tcsh-6.19.00-034-fix-out-of-bounds-read.patch added

To fix crashing when pressing TAB for auto-completion, etc.

  This might be possible security issue, fixing this pre-emptively.

tcsh-6.19.00-032-fix-multiline-prompt.patch

@@ -0,0 +1,66 @@
+From b0a4d13dadbc96fd9950ee67fe4d6241faad56e5 Mon Sep 17 00:00:00 2001
+From: christos <christos>
+Date: Sun, 17 Jul 2016 15:02:44 +0000
+Subject: [PATCH 1/2] For multiline prompt (do control chars first).
+Kensuke Iwahashi/David Kaspar: set prompt="%~\n%%" ctrl-p, ctrl-u
+
+---
+ tc.nls.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/tc.nls.c b/tc.nls.c
+index 6158097..60ce2f7 100644
+--- a/tc.nls.c
++++ b/tc.nls.c
+@@ -143,6 +143,13 @@ NLSClassify(Char c, int nocomb, int drawPrompt)
+ 	if (c >= 0x10000)		/*    U+10000 = F0 90 80 80 */
+ 	    return NLSCLASS_ILLEGAL2;
+     }
++    if (Iscntrl(c) && (c & CHAR) < 0x100) {
++	if (c == '\n')
++	    return NLSCLASS_NL;
++	if (c == '\t')
++	    return NLSCLASS_TAB;
++	return NLSCLASS_CTRL;
++    }
+     w = NLSWidth(c);
+     if (drawPrompt) {			/* draw prompt */
+ 	if (w > 0)
+@@ -152,12 +159,5 @@ NLSClassify(Char c, int nocomb, int drawPrompt)
+     }
+     if ((w > 0 && !(Iscntrl(c) && (c & CHAR) < 0x100)) || (Isprint(c) && !nocomb))
+ 	return w;
+-    if (Iscntrl(c) && (c & CHAR) < 0x100) {
+-	if (c == '\n')
+-	    return NLSCLASS_NL;
+-	if (c == '\t')
+-	    return NLSCLASS_TAB;
+-	return NLSCLASS_CTRL;
+-    }
+     return NLSCLASS_ILLEGAL;
+ }
+-- 
+2.5.5
+
+
+From 8d61ab6c7e7ad2db3fca0ad51e216c49bca14125 Mon Sep 17 00:00:00 2001
+From: christos <christos>
+Date: Sun, 17 Jul 2016 15:03:34 +0000
+Subject: [PATCH 2/2] mention multi-line prompt fix.
+
+---
+ Fixes | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Fixes b/Fixes
+index 981d676..c1b4537 100644
+--- a/Fixes
++++ b/Fixes
+@@ -1,3 +1,4 @@
++ 14. Fix drawing issu with multi-line prompt (Kensuke Iwahashi/David Kaspar)
+  12. PR/526: Fix double \\ printing from previous fix in history expansion.
+  10. PR/526: Quote backslashes properly so they can be preserved in ``
+      expansions
+-- 
+2.5.5
+

tcsh-6.19.00-033-type-of-read-in-prompt-confirm.patch

@@ -0,0 +1,49 @@
+From 7275e31da65bf6e9c20bbd0dc054df550c2caf2d Mon Sep 17 00:00:00 2001
+From: christos <christos>
+Date: Mon, 28 Nov 2016 17:14:20 +0000
+Subject: [PATCH] Fix type of read in prompt confirmation (eg. rmstar) (David
+ Kaspar)
+
+---
+ Fixes     | 1 +
+ sh.func.c | 8 +++++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/Fixes b/Fixes
+index c1b4537..2b7b55f 100644
+--- a/Fixes
++++ b/Fixes
+@@ -1,3 +1,4 @@
++ 22. Fix type of read in prompt confirmation (eg. rmstar) (David Kaspar)
+  14. Fix drawing issu with multi-line prompt (Kensuke Iwahashi/David Kaspar)
+  12. PR/526: Fix double \\ printing from previous fix in history expansion.
+  10. PR/526: Quote backslashes properly so they can be preserved in ``
+diff --git a/sh.func.c b/sh.func.c
+index 7cba84d..42c74c6 100644
+--- a/sh.func.c
++++ b/sh.func.c
+@@ -2726,16 +2726,18 @@ nlsclose(void)
+ int
+ getYN(const char *prompt)
+ {
+-    int doit, c;
++    int doit;
++    char c;
++
+     xprintf("%s", prompt);
+     flush();
+-    (void) force_read(SHIN, &c, 1);
++    (void) force_read(SHIN, &c, sizeof(c));
+     /* 
+      * Perhaps we should use the yesexpr from the
+      * actual locale
+      */
+     doit = (strchr(CGETS(22, 14, "Yy"), c) != NULL);
+-    while (c != '\n' && force_read(SHIN, &c, 1) == 1)
++    while (c != '\n' && force_read(SHIN, &c, sizeof(c)) == sizeof(c))
+ 	continue;
+     return doit;
+ }
+-- 
+2.7.4
+

