| Message ID | 20260407054403.21041-1-hprajapati@mvista.com |
|---|---|
| State | New |
| Headers | show |
| Series | [kirkstone] ncurses: fix for CVE-2025-69720 | expand |
On Tue Apr 7, 2026 at 7:44 AM CEST, Hitendra Prajapati via lists.openembedded.org wrote: > Pick relevant part of snapshot commit 20251213, see [1]. > > That has: > add a limit-check in infocmp -i option (report/example by Yixuan Cao). > > [1] https://invisible-island.net/ncurses/NEWS.html#index-t20251213 > > References: > 1. https://github.com/Cao-Wuhui/CVE-2025-69720 > 2. https://nvd.nist.gov/vuln/detail/CVE-2025-69720 > 3. https://access.redhat.com/errata/RHSA-2026:5913 > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > --- Hello, Sorry, but this might come too late for kirkstone. See "End of kirkstone LTS support" https://lore.kernel.org/yocto/DH8I3C005I7I.EAFAABGT2FJL@smile.fr/T/#u I will try to include it but no promises. Regards, > .../ncurses/files/CVE-2025-69720.patch | 42 +++++++++++++++++++ > .../ncurses/ncurses_6.3+20220423.bb | 1 + > 2 files changed, 43 insertions(+) > create mode 100644 meta/recipes-core/ncurses/files/CVE-2025-69720.patch > > diff --git a/meta/recipes-core/ncurses/files/CVE-2025-69720.patch b/meta/recipes-core/ncurses/files/CVE-2025-69720.patch > new file mode 100644 > index 0000000000..d570b2007a > --- /dev/null > +++ b/meta/recipes-core/ncurses/files/CVE-2025-69720.patch > @@ -0,0 +1,42 @@ > +From 6f6db0e8fd14e40096a0ee6f8bdf32dedbd3fc9e Mon Sep 17 00:00:00 2001 > +From: Hitendra Prajapati <hprajapati@mvista.com> > +Date: Mon, 6 Apr 2026 18:08:09 +0530 > +Subject: [PATCH] add limit-check in infocmp > + > +origin : https://invisible-island.net/archives/ncurses/6.5/ncurses-6.5-20251213.patch.gz > +Refer: https://github.com/Cao-Wuhui/CVE-2025-69720 > +patch by : Thomas E. Dickey <dickey@invisible-island.net> > + > +CVE: CVE-2025-69720 > +Upstream-Status: Backport [https://github.com/ThomasDickey/ncurses-snapshots/commit/6f6db0e8fd14e40096a0ee6f8bdf32dedbd3fc9e] > +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > +--- > + progs/infocmp.c | 5 +++-- > + 1 file changed, 3 insertions(+), 2 deletions(-) > + > +diff --git a/progs/infocmp.c b/progs/infocmp.c > +index 0ee0b958..538aca5a 100644 > +--- a/progs/infocmp.c > ++++ b/progs/infocmp.c > +@@ -816,7 +816,7 @@ lookup_params(const assoc * table, char *dst, char *src) > + static void > + analyze_string(const char *name, const char *cap, TERMTYPE2 *tp) > + { > +- char buf2[MAX_TERMINFO_LENGTH]; > ++ char buf2[MAX_TERMINFO_LENGTH + 1]; > + const char *sp; > + const assoc *ap; > + int tp_lines = tp->Numbers[2]; > +@@ -846,7 +846,8 @@ analyze_string(const char *name, const char *cap, TERMTYPE2 *tp) > + if (VALID_STRING(cp) && > + cp[0] != '\0' && > + cp != cap) { > +- len = strlen(cp); > ++ if ((len = strlen(cp)) > MAX_TERMINFO_LENGTH) > ++ len = MAX_TERMINFO_LENGTH; > + _nc_STRNCPY(buf2, sp, len); > + buf2[len] = '\0'; > + > +-- > +2.50.1 > + > diff --git a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb > index 68a845f27c..15ea2756cd 100644 > --- a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb > +++ b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb > @@ -7,6 +7,7 @@ SRC_URI += "file://0001-tic-hang.patch \ > file://CVE-2023-50495.patch \ > file://CVE-2023-45918.patch \ > file://CVE-2025-6141.patch \ > + file://CVE-2025-69720.patch \ > " > # commit id corresponds to the revision in package version > SRCREV = "a0bc708bc6954b5d3c0a38d92b683c3ec3135260"
