[pkgsrc/trunk]: pkgsrc/devel/ncurses ncurses: fix for CVE-2021-39537 from ups...

[wiz <wiz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/9a48e08c6482
branches:  trunk
changeset: 459544:9a48e08c6482
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Sat Oct 09 07:52:36 2021 +0000

description:
ncurses: fix for CVE-2021-39537 from upstream

Many thanks to Thomas Dickey for help in tracking down the bugfix patch!

PKGREVISION++

diffstat:

 devel/ncurses/Makefile                                |   4 +-
 devel/ncurses/distinfo                                |   3 +-
 devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c |  26 +++++++++++++++++++
 3 files changed, 30 insertions(+), 3 deletions(-)

diffs (58 lines):

diff -r 2f1166a449a2 -r 9a48e08c6482 devel/ncurses/Makefile
--- a/devel/ncurses/Makefile    Sat Oct 09 07:52:31 2021 +0000
+++ b/devel/ncurses/Makefile    Sat Oct 09 07:52:36 2021 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.110 2021/05/24 19:50:02 wiz Exp $
+# $NetBSD: Makefile,v 1.111 2021/10/09 07:52:36 wiz Exp $
 
 .include "Makefile.common"
-PKGREVISION=   3
+PKGREVISION=   4
 
 COMMENT=       CRT screen handling and optimization package
 
diff -r 2f1166a449a2 -r 9a48e08c6482 devel/ncurses/distinfo
--- a/devel/ncurses/distinfo    Sat Oct 09 07:52:31 2021 +0000
+++ b/devel/ncurses/distinfo    Sat Oct 09 07:52:36 2021 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.47 2021/10/07 13:40:36 nia Exp $
+$NetBSD: distinfo,v 1.48 2021/10/09 07:52:36 wiz Exp $
 
 RMD160 (ncurses-6.2.tar.gz) = bedfe81f33b3e55e44d14126c9c2821d7f222701
 SHA512 (ncurses-6.2.tar.gz) = 4c1333dcc30e858e8a9525d4b9aefb60000cfc727bc4a1062bace06ffc4639ad9f6e54f6bdda0e3a0e5ea14de995f96b52b3327d9ec633608792c99a1e8d840d
@@ -9,4 +9,5 @@
 SHA1 (patch-misc_terminfo.src) = d9eede4b159358f396693141ed9d9c2a76647917
 SHA1 (patch-mk-1st.awk) = adf9d68ee565da80078cfcfa8969a4ef806d65de
 SHA1 (patch-ncurses_base_lib_initscr.c) = e514e2bb4862a2617b30c6ad715bc1c50cb76f0e
+SHA1 (patch-ncurses_tinfo_captoinfo.c) = d0c39b510b44088d5ea26be10711fc21de1d2ecd
 SHA1 (patch-ncurses_tinfo_lib_raw.c) = 5aa2d439b8f5c3ce87863095396848c923c864d0
diff -r 2f1166a449a2 -r 9a48e08c6482 devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c     Sat Oct 09 07:52:36 2021 +0000
@@ -0,0 +1,26 @@
+$NetBSD: patch-ncurses_tinfo_captoinfo.c,v 1.1 2021/10/09 07:52:36 wiz Exp $
+
+Fix for CVE-2021-39537 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b#diff-7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340
+
+--- ncurses/tinfo/captoinfo.c.orig     2020-02-02 23:34:34.000000000 +0000
++++ ncurses/tinfo/captoinfo.c
+@@ -216,12 +216,15 @@ cvtchar(register const char *sp)
+       }
+       break;
+     case '^':
++      len = 2;
+       c = UChar(*++sp);
+-      if (c == '?')
++        if (c == '?') {
+           c = 127;
+-      else
++        } else if (c == '\0') {
++            len = 1;
++        } else {
+           c &= 0x1f;
+-      len = 2;
++      }
+       break;
+     default:
+       c = UChar(*sp);