10fae9624b
Fixes the following security issues:

- CVE-2018-10754: In ncurses before 6.1.20180414, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax (REJECTED).

- CVE-2018-19211: In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character `*' in name or alias field" detection.

- CVE-2018-19217: In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party.

- CVE-2019-17594: There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

- CVE-2019-17595: There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

Ncurses upstream uses a fairly special way of releasing (security) bugfixes. Approximately once a week an incremental .patch.gz is released, and once in a while these incremental patches are bundled up to a bigger patch relative to the current release in .patch.sh.bz2 format (a bzip2 compressed patch with a small shell script prepended, luckily apply-patches can handle that), and the relative patch files deleted.

For details of this process, see the upstream FAQ:
https://invisible-island.net/ncurses/ncurses.faq.html#applying_patches

Apply the latest .patch.sh.bz2 and incremental patches up to 20200118 to fix a number of (security) issues. Notice that these patch files are NOT available on the GNU mirrors.

The license file COPYING is updated with the new Copyright year (2019 -> 2020), so update the hash accordingly.

While we are at it, adjust the white space in the .hash file to match sha256sum output for consistency.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[fix whitespace inconsistency after 'sha256' keyword]
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[yann.morin.1998@free.fr: fix license hash for (C) year]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

| Name |
|---|
| arch |
| board |
| boot |
| configs |
| docs |
| fs |
| linux |
| package |
| support |
| system |
| toolchain |
| utils |
| .defconfig |
| .flake8 |
| .gitignore |
| .gitlab-ci.yml |
| .gitlab-ci.yml.in |
| CHANGES |
| Config.in |
| Config.in.legacy |
| COPYING |
| DEVELOPERS |
| Makefile |
| Makefile.legacy |
| README |

Buildroot is a simple, efficient and easy-to-use tool to generate embedded Linux systems through cross-compilation.

The documentation can be found in docs/manual. You can generate a text document with 'make manual-text' and read output/docs/manual/manual.text. Online documentation can be found at http://buildroot.org/docs.html

To build and use the buildroot stuff, do the following:

1) run 'make menuconfig'
2) select the target architecture and the packages you wish to compile
3) run 'make'
4) wait while it compiles
5) find the kernel, bootloader, root filesystem, etc. in output/images

You do not need to be root to build or run buildroot. Have fun!

Buildroot comes with a basic configuration for a number of boards. Run 'make list-defconfigs' to view the list of provided configurations.

Please feed suggestions, bug reports, insults, and bribes back to the buildroot mailing list: buildroot@buildroot.org

You can also find us on #buildroot on Freenode IRC.

If you would like to contribute patches, please read https://buildroot.org/manual.html#submitting-patches