diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch')
| -rw-r--r-- | meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch new file mode 100644 index 000000000..1cef2e810 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch @@ -0,0 +1,65 @@ +From 0ed8a4953f9179d0f077f24779f1cb51c8e9a126 Mon Sep 17 00:00:00 2001 +From: ankita prasad <ankita.prasad@intel.com> +Date: Tue, 12 Jul 2022 17:51:01 +0000 +Subject: [PATCH] Fix added to mitigate CVE-2022-29458 + +ncurses 6.3 before patch 20220416 has an out-of-bounds read +and segmentation violation in convert_strings in tinfo/read_entry.c +in the terminfo library. +The fix is picked from - https://github.com/mirror/ncurses/commit/4c9f63c460cb7134f142aa65f6866c175ed77605 +for the file tinfo/read_entry.c. + +Signed-off-by: Ankita Prasad <ankita.prasad@intel.com> +--- + ncurses/tinfo/read_entry.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c +index 5b570b0f..06c0c437 100644 +--- a/ncurses/tinfo/read_entry.c ++++ b/ncurses/tinfo/read_entry.c +@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + { + int i; + char *p; ++ bool corrupt = FALSE; + + for (i = 0; i < count; i++) { + if (IS_NEG1(buf + 2 * i)) { +@@ -154,17 +155,29 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + } else if (MyNumber(buf + 2 * i) > size) { + Strings[i] = ABSENT_STRING; + } else { +- Strings[i] = (MyNumber(buf + 2 * i) + table); +- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i]))); ++ int nn = MyNumber(buf + 2 * i); ++ if (nn >= 0 && nn < size) { ++ Strings[i] = (nn + table); ++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i, ++ _nc_visbuf(Strings[i]))); ++ } else { ++ if (!corrupt) { ++ corrupt = TRUE; ++ TR(TRACE_DATABASE, ++ ("ignore out-of-range index %d to Strings[]", nn)); ++ _nc_warning("corrupt data found in convert_strings"); ++ } ++ Strings[i] = ABSENT_STRING; ++ } + } + + /* make sure all strings are NUL terminated */ + if (VALID_STRING(Strings[i])) { +- for (p = Strings[i]; p <= table + size; p++) ++ for (p = Strings[i]; p < table + size; p++) + if (*p == '\0') + break; + /* if there is no NUL, ignore the string */ +- if (p > table + size) ++ if (p >= table + size) + Strings[i] = ABSENT_STRING; + } + } +-- +2.25.1 + |