pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2021Q3]: pkgsrc/devel/ncurses Pullup ticket #6517 - requested ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/3769348c45a3
branches:  pkgsrc-2021Q3
changeset: 768245:3769348c45a3
user:      tm <tm%pkgsrc.org@localhost>
date:      Sat Oct 16 18:52:07 2021 +0000

description:
Pullup ticket #6517 - requested by wiz
devel/ncurses: security fix

Revisions pulled up:
- devel/ncurses/Makefile                                        1.111
- devel/ncurses/distinfo                                        1.48
- devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c         1.1

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Sat Oct  9 07:52:36 UTC 2021

   Modified Files:
        pkgsrc/devel/ncurses: Makefile distinfo
   Added Files:
        pkgsrc/devel/ncurses/patches: patch-ncurses_tinfo_captoinfo.c

   Log Message:
   ncurses: fix for CVE-2021-39537 from upstream

   Many thanks to Thomas Dickey for help in tracking down the bugfix patch!

   PKGREVISION++

diffstat:

 devel/ncurses/Makefile                                |   4 +-
 devel/ncurses/distinfo                                |   3 +-
 devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c |  26 +++++++++++++++++++
 3 files changed, 30 insertions(+), 3 deletions(-)

diffs (58 lines):

diff -r 082f204329db -r 3769348c45a3 devel/ncurses/Makefile
--- a/devel/ncurses/Makefile    Sat Oct 16 18:10:15 2021 +0000
+++ b/devel/ncurses/Makefile    Sat Oct 16 18:52:07 2021 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.110 2021/05/24 19:50:02 wiz Exp $
+# $NetBSD: Makefile,v 1.110.4.1 2021/10/16 18:52:07 tm Exp $
 
 .include "Makefile.common"
-PKGREVISION=   3
+PKGREVISION=   4
 
 COMMENT=       CRT screen handling and optimization package
 
diff -r 082f204329db -r 3769348c45a3 devel/ncurses/distinfo
--- a/devel/ncurses/distinfo    Sat Oct 16 18:10:15 2021 +0000
+++ b/devel/ncurses/distinfo    Sat Oct 16 18:52:07 2021 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.46 2020/09/07 11:11:41 schmonz Exp $
+$NetBSD: distinfo,v 1.46.10.1 2021/10/16 18:52:07 tm Exp $
 
 SHA1 (ncurses-6.2.tar.gz) = 56e410fb77f2b5501a0b2f6a995376f3cefe1097
 RMD160 (ncurses-6.2.tar.gz) = bedfe81f33b3e55e44d14126c9c2821d7f222701
@@ -10,4 +10,5 @@
 SHA1 (patch-misc_terminfo.src) = d9eede4b159358f396693141ed9d9c2a76647917
 SHA1 (patch-mk-1st.awk) = adf9d68ee565da80078cfcfa8969a4ef806d65de
 SHA1 (patch-ncurses_base_lib_initscr.c) = e514e2bb4862a2617b30c6ad715bc1c50cb76f0e
+SHA1 (patch-ncurses_tinfo_captoinfo.c) = d0c39b510b44088d5ea26be10711fc21de1d2ecd
 SHA1 (patch-ncurses_tinfo_lib_raw.c) = 5aa2d439b8f5c3ce87863095396848c923c864d0
diff -r 082f204329db -r 3769348c45a3 devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c     Sat Oct 16 18:52:07 2021 +0000
@@ -0,0 +1,26 @@
+$NetBSD: patch-ncurses_tinfo_captoinfo.c,v 1.1.2.2 2021/10/16 18:52:07 tm Exp $
+
+Fix for CVE-2021-39537 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b#diff-7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340
+
+--- ncurses/tinfo/captoinfo.c.orig     2020-02-02 23:34:34.000000000 +0000
++++ ncurses/tinfo/captoinfo.c
+@@ -216,12 +216,15 @@ cvtchar(register const char *sp)
+       }
+       break;
+     case '^':
++      len = 2;
+       c = UChar(*++sp);
+-      if (c == '?')
++        if (c == '?') {
+           c = 127;
+-      else
++        } else if (c == '\0') {
++            len = 1;
++        } else {
+           c &= 0x1f;
+-      len = 2;
++      }
+       break;
+     default:
+       c = UChar(*sp);
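
Review bot: in the `case '^':` arm, the new `c == '\0'` branch sets `len = 1` and leaves `c` at 0 with no comment, and the patch header gives only the CVE number and the upstream URL. A one-line description in the header and a short comment on that branch would help, for example that a `^` which is the last character of the string must report a length of 1 rather than 2, so that the reported length does not cover the terminating NUL. Minor style point: the added `if (c == '?') {`, `} else if (c == '\0') {` and `} else {` lines are indented differently from the `c = UChar(*++sp);` and `c &= 0x1f;` lines around them; since the patch is taken from upstream this is fine to keep, but it is worth confirming that the file applies cleanly against ncurses/tinfo/captoinfo.c from the 6.2 distfile.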


