Message ID | 20200229232016.4174325-1-aduskett@gmail.com |
---|---|
State | Rejected, archived |
Series | [PATCH/next,1/1] package/ncurses: bump to version 6.2 |
Hello,

+Thomas DS, since he added all the patches for ncurses 6.1

On Sat, 29 Feb 2020 15:20:15 -0800
aduskett@gmail.com wrote:

> From: Adam Duskett <Aduskett@gmail.com>
>
> Other changes:
>   - Update hash for the license file due to copyright year changes.
>   - Remove patches that are incorporated in this version.
>
> Signed-off-by: Adam Duskett <Aduskett@gmail.com>

But then, shouldn't we add all of the ncurses-6.2 patches available at
https://invisible-mirror.net/archives/ncurses/6.2/. I remember Thomas
DS discussed ncurses patches during the latest Buildroot meeting, and a
number of them (at least for ncurses 6.1) contained security fixes.

It's not clear what those patches are though, as they seem to contain
also the 6.1 -> 6.2 changes.

Thomas

Hello;

On Tue, Apr 21, 2020 at 2:26 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> +Thomas DS, since he added all the patches for ncurses 6.1
>
> On Sat, 29 Feb 2020 15:20:15 -0800
> aduskett@gmail.com wrote:
>
> > From: Adam Duskett <Aduskett@gmail.com>
> >
> > Other changes:
> >   - Update hash for the license file due to copyright year changes.
> >   - Remove patches that are incorporated in this version.
> >
> > Signed-off-by: Adam Duskett <Aduskett@gmail.com>
>
> But then, shouldn't we add all of the ncurses-6.2 patches available at
> https://invisible-mirror.net/archives/ncurses/6.2/. I remember Thomas
> DS discussed ncurses patches during the latest Buildroot meeting, and a
> number of them (at least for ncurses 6.1) contained security fixes.
>

Sure, but this patch is quite old, and only 4 of those patches were
available at the time of this patch. Do you want me to respin again?
It seems like if the next patch sits for another 2 or three months I would
then have to respin again as well.

Let me know!

Adam

> It's not clear what those patches are though, as they seem to contain
> also the 6.1 -> 6.2 changes.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Hi,

On Tue, Apr 21, 2020, 23:26 Thomas Petazzoni <thomas.petazzoni@bootlin.com>
wrote:

> Hello,
>
> +Thomas DS, since he added all the patches for ncurses 6.1
>
> On Sat, 29 Feb 2020 15:20:15 -0800
> aduskett@gmail.com wrote:
>
> > From: Adam Duskett <Aduskett@gmail.com>
> >
> > Other changes:
> >   - Update hash for the license file due to copyright year changes.
> >   - Remove patches that are incorporated in this version.
> >
> > Signed-off-by: Adam Duskett <Aduskett@gmail.com>
>
> But then, shouldn't we add all of the ncurses-6.2 patches available at
> https://invisible-mirror.net/archives/ncurses/6.2/. I remember Thomas
> DS discussed ncurses patches during the latest Buildroot meeting, and a
> number of them (at least for ncurses 6.1) contained security fixes.
>

Yes, unfortunately the patches themselves do not always clearly indicate
whether it's the case.

Are there already any CVEs for ncurses 6.2?
From my perspective, if the 6.2 code includes the CVE fixes of 6.1, and
there are no new CVEs, then no additional patches are needed now.

> It's not clear what those patches are though, as they seem to contain
> also the 6.1 -> 6.2 changes.
>

Yes, the first patch is normally the upgrade to 6.2. This was similar in 6.1.

Thanks
Thomas

On Thu, 23 Apr 2020 07:38:18 +0200
Thomas De Schampheleire <patrickdepinguin+buildroot@gmail.com> wrote:

> > But then, shouldn't we add all of the ncurses-6.2 patches available at
> > https://invisible-mirror.net/archives/ncurses/6.2/. I remember Thomas
> > DS discussed ncurses patches during the latest Buildroot meeting, and a
> > number of them (at least for ncurses 6.1) contained security fixes.
>
> Yes, unfortunately the patches themselves do not always clearly indicate
> whether it's the case.
>
> Are there already any CVEs for ncurses 6.2?

Here are the changes from 6.2 to the latest patch version:

    ==
    20200418
        + improve tracemunch logic for "RUN" compaction.
        + fix a special case in wresize() where copying the old text did not check if the last cell on a row was the beginning of a fullwidth character (adapted from patch by Benno Schulenberg).
        + use vt52+keypad in xterm-vt52, from xterm #354 -TD
        + improve see-also section of user_caps.5

    20200411
        + fix find_pair(), overlooked when refactoring for _nc_reserve_pairs() (report/testcase by Brad Town, cf: 20170812).
        + add a trailing null for magic-string in putwin, flagged by gcc 10
        + update check for gcc version versus gnat to work with gcc 10.x

    20200404
        + modify -fvisibility check to work with g++
        > fixes for building with Visual Studio C++ and msys2 (patches by "Maarten Anonymous"):
        + add configure option and check for gcc -fvisibility=hidden feature
        + define NCURSES_NOMACROS in lib_gen.c to work around Visual Studio C++ preprocessor limitations.
        + modify some of the configure-macros, as well as mk-1st.awk to work with Visual Studio C++ default filenaming.

    20200328
        + correct length of buffer copied in dup_field().
        + remove "$(srcdir)/" from path of library.gpr, needed for out-of-tree builds of Ada95 (patch by Adam Van Ymeren).

    20200321
        + improve configure-checks to reduce warnings about unused variables.
        + improve description of error-returns in waddch and waddnstr manual pages (prompted by patch by Benno Schulenberg).
        + add test/move_field.c to demonstrate move_field(), and a stub for a corresponding demo of dup_field().

    20200314
        + add history note to curs_scanw.3x for <stdarg.h> and <varargs.h>
        + add history note to curs_printw.3x for <stdarg.h> and <varargs.h>
        + add portability note to ncurses.3x regarding <stdarg.h>

    20200308
        + update copyright notices in test-packages.
        + modify tracemunch to guard against errors in its known_p1 table.
        + add several --with-xxx-libname options, to help with pkgsrc (prompted by discussion with Thomas Klausner).

    20200301
        + modify wbkgd() and wbkgrnd() to avoid storing a null in the background character, because it may be used in cases where the corresponding 0x80 is not treated as a null (report by Marc Rechte, cf: 20181208).

    20200229
        + modify CF_NCURSES_CONFIG to work around xcode's c99 "-W" option, which conflicts with conventional use for passing linker options.
        > fixes for building with Visual Studio C++ and msys2 (patches by "Maarten Anonymous"):
        + check for pcre2posix.h instead of pcre2-posix.h
        + add case in CF_SHARED_OPTS for msys2 + msvc
        + add fallback definition for STDIN_FILENO in progs.priv.h
        + modify win_driver.c to use _alloca() rather than gcc's variable length array feature.
        + add NCURSES_IMPEXP to ncurses wrapped-variable declarations
        + remove NCURSES_IMPEXP from class variables in c++/cursslk.h
        + remove fallback prototype for exit() from c++/etip.h.in
        + use configured check for <sys/time.h> in a couple of places
        + conditionally include winsock.h in ncurses/win32con/gettimeofday.c, because Visual Studio needs this for the timestruct declaration.
        + adjust syntax in a couple of files using the NCURSES_API symbol.

    20200222
        + expanded note in ncurses.3x regarding automatically-included headers
        + improve vt50h and vt52 based on DECScope manual -TD
        + add/use vt52+keypad and vt52-basic -TD
        + check/workaround for line-too-long in Ada95 generate utility when building out-of-tree.
        + improve/update HEADER_DEPS in */Makefile.in
        + add "check" rule to include/Makefile, to demonstrate that the headers include all of the required headers for the types used.

    20200215
        + improve manual page for panel library, extending the portability section as well as documenting error-returns.
        + show tic's version when installing terminal database in run_tic.sh
        + correct check for gcc vs other compilers used in ncurses 6.0, from FreeBSD patch by Kyle Evans (cf: 20150725).
        + add notes for 6.2 to INSTALL.

    20200212 6.2 release for upload to ftp.gnu.org
        + update release notes
        + minor build-fixes, mostly to test-package scripts
    ==

It is worth noting that ftp://ftp.invisible-island.net/ncurses/current/
has complete tarballs for each of the "updated" 6.2 versions.
Unfortunately the name of the folder, current/ and the fact that the
6.1 tarballs are not there makes me think such tarballs might disappear
over time from this location.

However using those tarballs would allow us to use 6.2-20200418 as the
version, which would match what release-monitoring.org has:
https://release-monitoring.org/project/2057/.

Otherwise, we can also do something like this:

    NCURSES_BASE_VERSION = 6.2
    NCURSES_PATCH_VERSIONS = \
        20200215 \
        20200222 \
        20200229 \
        20200301 \
        20200308 \
        20200314 \
        20200321 \
        20200328 \
        20200404 \
        20200411 \
        20200418
    NCURSES_SOURCE = ncurses-$(NCURSES_BASE_VERSION).tar.gz
    NCURSES_PATCH = \
        $(patsubst %,https://invisible-mirror.net/archives/ncurses/$(NCURSES_BASE_VERSION)/ncurses-$(NCURSES_BASE_VERSION)-%.patch.gz,$(NCURSES_PATCH_VERSIONS))
    NCURSES_VERSION = $(NCURSES_BASE_VERSION)-$(lastword $(NCURSES_PATCH_VERSIONS))

Best regards,

Thomas

Hello,

Seems I hadn't replied to this mail yet, sorry...

On Thu, 23 Apr 2020 at 8:16, Thomas Petazzoni
(<thomas.petazzoni@bootlin.com>) wrote:
...
>
> It is worth noting that ftp://ftp.invisible-island.net/ncurses/current/
> has complete tarballs for each of the "updated" 6.2 versions.
> Unfortunately the name of the folder, current/ and the fact that the
> 6.1 tarballs are not there makes me think such tarballs might disappear
> over time from this location.

Yes exactly, I don't think these links are stable and they will be
removed later.
The FAQ gives an insight on the process used (even though this line is
about development patches, not the tarballs you mentioned):

https://invisible-island.net/ncurses/ncurses.faq.html#applying_patches
"After providing a rollup patch, I remove the development patches to
reduce clutter. Beginning in May 2013, I modified the process to
provide all of the development patches since the release in
"dev-patches.zip". "

>
> However using those tarballs would allow us to use 6.2-20200418 as the
> version, which would match what release-monitoring.org has:
> https://release-monitoring.org/project/2057/.
>
> Otherwise, we can also do something like this:
>
> NCURSES_BASE_VERSION = 6.2
> NCURSES_PATCH_VERSIONS = \
>     20200215 \
>     20200222 \
>     20200229 \
>     20200301 \
>     20200308 \
>     20200314 \
>     20200321 \
>     20200328 \
>     20200404 \
>     20200411 \
>     20200418
> NCURSES_SOURCE = ncurses-$(NCURSES_BASE_VERSION).tar.gz
> NCURSES_PATCH = \
>     $(patsubst %,https://invisible-mirror.net/archives/ncurses/$(NCURSES_BASE_VERSION)/ncurses-$(NCURSES_BASE_VERSION)-%.patch.gz,$(NCURSES_PATCH_VERSIONS))
> NCURSES_VERSION = $(NCURSES_BASE_VERSION)-$(lastword $(NCURSES_PATCH_VERSIONS))

In the 6.1 case, we first had to apply a .sh.bz2 file and then on top
of that a list of .gz patches.

    NCURSES_PATCH = \
        $(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
            ncurses-6.1-20190609-patch.sh.bz2 \
            ncurses-6.1-20190615.patch.gz \
            ncurses-6.1-20190623.patch.gz \

so if reducing the list to only dates, then this could not be achieved.

From Buildroot commit 10fae9624b3c58e00e5406e8b489c4674d680380:

    Ncurses upstream uses a fairly special way of releasing (security)
    bugfixes. Approximately once a week an incremental .patch.gz is
    released, and once in a while these incremental patches are bundled up
    to a bigger patch relative to the current release in .patch.sh.bz2
    format (a bzip2 compressed patch with a small shell script prepended,
    luckily apply-patches can handle that), and the relative patch files
    deleted.

    For details of this process, see the upstream FAQ:
    https://invisible-island.net/ncurses/ncurses.faq.html#applying_patches

    Apply the latest .patch.sh.bz2 and incremental patches up to 20200118
    to fix a number of (security) issues. Notice that these patch files
    are NOT available on the GNU mirrors.

Best regards,
Thomas

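The ordering constraint described in the message above (the newest rollup `-patch.sh.bz2` first, then only the weekly `.patch.gz` files dated after it) together with a check that every selected file is pinned in the `.hash` file, as an added Python example that is not part of the thread or of Buildroot. The function names, the `20190601` file name and the all-zero digests are constructed for illustration.

```python
import re

# File-name shapes taken from the thread: a rollup "-patch.sh.bz2" and
# weekly ".patch.gz" files, both carrying the base version and a date.
ROLLUP = re.compile(r"^ncurses-(\d+\.\d+)-(\d{8})-patch\.sh\.bz2$")
WEEKLY = re.compile(r"^ncurses-(\d+\.\d+)-(\d{8})\.patch\.gz$")


def patch_series(listing, base_version):
    """Return patch names in apply order: newest rollup, then later weeklies."""
    rollups, weeklies = [], []
    for name in listing:
        for pattern, bucket in ((ROLLUP, rollups), (WEEKLY, weeklies)):
            m = pattern.match(name)
            if m and m.group(1) == base_version:
                bucket.append((m.group(2), name))
    rollups.sort()
    newest = rollups[-1] if rollups else None
    cutoff = newest[0] if newest else ""  # no rollup: every weekly applies
    later = sorted(w for w in weeklies if w[0] > cutoff)
    return ([newest[1]] if newest else []) + [name for _, name in later]


def unpinned(series, hash_file_text):
    """Return series entries with no sha256 line in a Buildroot-style .hash file."""
    pinned = set()
    for line in hash_file_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "sha256" and len(fields[1]) == 64:
            pinned.add(fields[2])
    return [name for name in series if name not in pinned]


# Constructed sample input: names follow the thread, except the 20190601
# entry; the all-zero digests are placeholders, not real hashes.
LISTING = [
    "ncurses-6.1-20190623.patch.gz",
    "ncurses-6.1-20190601.patch.gz",      # constructed: superseded by the rollup
    "ncurses-6.1-20190609-patch.sh.bz2",
    "ncurses-6.1-20190615.patch.gz",
    "ncurses-6.2-20200215.patch.gz",      # other base version, ignored for 6.1
]
HASH_FILE = "\n".join([
    "# Locally calculated",
    "sha256  " + "0" * 64 + "  ncurses-6.1-20190609-patch.sh.bz2",
    "sha256  " + "0" * 64 + "  ncurses-6.1-20190615.patch.gz",
])

if __name__ == "__main__":
    series = patch_series(LISTING, "6.1")
    print("apply order:", series)
    print("missing from .hash:", unpinned(series, HASH_FILE))
```
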
diff --git a/package/ncurses/ncurses.hash b/package/ncurses/ncurses.hash index 69115f5caf..429395c0f7 100644 --- a/package/ncurses/ncurses.hash +++ b/package/ncurses/ncurses.hash 
@@ -1,39 +1,4 @@ # Locally calculated after checking pgp signature -sha256 aa057eeeb4a14d470101eff4597d5833dcef5965331be3528c08d99cebaa0d17 ncurses-6.1.tar.gz -sha256 cf9038be62c49a6b5fe93f33b32f983649b2f4c4c31cc99bd18e1e5871c31443 ncurses-6.1-20190609-patch.sh.bz2 -sha256 4b0a4c6abce4543ac4fd4c3389b14825e73b7cddcbb01a687c5dd837f21a3b04 ncurses-6.1-20190615.patch.gz -sha256 b2302625ec2fa6dce79622670452e56ff6130dc02e655b52177264cfeff84c51 ncurses-6.1-20190623.patch.gz -sha256 48b004a3e5409a02a5e751f996fe487f5ce45be1fff38572f7cc8167b22179bf ncurses-6.1-20190630.patch.gz -sha256 faf849eed92161ac09782badf84a19ad6beae472e87d460905865e08a6ed46e4 ncurses-6.1-20190706.patch.gz -sha256 62d4954bf818659105aa1c21cc27cb2c133e02bdc7d3f6aa548caae2d1db7440 ncurses-6.1-20190713.patch.gz -sha256 0c1a54bd5de9c890d1fabcfa92bf5bf46f7eccc54a48051367e82bdb29636450 ncurses-6.1-20190720.patch.gz -sha256 0bbd08d3bd12686d4427c242d6a8fde2e299698039cd597303af713c5f538f17 ncurses-6.1-20190727.patch.gz -sha256 40e5f350a921dbd03e3d9ff93bc477ec4f1f65878f307c534882fba3b0b40507 ncurses-6.1-20190728.patch.gz -sha256 9648104311e209d17db9556d6efc898d5c80ed5fc80e8aa3cd08769544c839b8 ncurses-6.1-20190803.patch.gz -sha256 fa1f583575717b2538d3a4ea59a67bc17dd07ed46cb99fe2beaf23d1b006e9df ncurses-6.1-20190810.patch.gz -sha256 5e9ae4f1b3e2e2d567a01a8fb2c9b7f3804cae97f28cd483d239afee781b8c2b ncurses-6.1-20190817.patch.gz -sha256 7592e5e610b3e9eeca78897da2330b7518f00e0a59d20df873c88a9b26bc4da9 ncurses-6.1-20190824.patch.gz -sha256 1a9800a5ccc4f2cb572b63cdc8f1431642e014a58a30151af73977614d5c4aac ncurses-6.1-20190831.patch.gz -sha256 87685a6b90225efcd03375eb11b124fd9e95ee4b0f36bcbc82e56a70cd466b33 ncurses-6.1-20190907.patch.gz -sha256 4ddebb6e0e5a67028eb3aca2352c9bd48cf122a512719f93e449e00a3c6634f8 ncurses-6.1-20190914.patch.gz -sha256 4c725fa729d754f4e75af78fda4cf67d60e71c1625b5f4f49b7930c95bb8dd36 ncurses-6.1-20190921.patch.gz -sha256 a830b879b57906b1e480e4785b32cec05081b7849c06c4b116459c4d343ba21b 
ncurses-6.1-20190928.patch.gz -sha256 d5eae35d920409613f565825e1e215fed89828040aab541328455da38e1a9b7c ncurses-6.1-20191005.patch.gz -sha256 136dbd07254810728c1fcb7614b566e7c3cb6af8c0783019bbb6b4b5e3c1e2c6 ncurses-6.1-20191012.patch.gz -sha256 1d5125b20792e9f534432c3ef2aa68984c713416addeb2c4364c5ae897a3b8b7 ncurses-6.1-20191015.patch.gz -sha256 a6475c05312ba0b12b72b83529c1d283a14c4470414c505fa45451e35f3ffcf5 ncurses-6.1-20191019.patch.gz -sha256 f6c7469f33065faf1d04ac9e9bea1a88142b00b82e3db3674cca9ec24920b4af ncurses-6.1-20191026.patch.gz -sha256 0d0443937b9c04663de25b405bb95e658e7c87e1dd7a726b3813aa7f9b55f69a ncurses-6.1-20191102.patch.gz -sha256 f3b75787918d2f02a2005877e81fdc054c45b8249b43aabb531e3b817bcf7576 ncurses-6.1-20191109.patch.gz -sha256 801d138b55986719aea7f42dc8c0cb618fa9a6edf92d1789a6ba5d61678f7761 ncurses-6.1-20191116.patch.gz -sha256 45f447cf2c7a24295c7b9210473e943a238c57ca80581d121c9a1a3aa05332a6 ncurses-6.1-20191123.patch.gz -sha256 ea758e3b0162348c4d5d6dac56f95809da3b7d0589205661a13430eb93f72f75 ncurses-6.1-20191130.patch.gz -sha256 16b5a588c56a53c468d2359b21d5d8a007c4ef7696de12c964a1b661ed185f72 ncurses-6.1-20191207.patch.gz -sha256 8725a2dc8f1cfdab41cb5fe56f930e070f8cdc81a77f303ef2658f65cd0b8edd ncurses-6.1-20191214.patch.gz -sha256 7e2a06fb0af6c84269d23ffe06c689bf1a8a57af39369690ee0698778d4b6cda ncurses-6.1-20191221.patch.gz -sha256 d052bcdb38f8b45a00c0a3190dec7ac1e72d5682f3a16d8accda239308aad62f ncurses-6.1-20191228.patch.gz -sha256 7b6253bae438154a88c7f3e301b872ed7ad71f943c873f4e6c82d8d36a5df72b ncurses-6.1-20200104.patch.gz -sha256 e438f28025c7d97c7f8fabf40eeab68bbf8ca871a0ba349e3fdec9165efe85cb ncurses-6.1-20200111.patch.gz -sha256 06d002c33f727c4a36a0b502c226ea3c3c5b80770703d2f783fffa6a0db04d92 ncurses-6.1-20200118.patch.gz +sha256 30306e0c76e0f9f1f0de987cf1c82a5c21e1ce6568b9227f7da5b71cbea86c9d ncurses-6.2.tar.gz # Locally computed -sha256 4d1fde61868c73776a539366dccf5d5a4857e7fd7299efb1f02e07c2afe9ea87 COPYING +sha256 
8d8caaec335cbd1da15d5e9c12cd559f6d0d5566273077cc6f651684092606b5 COPYING diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk index c11650c766..43f8972b95 100644 --- a/package/ncurses/ncurses.mk +++ b/package/ncurses/ncurses.mk @@ -4,51 +4,13 @@ # ################################################################################ -NCURSES_VERSION = 6.1 +NCURSES_VERSION = 6.2 NCURSES_SITE = $(BR2_GNU_MIRROR)/ncurses NCURSES_INSTALL_STAGING = YES NCURSES_DEPENDENCIES = host-ncurses NCURSES_LICENSE = MIT with advertising clause NCURSES_LICENSE_FILES = COPYING NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config -NCURSES_PATCH = \ - $(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \ - ncurses-6.1-20190609-patch.sh.bz2 \ - ncurses-6.1-20190615.patch.gz \ - ncurses-6.1-20190623.patch.gz \ - ncurses-6.1-20190630.patch.gz \ - ncurses-6.1-20190706.patch.gz \ - ncurses-6.1-20190713.patch.gz \ - ncurses-6.1-20190720.patch.gz \ - ncurses-6.1-20190727.patch.gz \ - ncurses-6.1-20190728.patch.gz \ - ncurses-6.1-20190803.patch.gz \ - ncurses-6.1-20190810.patch.gz \ - ncurses-6.1-20190817.patch.gz \ - ncurses-6.1-20190824.patch.gz \ - ncurses-6.1-20190831.patch.gz \ - ncurses-6.1-20190907.patch.gz \ - ncurses-6.1-20190914.patch.gz \ - ncurses-6.1-20190921.patch.gz \ - ncurses-6.1-20190928.patch.gz \ - ncurses-6.1-20191005.patch.gz \ - ncurses-6.1-20191012.patch.gz \ - ncurses-6.1-20191015.patch.gz \ - ncurses-6.1-20191019.patch.gz \ - ncurses-6.1-20191026.patch.gz \ - ncurses-6.1-20191102.patch.gz \ - ncurses-6.1-20191109.patch.gz \ - ncurses-6.1-20191116.patch.gz \ - ncurses-6.1-20191123.patch.gz \ - ncurses-6.1-20191130.patch.gz \ - ncurses-6.1-20191207.patch.gz \ - ncurses-6.1-20191214.patch.gz \ - ncurses-6.1-20191221.patch.gz \ - ncurses-6.1-20191228.patch.gz \ - ncurses-6.1-20200104.patch.gz \ - ncurses-6.1-20200111.patch.gz \ - ncurses-6.1-20200118.patch.gz \ - ) NCURSES_CONF_OPTS = \ --without-cxx \
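
Review bot: In package/ncurses/ncurses.hash the retained header "# Locally calculated after checking pgp signature" now vouches for the new ncurses-6.2.tar.gz line, so the commit message should say the 6.2 tarball signature was actually checked, or the comment should be adjusted. The hunk also leaves no patch entries at all; if any ncurses-6.2 patch files are added to NCURSES_PATCH later, each one needs its own sha256 line here, as every 6.1 patch had.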
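
Review bot: Dropping NCURSES_PATCH entirely in package/ncurses/ncurses.mk leaves the package at plain 6.2, and the commit message ("Remove patches that are incorporated in this version") does not say whether the post-release patches under https://invisible-mirror.net/archives/ncurses/6.2/ were considered. Either keep the variable with the 6.2 patch files and matching ncurses.hash entries, or state in the commit message that none are needed for this bump. Note that the removed list built its URL from $(NCURSES_VERSION), so moving to a dated version string would require a separate base-version variable.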