CVE-2022-29458 (https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html): ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library. Fixed according to [1] but I can't find a git repo. [1] https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00018.html
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=638b787bdb4744f8ea4357388110a5c7f226e3b5 commit 638b787bdb4744f8ea4357388110a5c7f226e3b5 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-04-28 00:45:15 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-04-28 00:46:37 +0000 sys-libs/ncurses: add 6.3_p20220423{,-r1} (unkeyworded) Includes FORTIFY_SOURCE=3 (glibc-2.35 + gcc 12+ or Clang 13(?)+ needed for that, plus not on by default) and a buffer overflow fix too. Includes -r1 w/ dropped curses symlink too. Unkeyworded for now. Bug: https://bugs.gentoo.org/839351 Signed-off-by: Sam James <sam@gentoo.org> sys-libs/ncurses/Manifest | 52 +++ sys-libs/ncurses/ncurses-6.3_p20220423-r1.ebuild | 386 +++++++++++++++++++++++ sys-libs/ncurses/ncurses-6.3_p20220423.ebuild | 383 ++++++++++++++++++++++ 3 files changed, 821 insertions(+)
Note that I'm stabling an earlier version in bug 841398 which doesn't fix this in order to reduce the jumps because that version has been well tested. Then we can see about unleashing this version into ~arch.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6b2461de765e25d009178b6c14a678eb6ed6cbf commit a6b2461de765e25d009178b6c14a678eb6ed6cbf Author: Sam James <sam@gentoo.org> AuthorDate: 2022-05-03 02:46:48 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-05-03 02:46:48 +0000 sys-libs/ncurses: keyword 6.3_p20220423 Bug: https://bugs.gentoo.org/839351 Signed-off-by: Sam James <sam@gentoo.org> sys-libs/ncurses/ncurses-6.3_p20220423.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Please cleanup
commit 7a8c3fa265d02fa74b8881a4dca3cfeb9d8a938c Author: Sam James <sam@gentoo.org> Date: Thu Jun 29 07:17:05 2023 +0100 sys-libs/ncurses: drop 6.3_p20221203-r2
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=6c6eeaac04ac4b0a613b8259d0714ae4ffb8c4d7 commit 6c6eeaac04ac4b0a613b8259d0714ae4ffb8c4d7 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-08-09 11:05:25 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-08-09 11:05:36 +0000 [ GLSA 202408-19 ] ncurses: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/839351 Bug: https://bugs.gentoo.org/904247 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202408-19.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+)