authorspz <spz@pkgsrc.org>2017-08-08 18:38:21 +0000
committerspz <spz@pkgsrc.org>2017-08-08 18:38:21 +0000
commitd8afaca03abb6e3565cdad619ed64aae87a10e02 (patch)
treee7071cdcd0f72f4f2eb030db160fd533ccb3d12d /devel/ncurses
parent6816e4897d1af413aca30c83367e8badd2d2bdc2 (diff)
patches from
ftp://invisible-island.net/ncurses/6.0/ncurses-6.0-20170701.patch.gz
+ add/improve checks in tic's parser to address invalid input (Redhat #1464684, #1464685, #1464686, #1464691).
  + alloc_entry.c, add a check for a null-pointer.
  + parse_entry.c, add several checks for valid pointers as well as one check to ensure that a single character on a line is not treated as the 2-character termcap short-name.
These address CVE-2017-10684, CVE-2017-10685, CVE-2017-11112 and CVE-2017-11113.
Diffstat (limited to 'devel/ncurses')
-rw-r--r--devel/ncurses/Makefile4
-rw-r--r--devel/ncurses/distinfo4
-rw-r--r--devel/ncurses/patches/patch-ncurses_tinfo_alloc__entry.c28
-rw-r--r--devel/ncurses/patches/patch-ncurses_tinfo_parse__entry.c74
4 files changed, 107 insertions, 3 deletions
diff --git a/devel/ncurses/Makefile b/devel/ncurses/Makefile
index 022db665f4e..ebccb6b9d9f 100644
--- a/devel/ncurses/Makefile
+++ b/devel/ncurses/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.94 2016/12/18 23:30:34 joerg Exp $
+# $NetBSD: Makefile,v 1.95 2017/08/08 18:38:21 spz Exp $
-PKGREVISION= 3
+PKGREVISION= 4
.include "Makefile.common"
COMMENT= CRT screen handling and optimization package
diff --git a/devel/ncurses/distinfo b/devel/ncurses/distinfo
index 5efc2628750..e1ee13961bd 100644
--- a/devel/ncurses/distinfo
+++ b/devel/ncurses/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.31 2016/12/30 11:28:19 wiz Exp $
+$NetBSD: distinfo,v 1.32 2017/08/08 18:38:21 spz Exp $
SHA1 (ncurses-6.0.tar.gz) = acd606135a5124905da770803c05f1f20dd3b21c
RMD160 (ncurses-6.0.tar.gz) = 4d9e5938f00b400bfb0d37f3c54f2f36c4157d48
@@ -11,4 +11,6 @@ SHA1 (patch-aclocal.m4) = efb1a966687d2c35fc3e3e1d5345e80aaf2822f6
SHA1 (patch-c++_Makefile.in) = 974f89c75737a8079977fc35a924b54d32e98df2
SHA1 (patch-configure.in) = 48a705b3f4de3a65c0c1c3648f5a24c5310ed3fa
SHA1 (patch-ncurses_base_MKlib__gen.sh) = f8ce67fbd273529e4161a2820677d05a623fd527
+SHA1 (patch-ncurses_tinfo_alloc__entry.c) = b9f3ab1ba347f9725a97874b0020e14b56341195
SHA1 (patch-ncurses_tinfo_lib__baudrate.c) = e383a11530a3045e729ab8c738e57a9e217a994f
+SHA1 (patch-ncurses_tinfo_parse__entry.c) = c99eb89dcdbf0ad4e05eea9b7f9820a0d4328173
diff --git a/devel/ncurses/patches/patch-ncurses_tinfo_alloc__entry.c b/devel/ncurses/patches/patch-ncurses_tinfo_alloc__entry.c
new file mode 100644
index 00000000000..5a7dd6e453f
--- /dev/null
+++ b/devel/ncurses/patches/patch-ncurses_tinfo_alloc__entry.c
@@ -0,0 +1,28 @@
+$NetBSD: patch-ncurses_tinfo_alloc__entry.c,v 1.1 2017/08/08 18:38:21 spz Exp $
+
+from ftp://invisible-island.net/ncurses/6.0/ncurses-6.0-20170701.patch.gz
++ add/improve checks in tic's parser to address invalid input
+ (Redhat #1464684, #1464685, #1464686, #1464691).
+ + alloc_entry.c, add a check for a null-pointer.
+ + parse_entry.c, add several checks for valid pointers as well as
+ one check to ensure that a single character on a line is not
+ treated as the 2-character termcap short-name.
+
+that's CVE-2017-10684 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113
+
+
+--- ncurses/tinfo/alloc_entry.c.orig 2013-08-17 19:20:38.000000000 +0000
++++ ncurses/tinfo/alloc_entry.c
+@@ -96,7 +96,11 @@ _nc_save_str(const char *const string)
+ {
+ char *result = 0;
+ size_t old_next_free = next_free;
+- size_t len = strlen(string) + 1;
++ size_t len;
++
++ if (string == 0)
++ return _nc_save_str("");
++ len = strlen(string) + 1;
+
+ if (len == 1 && next_free != 0) {
+ /*
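Review bot: The new guard in `_nc_save_str` tests only `string == 0`, so the cancelled-string sentinel that `VALID_STRING` (used in the companion parse_entry.c patch) also rejects would still reach `strlen(string)` if a caller ever passed it. Provided that macro is visible in alloc_entry.c, which this hunk does not show, `if (!VALID_STRING(string)) return _nc_save_str("");` would cover both cases. A one-line comment such as `/* treat a missing string as empty; the parameter is const, so recurse instead of reassigning */` would explain the recursive call. The body of `_nc_save_str` continues past the end of the hunk.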
diff --git a/devel/ncurses/patches/patch-ncurses_tinfo_parse__entry.c b/devel/ncurses/patches/patch-ncurses_tinfo_parse__entry.c
new file mode 100644
index 00000000000..96d7f6f7162
--- /dev/null
+++ b/devel/ncurses/patches/patch-ncurses_tinfo_parse__entry.c
@@ -0,0 +1,74 @@
+$NetBSD: patch-ncurses_tinfo_parse__entry.c,v 1.1 2017/08/08 18:38:21 spz Exp $
+
+from ftp://invisible-island.net/ncurses/6.0/ncurses-6.0-20170701.patch.gz
++ add/improve checks in tic's parser to address invalid input
+ (Redhat #1464684, #1464685, #1464686, #1464691).
+ + alloc_entry.c, add a check for a null-pointer.
+ + parse_entry.c, add several checks for valid pointers as well as
+ one check to ensure that a single character on a line is not
+ treated as the 2-character termcap short-name.
+
+that's CVE-2017-10684 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113
+
+--- ncurses/tinfo/parse_entry.c.orig 2015-04-04 14:18:38.000000000 +0000
++++ ncurses/tinfo/parse_entry.c
+@@ -236,13 +236,14 @@ _nc_parse_entry(struct entry *entryp, in
+ * implemented it. Note that the resulting terminal type was never the
+ * 2-character name, but was instead the first alias after that.
+ */
++#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|')
+ ptr = _nc_curr_token.tk_name;
+ if (_nc_syntax == SYN_TERMCAP
+ #if NCURSES_XNAMES
+ && !_nc_user_definable
+ #endif
+ ) {
+- if (ptr[2] == '|') {
++ if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) {
+ ptr += 3;
+ _nc_curr_token.tk_name[2] = '\0';
+ }
+@@ -284,9 +285,11 @@ _nc_parse_entry(struct entry *entryp, in
+ if (is_use || is_tc) {
+ entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+ entryp->uses[entryp->nuses].line = _nc_curr_line;
+- entryp->nuses++;
+- if (entryp->nuses > 1 && is_tc) {
+- BAD_TC_USAGE
++ if (VALID_STRING(entryp->uses[entryp->nuses].name)) {
++ entryp->nuses++;
++ if (entryp->nuses > 1 && is_tc) {
++ BAD_TC_USAGE
++ }
+ }
+ } else {
+ /* normal token lookup */
+@@ -571,7 +574,7 @@ append_acs0(string_desc * dst, int code,
+ static void
+ append_acs(string_desc * dst, int code, char *src)
+ {
+- if (src != 0 && strlen(src) == 1) {
++ if (VALID_STRING(src) && strlen(src) == 1) {
+ append_acs0(dst, code, *src);
+ }
+ }
+@@ -832,15 +835,14 @@ postprocess_termcap(TERMTYPE *tp, bool h
+ }
+
+ if (tp->Strings[to_ptr->nte_index]) {
++ const char *s = tp->Strings[from_ptr->nte_index];
++ const char *t = tp->Strings[to_ptr->nte_index];
+ /* There's no point in warning about it if it's the same
+ * string; that's just an inefficiency.
+ */
+- if (strcmp(
+- tp->Strings[from_ptr->nte_index],
+- tp->Strings[to_ptr->nte_index]) != 0)
++ if (VALID_STRING(s) && VALID_STRING(t) && strcmp(s, t) != 0)
+ _nc_warning("%s (%s) already has an explicit value %s, ignoring ko",
+- ap->to, ap->from,
+- _nc_visbuf(tp->Strings[to_ptr->nte_index]));
++ ap->to, ap->from, t);
+ continue;
+ }
+
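Review bot: In the `postprocess_termcap` hunk the warning now prints `t` directly where the removed line passed the same string through `_nc_visbuf()`, so control and escape bytes from the termcap entry being compiled reach the diagnostic output unescaped. Because `VALID_STRING(t)` has already been tested in the same condition, the escaping can be kept safely with `ap->to, ap->from, _nc_visbuf(t));`. `postprocess_termcap` starts and ends outside the hunk, so this assumes `_nc_visbuf` is still in scope there, as it was on the removed line.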