm, + # The value for kbs (see konsole-vt100) reflects local customization rather + # than the settings used for XFree86 xterm. + konsole-xf4x|KDE console window with keyboard for XFree86 4.x xterm, +- kend=\EOF, khome=\EOH, use=konsole+pcfkeys, +- use=konsole-vt100, +- +-konsole+pcfkeys|konsole subset of xterm+pcfkeys, +- kcbt=\E[Z, use=xterm+pcc2, use=xterm+pcf0, +- use=xterm+pce2, ++ kend=\EOF, kf1=\EOP, kf13=\EO2P, kf14=\EO2Q, kf15=\EO2R, ++ kf16=\EO2S, kf17=\E[15;2~, kf18=\E[17;2~, kf19=\E[18;2~, ++ kf2=\EOQ, kf20=\E[19;2~, kf21=\E[20;2~, kf22=\E[21;2~, ++ kf23=\E[23;2~, kf24=\E[24;2~, kf3=\EOR, kf4=\EOS, ++ khome=\EOH, use=konsole-vt100, + + # Obsolete: vt100.keymap + # KDE's "vt100" keyboard has no relationship to any terminal that DEC made, but +-- +1.8.3.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch deleted file mode 100644 index 1cef2e810..000000000 --- a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 0ed8a4953f9179d0f077f24779f1cb51c8e9a126 Mon Sep 17 00:00:00 2001 -From: ankita prasad <ankita.prasad@intel.com> -Date: Tue, 12 Jul 2022 17:51:01 +0000 -Subject: [PATCH] Fix added to mitigate CVE-2022-29458 - -ncurses 6.3 before patch 20220416 has an out-of-bounds read -and segmentation violation in convert_strings in tinfo/read_entry.c -in the terminfo library. -The fix is picked from - https://github.com/mirror/ncurses/commit/4c9f63c460cb7134f142aa65f6866c175ed77605 -for the file tinfo/read_entry.c. - -Signed-off-by: Ankita Prasad <ankita.prasad@intel.com> ---- - ncurses/tinfo/read_entry.c | 21 +++++++++++++++++---- - 1 file changed, 17 insertions(+), 4 deletions(-) - -diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c -index 5b570b0f..06c0c437 100644 ---- a/ncurses/tinfo/read_entry.c -+++ b/ncurses/tinfo/read_entry.c -@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) - { - int i; - char *p; -+ bool corrupt = FALSE; - - for (i = 0; i < count; i++) { - if (IS_NEG1(buf + 2 * i)) { -@@ -154,17 +155,29 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) - } else if (MyNumber(buf + 2 * i) > size) { - Strings[i] = ABSENT_STRING; - } else { -- Strings[i] = (MyNumber(buf + 2 * i) + table); -- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i]))); -+ int nn = MyNumber(buf + 2 * i); -+ if (nn >= 0 && nn < size) { -+ Strings[i] = (nn + table); -+ TR(TRACE_DATABASE, ("Strings[%d] = %s", i, -+ _nc_visbuf(Strings[i]))); -+ } else { -+ if (!corrupt) { -+ corrupt = TRUE; -+ TR(TRACE_DATABASE, -+ ("ignore out-of-range index %d to Strings[]", nn)); -+ _nc_warning("corrupt data found in convert_strings"); -+ } -+ Strings[i] = ABSENT_STRING; -+ } - } - - /* make sure all strings are NUL terminated */ - if (VALID_STRING(Strings[i])) { -- for (p = Strings[i]; p <= table + size; p++) -+ for (p = Strings[i]; p < table + size; p++) - if (*p == '\0') - break; - /* if there is no NUL, ignore the string */ -- if (p > table + size) -+ if (p >= table + size) - Strings[i] = ABSENT_STRING; - } - } --- -2.25.1 - diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-configure-reproducible.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-configure-reproducible.patch new file mode 100644 index 000000000..66f26c06a --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-configure-reproducible.patch @@ -0,0 +1,33 @@ +From ec87e53066a9942e9aaba817d71268342f5e83b9 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia <hongxu.jia@windriver.com> +Date: Wed, 16 Aug 2017 14:45:27 +0800 +Subject: [PATCH] configure: reproducible + +"configure" enforces -U for ar flags, breaking deterministic builds. +The flag was added to fix some vaguely specified "recent POSIX binutil +build problems" in 2015. + +Upstream-Status: Pending +Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> + +Rebase to 6.1 + +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> + +--- + configure | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure b/configure +index 421cf859..a1b7840d 100755 +--- a/configure ++++ b/configure +@@ -5072,7 +5072,7 @@ else + ;; + (*) + cf_cv_ar_flags=unknown +- for cf_ar_flags in -curvU -curv curv -crv crv -cqv cqv -rv rv ++ for cf_ar_flags in -curv curv -crv crv -cqv cqv -rv rv + do + + # check if $ARFLAGS already contains this choice diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch new file mode 100644 index 000000000..a15694d4d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch @@ -0,0 +1,30 @@ +From 10cd0c12a6e14fb4f0498c299c1dd32720b710da Mon Sep 17 00:00:00 2001 +From: Nathan Rossi <nathan@nathanrossi.com> +Date: Mon, 14 Dec 2020 13:39:02 +1000 +Subject: [PATCH] gen-pkgconfig.in: Do not include LDFLAGS in generated pc + files + +Including the LDFLAGS in the pkgconfig output is problematic as OE +includes build host specific paths and options (e.g. uninative and +'-Wl,--dynamic-linker='). + +Upstream-Status: Inappropriate [OE Specific] +Signed-off-by: Nathan Rossi <nathan@nathanrossi.com> + +--- + misc/gen-pkgconfig.