Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch | 65 |
1 files changed, 0 insertions, 65 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch
deleted file mode 100644
index 1cef2e810..000000000
--- a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch
+++ /dev/null
@@ -1,65 +0,0 @@ -From 0ed8a4953f9179d0f077f24779f1cb51c8e9a126 Mon Sep 17 00:00:00 2001 -From: ankita prasad <ankita.prasad@intel.com> -Date: Tue, 12 Jul 2022 17:51:01 +0000 -Subject: [PATCH] Fix added to mitigate CVE-2022-29458 - -ncurses 6.3 before patch 20220416 has an out-of-bounds read -and segmentation violation in convert_strings in tinfo/read_entry.c -in the terminfo library. -The fix is picked from - https://github.com/mirror/ncurses/commit/4c9f63c460cb7134f142aa65f6866c175ed77605 -for the file tinfo/read_entry.c. - -Signed-off-by: Ankita Prasad <ankita.prasad@intel.com> ---- - ncurses/tinfo/read_entry.c | 21 +++++++++++++++++---- - 1 file changed, 17 insertions(+), 4 deletions(-) - -diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c -index 5b570b0f..06c0c437 100644 ---- a/ncurses/tinfo/read_entry.c -+++ b/ncurses/tinfo/read_entry.c -@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) - { - int i; - char *p; -+ bool corrupt = FALSE; - - for (i = 0; i < count; i++) { - if (IS_NEG1(buf + 2 * i)) { -@@ -154,17 +155,29 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) - } else if (MyNumber(buf + 2 * i) > size) { - Strings[i] = ABSENT_STRING; - } else { -- Strings[i] = (MyNumber(buf + 2 * i) + table); -- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i]))); -+ int nn = MyNumber(buf + 2 * i); -+ if (nn >= 0 && nn < size) { -+ Strings[i] = (nn + table); -+ TR(TRACE_DATABASE, ("Strings[%d] = %s", i, -+ _nc_visbuf(Strings[i]))); -+ } else { -+ if (!corrupt) { -+ corrupt = TRUE; -+ TR(TRACE_DATABASE, -+ ("ignore out-of-range index %d to Strings[]", nn)); -+ _nc_warning("corrupt data found in convert_strings"); -+ } -+ Strings[i] = ABSENT_STRING; -+ } - } - - /* make sure all strings are NUL terminated */ - if (VALID_STRING(Strings[i])) { -- for (p = Strings[i]; p <= table + size; p++) -+ for (p = Strings[i]; p < table + size; p++) - if (*p == '\0') - break; - 
/* if there is no NUL, ignore the string */ -- if (p > table + size) -+ if (p >= table + size) - Strings[i] = ABSENT_STRING; - } - } --- -2.25.1 - |