tcsh-6.19.00-034-fix-out-of-bounds-read.patch

@@ -0,0 +1,26 @@
+From 6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 Mon Sep 17 00:00:00 2001
+From: christos <christos>
+Date: Fri, 2 Dec 2016 16:59:28 +0000
+Subject: [PATCH] Fix out of bounds read (Brooks Davis) (reproduce by starting
+ tcsh and hitting tab at the prompt)
+
+---
+ ed.chared.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ed.chared.c b/ed.chared.c
+index 1277e53..310393e 100644
+--- a/ed.chared.c
++++ b/ed.chared.c
+@@ -750,7 +750,7 @@ c_substitute(void)
+     /*
+      * If we found a history character, go expand it.
+      */
+-    if (HIST != '\0' && *p == HIST)
++    if (p >= InputBuf && HIST != '\0' && *p == HIST)
+ 	nr_exp = c_excl(p);
+     else
+         nr_exp = 0;
+-- 
+2.7.4
+

tcsh.spec

@@ -1,7 +1,7 @@
 Name: tcsh
 Summary: An enhanced version of csh, the C shell
 Version: 6.19.00
-Release: 9%{?dist}
+Release: 12%{?dist}
 License: BSD
 Group: System Environment/Shells
 URL: http://www.tcsh.org/
@@ -19,7 +19,7 @@ BuildRequires: git
 BuildRequires: ncurses-devel
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-Source: ftp://ftp.astron.com/pub/tcsh/%{name}-%{version}.tar.gz
+Source: ftp://ftp.astron.com/pub/tcsh/old/%{name}-%{version}.tar.gz
 
 # NOTE: 'autosetup' macro (below) uses 'git' for applying the patches:
 #       ->> All the patches should be provided in 'git format-patch' format.
@@ -58,6 +58,9 @@ Patch026: tcsh-6.19.00-026-quote-backslashes-properly.patch
 Patch027: tcsh-6.19.00-027-fix-memory-leak-when-cdpath-fails.patch
 Patch028: tcsh-6.19.00-028-fix-wrong-ifdef.patch
 Patch029: tcsh-6.19.00-029-do-not-print-jobs-to-stderr.patch
+Patch032: tcsh-6.19.00-032-fix-multiline-prompt.patch
+Patch033: tcsh-6.19.00-033-type-of-read-in-prompt-confirm.patch
+Patch034: tcsh-6.19.00-034-fix-out-of-bounds-read.patch
 
 
 # Downstream patches -- these should be always included when doing rebase:
@@ -176,6 +179,18 @@ fi
 
 
 %changelog
+* Mon Dec  5 2016 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 6.19.00-12
+- Added tcsh-6.19.00-034-fix-out-of-bounds-read.patch
+
+* Tue Nov 29 2016 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 6.19.00-12
+- Updated link to upstream source code after their new release
+
+* Tue Nov 29 2016 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 6.19.00-11
+- Added tcsh-6.19.00-033-type-of-read-in-prompt-confirm.patch (bug #1386129)
+
+* Mon Jul 18 2016 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 6.19.00-10
+- Added tcsh-6.19.00-032-fix-multiline-prompt.patch (bug #1351056)
+
 * Fri May 27 2016 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 6.19.00-9
 - Another regression in tcsh-6.19.00-026-quote-backslashes-properly.patch fixed, see:
   <https://bugzilla.redhat.com/show_bug.cgi?id=1334751#c9>
@@ -703,5 +718,5 @@ fi
 - built against glibc
 
 * Fri Feb 07 1997 Erik Troan <ewt@redhat.com>
- - Provides csh, adds and removes /bin/csh from /etc/shells if csh package
+- Provides csh, adds and removes /bin/csh from /etc/shells if csh package
 isn't installed.