[CRITICAL] Patch ncurses for CVE-2025-69720 (#16295)

Author: archana25-ms

SPECS/ncurses/CVE-2025-69720.patch

@@ -0,0 +1,144 @@
+From 3f157eac006b4c80b17e43d3c9d776b3f05c01d8 Mon Sep 17 00:00:00 2001
+From: Archana Shettigar <v-shettigara@microsoft.com>
+Date: Wed, 25 Mar 2026 10:04:19 +0530
+Subject: [PATCH] Address CVE-2025-69720
+
+Upstream Patch Reference: https://invisible-island.net/archives/ncurses/6.5/ncurses-6.5-20251213.patch.gz
+---
+ include/nc_win32.h         |  8 +++++++-
+ ncurses/tinfo/comp_parse.c | 20 ++++++++++++++++++
+ progs/infocmp.c            |  5 +++--
+ progs/tic.c                |  5 ++---
+ test/railroad.c            |  2 +-
+ 5 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/include/nc_win32.h b/include/nc_win32.h
+index e67b8e0..c0b3882 100644
+--- a/include/nc_win32.h
++++ b/include/nc_win32.h
+@@ -111,8 +111,14 @@ extern NCURSES_EXPORT(int)    _nc_console_vt_supported(void);
+ extern NCURSES_EXPORT(int)    _nc_console_checkmintty(int fd, LPHANDLE pMinTTY);
+ #endif
+ 
+-#undef VALID_TERM_ENV
++/*
++ * Allow for build-override, e.g., MinGW used "cygwin".
++ */
++#ifndef MS_TERMINAL
+ #define MS_TERMINAL "ms-terminal"
++#endif
++
++#undef VALID_TERM_ENV
+ #define VALID_TERM_ENV(term_env, no_terminal) \
+ 	(term_env = (NonEmpty(term_env) \
+ 		      ? term_env \
+diff --git a/ncurses/tinfo/comp_parse.c b/ncurses/tinfo/comp_parse.c
+index 4244df4..21e28a8 100644
+--- a/ncurses/tinfo/comp_parse.c
++++ b/ncurses/tinfo/comp_parse.c
+@@ -539,8 +539,12 @@ _nc_resolve_uses2(bool fullresolve, bool literal)
+     if (fullresolve) {
+ 	do {
+ 	    ENTRY merged;
++	    bool progress;
++	    bool attempts;
+ 
+ 	    keepgoing = FALSE;
++	    progress = FALSE;
++	    attempts = FALSE;
+ 
+ 	    for_entry_list(qp) {
+ 		if (qp->nuses > 0) {
+@@ -599,6 +601,7 @@ _nc_resolve_uses2(bool fullresolve, bool literal)
+ #endif
+ 		    qp->tterm = merged.tterm;
+ 		    _nc_wrap_entry(qp, TRUE);
++		    progress = TRUE;
+ 
+ 		    /*
+ 		     * We know every entry is resolvable because name resolution
+@@ -609,6 +612,21 @@ _nc_resolve_uses2(bool fullresolve, bool literal)
+ 		    keepgoing = TRUE;
+ 		}
+ 	    }
++	    /*
++	     * If we went all the way through the list without making any
++	     * changes, while there were remaining use-linkages, something went
