main/ncurses: backport security fix (CVE-2018-10754)

fixes #9284
author: Natanael Copa <ncopa@alpinelinux.org> 2018-08-21 16:48:02 +0200
committer: Natanael Copa <ncopa@alpinelinux.org> 2018-08-21 16:50:24 +0200
commit: d510fa929a7f6ede654295930273de33fd0e9b15 (patch)
tree: 563b966a324f8bfd882599e53773d562eba024a9
parent: d87903ef0e2c9558f9ca6a23af7eb28438a10ccf (diff)
download: alpine_aports-d510fa929a7f6ede654295930273de33fd0e9b15.tar.bz2
alpine_aports-d510fa929a7f6ede654295930273de33fd0e9b15.tar.xz
alpine_aports-d510fa929a7f6ede654295930273de33fd0e9b15.zip
2 files changed, 25 insertions, 4 deletions
diff --git a/main/ncurses/APKBUILD b/main/ncurses/APKBUILD
index 8335265258..69e149a738 100644
--- a/main/ncurses/APKBUILD
+++ b/main/ncurses/APKBUILD
@@ -2,21 +2,24 @@
 pkgname=ncurses
 pkgver=6.0_p20171125
 _ver=${pkgver%_p*}-${pkgver#*_p}
-pkgrel=0
+pkgrel=1
 pkgdesc="Console display library"
 url="http://www.gnu.org/software/ncurses/"
 arch="all"
 license=MIT
 depends=
 makedepends_build="ncurses"
-source="http://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz"
+source="http://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz
+        CVE-2018-10754.patch
+        "
 subpackages="$pkgname-static $pkgname-dev $pkgname-doc
        $pkgname-terminfo-base:base $pkgname-terminfo $pkgname-libs"
 builddir="$srcdir"/ncurses-$_ver
 # secfixes:
+#   6.0_p20171125-r1:
+#     - CVE-2018-10754
 #   6.0_p20171125-r0:
 #     - CVE-2017-16879
 #   6.0_p20170930-r0:
@@ -112,4 +115,5 @@ static() {
        mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/
 }
-sha512sums="b06336a4696d5d5195177c0226f34aefebff05035247d43e1b958fb2098efb0fc2bf5a3c9d402c7c5e8fec65d03f5f290a84ef624f4a2f9348499551c5f4f09b  ncurses-6.0-20171125.tgz"
+sha512sums="b06336a4696d5d5195177c0226f34aefebff05035247d43e1b958fb2098efb0fc2bf5a3c9d402c7c5e8fec65d03f5f290a84ef624f4a2f9348499551c5f4f09b  ncurses-6.0-20171125.tgz
+215c93fcb9ff1dd112454262b0b42bfc9c27b17cb46950899451f515a862e3db78e5bd021f1cd13bccb032d8a1f8ca17e07cfe9c940457d309a1c3895819138f  CVE-2018-10754.patch"
diff --git a/main/ncurses/CVE-2018-10754.patch b/main/ncurses/CVE-2018-10754.patch
new file mode 100644
index 0000000000..377caa3b40
--- /dev/null
+++ b/main/ncurses/CVE-2018-10754.patch
@@ -0,0 +1,17 @@
+Index: ncurses/tinfo/parse_entry.c
+--- ncurses-6.1-20180407+/ncurses/tinfo/parse_entry.c   2017-08-26 19:49:50.000000000 +0000
+++ ncurses-6.1-20180414/ncurses/tinfo/parse_entry.c    2018-04-14 17:41:12.000000000 +0000
+@@ -543,9 +543,11 @@
+                 * Otherwise, look for a base entry that will already
+                 * have picked up defaults via translation.
+                 */
+-               for (i = 0; i < entryp->nuses; i++)
+-                   if (!strchr((char *) entryp->uses[i].name, '+'))
+               for (i = 0; i < entryp->nuses; i++) {
+                   if (entryp->uses[i].name != 0
+                       && !strchr(entryp->uses[i].name, '+'))
+                        has_base_entry = TRUE;
+               }
+            }
+ 
+            postprocess_termcap(&entryp->tterm, has_base_entry);
author	Natanael Copa <ncopa@alpinelinux.org>	2018-08-21 16:48:02 +0200
committer	Natanael Copa <ncopa@alpinelinux.org>	2018-08-21 16:50:24 +0200
commit	d510fa929a7f6ede654295930273de33fd0e9b15 (patch)
tree	563b966a324f8bfd882599e53773d562eba024a9
parent	d87903ef0e2c9558f9ca6a23af7eb28438a10ccf (diff)
download	alpine_aports-d510fa929a7f6ede654295930273de33fd0e9b15.tar.bz2 alpine_aports-d510fa929a7f6ede654295930273de33fd0e9b15.tar.xz alpine_aports-d510fa929a7f6ede654295930273de33fd0e9b15.zip

