Version in base suite: 6.2+20201114-2 Base version: ncurses_6.2+20201114-2 Target version: ncurses_6.2+20201114-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/ncurses/ncurses_6.2+20201114-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/ncurses/ncurses_6.2+20201114-2+deb11u1.dsc changelog | 15 ++++ gitlab-ci.yml | 3 patches/CVE-2022-29458.diff | 82 ++++++++++++++++++++++ patches/fix_crash_on_very_long_tc-use_clause.diff | 44 +++++++++++ patches/series | 2 source/lintian-overrides | 3 6 files changed, 149 insertions(+)
diff -Nru ncurses-6.2+20201114/debian/changelog ncurses-6.2+20201114/debian/changelog
--- ncurses-6.2+20201114/debian/changelog 2021-01-01 15:02:10.000000000 +0000
+++ ncurses-6.2+20201114/debian/changelog 2023-02-08 19:16:03.000000000 +0000
@@ -1,3 +1,18 @@
+ncurses (6.2+20201114-2+deb11u1) bullseye; urgency=medium
+
+ * New patch CVE-2022-29458.diff: add a limit-check to guard against
+ corrupt terminfo data (report/testcase by NCNIPC of China,
+ CVE-2022-29458), fix backported from the 20220416 upstream patchlevel
+ (Closes: #1009870). Thanks to Thorsten Alteholz for the patch.
+ * New patch fix_crash_on_very_long_tc-use_clause.diff, cherry-picked
+ from the 20230121 patchlevel: correct limit-check when dumping tc/use
+ clause via tic -I (report by Gabriel Ravier, Closes: #1029399).
+ * Use bullseye as the release in the Salsa CI pipeline.
+ * Add a lintian override for source-is-missing in the Ada documentation
+ (see #1019980).
+
+ -- Sven Joachim Wed, 08 Feb 2023 20:16:03 +0100
+
 ncurses (6.2+20201114-2) unstable; urgency=medium
 
 * New patch 02-fix-mlterm.diff, cherry-picked from the 20201205 upstream
diff -Nru ncurses-6.2+20201114/debian/gitlab-ci.yml ncurses-6.2+20201114/debian/gitlab-ci.yml
--- ncurses-6.2+20201114/debian/gitlab-ci.yml 2021-01-01 09:31:15.000000000 +0000
+++ ncurses-6.2+20201114/debian/gitlab-ci.yml 2023-01-28 11:24:41.000000000 +0000
@@ -1,3 +1,6 @@
 include:
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bullseye'
diff -Nru ncurses-6.2+20201114/debian/patches/CVE-2022-29458.diff ncurses-6.2+20201114/debian/patches/CVE-2022-29458.diff
--- ncurses-6.2+20201114/debian/patches/CVE-2022-29458.diff 1970-01-01 00:00:00.000000000 +0000
+++ ncurses-6.2+20201114/debian/patches/CVE-2022-29458.diff 2023-01-28 11:03:58.000000000 +0000
@@ -0,0 +1,82 @@
+Author: Thorsten Alteholz
+Description: Backport upstream fix for CVE-2022-29458
+ Add a limit-check to guard against corrupt terminfo data
+ (report/testcase by NCNIPC of China), fix backported from the
+ 20220416 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/1009870
+Forwarded: Not-needed
+Last-Update: 2023-01-28
+
+---
+ ncurses/tinfo/alloc_entry.c | 10 ++++------
+ ncurses/tinfo/read_entry.c | 17 +++++++++++++++--
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+--- a/ncurses/tinfo/alloc_entry.c
++++ b/ncurses/tinfo/alloc_entry.c
+@@ -53,8 +53,6 @@ MODULE_ID("$Id: alloc_entry.c,v 1.64 202
+ #define ABSENT_OFFSET -1
+ #define CANCELLED_OFFSET -2
+
+-#define MAX_STRTAB 4096 /* documented maximum entry size */
+-
+ static char *stringbuf; /* buffer for string capabilities */
+ static size_t next_free; /* next free character in stringbuf */
+
+@@ -72,7 +70,7 @@ _nc_init_entry(ENTRY * const tp)
+ #endif
+
+ if (stringbuf == 0)
+- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
++ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
+
+ next_free = 0;
+
+@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
+ * Cheat a little by making an empty string point to the end of the
+ * previous string.
+ */
+- if (next_free < MAX_STRTAB) {
++ if (next_free < MAX_ENTRY_SIZE) {
+ result = (stringbuf + next_free - 1);
+ }
+- } else if (next_free + len < MAX_STRTAB) {
+- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
++ } else if (next_free + len < MAX_ENTRY_SIZE) {
++ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
+ DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
+ DEBUG(7, ("at location %d", (int) next_free));
+ next_free += len;
+--- a/ncurses/tinfo/read_entry.c
++++ b/ncurses/tinfo/read_entry.c
+@@ -145,6 +145,7 @@ convert_strings(char *buf, char **String
+ {
+ int i;
+ char *p;
++ bool corrupt = FALSE;
+
+ for (i = 0; i < count; i++) {
+ if (IS_NEG1(buf + 2 * i)) {
+@@ -154,8 +155,20 @@ convert_strings(char *buf, char **String
+ } else if (MyNumber(buf + 2 * i) > size) {
+ Strings[i] = ABSENT_STRING;
+ } else {
+- Strings[i] = (MyNumber(buf + 2 * i) + table);
+- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
++ int nn = MyNumber(buf + 2 * i);
++ if (nn >= 0 && nn < size) {
++ Strings[i] = (nn + table);
++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
++ _nc_visbuf(Strings[i])));
++ } else {
++ if (!corrupt) {
++ corrupt = TRUE;
++ TR(TRACE_DATABASE,
++ ("ignore out-of-range index %d to Strings[]", nn));
++ _nc_warning("corrupt data found in convert_strings");
++ }
++ Strings[i] = ABSENT_STRING;
++ }
+ }
+
+ /* make sure all strings are NUL terminated */
diff -Nru ncurses-6.2+20201114/debian/patches/fix_crash_on_very_long_tc-use_clause.diff ncurses-6.2+20201114/debian/patches/fix_crash_on_very_long_tc-use_clause.diff
--- ncurses-6.2+20201114/debian/patches/fix_crash_on_very_long_tc-use_clause.diff 1970-01-01 00:00:00.000000000 +0000
+++ ncurses-6.2+20201114/debian/patches/fix_crash_on_very_long_tc-use_clause.diff 2023-01-28 11:16:18.000000000 +0000
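Review bot: In convert_strings (read_entry.c), the older `} else if (MyNumber(buf + 2 * i) > size) {` arm is kept, so an offset past the end of the table is still marked absent silently, and the new `_nc_warning("corrupt data found in convert_strings")` is reached only when the offset equals `size` or is a negative value the earlier tests let through. Removing that arm would let the new `if (nn >= 0 && nn < size)` test classify and report every out-of-range offset in one place. In _nc_save_str (alloc_entry.c), `_nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE)` passes the size of the whole buffer although the copy starts `next_free` bytes in, so the bound that actually protects the write is the `next_free + len < MAX_ENTRY_SIZE` test; `MAX_ENTRY_SIZE - next_free` would make the argument match the space left. Both functions start and end outside the quoted hunks, and `len` and `MAX_ENTRY_SIZE` are defined elsewhere.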
@@ -0,0 +1,44 @@
+Author: Sven Joachim
+Description: Fix tic crash on very long tc/use clauses
+ Correct limit-check when dumping tc/use clause via tic -I (report by
+ Gabriel Ravier), fix cherry-picked from the 20230121 upstream patchlevel.
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-01/msg00035.html
+Bug-Debian: https://bugs.debian.org/1029399
+Forwarded: not-needed
+Last-Update: 2023-01-22
+
+---
+ progs/dump_entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/progs/dump_entry.c
++++ b/progs/dump_entry.c
+@@ -1641,15 +1641,25 @@ dump_entry(TERMTYPE2 *tterm,
+ }
+
+ void
+-dump_uses(const char *name, bool infodump)
++dump_uses(const char *value, bool infodump)
+ /* dump "use=" clauses in the appropriate format */
+ {
+- char buffer[MAX_TERMINFO_LENGTH];
++ char buffer[MAX_TERMINFO_LENGTH + EXTRA_CAP];
++ int limit = (VALID_STRING(value) ? (int) strlen(value) : 0);
++ const char *cap = infodump ? "use" : "tc";
+
+ if (TcOutput())
+ trim_trailing();
++ if (limit == 0) {
++ _nc_warning("empty \"%s\" field", cap);
++ value = "";
++ } else if (limit > MAX_ALIAS) {
++ _nc_warning("\"%s\" field too long (%d), limit to %d",
++ cap, limit, MAX_ALIAS);
++ limit = MAX_ALIAS;
++ }
+ _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
+- "%s%s", infodump ? "use=" : "tc=", name);
++ "%s=%.*s", cap, limit, value);
+ wrap_concat1(buffer);
+ }
+
diff -Nru ncurses-6.2+20201114/debian/patches/series ncurses-6.2+20201114/debian/patches/series
--- ncurses-6.2+20201114/debian/patches/series 2021-01-01 10:23:09.000000000 +0000
+++ ncurses-6.2+20201114/debian/patches/series 2023-01-28 11:16:18.000000000 +0000
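Review bot: In dump_uses, `int limit = (VALID_STRING(value) ? (int) strlen(value) : 0);` narrows a size_t to int before the clamp, so a length above INT_MAX would come out negative, skip both the `limit == 0` and `limit > MAX_ALIAS` branches, and reach `%.*s` as a negative precision, which printf treats as if no precision were given. A tc/use clause that long is unlikely, but keeping the length in a size_t (`size_t len = VALID_STRING(value) ? strlen(value) : 0;`) and converting to int only after comparing with MAX_ALIAS removes the case. The write is also safe only if MAX_ALIAS plus the `use=`/`tc=` prefix fits in `MAX_TERMINFO_LENGTH + EXTRA_CAP`; neither constant is defined in this hunk, and whether `_nc_SLIMIT` enforces a bound is not visible here, so a short comment at the `buffer` declaration stating that relation would help the next reader.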
@@ -4,3 +4,5 @@
 02-debian-xterm.diff
 02-fix-mlterm.diff
 03-debian-ncursesconfig-omit-L.diff
+CVE-2022-29458.diff
+fix_crash_on_very_long_tc-use_clause.diff
diff -Nru ncurses-6.2+20201114/debian/source/lintian-overrides ncurses-6.2+20201114/debian/source/lintian-overrides
--- ncurses-6.2+20201114/debian/source/lintian-overrides 2021-01-01 09:31:15.000000000 +0000
+++ ncurses-6.2+20201114/debian/source/lintian-overrides 2023-02-06 17:30:22.000000000 +0000
@@ -2,3 +2,6 @@
 # package, no point in describing them differently.
 ncurses source: duplicate-short-description libncurses5-dev libncursesw5-dev libtinfo-dev
 ncurses source: duplicate-long-description libncurses5-dev libncursesw5-dev libtinfo-dev
+
+# Silence overzealousness, see https://bugs.debian.org/1019980
+ncurses source: source-is-missing [doc/html/ada/*]