++	     * wrong.  Give up.
++	     */
++	    if (!progress && attempts) {
++		for_entry_list(qp) {
++		    for (i = 0; i < qp->nuses; ++i) {
++			_nc_warning("problem with use=%s", qp->uses[i].name);
++		    }
++		}
++		_nc_warning("merge failed, infinite loop");
++		DEBUG(2, (T_RETURN("false")));
++		return FALSE;
++	    }
+ 	} while
+ 	    (keepgoing);
+ 
+diff --git a/progs/infocmp.c b/progs/infocmp.c
+index 8178455..260769f 100644
+--- a/progs/infocmp.c
++++ b/progs/infocmp.c
+@@ -823,7 +823,7 @@ lookup_params(const assoc * table, char *dst, char *src)
+ static void
+ analyze_string(const char *name, const char *cap, TERMTYPE2 *tp)
+ {
+-    char buf2[MAX_TERMINFO_LENGTH];
++    char buf2[MAX_TERMINFO_LENGTH + 1];
+     const char *sp;
+     const assoc *ap;
+     int tp_lines = tp->Numbers[2];
+@@ -853,7 +853,8 @@ analyze_string(const char *name, const char *cap, TERMTYPE2 *tp)
+ 	    if (VALID_STRING(cp) &&
+ 		cp[0] != '\0' &&
+ 		cp != cap) {
+-		len = strlen(cp);
++		if ((len = strlen(cp)) > MAX_TERMINFO_LENGTH)
++		    len = MAX_TERMINFO_LENGTH;
+ 		_nc_STRNCPY(buf2, sp, len);
+ 		buf2[len] = '\0';
+ 
+diff --git a/progs/tic.c b/progs/tic.c
+index ae65e63..4e4ae4c 100644
+--- a/progs/tic.c
++++ b/progs/tic.c
+@@ -3274,9 +3274,9 @@ check_termtype(TERMTYPE2 *tp, bool literal)
+ 
+ 	_nc_tparm_err = 0;
+ 	if (PRESENT(exit_attribute_mode)) {
+-	    zero = strdup(CHECK_SGR(0, exit_attribute_mode));
++	    zero = CHECK_SGR(0, exit_attribute_mode);
+ 	} else {
+-	    zero = strdup(TIPARM_9(set_attributes, 0, 0, 0, 0, 0, 0, 0, 0, 0));
++	    zero = TIPARM_9(set_attributes, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+ 	}
+ 	check_tparm_err(0);
+ 
+@@ -3290,7 +3290,6 @@ check_termtype(TERMTYPE2 *tp, bool literal)
+ 	    CHECK_SGR(7, enter_secure_mode);
+ 	    CHECK_SGR(8, enter_protected_mode);
+ 	    CHECK_SGR(9, enter_alt_charset_mode);
+-	    free(zero);
+ 	} else {
+ 	    _nc_warning("sgr(0) did not return a value");
+ 	}
+diff --git a/test/railroad.c b/test/railroad.c
+index 4d7c070..10fccd2 100644
+--- a/test/railroad.c
++++ b/test/railroad.c
+@@ -192,7 +192,7 @@ railroad(char **args)
+ 
+     if (name == 0)
+ #ifdef EXP_WIN32_DRIVER
+-	name = "ms-terminal";
++	name = MS_TERMINAL;
+ #else
+ 	name = "dumb";
+ #endif
+-- 
+2.45.4
+

