Upgrade ncurses to 6.3 [patch 20220612] to fix CVE-2022-29458 (#3193) (#3805)

* Upgrade ncurses to 6.3 [patch 20220612] to fix CVE-2022-29458 (#3193)
2022-09-21 12:32:44 -07:00 · 2022-09-21 12:32:44 -07:00 · 89a81f4669
--- a/SPECS/ncurses/CVE-2022-29458.nopatch
+++ b/SPECS/ncurses/CVE-2022-29458.nopatch
@ -0,0 +1,3 @@
+This nopatch file is required to clear the CVE.
+ncurses 6.3.20220416 or greater has the patch.
+See the SPEC file for more details on ncurses versioning
--- a/SPECS/ncurses/ncurses.signatures.json
+++ b/SPECS/ncurses/ncurses.signatures.json
@ -1,5 +1,5 @@
 {
 "Signatures": {
-  "ncurses-6.3.tar.gz": "97fc51ac2b085d4cde31ef4d2c3122c21abc217e9090a43a30fc5ec21684e059"
+  "ncurses-6.3-20220612.tgz": "e7de8893348bd0172aea87853b0a042cd1b19e8c5bd68bfabf95e3edcef44122"
 }
 }
--- a/SPECS/ncurses/ncurses.spec
+++ b/SPECS/ncurses/ncurses.spec
@ -1,15 +1,42 @@
+%global patchlevel     20220612
+
 Summary:        Libraries for terminal handling of character screens
 Name:           ncurses
 Version:        6.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/System
 URL:            https://invisible-island.net/ncurses/
-Source0:        https://invisible-mirror.net/archives/%{name}/%{name}-%{version}.tar.gz
+#
+# Please note that it is very important to select the ncurses package 
+# with the highest available patch level in the name when fixing CVE's
+#
+# For example, the original 6.3 ncurses release is available here:
+# https://invisible-mirror.net/archives/ncurses/ncurses-6.3.tar.gz
+#
+# However there are rollling patch versions of the package available under this folder:
+# https://invisible-mirror.net/archives/ncurses/current/
+#
+# So, when upgrading choose the appropriate patch version
+# Also note that at least one CVE on NIST had unusual matching rules 
+# where the patch number is not specified in the version,
+# but was described in the textual description.
+#
+# Description showed:
+#   ncurses 6.3 before patch 20220416 has an out-of-bounds....
+#
+# Matching rules showed:
+#   cpe:2.3:a:gnu:ncurses:*:*:*:*:*:*:*:*  	    Up to (excluding)  6.3
+#   cpe:2.3:a:gnu:ncurses:6.3:-:*:*:*:*:*:*     [and this line says including 6.3?!]
+# 
+# Use a nopatch file to clear the CVE after choosing the correct patch level
+#
+Source0:        https://invisible-mirror.net/archives/%{name}/current/%{name}-%{version}-%{patchlevel}.tgz
 Requires:       %{name}-libs = %{version}-%{release}

+
 %description
 The Ncurses package contains libraries for terminal-independent
 handling of character screens.
@ -44,7 +71,7 @@ Requires:       %{name} = %{version}-%{release}
 It contains all terminfo files

 %prep
-%autosetup -p1
+%autosetup -p1 -n %{name}-%{version}-%{patchlevel}

 %build
 common_options="\
@ -206,6 +233,10 @@ xz NEWS
 %files term -f terms.term

 %changelog
+* Tue Sep 20 2022 Jon Slobodzian <joslobo@microsoft.com> - 6.3-2
+- Update to version 6.3-20220612 to fix CVE-2022-29458
+- Cherry-picked from Mariner 1.0
+
 * Mon Jun 13 2022 Andrew Phelps <anphel@microsoft.com> - 6.3-1
 - Update to version 6.3