On Tue Apr 7, 2026 at 7:44 AM CEST, Hitendra Prajapati via lists.openembedded.org wrote: > Pick relevant part of snapshot commit 20251213, see [1]. > > That has: > add a limit-check in infocmp -i option (report/example by Yixuan Cao). > > [1] https://invisible-island.net/ncurses/NEWS.html#index-t20251213 > > References: > 1. https://github.com/Cao-Wuhui/CVE-2025-69720 > 2. https://nvd.nist.gov/vuln/detail/CVE-2025-69720 > 3. https://access.redhat.com/errata/RHSA-2026:5913 > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > --- Hello, As far as I can tell, this CVE applies to scarthgap. Since this is the end of kirkstone soon, I'll take it into the reviews series but can only merge it if there is a patch sent for this CVE for scarthgap. Regards, > .../ncurses/files/CVE-2025-69720.patch | 42 +++++++++++++++++++ > .../ncurses/ncurses_6.3+20220423.bb | 1 + > 2 files changed, 43 insertions(+) > create mode 100644 meta/recipes-core/ncurses/files/CVE-2025-69720.patch > > diff --git a/meta/recipes-core/ncurses/files/CVE-2025-69720.patch b/meta/recipes-core/ncurses/files/CVE-2025-69720.patch > new file mode 100644 > index 0000000000..d570b2007a > --- /dev/null > +++ b/meta/recipes-core/ncurses/files/CVE-2025-69720.patch > @@ -0,0 +1,42 @@ > +From 6f6db0e8fd14e40096a0ee6f8bdf32dedbd3fc9e Mon Sep 17 00:00:00 2001 > +From: Hitendra Prajapati <hprajapati@mvista.com> > +Date: Mon, 6 Apr 2026 18:08:09 +0530 > +Subject: [PATCH] add limit-check in infocmp > + > +origin : https://invisible-island.net/archives/ncurses/6.5/ncurses-6.5-20251213.patch.gz > +Refer: https://github.com/Cao-Wuhui/CVE-2025-69720 > +patch by : Thomas E. Dickey <dickey@invisible-island.net> > + > +CVE: CVE-2025-69720 > +Upstream-Status: Backport [https://github.com/ThomasDickey/ncurses-snapshots/commit/6f6db0e8fd14e40096a0ee6f8bdf32dedbd3fc9e] > +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > +--- > + progs/infocmp.c | 5 +++-- > + 1 file changed, 3 insertions(+), 2 deletions(-) > + > +diff --git a/progs/infocmp.c b/progs/infocmp.c > +index 0ee0b958..538aca5a 100644 > +--- a/progs/infocmp.c > ++++ b/progs/infocmp.c > +@@ -816,7 +816,7 @@ lookup_params(const assoc * table, char *dst, char *src) > + static void > + analyze_string(const char *name, const char *cap, TERMTYPE2 *tp) > + { > +- char buf2[MAX_TERMINFO_LENGTH]; > ++ char buf2[MAX_TERMINFO_LENGTH + 1]; > + const char *sp; > + const assoc *ap; > + int tp_lines = tp->Numbers[2]; > +@@ -846,7 +846,8 @@ analyze_string(const char *name, const char *cap, TERMTYPE2 *tp) > + if (VALID_STRING(cp) && > + cp[0] != '\0' && > + cp != cap) { > +- len = strlen(cp); > ++ if ((len = strlen(cp)) > MAX_TERMINFO_LENGTH) > ++ len = MAX_TERMINFO_LENGTH; > + _nc_STRNCPY(buf2, sp, len); > + buf2[len] = '\0'; > + > +-- > +2.50.1 > + > diff --git a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb > index 68a845f27c..15ea2756cd 100644 > --- a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb > +++ b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb > @@ -7,6 +7,7 @@ SRC_URI += "file://0001-tic-hang.patch \ > file://CVE-2023-50495.patch \ > file://CVE-2023-45918.patch \ > file://CVE-2025-6141.patch \ > + file://CVE-2025-69720.patch \ > " > # commit id corresponds to the revision in package version > SRCREV = "a0bc708bc6954b5d3c0a38d92b683c3ec3135260"
