[2.0] Upgrade ncurses to 6.3 to fix CVE-2022-29458 (#3160)

* update ncurses to 6.3 * update manifests
2022-06-14 22:56:38 -07:00 · 2022-06-14 22:56:38 -07:00 · 2d0dfa2124
parent 831aab2008
commit 2d0dfa2124
8 changed files with 30 additions and 51 deletions
--- a/SPECS/ncurses/CVE-2021-39537.patch
+++ b/SPECS/ncurses/CVE-2021-39537.patch
@ -1,23 +0,0 @@
-diff --git a/ncurses/tinfo/captoinfo.c b/ncurses/tinfo/captoinfo.c
-index 8b3b83d1..9362105a 100644
--- a/ncurses/tinfo/captoinfo.c
-+++ b/ncurses/tinfo/captoinfo.c
-@@ -216,12 +216,15 @@ cvtchar(register const char *sp)
- 	}
- 	break;
-     case '^':
-+	len = 2;
- 	c = UChar(*++sp);
-	if (c == '?')
-+	if (c == '?') {
- 	    c = 127;
-	else
-+	} else if (c == '\0') {
-+	    len = 1;
-+	} else {
- 	    c &= 0x1f;
-	len = 2;
-+	}
- 	break;
-     default:
- 	c = UChar(*sp);
--- a/SPECS/ncurses/ncurses.signatures.json
+++ b/SPECS/ncurses/ncurses.signatures.json
@ -1,5 +1,5 @@
 {
 "Signatures": {
-  "ncurses-6.2.tar.gz": "30306e0c76e0f9f1f0de987cf1c82a5c21e1ce6568b9227f7da5b71cbea86c9d"
+  "ncurses-6.3.tar.gz": "97fc51ac2b085d4cde31ef4d2c3122c21abc217e9090a43a30fc5ec21684e059"
 }
 }
--- a/SPECS/ncurses/ncurses.spec
+++ b/SPECS/ncurses/ncurses.spec
@ -1,14 +1,13 @@
 Summary:        Libraries for terminal handling of character screens
 Name:           ncurses
-Version:        6.2
-Release:        6%{?dist}
+Version:        6.3
+Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/System
 URL:            https://invisible-island.net/ncurses/
 Source0:        https://invisible-mirror.net/archives/%{name}/%{name}-%{version}.tar.gz
-Patch0:         CVE-2021-39537.patch
 Requires:       %{name}-libs = %{version}-%{release}

