|
| 1 | +From 3f157eac006b4c80b17e43d3c9d776b3f05c01d8 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Archana Shettigar <v-shettigara@microsoft.com> |
| 3 | +Date: Wed, 25 Mar 2026 10:04:19 +0530 |
| 4 | +Subject: [PATCH] Address CVE-2025-69720 |
| 5 | + |
| 6 | +Upstream Patch Reference: https://invisible-island.net/archives/ncurses/6.5/ncurses-6.5-20251213.patch.gz |
| 7 | +--- |
| 8 | + include/nc_win32.h | 8 +++++++- |
| 9 | + ncurses/tinfo/comp_parse.c | 20 ++++++++++++++++++ |
| 10 | + progs/infocmp.c | 5 +++-- |
| 11 | + progs/tic.c | 5 ++--- |
| 12 | + test/railroad.c | 2 +- |
| 13 | + 5 files changed, 33 insertions(+), 7 deletions(-) |
| 14 | + |
| 15 | +diff --git a/include/nc_win32.h b/include/nc_win32.h |
| 16 | +index e67b8e0..c0b3882 100644 |
| 17 | +--- a/include/nc_win32.h |
| 18 | ++++ b/include/nc_win32.h |
| 19 | +@@ -111,8 +111,14 @@ extern NCURSES_EXPORT(int) _nc_console_vt_supported(void); |
| 20 | + extern NCURSES_EXPORT(int) _nc_console_checkmintty(int fd, LPHANDLE pMinTTY); |
| 21 | + #endif |
| 22 | + |
| 23 | +-#undef VALID_TERM_ENV |
| 24 | ++/* |
| 25 | ++ * Allow for build-override, e.g., MinGW used "cygwin". |
| 26 | ++ */ |
| 27 | ++#ifndef MS_TERMINAL |
| 28 | + #define MS_TERMINAL "ms-terminal" |
| 29 | ++#endif |
| 30 | ++ |
| 31 | ++#undef VALID_TERM_ENV |
| 32 | + #define VALID_TERM_ENV(term_env, no_terminal) \ |
| 33 | + (term_env = (NonEmpty(term_env) \ |
| 34 | + ? term_env \ |
| 35 | +diff --git a/ncurses/tinfo/comp_parse.c b/ncurses/tinfo/comp_parse.c |
| 36 | +index 4244df4..21e28a8 100644 |
| 37 | +--- a/ncurses/tinfo/comp_parse.c |
| 38 | ++++ b/ncurses/tinfo/comp_parse.c |
| 39 | +@@ -539,8 +539,12 @@ _nc_resolve_uses2(bool fullresolve, bool literal) |
| 40 | + if (fullresolve) { |
| 41 | + do { |
| 42 | + ENTRY merged; |
| 43 | ++ bool progress; |
| 44 | ++ bool attempts; |
| 45 | + |
| 46 | + keepgoing = FALSE; |
| 47 | ++ progress = FALSE; |
| 48 | ++ attempts = FALSE; |
| 49 | + |
| 50 | + for_entry_list(qp) { |
| 51 | + if (qp->nuses > 0) { |
| 52 | +@@ -599,6 +601,7 @@ _nc_resolve_uses2(bool fullresolve, bool literal) |
| 53 | + #endif |
| 54 | + qp->tterm = merged.tterm; |
| 55 | + _nc_wrap_entry(qp, TRUE); |
| 56 | ++ progress = TRUE; |
| 57 | + |
| 58 | + /* |
| 59 | + * We know every entry is resolvable because name resolution |
| 60 | +@@ -609,6 +612,21 @@ _nc_resolve_uses2(bool fullresolve, bool literal) |
| 61 | + keepgoing = TRUE; |
| 62 | + } |
| 63 | + } |
| 64 | ++ /* |
| 65 | ++ * If we went all the way through the list without making any |
| 66 | ++ * changes, while there were remaining use-linkages, something went |
| 67 | ++ * wrong. Give up. |
| 68 | ++ */ |
| 69 | ++ if (!progress && attempts) { |
| 70 | ++ for_entry_list(qp) { |