--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -12534,7 +12534,7 @@
        "other": {
          "name": "ncurses",
          "version": "6.3",
-          "downloadUrl": "https://invisible-mirror.net/archives/ncurses/ncurses-6.3.tar.gz"
+          "downloadUrl": "https://invisible-mirror.net/archives/ncurses/current/ncurses-6.3-20220612.tgz"
        }
      }
    },
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -33,11 +33,11 @@ libpkgconf-1.8.0-2.cm2.aarch64.rpm
 pkgconf-1.8.0-2.cm2.aarch64.rpm
 pkgconf-m4-1.8.0-2.cm2.noarch.rpm
 pkgconf-pkg-config-1.8.0-2.cm2.aarch64.rpm
-ncurses-6.3-1.cm2.aarch64.rpm
-ncurses-compat-6.3-1.cm2.aarch64.rpm
-ncurses-devel-6.3-1.cm2.aarch64.rpm
-ncurses-libs-6.3-1.cm2.aarch64.rpm
-ncurses-term-6.3-1.cm2.aarch64.rpm
+ncurses-6.3-2.cm2.aarch64.rpm
+ncurses-compat-6.3-2.cm2.aarch64.rpm
+ncurses-devel-6.3-2.cm2.aarch64.rpm
+ncurses-libs-6.3-2.cm2.aarch64.rpm
+ncurses-term-6.3-2.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm
 coreutils-8.32-5.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -33,11 +33,11 @@ libpkgconf-1.8.0-2.cm2.x86_64.rpm
 pkgconf-1.8.0-2.cm2.x86_64.rpm
 pkgconf-m4-1.8.0-2.cm2.noarch.rpm
 pkgconf-pkg-config-1.8.0-2.cm2.x86_64.rpm
-ncurses-6.3-1.cm2.x86_64.rpm
-ncurses-compat-6.3-1.cm2.x86_64.rpm
-ncurses-devel-6.3-1.cm2.x86_64.rpm
-ncurses-libs-6.3-1.cm2.x86_64.rpm
-ncurses-term-6.3-1.cm2.x86_64.rpm
+ncurses-6.3-2.cm2.x86_64.rpm
+ncurses-compat-6.3-2.cm2.x86_64.rpm
+ncurses-devel-6.3-2.cm2.x86_64.rpm
+ncurses-libs-6.3-2.cm2.x86_64.rpm
+ncurses-term-6.3-2.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm
 coreutils-8.32-5.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -244,12 +244,12 @@ mpfr-4.1.0-1.cm2.aarch64.rpm
 mpfr-debuginfo-4.1.0-1.cm2.aarch64.rpm
 mpfr-devel-4.1.0-1.cm2.aarch64.rpm
 msopenjdk-11-11.0.14.1+1-LTS-31207.aarch64.rpm
-ncurses-6.3-1.cm2.aarch64.rpm
-ncurses-compat-6.3-1.cm2.aarch64.rpm
-ncurses-debuginfo-6.3-1.cm2.aarch64.rpm
-ncurses-devel-6.3-1.cm2.aarch64.rpm
-ncurses-libs-6.3-1.cm2.aarch64.rpm
-ncurses-term-6.3-1.cm2.aarch64.rpm
+ncurses-6.3-2.cm2.aarch64.rpm
+ncurses-compat-6.3-2.cm2.aarch64.rpm
+ncurses-debuginfo-6.3-2.cm2.aarch64.rpm
+ncurses-devel-6.3-2.cm2.aarch64.rpm
+ncurses-libs-6.3-2.cm2.aarch64.rpm
+ncurses-term-6.3-2.cm2.aarch64.rpm
 newt-0.52.21-4.cm2.aarch64.rpm
 newt-debuginfo-0.52.21-4.cm2.aarch64.rpm
 newt-devel-0.52.21-4.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -244,12 +244,12 @@ mpfr-4.1.0-1.cm2.x86_64.rpm
 mpfr-debuginfo-4.1.0-1.cm2.x86_64.rpm
 mpfr-devel-4.1.0-1.cm2.x86_64.rpm
 msopenjdk-11-11.0.14.1+1-LTS-31207.x86_64.rpm
-ncurses-6.3-1.cm2.x86_64.rpm
-ncurses-compat-6.3-1.cm2.x86_64.rpm
-ncurses-debuginfo-6.3-1.cm2.x86_64.rpm
-ncurses-devel-6.3-1.cm2.x86_64.rpm
-ncurses-libs-6.3-1.cm2.x86_64.rpm
-ncurses-term-6.3-1.cm2.x86_64.rpm
+ncurses-6.3-2.cm2.x86_64.rpm
+ncurses-compat-6.3-2.cm2.x86_64.rpm
+ncurses-debuginfo-6.3-2.cm2.x86_64.rpm
+ncurses-devel-6.3-2.cm2.x86_64.rpm
+ncurses-libs-6.3-2.cm2.x86_64.rpm
+ncurses-term-6.3-2.cm2.x86_64.rpm
 newt-0.52.21-4.cm2.x86_64.rpm
 newt-debuginfo-0.52.21-4.cm2.x86_64.rpm
 newt-devel-0.52.21-4.cm2.x86_64.rpm