 %description
@ -207,6 +206,9 @@ xz NEWS
 %files term -f terms.term

 %changelog
+* Mon Jun 13 2022 Andrew Phelps <anphel@microsoft.com> - 6.3-1
+- Update to version 6.3
+
 * Wed Apr 20 2022 Olivia Crain <oliviacrain@microsoft.com> - 6.2-6
 - Patch CVE-2021-39537
 - Change FTP source url to HTTPS mirror
--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -12223,8 +12223,8 @@
        "type": "other",
        "other": {
          "name": "ncurses",
-          "version": "6.2",
-          "downloadUrl": "https://invisible-mirror.net/archives/ncurses/ncurses-6.2.tar.gz"
+          "version": "6.3",
+          "downloadUrl": "https://invisible-mirror.net/archives/ncurses/ncurses-6.3.tar.gz"
        }
      }
    },
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -33,11 +33,11 @@ libpkgconf-1.8.0-2.cm2.aarch64.rpm
 pkgconf-1.8.0-2.cm2.aarch64.rpm
 pkgconf-m4-1.8.0-2.cm2.noarch.rpm
 pkgconf-pkg-config-1.8.0-2.cm2.aarch64.rpm
-ncurses-6.2-6.cm2.aarch64.rpm
-ncurses-compat-6.2-6.cm2.aarch64.rpm
-ncurses-devel-6.2-6.cm2.aarch64.rpm
-ncurses-libs-6.2-6.cm2.aarch64.rpm
-ncurses-term-6.2-6.cm2.aarch64.rpm
+ncurses-6.3-1.cm2.aarch64.rpm
+ncurses-compat-6.3-1.cm2.aarch64.rpm
+ncurses-devel-6.3-1.cm2.aarch64.rpm
+ncurses-libs-6.3-1.cm2.aarch64.rpm
+ncurses-term-6.3-1.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm
 coreutils-8.32-3.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -33,11 +33,11 @@ libpkgconf-1.8.0-2.cm2.x86_64.rpm
 pkgconf-1.8.0-2.cm2.x86_64.rpm
 pkgconf-m4-1.8.0-2.cm2.noarch.rpm
 pkgconf-pkg-config-1.8.0-2.cm2.x86_64.rpm
-ncurses-6.2-6.cm2.x86_64.rpm
-ncurses-compat-6.2-6.cm2.x86_64.rpm
-ncurses-devel-6.2-6.cm2.x86_64.rpm
-ncurses-libs-6.2-6.cm2.x86_64.rpm
-ncurses-term-6.2-6.cm2.x86_64.rpm
+ncurses-6.3-1.cm2.x86_64.rpm
+ncurses-compat-6.3-1.cm2.x86_64.rpm
+ncurses-devel-6.3-1.cm2.x86_64.rpm
+ncurses-libs-6.3-1.cm2.x86_64.rpm
+ncurses-term-6.3-1.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm
 coreutils-8.32-3.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -240,12 +240,12 @@ mpfr-4.1.0-1.cm2.aarch64.rpm
 mpfr-debuginfo-4.1.0-1.cm2.aarch64.rpm
 mpfr-devel-4.1.0-1.cm2.aarch64.rpm
 msopenjdk-11-11.0.14.1+1-LTS-31207.aarch64.rpm
-ncurses-6.2-6.cm2.aarch64.rpm
-ncurses-compat-6.2-6.cm2.aarch64.rpm
-ncurses-debuginfo-6.2-6.cm2.aarch64.rpm
-ncurses-devel-6.2-6.cm2.aarch64.rpm
-ncurses-libs-6.2-6.cm2.aarch64.rpm
-ncurses-term-6.2-6.cm2.aarch64.rpm
+ncurses-6.3-1.cm2.aarch64.rpm
+ncurses-compat-6.3-1.cm2.aarch64.rpm
+ncurses-debuginfo-6.3-1.cm2.aarch64.rpm
+ncurses-devel-6.3-1.cm2.aarch64.rpm
+ncurses-libs-6.3-1.cm2.aarch64.rpm
+ncurses-term-6.3-1.cm2.aarch64.rpm
 newt-0.52.21-4.cm2.aarch64.rpm
 newt-debuginfo-0.52.21-4.cm2.aarch64.rpm
 newt-devel-0.52.21-4.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -240,12 +240,12 @@ mpfr-4.1.0-1.cm2.x86_64.rpm
 mpfr-debuginfo-4.1.0-1.cm2.x86_64.rpm
 mpfr-devel-4.1.0-1.cm2.x86_64.rpm
 msopenjdk-11-11.0.14.1+1-LTS-31207.x86_64.rpm
-ncurses-6.2-6.cm2.x86_64.rpm
-ncurses-compat-6.2-6.cm2.x86_64.rpm
-ncurses-debuginfo-6.2-6.cm2.x86_64.rpm
-ncurses-devel-6.2-6.cm2.x86_64.rpm
-ncurses-libs-6.2-6.cm2.x86_64.rpm
-ncurses-term-6.2-6.cm2.x86_64.rpm
+ncurses-6.3-1.cm2.x86_64.rpm
+ncurses-compat-6.3-1.cm2.x86_64.rpm
+ncurses-debuginfo-6.3-1.cm2.x86_64.rpm
+ncurses-devel-6.3-1.cm2.x86_64.rpm
+ncurses-libs-6.3-1.cm2.x86_64.rpm
+ncurses-term-6.3-1.cm2.x86_64.rpm
 newt-0.52.21-4.cm2.x86_64.rpm
 newt-debuginfo-0.52.21-4.cm2.x86_64.rpm
 newt-devel-0.52.21-4.cm2.x86_64.rpm