| 71 | ++ for (i = 0; i < qp->nuses; ++i) { |
| 72 | ++ _nc_warning("problem with use=%s", qp->uses[i].name); |
| 73 | ++ } |
| 74 | ++ } |
| 75 | ++ _nc_warning("merge failed, infinite loop"); |
| 76 | ++ DEBUG(2, (T_RETURN("false"))); |
| 77 | ++ return FALSE; |
| 78 | ++ } |
| 79 | + } while |
| 80 | + (keepgoing); |
| 81 | + |
| 82 | +diff --git a/progs/infocmp.c b/progs/infocmp.c |
| 83 | +index 8178455..260769f 100644 |
| 84 | +--- a/progs/infocmp.c |
| 85 | ++++ b/progs/infocmp.c |
| 86 | +@@ -823,7 +823,7 @@ lookup_params(const assoc * table, char *dst, char *src) |
| 87 | + static void |
| 88 | + analyze_string(const char *name, const char *cap, TERMTYPE2 *tp) |
| 89 | + { |
| 90 | +- char buf2[MAX_TERMINFO_LENGTH]; |
| 91 | ++ char buf2[MAX_TERMINFO_LENGTH + 1]; |
| 92 | + const char *sp; |
| 93 | + const assoc *ap; |
| 94 | + int tp_lines = tp->Numbers[2]; |
| 95 | +@@ -853,7 +853,8 @@ analyze_string(const char *name, const char *cap, TERMTYPE2 *tp) |
| 96 | + if (VALID_STRING(cp) && |
| 97 | + cp[0] != '\0' && |
| 98 | + cp != cap) { |
| 99 | +- len = strlen(cp); |
| 100 | ++ if ((len = strlen(cp)) > MAX_TERMINFO_LENGTH) |
| 101 | ++ len = MAX_TERMINFO_LENGTH; |
| 102 | + _nc_STRNCPY(buf2, sp, len); |
| 103 | + buf2[len] = '\0'; |
| 104 | + |
| 105 | +diff --git a/progs/tic.c b/progs/tic.c |
| 106 | +index ae65e63..4e4ae4c 100644 |
| 107 | +--- a/progs/tic.c |
| 108 | ++++ b/progs/tic.c |
| 109 | +@@ -3274,9 +3274,9 @@ check_termtype(TERMTYPE2 *tp, bool literal) |
| 110 | + |
| 111 | + _nc_tparm_err = 0; |
| 112 | + if (PRESENT(exit_attribute_mode)) { |
| 113 | +- zero = strdup(CHECK_SGR(0, exit_attribute_mode)); |
| 114 | ++ zero = CHECK_SGR(0, exit_attribute_mode); |
| 115 | + } else { |
| 116 | +- zero = strdup(TIPARM_9(set_attributes, 0, 0, 0, 0, 0, 0, 0, 0, 0)); |
| 117 | ++ zero = TIPARM_9(set_attributes, 0, 0, 0, 0, 0, 0, 0, 0, 0); |
| 118 | + } |
| 119 | + check_tparm_err(0); |
| 120 | + |
| 121 | +@@ -3290,7 +3290,6 @@ check_termtype(TERMTYPE2 *tp, bool literal) |
| 122 | + CHECK_SGR(7, enter_secure_mode); |
| 123 | + CHECK_SGR(8, enter_protected_mode); |
| 124 | + CHECK_SGR(9, enter_alt_charset_mode); |
| 125 | +- free(zero); |
| 126 | + } else { |
| 127 | + _nc_warning("sgr(0) did not return a value"); |
| 128 | + } |
| 129 | +diff --git a/test/railroad.c b/test/railroad.c |
| 130 | +index 4d7c070..10fccd2 100644 |
| 131 | +--- a/test/railroad.c |
| 132 | ++++ b/test/railroad.c |
| 133 | +@@ -192,7 +192,7 @@ railroad(char **args) |
| 134 | + |
| 135 | + if (name == 0) |
| 136 | + #ifdef EXP_WIN32_DRIVER |
| 137 | +- name = "ms-terminal"; |
| 138 | ++ name = MS_TERMINAL; |
| 139 | + #else |
| 140 | + name = "dumb"; |
| 141 | + #endif |
| 142 | +-- |
| 143 | +2.45.4 |
| 144 | + |
0 commit comments