SPECS/ncurses/ncurses.spec

@@ -3,7 +3,7 @@
 Summary:        Libraries for terminal handling of character screens
 Name:           ncurses
 Version:        6.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -34,6 +34,7 @@ URL:            https://invisible-island.net/ncurses/
 # Use a nopatch file to clear the CVE after choosing the correct patch level
 #
 Source0:        https://invisible-mirror.net/archives/%{name}/current/%{name}-%{version}-%{patchlevel}.tgz
+Patch0:         CVE-2025-69720.patch
 Requires:       %{name}-libs = %{version}-%{release}
 
 
@@ -233,6 +234,9 @@ xz NEWS
 %files term -f terms.term
 
 %changelog
+* Wed Mar 25 2026 Archana Shettigar <v-shettigara@microsoft.com> - 6.4-4
+- Patch CVE-2025-69720
+
 * Mon Dec 02 2024 Sandeep Karambelkar <skarambelkar@microsoft.com> - 6.4-3
 - Update to version 6.4-20230520 to fix CVE-2023-50495
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -33,11 +33,11 @@ libpkgconf-1.8.0-3.cm2.aarch64.rpm
 pkgconf-1.8.0-3.cm2.aarch64.rpm
 pkgconf-m4-1.8.0-3.cm2.noarch.rpm
 pkgconf-pkg-config-1.8.0-3.cm2.aarch64.rpm
-ncurses-6.4-3.cm2.aarch64.rpm
-ncurses-compat-6.4-3.cm2.aarch64.rpm
-ncurses-devel-6.4-3.cm2.aarch64.rpm
-ncurses-libs-6.4-3.cm2.aarch64.rpm
-ncurses-term-6.4-3.cm2.aarch64.rpm
+ncurses-6.4-4.cm2.aarch64.rpm
+ncurses-compat-6.4-4.cm2.aarch64.rpm
+ncurses-devel-6.4-4.cm2.aarch64.rpm
+ncurses-libs-6.4-4.cm2.aarch64.rpm
+ncurses-term-6.4-4.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm
 coreutils-8.32-7.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -33,11 +33,11 @@ libpkgconf-1.8.0-3.cm2.x86_64.rpm
 pkgconf-1.8.0-3.cm2.x86_64.rpm
 pkgconf-m4-1.8.0-3.cm2.noarch.rpm
 pkgconf-pkg-config-1.8.0-3.cm2.x86_64.rpm
-ncurses-6.4-3.cm2.x86_64.rpm
-ncurses-compat-6.4-3.cm2.x86_64.rpm
-ncurses-devel-6.4-3.cm2.x86_64.rpm
-ncurses-libs-6.4-3.cm2.x86_64.rpm
-ncurses-term-6.4-3.cm2.x86_64.rpm
+ncurses-6.4-4.cm2.x86_64.rpm
+ncurses-compat-6.4-4.cm2.x86_64.rpm
+ncurses-devel-6.4-4.cm2.x86_64.rpm
+ncurses-libs-6.4-4.cm2.x86_64.rpm
+ncurses-term-6.4-4.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm
 coreutils-8.32-7.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -251,12 +251,12 @@ mpfr-4.1.0-2.cm2.aarch64.rpm
 mpfr-debuginfo-4.1.0-2.cm2.aarch64.rpm
 mpfr-devel-4.1.0-2.cm2.aarch64.rpm
 msopenjdk-11-11.0.18-1.aarch64.rpm
-ncurses-6.4-3.cm2.aarch64.rpm
-ncurses-compat-6.4-3.cm2.aarch64.rpm
-ncurses-debuginfo-6.4-3.cm2.aarch64.rpm
-ncurses-devel-6.4-3.cm2.aarch64.rpm
-ncurses-libs-6.4-3.cm2.aarch64.rpm
-ncurses-term-6.4-3.cm2.aarch64.rpm
+ncurses-6.4-4.cm2.aarch64.rpm
+ncurses-compat-6.4-4.cm2.aarch64.rpm
+ncurses-debuginfo-6.4-4.cm2.aarch64.rpm
+ncurses-devel-6.4-4.cm2.aarch64.rpm
+ncurses-libs-6.4-4.cm2.aarch64.rpm
+ncurses-term-6.4-4.cm2.aarch64.rpm
 newt-0.52.21-5.cm2.aarch64.rpm
 newt-debuginfo-0.52.21-5.cm2.aarch64.rpm
 newt-devel-0.52.21-5.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -257,12 +257,12 @@ mpfr-4.1.0-2.cm2.x86_64.rpm
 mpfr-debuginfo-4.1.0-2.cm2.x86_64.rpm
 mpfr-devel-4.1.0-2.cm2.x86_64.rpm
 msopenjdk-11-11.0.18-1.x86_64.rpm
-ncurses-6.4-3.cm2.x86_64.rpm
-ncurses-compat-6.4-3.cm2.x86_64.rpm
-ncurses-debuginfo-6.4-3.cm2.x86_64.rpm
-ncurses-devel-6.4-3.cm2.x86_64.rpm
-ncurses-libs-6.4-3.cm2.x86_64.rpm
-ncurses-term-6.4-3.cm2.x86_64.rpm
+ncurses-6.4-4.cm2.x86_64.rpm
+ncurses-compat-6.4-4.cm2.x86_64.rpm
+ncurses-debuginfo-6.4-4.cm2.x86_64.rpm
+ncurses-devel-6.4-4.cm2.x86_64.rpm
+ncurses-libs-6.4-4.cm2.x86_64.rpm
+ncurses-term-6.4-4.cm2.x86_64.rpm
 newt-0.52.21-5.cm2.x86_64.rpm
 newt-debuginfo-0.52.21-5.cm2.x86_64.rpm
 newt-devel-0.52.21-5.cm2.x86_64.rpm