4b21273d71
Fixes the following security issues:
- CVE-2018-10754: In ncurses before 6.1.20180414, there is a NULL Pointer
Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It
could lead to a remote denial of service if the terminfo library code is
used to process untrusted terminfo data in which a use-name is invalid
syntax (REJECTED).
- CVE-2018-19211: In ncurses 6.1, there is a NULL pointer dereference at
function _nc_parse_entry in parse_entry.c that will lead to a denial of
service attack. The product proceeds to the dereference code path even
after a "dubious character `*' in name or alias field" detection.
- CVE-2018-19217: In ncurses, possibly a 6.x version, there is a NULL
pointer dereference at the function _nc_name_match that will lead to a
denial of service attack. NOTE: the original report stated version 6.1,
but the issue did not reproduce for that version according to the
maintainer or a reliable third-party.
- CVE-2019-17594: There is a heap-based buffer over-read in the
_nc_find_entry function in tinfo/comp_hash.c in the terminfo library in
ncurses before 6.1-20191012.
- CVE-2019-17595: There is a heap-based buffer over-read in the fmt_entry
function in tinfo/comp_hash.c in the terminfo library in ncurses before
6.1-20191012.
Ncurses upstream uses a fairly special way of releasing (security) bugfixes.
Approximately once a week an incremental .patch.gz is released, and once in
a while these incremental patches are bundled up to a bigger patch relative
to the current release in .patch.sh.bz2 format (a bzip2 compressed patch
with a small shell script prepended, luckily apply-patches can handle that),
and the relative patch files deleted.
For details of this process, see the upstream FAQ:
https://invisible-island.net/ncurses/ncurses.faq.html#applying_patches
Apply the latest .patch.sh.bz2 and incremental patches up to 20200118 to fix
a number of (security) issues. Notice that these patch files are NOT
available on the GNU mirrors.
The license file COPYING is updated with the new Copyright year (2019 ->
2020), so update the hash accordingly.
While we are at it, adjust the white space in the .hash file to match
sha256sum output for consistency.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[fix whitespace inconsistency after 'sha256' keyword]
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[yann.morin.1998@free.fr: fix license hash for (C) year]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit
|
||
|---|---|---|
| arch | ||
| board | ||
| boot | ||
| configs | ||
| docs | ||
| fs | ||
| linux | ||
| package | ||
| support | ||
| system | ||
| toolchain | ||
| utils | ||
| .defconfig | ||
| .flake8 | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| .gitlab-ci.yml.in | ||
| CHANGES | ||
| Config.in | ||
| Config.in.legacy | ||
| COPYING | ||
| DEVELOPERS | ||
| Makefile | ||
| Makefile.legacy | ||
| README | ||
Buildroot is a simple, efficient and easy-to-use tool to generate embedded Linux systems through cross-compilation. The documentation can be found in docs/manual. You can generate a text document with 'make manual-text' and read output/docs/manual/manual.text. Online documentation can be found at http://buildroot.org/docs.html To build and use the buildroot stuff, do the following: 1) run 'make menuconfig' 2) select the target architecture and the packages you wish to compile 3) run 'make' 4) wait while it compiles 5) find the kernel, bootloader, root filesystem, etc. in output/images You do not need to be root to build or run buildroot. Have fun! Buildroot comes with a basic configuration for a number of boards. Run 'make list-defconfigs' to view the list of provided configurations. Please feed suggestions, bug reports, insults, and bribes back to the buildroot mailing list: buildroot@buildroot.org You can also find us on #buildroot on Freenode IRC. If you would like to contribute patches, please read https://buildroot.org/manual.html#submitting-patches