ncurses: patch CVE-2025-6141

Pick relevant part of snapshot commit 20250329, see [1]. That has: add a buffer-limit check in postprocess_termcap (report/testcase by Yifan Zhang). [1] https://invisible-island.net/ncurses/NEWS.html#index-t20250329 (From OE-Core rev: 8d09a78a79d7f4b4ae9654bdcdf5f33dab9a8b95) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-07-25 00:12:13 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-07-30 07:47:48 -0700
commit: 7103a733a185d9a23aceda183fd8b50421631ac7 (patch)
tree: b3d283a53a9dcc140d98a125aa1dcd3b36597c45
parent: 8fa7ff501e27a0ccd9bfc3f3e58a26949cdfc1f0 (diff)
download: poky-7103a733a185d9a23aceda183fd8b50421631ac7.tar.gz
2 files changed, 26 insertions, 0 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2025-6141.patch b/meta/recipes-core/ncurses/files/CVE-2025-6141.patch
new file mode 100644
index 0000000000..331535e4d2
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2025-6141.patch
@@ -0,0 +1,25 @@
+From 27d1493340d714e7be6e08c0a8f43e48276149c4 Mon Sep 17 00:00:00 2001
+From: "Thomas E. Dickey" <dickey@invisible-island.net>
+Date: Sat, 29 Mar 2025 22:52:37 +0000
+Subject: [PATCH] snapshot of project "ncurses", label v6_5_20250329
+CVE: CVE-2025-6141
+Upstream-Status: Backport [https://github.com/ThomasDickey/ncurses-snapshots/commit/27d1493340d714e7be6e08c0a8f43e48276149c4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ncurses/tinfo/parse_entry.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index a2278c07..c551c780 100644
+--- a/ncurses/tinfo/parse_entry.c
+++ b/ncurses/tinfo/parse_entry.c
+@@ -954,6 +954,8 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
+            bp = tp->Strings[from_ptr->nte_index];
+            if (VALID_STRING(bp)) {
+                for (dp = buf2; *bp; bp++) {
+                   if ((size_t) (dp - buf2) >= (sizeof(buf2) - sizeof(TERMTYPE2)))
+                         break;
+                    if (bp[0] == '$' && bp[1] == '<') {
+                        while (*bp && *bp != '>') {
+                            ++bp;
diff --git a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb
index 1fa5e036e9..68a845f27c 100644
--- a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://0001-tic-hang.patch \
           file://CVE-2023-29491.patch \
           file://CVE-2023-50495.patch \
           file://CVE-2023-45918.patch \
+           file://CVE-2025-6141.patch \
           "
 # commit id corresponds to the revision in package version
 SRCREV = "a0bc708bc6954b5d3c0a38d92b683c3ec3135260"
author	Peter Marko <peter.marko@siemens.com>	2025-07-25 00:12:13 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-07-30 07:47:48 -0700
commit	7103a733a185d9a23aceda183fd8b50421631ac7 (patch)
tree	b3d283a53a9dcc140d98a125aa1dcd3b36597c45
parent	8fa7ff501e27a0ccd9bfc3f3e58a26949cdfc1f0 (diff)
download	poky-7103a733a185d9a23aceda183fd8b50421631ac7.tar.gz

diff --git a/meta/recipes-core/ncurses/files/CVE-2025-6141.patch b/meta/recipes-core/ncurses/files/CVE-2025-6141.patch new file mode 100644 index 0000000000..331535e4d2 --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2025-6141.patch
@@ -0,0 +1,25 @@
		1	From 27d1493340d714e7be6e08c0a8f43e48276149c4 Mon Sep 17 00:00:00 2001
		2	From: "Thomas E. Dickey" <dickey@invisible-island.net>
		3	Date: Sat, 29 Mar 2025 22:52:37 +0000
		4	Subject: [PATCH] snapshot of project "ncurses", label v6_5_20250329
		5
		6	CVE: CVE-2025-6141
		7	Upstream-Status: Backport [https://github.com/ThomasDickey/ncurses-snapshots/commit/27d1493340d714e7be6e08c0a8f43e48276149c4]
		8	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		9	---
		10	ncurses/tinfo/parse_entry.c \| 2 ++
		11	1 file changed, 2 insertions(+)
		12
		13	diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
		14	index a2278c07..c551c780 100644
		15	--- a/ncurses/tinfo/parse_entry.c
		16	+++ b/ncurses/tinfo/parse_entry.c
		17	@@ -954,6 +954,8 @@ postprocess_termcap(TERMTYPE2 *tp, bool has_base)
		18	bp = tp->Strings[from_ptr->nte_index];
		19	if (VALID_STRING(bp)) {
		20	for (dp = buf2; *bp; bp++) {
		21	+ if ((size_t) (dp - buf2) >= (sizeof(buf2) - sizeof(TERMTYPE2)))
		22	+ break;
		23	if (bp[0] == '$' && bp[1] == '<') {
		24	while (bp && bp != '>') {
		25	++bp;


diff --git a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb index 1fa5e036e9..68a845f27c 100644 --- a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb +++ b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://0001-tic-hang.patch \
6	file://CVE-2023-29491.patch \	6	file://CVE-2023-29491.patch \
7	file://CVE-2023-50495.patch \	7	file://CVE-2023-50495.patch \
8	file://CVE-2023-45918.patch \	8	file://CVE-2023-45918.patch \
		9	file://CVE-2025-6141.patch \
9	"	10	"
10	# commit id corresponds to the revision in package version	11	# commit id corresponds to the revision in package version
11	SRCREV = "a0bc708bc6954b5d3c0a38d92b683c3ec3135260"	12	SRCREV = "a0bc708bc6954b5d3c0a38d92b683c3ec3135260"