diff options
Diffstat (limited to 'meta/recipes-extended/screen/screen/CVE-2020-9366.patch')
-rw-r--r-- | meta/recipes-extended/screen/screen/CVE-2020-9366.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-extended/screen/screen/CVE-2020-9366.patch b/meta/recipes-extended/screen/screen/CVE-2020-9366.patch new file mode 100644 index 0000000000..a52b9e6e68 --- /dev/null +++ b/meta/recipes-extended/screen/screen/CVE-2020-9366.patch @@ -0,0 +1,48 @@ +From 8ce90c1d3d5bece150479d8bc9303fd9d9f45e03 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net> +Date: Thu, 30 Jan 2020 17:56:27 +0100 +Subject: [PATCH] Fix out of bounds access when setting w_xtermosc after OSC 49 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net> +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +echo -e "\e]49\e; \n\ec" +crashes screen. + +This happens because 49 is divided by 10 and used as table index +resulting in access to w_xtermosc[4], which is out of bounds with table +itself being size 4. Increase size of table by 1 to 5, which is enough +for all current uses. + +As this overwrites memory based on user input it is potential security +issue. + +Reported-by: pippin@gimp.org +Signed-off-by: Amadeusz Sławiński <amade@asmblr.net> + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?h=v.4.8.0&id=68386dfb1fa33471372a8cd2e74686758a2f527b] +CVE: CVE-2020-9366 +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> + +--- + window.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/window.h b/window.h +index bd10dcd..a8afa19 100644 +--- a/window.h ++++ b/window.h +@@ -237,7 +237,7 @@ struct win + char w_vbwait; + char w_norefresh; /* dont redisplay when switching to that win */ + #ifdef RXVT_OSC +- char w_xtermosc[4][MAXSTR]; /* special xterm/rxvt escapes */ ++ char w_xtermosc[5][MAXSTR]; /* special xterm/rxvt escapes */ + #endif + int w_mouse; /* mouse mode 0,9,1000 */ + #ifdef HAVE_BRAILLE |