diff --git a/main/ncurses/APKBUILD b/main/ncurses/APKBUILD index 8335265258..69e149a738 100644 --- a/main/ncurses/APKBUILD +++ b/main/ncurses/APKBUILD
@@ -2,21 +2,24 @@
2	pkgname=ncurses	2	pkgname=ncurses
3	pkgver=6.0_p20171125	3	pkgver=6.0_p20171125
4	_ver=${pkgver%_p}-${pkgver#_p}	4	_ver=${pkgver%_p}-${pkgver#_p}
5	pkgrel=0	5	pkgrel=1
6	pkgdesc="Console display library"	6	pkgdesc="Console display library"
7	url="http://www.gnu.org/software/ncurses/"	7	url="http://www.gnu.org/software/ncurses/"
8	arch="all"	8	arch="all"
9	license=MIT	9	license=MIT
10	depends=	10	depends=
11	makedepends_build="ncurses"	11	makedepends_build="ncurses"
12	source="http://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz"	12	source="http://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz
13		13	CVE-2018-10754.patch
		14	"
14	subpackages="$pkgname-static $pkgname-dev $pkgname-doc	15	subpackages="$pkgname-static $pkgname-dev $pkgname-doc
15	$pkgname-terminfo-base:base $pkgname-terminfo $pkgname-libs"	16	$pkgname-terminfo-base:base $pkgname-terminfo $pkgname-libs"
16		17
17	builddir="$srcdir"/ncurses-$_ver	18	builddir="$srcdir"/ncurses-$_ver
18		19
19	# secfixes:	20	# secfixes:
		21	# 6.0_p20171125-r1:
		22	# - CVE-2018-10754
20	# 6.0_p20171125-r0:	23	# 6.0_p20171125-r0:
21	# - CVE-2017-16879	24	# - CVE-2017-16879
22	# 6.0_p20170930-r0:	25	# 6.0_p20170930-r0:
@@ -112,4 +115,5 @@ static() {
112	mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/	115	mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib/
113	}	116	}
114		117
115	sha512sums="b06336a4696d5d5195177c0226f34aefebff05035247d43e1b958fb2098efb0fc2bf5a3c9d402c7c5e8fec65d03f5f290a84ef624f4a2f9348499551c5f4f09b ncurses-6.0-20171125.tgz"	118	sha512sums="b06336a4696d5d5195177c0226f34aefebff05035247d43e1b958fb2098efb0fc2bf5a3c9d402c7c5e8fec65d03f5f290a84ef624f4a2f9348499551c5f4f09b ncurses-6.0-20171125.tgz
		119	215c93fcb9ff1dd112454262b0b42bfc9c27b17cb46950899451f515a862e3db78e5bd021f1cd13bccb032d8a1f8ca17e07cfe9c940457d309a1c3895819138f CVE-2018-10754.patch"


diff --git a/main/ncurses/CVE-2018-10754.patch b/main/ncurses/CVE-2018-10754.patch new file mode 100644 index 0000000000..377caa3b40 --- /dev/null +++ b/main/ncurses/CVE-2018-10754.patch
@@ -0,0 +1,17 @@
		1	Index: ncurses/tinfo/parse_entry.c
		2	--- ncurses-6.1-20180407+/ncurses/tinfo/parse_entry.c 2017-08-26 19:49:50.000000000 +0000
		3	+++ ncurses-6.1-20180414/ncurses/tinfo/parse_entry.c 2018-04-14 17:41:12.000000000 +0000
		4	@@ -543,9 +543,11 @@
		5	* Otherwise, look for a base entry that will already
		6	* have picked up defaults via translation.
		7	*/
		8	- for (i = 0; i < entryp->nuses; i++)
		9	- if (!strchr((char *) entryp->uses[i].name, '+'))
		10	+ for (i = 0; i < entryp->nuses; i++) {
		11	+ if (entryp->uses[i].name != 0
		12	+ && !strchr(entryp->uses[i].name, '+'))
		13	has_base_entry = TRUE;
		14	+ }
		15	}
		16
		17	postprocess_termcap(&entryp->tterm, has_base_entry);