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/misc/gen-pkgconfig.in b/misc/gen-pkgconfig.in +index a45dd54f..85273054 100644 +--- a/misc/gen-pkgconfig.in ++++ b/misc/gen-pkgconfig.in +@@ -83,7 +83,7 @@ if [ "$includedir" != "/usr/include" ]; then + fi + + lib_flags= +-for opt in -L$libdir @EXTRA_PKG_LDFLAGS@ @LIBS@ ++for opt in -L$libdir @LIBS@ + do + case $opt in + -l*) # LIBS is handled specially below diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/exit_prototype.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/exit_prototype.patch new file mode 100644 index 000000000..fd961512e --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/exit_prototype.patch @@ -0,0 +1,32 @@ +From 4a769a441d7e57a23017c3037cde3e53fb9f35fe Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Tue, 30 Aug 2022 15:58:32 -0700 +Subject: [PATCH] Add needed headers for including mbstate_t and exit() + +Upstream-Status: Inappropriate [Reconfigure will solve it] +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- + configure | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/configure b/configure +index f377f551..163f8899 100755 +--- a/configure ++++ b/configure +@@ -3423,6 +3423,7 @@ rm -f "conftest.$ac_objext" "conftest.$ac_ext" + cat >"conftest.$ac_ext" <<_ACEOF + #line 3424 "configure" + #include "confdefs.h" ++#include <stdlib.h> + $ac_declaration + int + main (void) +@@ -13111,6 +13112,7 @@ cat >"conftest.$ac_ext" <<_ACEOF + #include <stdlib.h> + #include <stdarg.h> + #include <stdio.h> ++#include <wchar.h> + #ifdef HAVE_LIBUTF8_H + #include <libutf8.h> + #endif diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend deleted file mode 100644 index 7f1ce36c2..000000000 --- a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend +++ /dev/null @@ -1,4 +0,0 @@ -FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" -SRC_URI += "file://0001-Fix-heap-buffer-overflow-in-captoinfo.patch \ - file://0002-Fix-added-to-mitigate-CVE-2022-29458.patch \ - " diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_6.4.bb b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_6.4.bb new file mode 100644 index 000000000..c72c3e30e --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_6.4.bb @@ -0,0 +1,20 @@ +require ncurses.inc + +SRC_URI += "file://0001-tic-hang.patch \ + file://0002-configure-reproducible.patch \ + file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \ + file://exit_prototype.patch \ + " + +#Include CVE mitigation patches. +SRC_URI += "file://0001-patch-20230408-CVE-2023-29491.patch \ + " + +# commit id corresponds to the revision in package version +SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f" +S = "${WORKDIR}/git" +EXTRA_OECONF += "--with-abi-version=5" +UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)$" + +# This is needed when using patchlevel versions like 6.1+20181013 +#CVE_VERSION = "${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}" diff --git a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/CVE-2022-3821.patch b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/CVE-2022-3821.patch new file mode 100644 index 000000000..5e32866f1 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/CVE-2022-3821.patch @@ -0,0 +1,24 @@ +From 8d2d0895229cfbe39c1c5c16e61e426812a72e8b Mon Sep 17 00:00:00 2001 +From: Yu Watanabe <watanabe.yu+github@gmail.com> +Date: Thu, 7 Jul 2022 18:27:02 +0900 +Subject: [PATCH] time-util: fix buffer-over-run + +Fixes #23928. +--- + src/basic/time-util.c | 2 +- + src/test/test-time-util.c | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/basic/time-util.c b/src/basic/time-util.c +index abbc4ad5cd70..26d59de12348 100644 +--- a/src/basic/time-util.c ++++ b/src/basic/time-util.c +@@ -591,7 +591,7 @@ char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) { + t = b; + } + +- n = MIN((size_t) k, l); ++ n = MIN((size_t) k, l-1); + + l -= n; + p += n; diff --git a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend index 262f557e0..66d3a9bdc 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend @@ -4,6 +4,7 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI += "file://0002-Add-event-log-for-system-time-synchronization.patch \ file://0003-Added-timeout-to-systemd-networkd-wait-online.servic.patch \ + file://CVE-2022-3821.patch \ " # We don't support loadable modules in kernel config |