diff --git a/meta/recipes-core/ncurses/files/CVE-2025-69720.patch b/meta/recipes-core/ncurses/files/CVE-2025-69720.patch new file mode 100644 index 0000000000..d570b2007a --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2025-69720.patch @@ -0,0 +1,42 @@ +From 6f6db0e8fd14e40096a0ee6f8bdf32dedbd3fc9e Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Mon, 6 Apr 2026 18:08:09 +0530 +Subject: [PATCH] add limit-check in infocmp + +origin : https://invisible-island.net/archives/ncurses/6.5/ncurses-6.5-20251213.patch.gz +Refer: https://github.com/Cao-Wuhui/CVE-2025-69720 +patch by : Thomas E. Dickey <dickey@invisible-island.net> + +CVE: CVE-2025-69720 +Upstream-Status: Backport [https://github.com/ThomasDickey/ncurses-snapshots/commit/6f6db0e8fd14e40096a0ee6f8bdf32dedbd3fc9e] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + progs/infocmp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/progs/infocmp.c b/progs/infocmp.c +index 0ee0b958..538aca5a 100644 +--- a/progs/infocmp.c ++++ b/progs/infocmp.c +@@ -816,7 +816,7 @@ lookup_params(const assoc * table, char *dst, char *src) + static void + analyze_string(const char *name, const char *cap, TERMTYPE2 *tp) + { +- char buf2[MAX_TERMINFO_LENGTH]; ++ char buf2[MAX_TERMINFO_LENGTH + 1]; + const char *sp; + const assoc *ap; + int tp_lines = tp->Numbers[2]; +@@ -846,7 +846,8 @@ analyze_string(const char *name, const char *cap, TERMTYPE2 *tp) + if (VALID_STRING(cp) && + cp[0] != '\0' && + cp != cap) { +- len = strlen(cp); ++ if ((len = strlen(cp)) > MAX_TERMINFO_LENGTH) ++ len = MAX_TERMINFO_LENGTH; + _nc_STRNCPY(buf2, sp, len); + buf2[len] = '\0'; + +-- +2.50.1 + diff --git a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb index 68a845f27c..15ea2756cd 100644 --- a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb +++ b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb @@ -7,6 +7,7 @@ SRC_URI += "file://0001-tic-hang.patch \ file://CVE-2023-50495.patch \ file://CVE-2023-45918.patch \ file://CVE-2025-6141.patch \ + file://CVE-2025-69720.patch \ " # commit id corresponds to the revision in package version SRCREV = "a0bc708bc6954b5d3c0a38d92b683c3ec3135260"
Pick relevant part of snapshot commit 20251213, see [1]. That has: add a limit-check in infocmp -i option (report/example by Yixuan Cao). [1] https://invisible-island.net/ncurses/NEWS.html#index-t20251213 References: 1. https://github.com/Cao-Wuhui/CVE-2025-69720 2. https://nvd.nist.gov/vuln/detail/CVE-2025-69720 3. https://access.redhat.com/errata/RHSA-2026:5913 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../ncurses/files/CVE-2025-69720.patch | 42 +++++++++++++++++++ .../ncurses/ncurses_6.3+20220423.bb | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-core/ncurses/files/CVE-2025-69720.patch