[PATCH/next,1/1] package/ncurses: bump to version 6.2

Message ID 20200229232016.4174325-1-aduskett@gmail.com
State Rejected, archived

Commit Message

Adam Duskett Feb. 29, 2020, 11:20 p.m. UTC
From: Adam Duskett <Aduskett@gmail.com>

Other changes:
  - Update hash for the license file due to copyright year changes.
  - Remove patches that are incorporated in this version.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
All checks pass:
          br-arm-full [1/6]: OK
br-arm-cortex-a9-glibc [2/6]: OK
 br-arm-cortex-m4-full [3/6]: OK
        br-x86-64-musl [4/6]: OK
    br-arm-full-static [5/6]: OK
          sourcery-arm [6/6]: OK

 package/ncurses/ncurses.hash | 39 ++---------------------------------
 package/ncurses/ncurses.mk   | 40 +-----------------------------------
 2 files changed, 3 insertions(+), 76 deletions(-)

Comments

Thomas Petazzoni April 21, 2020, 9:26 p.m. UTC | #1
Hello,

+Thomas DS, since he added all the patches for ncurses 6.1

On Sat, 29 Feb 2020 15:20:15 -0800
aduskett@gmail.com wrote:

> From: Adam Duskett <Aduskett@gmail.com>
> 
> Other changes:
>   - Update hash for the license file due to copyright year changes.
>   - Remove patches that are incorporated in this version.
> 
> Signed-off-by: Adam Duskett <Aduskett@gmail.com>

But then, shouldn't we add all of the ncurses-6.2 patches available at
https://invisible-mirror.net/archives/ncurses/6.2/. I remember Thomas
DS discussed ncurses patches during the latest Buildroot meeting, and a
number of them (at least for ncurses 6.1) contained security fixes.

It's not clear what those patches are though, as they seem to contain
also the 6.1 -> 6.2 changes.

Thomas
Adam Duskett April 22, 2020, 10:30 p.m. UTC | #2
Hello;

On Tue, Apr 21, 2020 at 2:26 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> +Thomas DS, since he added all the patches for ncurses 6.1
>
> On Sat, 29 Feb 2020 15:20:15 -0800
> aduskett@gmail.com wrote:
>
> > From: Adam Duskett <Aduskett@gmail.com>
> >
> > Other changes:
> >   - Update hash for the license file due to copyright year changes.
> >   - Remove patches that are incorporated in this version.
> >
> > Signed-off-by: Adam Duskett <Aduskett@gmail.com>
>
> But then, shouldn't we add all of the ncurses-6.2 patches available at
> https://invisible-mirror.net/archives/ncurses/6.2/. I remember Thomas
> DS discussed ncurses patches during the latest Buildroot meeting, and a
> number of them (at least for ncurses 6.1) contained security fixes.
>
Sure, but this patch is quite old, and only 4 of those patches were available at
the time of this patch.

Do you want me to respin again? It seems like if the next patch sits for another
2 or three months I would then have to respin again as well.

Let me know!
Adam

> It's not clear what those patches are though, as they seem to contain
> also the 6.1 -> 6.2 changes.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Thomas De Schampheleire April 23, 2020, 5:38 a.m. UTC | #3
Hi,

On Tue, Apr 21, 2020, 23:26 Thomas Petazzoni <thomas.petazzoni@bootlin.com>
wrote:

> Hello,
>
> +Thomas DS, since he added all the patches for ncurses 6.1
>
> On Sat, 29 Feb 2020 15:20:15 -0800
> aduskett@gmail.com wrote:
>
> > From: Adam Duskett <Aduskett@gmail.com>
> >
> > Other changes:
> >   - Update hash for the license file due to copyright year changes.
> >   - Remove patches that are incorporated in this version.
> >
> > Signed-off-by: Adam Duskett <Aduskett@gmail.com>
>
> But then, shouldn't we add all of the ncurses-6.2 patches available at
> https://invisible-mirror.net/archives/ncurses/6.2/. I remember Thomas
> DS discussed ncurses patches during the latest Buildroot meeting, and a
> number of them (at least for ncurses 6.1) contained security fixes.
>

Yes, unfortunately the patches themselves do not always clearly indicate
whether it's the case.

Are there already any CVEs for ncurses 6.2?

From my perspective, if the 6.2 code includes the CVE fixes of 6.1, and
there are no new CVEs, then no additional patches are needed now.


> It's not clear what those patches are though, as they seem to contain
> also the 6.1 -> 6.2 changes.
>

Yes, the first patch is normally the upgrade to 6.2. This was similar in
6.1.

Thanks
Thomas
Thomas Petazzoni April 23, 2020, 6:16 a.m. UTC | #4
On Thu, 23 Apr 2020 07:38:18 +0200
Thomas De Schampheleire <patrickdepinguin+buildroot@gmail.com> wrote:

> > But then, shouldn't we add all of the ncurses-6.2 patches available at
> > https://invisible-mirror.net/archives/ncurses/6.2/. I remember Thomas
> > DS discussed ncurses patches during the latest Buildroot meeting, and a
> > number of them (at least for ncurses 6.1) contained security fixes.
> 
> Yes, unfortunately the patches themselves do not always clearly indicate
> whether it's the case.
> 
> Are there already any CVEs for ncurses 6.2?

Here are the changes from 6.2 to the latest patch version:

==

20200418
	+ improve tracemunch logic for "RUN" compaction.
	+ fix a special case in wresize() where copying the old text did not
	  check if the last cell on a row was the beginning of a fullwidth
	  character (adapted from patch by Benno Schulenberg).
	+ use vt52+keypad in xterm-vt52, from xterm #354 -TD
	+ improve see-also section of user_caps.5

20200411
	+ fix find_pair(), overlooked when refactoring for _nc_reserve_pairs()
	  (report/testcase by Brad Town, cf: 20170812).
	+ add a trailing null for magic-string in putwin, flagged by gcc 10
	+ update check for gcc version versus gnat to work with gcc 10.x

20200404
	+ modify -fvisibility check to work with g++
	> fixes for building with Visual Studio C++ and msys2 (patches by
	  "Maarten Anonymous"):
	+ add configure option and check for gcc -fvisibility=hidden feature
	+ define NCURSES_NOMACROS in lib_gen.c to work around Visual Studio
	  C++ preprocessor limitations.
	+ modify some of the configure-macros, as well as mk-1st.awk to work
	  with Visual Studio C++ default filenaming.

20200328
	+ correct length of buffer copied in dup_field().
	+ remove "$(srcdir)/" from path of library.gpr, needed for out-of-tree
	  builds of Ada95 (patch by Adam Van Ymeren).

20200321
	+ improve configure-checks to reduce warnings about unused variables.
	+ improve description of error-returns in waddch and waddnstr manual
	  pages (prompted by patch by Benno Schulenberg).
	+ add test/move_field.c to demonstrate move_field(), and a stub for
	  a corresponding demo of dup_field().

20200314
	+ add history note to curs_scanw.3x for <stdarg.h> and <varargs.h>
	+ add history note to curs_printw.3x for <stdarg.h> and <varargs.h>
	+ add portability note to ncurses.3x regarding <stdarg.h>

20200308
	+ update copyright notices in test-packages.
	+ modify tracemunch to guard against errors in its known_p1 table.
	+ add several --with-xxx-libname options, to help with pkgsrc (prompted
	  by discussion with Thomas Klausner).

20200301
	+ modify wbkgd() and wbkgrnd() to avoid storing a null in the
	  background character, because it may be used in cases where the
	  corresponding 0x80 is not treated as a null (report by Marc Rechte,
	  cf: 20181208).

20200229
	+ modify CF_NCURSES_CONFIG to work around xcode's c99 "-W" option,
	  which conflicts with conventional use for passing linker options.
	> fixes for building with Visual Studio C++ and msys2 (patches by
	  "Maarten Anonymous"):
	+ check for pcre2posix.h instead of pcre2-posix.h
	+ add case in CF_SHARED_OPTS for msys2 + msvc
	+ add fallback definition for STDIN_FILENO in progs.priv.h
	+ modify win_driver.c to use _alloca() rather than gcc's variable
	  length array feature.
	+ add NCURSES_IMPEXP to ncurses wrapped-variable declarations
	+ remove NCURSES_IMPEXP from class variables in c++/cursslk.h
	+ remove fallback prototype for exit() from c++/etip.h.in
	+ use configured check for <sys/time.h> in a couple of places
	+ conditionally include winsock.h in ncurses/win32con/gettimeofday.c,
	  because Visual Studio needs this for the timestruct declaration.
	+ adjust syntax in a couple of files using the NCURSES_API symbol.

20200222
	+ expanded note in ncurses.3x regarding automatically-included headers
	+ improve vt50h and vt52 based on DECScope manual -TD
	+ add/use vt52+keypad and vt52-basic -TD
	+ check/workaround for line-too-long in Ada95 generate utility when
	  building out-of-tree.
	+ improve/update HEADER_DEPS in */Makefile.in
	+ add "check" rule to include/Makefile, to demonstrate that the headers
	  include all of the required headers for the types used.

20200215
	+ improve manual page for panel library, extending the portability
	  section as well as documenting error-returns.
	+ show tic's version when installing terminal database in run_tic.sh
	+ correct check for gcc vs other compilers used in ncurses 6.0, from
	  FreeBSD patch by Kyle Evans (cf: 20150725).
	+ add notes for 6.2 to INSTALL.

20200212 6.2 release for upload to ftp.gnu.org
	+ update release notes
	+ minor build-fixes, mostly to test-package scripts

==

It is worth noting that ftp://ftp.invisible-island.net/ncurses/current/
has complete tarballs for each of the "updated" 6.2 versions.
Unfortunately the name of the folder, current/ and the fact that the
6.1 tarballs are not there makes me think such tarballs might disappear
over time from this location.

However using those tarballs would allow us to use 6.2-20200418 as the
version, which would match what release-monitoring.org has:
https://release-monitoring.org/project/2057/.

Otherwise, we can also do something like this:

NCURSES_BASE_VERSION = 6.2
NCURSES_PATCH_VERSIONS = \
	20200215 \
	20200222 \
	20200229 \
	20200301 \
	20200308 \
	20200314 \
	20200321 \
	20200328 \
	20200404 \
	20200411 \
	20200418
NCURSES_SOURCE = ncurses-$(NCURSES_BASE_VERSION).tar.gz
NCURSES_PATCH = \
	$(patsubst %,https://invisible-mirror.net/archives/ncurses/$(NCURSES_BASE_VERSION)/ncurses-$(NCURSES_BASE_VERSION)-%.patch.gz,$(NCURSES_PATCH_VERSIONS))
NCURSES_VERSION = $(NCURSES_BASE_VERSION)-$(lastword $(NCURSES_PATCH_VERSIONS))

Best regards,

Thomas
Thomas De Schampheleire May 8, 2020, 8:03 a.m. UTC | #5
Hello,

Seems I hadn't replied to this mail yet, sorry...

On Thu, Apr 23, 2020 at 8:16, Thomas Petazzoni
(<thomas.petazzoni@bootlin.com>) wrote:

...

>
> It is worth noting that ftp://ftp.invisible-island.net/ncurses/current/
> has complete tarballs for each of the "updated" 6.2 versions.
> Unfortunately the name of the folder, current/ and the fact that the
> 6.1 tarballs are not there makes me think such tarballs might disappear
> over time from this location.

Yes exactly, I don't think these links are stable and they will be
removed later.
The FAQ gives an insight on the process used (even though this line is
about development patches, not the tarballs you mentioned):
https://invisible-island.net/ncurses/ncurses.faq.html#applying_patches

"After providing a rollup patch, I remove the development patches to
reduce clutter. Beginning in May 2013, I modified the process to
provide all of the development patches since the release in
"dev-patches.zip". "


>
> However using those tarballs would allow us to use 6.2-20200418 as the
> version, which would match what release-monitoring.org has:
> https://release-monitoring.org/project/2057/.
>
> Otherwise, we can also do something like this:
>
> NCURSES_BASE_VERSION = 6.2
> NCURSES_PATCH_VERSIONS = \
>         20200215 \
>         20200222 \
>         20200229 \
>         20200301 \
>         20200308 \
>         20200314 \
>         20200321 \
>         20200328 \
>         20200404 \
>         20200411 \
>         20200418
> NCURSES_SOURCE = ncurses-$(NCURSES_BASE_VERSION).tar.gz
> NCURSES_PATCH = \
>         $(patsubst %,https://invisible-mirror.net/archives/ncurses/$(NCURSES_BASE_VERSION)/ncurses-$(NCURSES_BASE_VERSION)-%.patch.gz,$(NCURSES_PATCH_VERSIONS))
> NCURSES_VERSION = $(NCURSES_BASE_VERSION)-$(lastword $(NCURSES_PATCH_VERSIONS))

In the 6.1 case, we first had to apply a .sh.bz2 file and then on top
of that a list of .gz patches.

NCURSES_PATCH = \
    $(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
        ncurses-6.1-20190609-patch.sh.bz2 \
        ncurses-6.1-20190615.patch.gz \
        ncurses-6.1-20190623.patch.gz \

so if reducing the list to only dates, then this could not be
achieved.  From Buildroot commit
10fae9624b3c58e00e5406e8b489c4674d680380:

    Ncurses upstream uses a fairly special way of releasing (security) bugfixes.
    Approximately once a week an incremental .patch.gz is released, and once in
    a while these incremental patches are bundled up to a bigger patch relative
    to the current release in .patch.sh.bz2 format (a bzip2 compressed patch
    with a small shell script prepended, luckily apply-patches can handle that),
    and the relative patch files deleted.

    For details of this process, see the upstream FAQ:
    https://invisible-island.net/ncurses/ncurses.faq.html#applying_patches

    Apply the latest .patch.sh.bz2 and incremental patches up to 20200118 to fix
    a number of (security) issues.  Notice that these patch files are NOT
    available on the GNU mirrors.


Best regards,
Thomas
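
Added example (not part of the thread and not Buildroot code): a small helper that applies the ordering rule from the commit message quoted above, latest rollup first and then only the incremental patches dated after it, and reports which selected files have no sha256 line in the .hash file. The function names, the directory listing and the placeholder hash are constructed for illustration; the file name patterns are the two seen in this thread.

```python
import re

# The two upstream name forms seen in this thread:
#   ncurses-<ver>-<date>-patch.sh.bz2   rollup relative to the release
#   ncurses-<ver>-<date>.patch.gz       weekly incremental patch
_NAME = re.compile(
    r"^ncurses-(?P<ver>\d+\.\d+)-(?P<date>\d{8})"
    r"(?P<kind>-patch\.sh\.bz2|\.patch\.gz)$"
)


def select_patches(listing, version):
    """Ordered patch series for `version`: newest rollup, then later incrementals."""
    rollups, incrementals = [], []
    for name in listing:
        m = _NAME.match(name)
        if not m or m.group("ver") != version:
            continue  # other release, or not a patch file at all
        bucket = rollups if m.group("kind") == "-patch.sh.bz2" else incrementals
        bucket.append((m.group("date"), name))
    series, base_date = [], ""
    if rollups:
        base_date, rollup = max(rollups)  # newest rollup supersedes older ones
        series.append(rollup)
    # An incremental dated on or before the rollup is already contained in it.
    series += [name for date, name in sorted(incrementals) if date > base_date]
    return series


def missing_hashes(series, hash_text):
    """Files in `series` that have no 'sha256  <hash>  <file>' line in hash_text."""
    hashed = set()
    for line in hash_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "sha256":
            hashed.add(fields[2])
    return [name for name in series if name not in hashed]


# Constructed directory listing; the 20190601 entry is made up to show that a
# patch older than the rollup is skipped.
LISTING = [
    "ncurses-6.1-20190623.patch.gz",
    "ncurses-6.1-20190601.patch.gz",
    "ncurses-6.1-20190609-patch.sh.bz2",
    "ncurses-6.1-20190615.patch.gz",
    "ncurses-6.2-20200222.patch.gz",
    "ncurses-6.2-20200215.patch.gz",
    "dev-patches.zip",
]

# Constructed .hash content with a placeholder digest, not a real hash.
HASH_TEXT = "# Locally computed\nsha256  " + "0" * 64 + "  ncurses-6.1-20190609-patch.sh.bz2\n"

if __name__ == "__main__":
    series = select_patches(LISTING, "6.1")
    print("NCURSES_PATCH order:", *series, sep="\n  ")
    print("no hash for:", missing_hashes(series, HASH_TEXT))
```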
Patch

diff --git a/package/ncurses/ncurses.hash b/package/ncurses/ncurses.hash
index 69115f5caf..429395c0f7 100644
--- a/package/ncurses/ncurses.hash
+++ b/package/ncurses/ncurses.hash
@@ -1,39 +1,4 @@ 
 # Locally calculated after checking pgp signature
-sha256  aa057eeeb4a14d470101eff4597d5833dcef5965331be3528c08d99cebaa0d17  ncurses-6.1.tar.gz
-sha256  cf9038be62c49a6b5fe93f33b32f983649b2f4c4c31cc99bd18e1e5871c31443  ncurses-6.1-20190609-patch.sh.bz2
-sha256  4b0a4c6abce4543ac4fd4c3389b14825e73b7cddcbb01a687c5dd837f21a3b04  ncurses-6.1-20190615.patch.gz
-sha256  b2302625ec2fa6dce79622670452e56ff6130dc02e655b52177264cfeff84c51  ncurses-6.1-20190623.patch.gz
-sha256  48b004a3e5409a02a5e751f996fe487f5ce45be1fff38572f7cc8167b22179bf  ncurses-6.1-20190630.patch.gz
-sha256  faf849eed92161ac09782badf84a19ad6beae472e87d460905865e08a6ed46e4  ncurses-6.1-20190706.patch.gz
-sha256  62d4954bf818659105aa1c21cc27cb2c133e02bdc7d3f6aa548caae2d1db7440  ncurses-6.1-20190713.patch.gz
-sha256  0c1a54bd5de9c890d1fabcfa92bf5bf46f7eccc54a48051367e82bdb29636450  ncurses-6.1-20190720.patch.gz
-sha256  0bbd08d3bd12686d4427c242d6a8fde2e299698039cd597303af713c5f538f17  ncurses-6.1-20190727.patch.gz
-sha256  40e5f350a921dbd03e3d9ff93bc477ec4f1f65878f307c534882fba3b0b40507  ncurses-6.1-20190728.patch.gz
-sha256  9648104311e209d17db9556d6efc898d5c80ed5fc80e8aa3cd08769544c839b8  ncurses-6.1-20190803.patch.gz
-sha256  fa1f583575717b2538d3a4ea59a67bc17dd07ed46cb99fe2beaf23d1b006e9df  ncurses-6.1-20190810.patch.gz
-sha256  5e9ae4f1b3e2e2d567a01a8fb2c9b7f3804cae97f28cd483d239afee781b8c2b  ncurses-6.1-20190817.patch.gz
-sha256  7592e5e610b3e9eeca78897da2330b7518f00e0a59d20df873c88a9b26bc4da9  ncurses-6.1-20190824.patch.gz
-sha256  1a9800a5ccc4f2cb572b63cdc8f1431642e014a58a30151af73977614d5c4aac  ncurses-6.1-20190831.patch.gz
-sha256  87685a6b90225efcd03375eb11b124fd9e95ee4b0f36bcbc82e56a70cd466b33  ncurses-6.1-20190907.patch.gz
-sha256  4ddebb6e0e5a67028eb3aca2352c9bd48cf122a512719f93e449e00a3c6634f8  ncurses-6.1-20190914.patch.gz
-sha256  4c725fa729d754f4e75af78fda4cf67d60e71c1625b5f4f49b7930c95bb8dd36  ncurses-6.1-20190921.patch.gz
-sha256  a830b879b57906b1e480e4785b32cec05081b7849c06c4b116459c4d343ba21b  ncurses-6.1-20190928.patch.gz
-sha256  d5eae35d920409613f565825e1e215fed89828040aab541328455da38e1a9b7c  ncurses-6.1-20191005.patch.gz
-sha256  136dbd07254810728c1fcb7614b566e7c3cb6af8c0783019bbb6b4b5e3c1e2c6  ncurses-6.1-20191012.patch.gz
-sha256  1d5125b20792e9f534432c3ef2aa68984c713416addeb2c4364c5ae897a3b8b7  ncurses-6.1-20191015.patch.gz
-sha256  a6475c05312ba0b12b72b83529c1d283a14c4470414c505fa45451e35f3ffcf5  ncurses-6.1-20191019.patch.gz
-sha256  f6c7469f33065faf1d04ac9e9bea1a88142b00b82e3db3674cca9ec24920b4af  ncurses-6.1-20191026.patch.gz
-sha256  0d0443937b9c04663de25b405bb95e658e7c87e1dd7a726b3813aa7f9b55f69a  ncurses-6.1-20191102.patch.gz
-sha256  f3b75787918d2f02a2005877e81fdc054c45b8249b43aabb531e3b817bcf7576  ncurses-6.1-20191109.patch.gz
-sha256  801d138b55986719aea7f42dc8c0cb618fa9a6edf92d1789a6ba5d61678f7761  ncurses-6.1-20191116.patch.gz
-sha256  45f447cf2c7a24295c7b9210473e943a238c57ca80581d121c9a1a3aa05332a6  ncurses-6.1-20191123.patch.gz
-sha256  ea758e3b0162348c4d5d6dac56f95809da3b7d0589205661a13430eb93f72f75  ncurses-6.1-20191130.patch.gz
-sha256  16b5a588c56a53c468d2359b21d5d8a007c4ef7696de12c964a1b661ed185f72  ncurses-6.1-20191207.patch.gz
-sha256  8725a2dc8f1cfdab41cb5fe56f930e070f8cdc81a77f303ef2658f65cd0b8edd  ncurses-6.1-20191214.patch.gz
-sha256  7e2a06fb0af6c84269d23ffe06c689bf1a8a57af39369690ee0698778d4b6cda  ncurses-6.1-20191221.patch.gz
-sha256  d052bcdb38f8b45a00c0a3190dec7ac1e72d5682f3a16d8accda239308aad62f  ncurses-6.1-20191228.patch.gz
-sha256  7b6253bae438154a88c7f3e301b872ed7ad71f943c873f4e6c82d8d36a5df72b  ncurses-6.1-20200104.patch.gz
-sha256  e438f28025c7d97c7f8fabf40eeab68bbf8ca871a0ba349e3fdec9165efe85cb  ncurses-6.1-20200111.patch.gz
-sha256  06d002c33f727c4a36a0b502c226ea3c3c5b80770703d2f783fffa6a0db04d92  ncurses-6.1-20200118.patch.gz
+sha256  30306e0c76e0f9f1f0de987cf1c82a5c21e1ce6568b9227f7da5b71cbea86c9d  ncurses-6.2.tar.gz
 # Locally computed
-sha256  4d1fde61868c73776a539366dccf5d5a4857e7fd7299efb1f02e07c2afe9ea87  COPYING
+sha256  8d8caaec335cbd1da15d5e9c12cd559f6d0d5566273077cc6f651684092606b5  COPYING
diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk
index c11650c766..43f8972b95 100644
--- a/package/ncurses/ncurses.mk
+++ b/package/ncurses/ncurses.mk
@@ -4,51 +4,13 @@ 
 #
 ################################################################################
 
-NCURSES_VERSION = 6.1
+NCURSES_VERSION = 6.2
 NCURSES_SITE = $(BR2_GNU_MIRROR)/ncurses
 NCURSES_INSTALL_STAGING = YES
 NCURSES_DEPENDENCIES = host-ncurses
 NCURSES_LICENSE = MIT with advertising clause
 NCURSES_LICENSE_FILES = COPYING
 NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config
-NCURSES_PATCH = \
-	$(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
-		ncurses-6.1-20190609-patch.sh.bz2 \
-		ncurses-6.1-20190615.patch.gz \
-		ncurses-6.1-20190623.patch.gz \
-		ncurses-6.1-20190630.patch.gz \
-		ncurses-6.1-20190706.patch.gz \
-		ncurses-6.1-20190713.patch.gz \
-		ncurses-6.1-20190720.patch.gz \
-		ncurses-6.1-20190727.patch.gz \
-		ncurses-6.1-20190728.patch.gz \
-		ncurses-6.1-20190803.patch.gz \
-		ncurses-6.1-20190810.patch.gz \
-		ncurses-6.1-20190817.patch.gz \
-		ncurses-6.1-20190824.patch.gz \
-		ncurses-6.1-20190831.patch.gz \
-		ncurses-6.1-20190907.patch.gz \
-		ncurses-6.1-20190914.patch.gz \
-		ncurses-6.1-20190921.patch.gz \
-		ncurses-6.1-20190928.patch.gz \
-		ncurses-6.1-20191005.patch.gz \
-		ncurses-6.1-20191012.patch.gz \
-		ncurses-6.1-20191015.patch.gz \
-		ncurses-6.1-20191019.patch.gz \
-		ncurses-6.1-20191026.patch.gz \
-		ncurses-6.1-20191102.patch.gz \
-		ncurses-6.1-20191109.patch.gz \
-		ncurses-6.1-20191116.patch.gz \
-		ncurses-6.1-20191123.patch.gz \
-		ncurses-6.1-20191130.patch.gz \
-		ncurses-6.1-20191207.patch.gz \
-		ncurses-6.1-20191214.patch.gz \
-		ncurses-6.1-20191221.patch.gz \
-		ncurses-6.1-20191228.patch.gz \
-		ncurses-6.1-20200104.patch.gz \
-		ncurses-6.1-20200111.patch.gz \
-		ncurses-6.1-20200118.patch.gz \
-	)
 
 NCURSES_CONF_OPTS = \
 	--without-cxx \
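
Review bot: deleting the whole NCURSES_PATCH assignment after NCURSES_CONFIG_SCRIPTS leaves 6.2 built from the release tarball alone, while the commit message only says the removed 6.1 patches are incorporated in this version. Since the thread lists dated 6.2 patches starting at 20200215, either keep NCURSES_PATCH and point it at the 6.2 patch files (with matching sha256 lines in ncurses.hash), or state in the commit message that no post-release patches are applied and why. If the variable does go away, a short comment in ncurses.mk explaining where the upstream dated patches live would save the next person bumping the version from rediscovering it.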