Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ncur...@packages.debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:ncurses
I would like to fix two crash bugs in tic(1) & friends for Bullseye. There have been various similar issues in the previous years which we usually fixed in point releases.

[ Reason ]
1. Bug #1009870[1] aka CVE-2022-29458[2]
2. Bug #1029399[3]

[ Impact ]
1. Out-of-bounds read in the tinfo library could lead to crashes and potential code execution on crafted input. This usually requires the victim's assistance.
2. Stack buffer overflow can lead to a crash in tic on crafted input. This usually requires the victim's assistance.

[ Tests ]
1. The upstream bug report contains a reproducer[4]. It requires building ncurses with -fsanitize=address which I did. This confirmed that the original code has the bug, and the patch seems to fix it.
2. The upstream bug report contains a reproducer[5]. It crashes Bullseye's tic version, but not the patched one.

Additionally, I verified that the terminfo database in the ncurses-base and ncurses-term packages is identical to the one in version 6.2+20201114-2.

[ Risks ]
1. The upstream fixes in the 20220416 patchlevel do not apply cleanly and needed to be backported, which Thorsten Alteholz did in DLA-3167-1[6] for Bullseye LTS. This obviously increases the risk of something going wrong, however the same change has been in Buster LTS for over three months, and I have not heard of any complaints. While this fix touches the tinfo library, the code in question is, to the best of my knowledge, only used by tic and its aliases as it deals with terminfo source files.
2. The upstream fix from the 20230121 patchlevel applies cleanly and is fairly small, so I think the risk is low. This issue only affects the tic program, not the library.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issues are verified as fixed in unstable

[ Changes ]
1. Backport fixes from the 20220416 patchlevel. This has been done by Thorsten Alteholz in 6.1+20181013-2+deb10u3 for Buster LTS, and his patch applies cleanly to the Bullseye version. I have reviewed and fixed up minor issues with the patch such as trailing leading spaces followed by tabs.
2. Cherry-pick bug fix from the 20230121 upstream patchlevel. This is identical to the patch that went into ncurses 6.4-2.
3. Two small changes that help with CI and do not affect the binary packages: Set the release to bullseye in the Salsa CI, and add a lintian override for false-positive errors triggered by lintian 2.115 and newer.

[ Other info ]
Since ncurses builds a udeb, I have put debian-boot in X-Debbugs-Cc. The changes should not affect the installer.

Cheers,
Sven

1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870
2. https://security-tracker.debian.org/tracker/CVE-2022-29458
3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029399
4. https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html
5. https://lists.gnu.org/archive/html/bug-ncurses/2023-01/msg00035.html
6. https://security-tracker.debian.org/tracker/DLA-3167-1
diff -Nru ncurses-6.2+20201114/debian/changelog ncurses-6.2+20201114/debian/changelog --- ncurses-6.2+20201114/debian/changelog 2021-01-01 16:02:10.000000000 +0100 +++ ncurses-6.2+20201114/debian/changelog 2023-02-08 20:16:03.000000000 +0100 @@ -1,3 +1,18 @@ +ncurses (6.2+20201114-2+deb11u1) bullseye; urgency=medium + + * New patch CVE-2022-29458.diff: add a limit-check to guard against + corrupt terminfo data (report/testcase by NCNIPC of China, + CVE-2022-29458), fix backported from the 20220416 upstream patchlevel + (Closes: #1009870). Thanks to Thorsten Alteholz for the patch. + * New patch fix_crash_on_very_long_tc-use_clause.diff, cherry-picked + from the 20230121 patchlevel: correct limit-check when dumping tc/use + clause via tic -I (report by Gabriel Ravier, Closes: #1029399). + * Use bullseye as the release in the Salsa CI pipeline. + * Add a lintian override for source-is-missing in the Ada documentation + (see #1019980). + + -- Sven Joachim <svenj...@gmx.de> Wed, 08 Feb 2023 20:16:03 +0100 + ncurses (6.2+20201114-2) unstable; urgency=medium * New patch 02-fix-mlterm.diff, cherry-picked from the 20201205 upstream diff -Nru ncurses-6.2+20201114/debian/gitlab-ci.yml ncurses-6.2+20201114/debian/gitlab-ci.yml --- ncurses-6.2+20201114/debian/gitlab-ci.yml 2021-01-01 10:31:15.000000000 +0100 +++ ncurses-6.2+20201114/debian/gitlab-ci.yml 2023-01-28 12:24:41.000000000 +0100 @@ -1,3 +1,6 @@ include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'bullseye' diff -Nru ncurses-6.2+20201114/debian/patches/CVE-2022-29458.diff ncurses-6.2+20201114/debian/patches/CVE-2022-29458.diff --- ncurses-6.2+20201114/debian/patches/CVE-2022-29458.diff 1970-01-01 01:00:00.000000000 +0100 +++ ncurses-6.2+20201114/debian/patches/CVE-2022-29458.diff 2023-01-28 12:03:58.000000000 +0100 
@@ -0,0 +1,82 @@ +Author: Thorsten Alteholz <deb...@alteholz.de> +Description: Backport upstream fix for CVE-2022-29458 + Add a limit-check to guard against corrupt terminfo data + (report/testcase by NCNIPC of China), fix backported from the + 20220416 upstream patchlevel. +Bug-Debian: https://bugs.debian.org/1009870 +Forwarded: Not-needed +Last-Update: 2023-01-28 + +--- + ncurses/tinfo/alloc_entry.c | 10 ++++------ + ncurses/tinfo/read_entry.c | 17 +++++++++++++++-- + 2 files changed, 19 insertions(+), 8 deletions(-) + +--- a/ncurses/tinfo/alloc_entry.c ++++ b/ncurses/tinfo/alloc_entry.c +@@ -53,8 +53,6 @@ MODULE_ID("$Id: alloc_entry.c,v 1.64 202 + #define ABSENT_OFFSET -1 + #define CANCELLED_OFFSET -2 + +-#define MAX_STRTAB 4096 /* documented maximum entry size */ +- + static char *stringbuf; /* buffer for string capabilities */ + static size_t next_free; /* next free character in stringbuf */ + +@@ -72,7 +70,7 @@ _nc_init_entry(ENTRY * const tp) + #endif + + if (stringbuf == 0) +- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf); ++ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf); + + next_free = 0; + +@@ -108,11 +106,11 @@ _nc_save_str(const char *const string) + * Cheat a little by making an empty string point to the end of the + * previous string. 
+ */ +- if (next_free < MAX_STRTAB) { ++ if (next_free < MAX_ENTRY_SIZE) { + result = (stringbuf + next_free - 1); + } +- } else if (next_free + len < MAX_STRTAB) { +- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB); ++ } else if (next_free + len < MAX_ENTRY_SIZE) { ++ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE); + DEBUG(7, ("Saved string %s", _nc_visbuf(string))); + DEBUG(7, ("at location %d", (int) next_free)); + next_free += len; +--- a/ncurses/tinfo/read_entry.c ++++ b/ncurses/tinfo/read_entry.c +@@ -145,6 +145,7 @@ convert_strings(char *buf, char **String + { + int i; + char *p; ++ bool corrupt = FALSE; + + for (i = 0; i < count; i++) { + if (IS_NEG1(buf + 2 * i)) { +@@ -154,8 +155,20 @@ convert_strings(char *buf, char **String + } else if (MyNumber(buf + 2 * i) > size) { + Strings[i] = ABSENT_STRING; + } else { +- Strings[i] = (MyNumber(buf + 2 * i) + table); +- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i]))); ++ int nn = MyNumber(buf + 2 * i); ++ if (nn >= 0 && nn < size) { ++ Strings[i] = (nn + table); ++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i, ++ _nc_visbuf(Strings[i]))); ++ } else { ++ if (!corrupt) { ++ corrupt = TRUE; ++ TR(TRACE_DATABASE, ++ ("ignore out-of-range index %d to Strings[]", nn)); ++ _nc_warning("corrupt data found in convert_strings"); ++ } ++ Strings[i] = ABSENT_STRING; ++ } + } + + /* make sure all strings are NUL terminated */ diff -Nru ncurses-6.2+20201114/debian/patches/fix_crash_on_very_long_tc-use_clause.diff ncurses-6.2+20201114/debian/patches/fix_crash_on_very_long_tc-use_clause.diff --- ncurses-6.2+20201114/debian/patches/fix_crash_on_very_long_tc-use_clause.diff 1970-01-01 01:00:00.000000000 +0100 +++ ncurses-6.2+20201114/debian/patches/fix_crash_on_very_long_tc-use_clause.diff 2023-01-28 12:16:18.000000000 +0100 
@@ -0,0 +1,44 @@ +Author: Sven Joachim <svenj...@gmx.de> +Description: Fix tic crash on very long tc/use clauses + Correct limit-check when dumping tc/use clause via tic -I (report by + Gabriel Ravier), fix cherry-picked from the 20230121 upstream patchlevel. +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-01/msg00035.html +Bug-Debian: https://bugs.debian.org/1029399 +Forwarded: not-needed +Last-Update: 2023-01-22 + +--- + progs/dump_entry.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/progs/dump_entry.c ++++ b/progs/dump_entry.c +@@ -1641,15 +1641,25 @@ dump_entry(TERMTYPE2 *tterm, + } + + void +-dump_uses(const char *name, bool infodump) ++dump_uses(const char *value, bool infodump) + /* dump "use=" clauses in the appropriate format */ + { +- char buffer[MAX_TERMINFO_LENGTH]; ++ char buffer[MAX_TERMINFO_LENGTH + EXTRA_CAP]; ++ int limit = (VALID_STRING(value) ? (int) strlen(value) : 0); ++ const char *cap = infodump ? "use" : "tc"; + + if (TcOutput()) + trim_trailing(); ++ if (limit == 0) { ++ _nc_warning("empty \"%s\" field", cap); ++ value = ""; ++ } else if (limit > MAX_ALIAS) { ++ _nc_warning("\"%s\" field too long (%d), limit to %d", ++ cap, limit, MAX_ALIAS); ++ limit = MAX_ALIAS; ++ } + _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer)) +- "%s%s", infodump ? "use=" : "tc=", name); ++ "%s=%.*s", cap, limit, value); + wrap_concat1(buffer); + } + diff -Nru ncurses-6.2+20201114/debian/patches/series ncurses-6.2+20201114/debian/patches/series --- ncurses-6.2+20201114/debian/patches/series 2021-01-01 11:23:09.000000000 +0100 +++ ncurses-6.2+20201114/debian/patches/series 2023-01-28 12:16:18.000000000 +0100 
@@ -4,3 +4,5 @@ 02-debian-xterm.diff 02-fix-mlterm.diff 03-debian-ncursesconfig-omit-L.diff +CVE-2022-29458.diff +fix_crash_on_very_long_tc-use_clause.diff diff -Nru ncurses-6.2+20201114/debian/source/lintian-overrides ncurses-6.2+20201114/debian/source/lintian-overrides --- ncurses-6.2+20201114/debian/source/lintian-overrides 2021-01-01 10:31:15.000000000 +0100 +++ ncurses-6.2+20201114/debian/source/lintian-overrides 2023-02-06 18:30:22.000000000 +0100 @@ -2,3 +2,6 @@ # package, no point in describing them differently. ncurses source: duplicate-short-description libncurses5-dev libncursesw5-dev libtinfo-dev ncurses source: duplicate-long-description libncurses5-dev libncursesw5-dev libtinfo-dev + +# Silence overzealousness, see https://bugs.debian.org/1019980 +ncurses source: source-is-missing [doc/html/ada/*]
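Review bot: in the read_entry.c part of CVE-2022-29458.diff the new `if (nn >= 0 && nn < size)` test sits inside an `else` whose preceding branch already rejected `MyNumber(buf + 2 * i) > size`, so MyNumber() is now evaluated three times per entry and the two range tests overlap; hoisting `int nn = MyNumber(buf + 2 * i);` to the top of the loop body and folding the `> size` branch into the new check would make it obvious that the added guard is what rejects negative offsets other than -1/-2 and the `nn == size` case. In the alloc_entry.c half of the same patch the local `MAX_STRTAB` (4096, "documented maximum entry size") is replaced by `MAX_ENTRY_SIZE`, which is defined outside this diff, yet the DEP-3 Description only says "add a limit-check"; it should also say where MAX_ENTRY_SIZE comes from and that the stringbuf allocation changes with it, because `next_free + len < MAX_ENTRY_SIZE` is now the overflow guard for that buffer.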
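Review bot: in the dump_uses() hunk of fix_crash_on_very_long_tc-use_clause.diff, clamping `limit` to MAX_ALIAS only guarantees the `_nc_SLIMIT(sizeof(buffer))` bound is never hit if `MAX_ALIAS` plus the length of `"use="` fits in the new `buffer[MAX_TERMINFO_LENGTH + EXTRA_CAP]`; none of those constants' values appear in the patch, so a one-line comment (or a compile-time assertion) stating that relationship would document why the larger buffer is sufficient. Worth noting in the Description as well: an over-long clause is now emitted truncated by `"%s=%.*s"`, so the `use=`/`tc=` output names something other than the input did; the `_nc_warning("\"%s\" field too long ...")` records that, but "Correct limit-check" alone does not tell a reader that names are truncated rather than rejected.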
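Review bot: the new lintian-overrides line uses the bracketed pointer form `[doc/html/ada/*]`, which the cover letter says is aimed at lintian 2.115 and newer; please check that the lintian version shipped in bullseye does not report this override as unused or malformed, since the patch comment only says "Silence overzealousness" and does not mention the older version at all.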
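The out-of-bounds read described under [ Impact ] comes from trusting an offset in compiled terminfo data that the old `> size` test did not catch. The following is an added example, not ncurses code and not part of Sven's message or the debdiff: a small C model of the offset resolution that convert_strings() performs, with the old check and the patched `nn >= 0 && nn < size` check side by side over a constructed string table. The table layout, the status enum and the sample offsets are assumptions made for this illustration; no real terminfo file is parsed.

```c
/*
 * Added example, not ncurses code: a simplified model of how
 * convert_strings() resolves string-capability offsets in a compiled
 * terminfo entry.  Each offset is a signed 16-bit little-endian number
 * into a string table of `size` bytes; -1 means absent and -2 cancelled.
 * resolve_before() keeps only the old "> size" rejection, resolve_after()
 * adds the "0 <= nn < size" guard from the patch.  Table layout, sample
 * offsets and the status enum are assumptions made for this illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum str_status { STR_ABSENT, STR_CANCELLED, STR_OK, STR_CORRUPT };

struct str_ref {
    enum str_status status;
    int offset;             /* index into the table; meaningful when STR_OK */
};

/* Read a signed 16-bit little-endian value, like ncurses' MyNumber(). */
static int read_s16le(const unsigned char *p)
{
    return (int)(int16_t)(p[0] | (p[1] << 8));
}

/* Old logic: -1 absent, -2 cancelled, > size absent, anything else trusted,
 * so a negative offset (other than -1/-2) or an offset equal to size slips
 * through and would index outside the table. */
static struct str_ref resolve_before(const unsigned char *offsets, int i, int size)
{
    struct str_ref r;
    r.offset = read_s16le(offsets + 2 * i);
    if (r.offset == -1)        r.status = STR_ABSENT;
    else if (r.offset == -2)   r.status = STR_CANCELLED;
    else if (r.offset > size)  r.status = STR_ABSENT;
    else                       r.status = STR_OK;
    return r;
}

/* Patched logic: additionally require 0 <= offset < size, marking the rest
 * corrupt instead of handing out a pointer outside the table. */
static struct str_ref resolve_after(const unsigned char *offsets, int i, int size)
{
    struct str_ref r = resolve_before(offsets, i, size);
    if (r.status == STR_OK && !(r.offset >= 0 && r.offset < size))
        r.status = STR_CORRUPT;
    return r;
}

/* Even an in-range offset may point at a string with no NUL before the end
 * of the table; a consumer must check that before calling strlen() on it. */
static bool string_terminated(const char *table, int size, struct str_ref r)
{
    if (r.status != STR_OK)
        return false;
    return memchr(table + r.offset, '\0', (size_t)(size - r.offset)) != NULL;
}

/* Constructed sample: a 5-byte table holding "cr\0" and an unterminated "up". */
#define SAMPLE_SIZE 5
#define SAMPLE_COUNT 6
static const char sample_table[SAMPLE_SIZE] = { 'c', 'r', '\0', 'u', 'p' };
static const unsigned char sample_offsets[2 * SAMPLE_COUNT] = {
    0x00, 0x00,   /*  0: "cr", terminated                    */
    0x03, 0x00,   /*  3: "up", runs off the end of the table */
    0xFF, 0xFF,   /* -1: absent                              */
    0xFD, 0xFF,   /* -3: negative index, reads before table  */
    0x05, 0x00,   /*  5 == size: one past the end            */
    0x06, 0x00,   /*  6 >  size: absent under both versions  */
};

/* Entries the old check accepts although the offset is outside the table. */
static int count_oob_before(void)
{
    int n = 0;
    for (int i = 0; i < SAMPLE_COUNT; i++) {
        struct str_ref r = resolve_before(sample_offsets, i, SAMPLE_SIZE);
        if (r.status == STR_OK && (r.offset < 0 || r.offset >= SAMPLE_SIZE))
            n++;
    }
    return n;
}

/* Entries the patched check reports as corrupt. */
static int count_corrupt_after(void)
{
    int n = 0;
    for (int i = 0; i < SAMPLE_COUNT; i++)
        if (resolve_after(sample_offsets, i, SAMPLE_SIZE).status == STR_CORRUPT)
            n++;
    return n;
}

int main(void)
{
    printf("old check lets %d out-of-range offsets through\n", count_oob_before());
    printf("patched check flags %d entries as corrupt\n", count_corrupt_after());
    return 0;
}
```

Compile with `gcc -Wall -o offsets offsets.c` and run it: the old check lets the -3 and the `== size` offsets through as if they were valid pointers, the patched check reports both as corrupt. The string_terminated() helper covers the second hazard visible in the patch's trailing context ("make sure all strings are NUL terminated"): the offset 3 entry is in range yet has no terminator before the end of the table.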