From 89a81f46695a8c36acf03206b467a742cd163707 Mon Sep 17 00:00:00 2001 From: jslobodzian Date: Wed, 21 Sep 2022 12:32:44 -0700 Subject: [PATCH] Upgrade ncurses to 6.3 [patch 20220612] to fix CVE-2022-29458 (#3193) (#3805) * Upgrade ncurses to 6.3 [patch 20220612] to fix CVE-2022-29458 (#3193) --- SPECS/ncurses/CVE-2022-29458.nopatch | 3 ++ SPECS/ncurses/ncurses.signatures.json | 2 +- SPECS/ncurses/ncurses.spec | 37 +++++++++++++++++-- cgmanifest.json | 2 +- .../manifests/package/pkggen_core_aarch64.txt | 10 ++--- .../manifests/package/pkggen_core_x86_64.txt | 10 ++--- .../manifests/package/toolchain_aarch64.txt | 12 +++--- .../manifests/package/toolchain_x86_64.txt | 12 +++--- 8 files changed, 61 insertions(+), 27 deletions(-) create mode 100644 SPECS/ncurses/CVE-2022-29458.nopatch diff --git a/SPECS/ncurses/CVE-2022-29458.nopatch b/SPECS/ncurses/CVE-2022-29458.nopatch new file mode 100644 index 0000000000..94ee2ef54b --- /dev/null +++ b/SPECS/ncurses/CVE-2022-29458.nopatch @@ -0,0 +1,3 @@ +This nopatch file is required to clear the CVE. +ncurses 6.3.20220416 or greater has the patch. +See the SPEC file for more details on ncurses versioning diff --git a/SPECS/ncurses/ncurses.signatures.json b/SPECS/ncurses/ncurses.signatures.json index 9eeab83e02..d6897c6622 100644 --- a/SPECS/ncurses/ncurses.signatures.json +++ b/SPECS/ncurses/ncurses.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "ncurses-6.3.tar.gz": "97fc51ac2b085d4cde31ef4d2c3122c21abc217e9090a43a30fc5ec21684e059" + "ncurses-6.3-20220612.tgz": "e7de8893348bd0172aea87853b0a042cd1b19e8c5bd68bfabf95e3edcef44122" } } \ No newline at end of file diff --git a/SPECS/ncurses/ncurses.spec b/SPECS/ncurses/ncurses.spec index e4e4d94e4f..0abab5bd42 100644 --- a/SPECS/ncurses/ncurses.spec +++ b/SPECS/ncurses/ncurses.spec 
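Review bot: The second line of the new nopatch file reads `ncurses 6.3.20220416 or greater has the patch`, but the dotted form is used nowhere else in this commit; the tarball name, Source0 and the changelog write the snapshot as `6.3-20220612` and the subject as `[patch 20220612]`. Use the same form here so the file can be found and checked with a grep for the patch level, e.g. `ncurses 6.3 patch 20220416 (6.3-20220416) or later contains the fix.`. The third line also lacks a terminating period and should point at the `patchlevel` global by name, since that is the value a reviewer has to compare against 20220416.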
@@ -1,15 +1,42 @@ +%global patchlevel 20220612 + Summary: Libraries for terminal handling of character screens Name: ncurses Version: 6.3 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner Group: Applications/System URL: https://invisible-island.net/ncurses/ -Source0: https://invisible-mirror.net/archives/%{name}/%{name}-%{version}.tar.gz +# +# Please note that it is very important to select the ncurses package +# with the highest available patch level in the name when fixing CVE's +# +# For example, the original 6.3 ncurses release is available here: +# https://invisible-mirror.net/archives/ncurses/ncurses-6.3.tar.gz +# +# However there are rollling patch versions of the package available under this folder: +# https://invisible-mirror.net/archives/ncurses/current/ +# +# So, when upgrading choose the appropriate patch version +# Also note that at least one CVE on NIST had unusual matching rules +# where the patch number is not specified in the version, +# but was described in the textual description. +# +# Description showed: +# ncurses 6.3 before patch 20220416 has an out-of-bounds.... +# +# Matching rules showed: +# cpe:2.3:a:gnu:ncurses:*:*:*:*:*:*:*:* Up to (excluding) 6.3 +# cpe:2.3:a:gnu:ncurses:6.3:-:*:*:*:*:*:* [and this line says including 6.3?!] +# +# Use a nopatch file to clear the CVE after choosing the correct patch level +# +Source0: https://invisible-mirror.net/archives/%{name}/current/%{name}-%{version}-%{patchlevel}.tgz Requires: %{name}-libs = %{version}-%{release} + %description The Ncurses package contains libraries for terminal-independent handling of character screens. @@ -44,7 +71,7 @@ Requires: %{name} = %{version}-%{release} It contains all terminfo files %prep -%autosetup -p1 +%autosetup -p1 -n %{name}-%{version}-%{patchlevel} %build common_options="\ 
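Review bot: The `[and this line says including 6.3?!]` aside in the new comment block leaves a real question open; in CPE 2.3 a `-` in the update field means "no update", so `cpe:2.3:a:gnu:ncurses:6.3:-:*:*:*:*:*:*` matches only the unpatched 6.3 release while the first rule's `*` matches any update, which is why both rules are listed. Replace the aside with that explanation, e.g. `# (the "-" update field means the base 6.3 release with no patch level; snapshot builds are cleared via the nopatch file)`. Note also that `Version` stays 6.3 and `Release` becomes 2, so the built NEVR carries no trace of the 20220612 snapshot; the comment should state that the `%{patchlevel}` global, the tarball hash in ncurses.signatures.json and the nopatch file must be updated together on the next bump, since the hash pin is the only control that fails loudly if the snapshot under `current/` changes. Minor wording: `rollling` → `rolling`, `CVE's` → `CVEs`.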
@@ -206,6 +233,10 @@ xz NEWS
 %files term -f terms.term
 
 %changelog
+* Tue Sep 20 2022 Jon Slobodzian - 6.3-2
+- Update to version 6.3-20220612 to fix CVE-2022-29458
+- Cherry-picked from Mariner 1.0
+
 * Mon Jun 13 2022 Andrew Phelps - 6.3-1
 - Update to version 6.3
 
diff --git a/cgmanifest.json b/cgmanifest.json
index 03b0a456f7..0283701ef0 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -12534,7 +12534,7 @@
 "other": {
 "name": "ncurses",
 "version": "6.3",
-"downloadUrl": "https://invisible-mirror.net/archives/ncurses/ncurses-6.3.tar.gz"
+"downloadUrl": "https://invisible-mirror.net/archives/ncurses/current/ncurses-6.3-20220612.tgz"
 }
 }
 },
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 8913d40c6b..16cd6539c0 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -33,11 +33,11 @@ libpkgconf-1.8.0-2.cm2.aarch64.rpm
 pkgconf-1.8.0-2.cm2.aarch64.rpm
 pkgconf-m4-1.8.0-2.cm2.noarch.rpm
 pkgconf-pkg-config-1.8.0-2.cm2.aarch64.rpm
-ncurses-6.3-1.cm2.aarch64.rpm
-ncurses-compat-6.3-1.cm2.aarch64.rpm
-ncurses-devel-6.3-1.cm2.aarch64.rpm
-ncurses-libs-6.3-1.cm2.aarch64.rpm
-ncurses-term-6.3-1.cm2.aarch64.rpm
+ncurses-6.3-2.cm2.aarch64.rpm
+ncurses-compat-6.3-2.cm2.aarch64.rpm
+ncurses-devel-6.3-2.cm2.aarch64.rpm
+ncurses-libs-6.3-2.cm2.aarch64.rpm
+ncurses-term-6.3-2.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm
 coreutils-8.32-5.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index e370e03ce3..d4def08e97 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -33,11 +33,11 @@ libpkgconf-1.8.0-2.cm2.x86_64.rpm
 pkgconf-1.8.0-2.cm2.x86_64.rpm
 pkgconf-m4-1.8.0-2.cm2.noarch.rpm
 pkgconf-pkg-config-1.8.0-2.cm2.x86_64.rpm
-ncurses-6.3-1.cm2.x86_64.rpm
-ncurses-compat-6.3-1.cm2.x86_64.rpm
-ncurses-devel-6.3-1.cm2.x86_64.rpm
-ncurses-libs-6.3-1.cm2.x86_64.rpm
-ncurses-term-6.3-1.cm2.x86_64.rpm
+ncurses-6.3-2.cm2.x86_64.rpm
+ncurses-compat-6.3-2.cm2.x86_64.rpm
+ncurses-devel-6.3-2.cm2.x86_64.rpm
+ncurses-libs-6.3-2.cm2.x86_64.rpm
+ncurses-term-6.3-2.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm
 coreutils-8.32-5.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index e688d2c9a9..1ca8e79a11 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -244,12 +244,12 @@ mpfr-4.1.0-1.cm2.aarch64.rpm
 mpfr-debuginfo-4.1.0-1.cm2.aarch64.rpm
 mpfr-devel-4.1.0-1.cm2.aarch64.rpm
 msopenjdk-11-11.0.14.1+1-LTS-31207.aarch64.rpm
-ncurses-6.3-1.cm2.aarch64.rpm
-ncurses-compat-6.3-1.cm2.aarch64.rpm
-ncurses-debuginfo-6.3-1.cm2.aarch64.rpm
-ncurses-devel-6.3-1.cm2.aarch64.rpm
-ncurses-libs-6.3-1.cm2.aarch64.rpm
-ncurses-term-6.3-1.cm2.aarch64.rpm
+ncurses-6.3-2.cm2.aarch64.rpm
+ncurses-compat-6.3-2.cm2.aarch64.rpm
+ncurses-debuginfo-6.3-2.cm2.aarch64.rpm
+ncurses-devel-6.3-2.cm2.aarch64.rpm
+ncurses-libs-6.3-2.cm2.aarch64.rpm
+ncurses-term-6.3-2.cm2.aarch64.rpm
 newt-0.52.21-4.cm2.aarch64.rpm
 newt-debuginfo-0.52.21-4.cm2.aarch64.rpm
 newt-devel-0.52.21-4.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 8af0449a55..3838098c21 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -244,12 +244,12 @@ mpfr-4.1.0-1.cm2.x86_64.rpm
 mpfr-debuginfo-4.1.0-1.cm2.x86_64.rpm
 mpfr-devel-4.1.0-1.cm2.x86_64.rpm
 msopenjdk-11-11.0.14.1+1-LTS-31207.x86_64.rpm
-ncurses-6.3-1.cm2.x86_64.rpm
-ncurses-compat-6.3-1.cm2.x86_64.rpm
-ncurses-debuginfo-6.3-1.cm2.x86_64.rpm
-ncurses-devel-6.3-1.cm2.x86_64.rpm
-ncurses-libs-6.3-1.cm2.x86_64.rpm
-ncurses-term-6.3-1.cm2.x86_64.rpm
+ncurses-6.3-2.cm2.x86_64.rpm
+ncurses-compat-6.3-2.cm2.x86_64.rpm
+ncurses-debuginfo-6.3-2.cm2.x86_64.rpm
+ncurses-devel-6.3-2.cm2.x86_64.rpm
+ncurses-libs-6.3-2.cm2.x86_64.rpm
+ncurses-term-6.3-2.cm2.x86_64.rpm
 newt-0.52.21-4.cm2.x86_64.rpm
 newt-debuginfo-0.52.21-4.cm2.x86_64.rpm
 newt-devel-0.52.21-4.cm2.x86_64.rpm