From d5065e2b1c49fa65627f0adec8e42190ebccb572 Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Mon, 2 Nov 2015 11:03:26 +0000 Subject: vte: fix DoS from malicious escape sequence (CVE-2012-2738) Backport a fix from upstream to fix a denial of service via a malicious escape sequence. [YOCTO #8617] Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- .../vte/vte-0.28.2/cve-2012-2738.patch | 135 +++++++++++++++++++++ meta/recipes-support/vte/vte_0.28.2.bb | 3 +- 2 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch (limited to 'meta/recipes-support/vte') diff --git a/meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch b/meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch new file mode 100644 index 0000000000..2407771804 --- /dev/null +++ b/meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch @@ -0,0 +1,135 @@ +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From e524b0b3bd8fad844ffa73927c199545b892cdbd Mon Sep 17 00:00:00 2001 +From: Christian Persch +Date: Sat, 19 May 2012 19:36:09 +0200 +Subject: [PATCH 1/2] emulation: Limit integer arguments to 65535 + +To guard against malicious sequences containing excessively big numbers, +limit all parsed numbers to 16 bit range. Doing this here in the parsing +routine is a catch-all guard; this doesn't preclude enforcing +more stringent limits in the handlers themselves. + +https://bugzilla.gnome.org/show_bug.cgi?id=676090 +--- + src/table.c | 2 +- + src/vteseq.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/table.c b/src/table.c +index 140e8c8..85cf631 100644 +--- a/src/table.c ++++ b/src/table.c +@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array, + if (G_UNLIKELY (*array == NULL)) { + *array = g_value_array_new(1); + } +- g_value_set_long(&value, total); ++ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT)); + g_value_array_append(*array, &value); + } while (i++ < arginfo->length); + g_value_unset(&value); +diff --git a/src/vteseq.c b/src/vteseq.c +index 7ef4c8c..10991db 100644 +--- a/src/vteseq.c ++++ b/src/vteseq.c +@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal, + GValueArray *params, + VteTerminalSequenceHandler handler) + { +- vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG); ++ vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT); + } + + static void +-- +2.4.9 (Apple Git-60) + + +From cf1ad453a8def873c49cf6d88162593402f32bb2 Mon Sep 17 00:00:00 2001 +From: Christian Persch +Date: Sat, 19 May 2012 20:04:12 +0200 +Subject: [PATCH 2/2] emulation: Limit repetitions + +Don't allow malicious sequences to cause excessive repetitions. + +https://bugzilla.gnome.org/show_bug.cgi?id=676090 +--- + src/vteseq.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/src/vteseq.c b/src/vteseq.c +index 10991db..209522f 100644 +--- a/src/vteseq.c ++++ b/src/vteseq.c +@@ -1392,7 +1392,7 @@ vte_sequence_handler_dc (VteTerminal *terminal, GValueArray *params) + static void + vte_sequence_handler_DC (VteTerminal *terminal, GValueArray *params) + { +- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_dc); ++ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_dc); + } + + /* Delete a line at the current cursor position. */ +@@ -1785,7 +1785,7 @@ vte_sequence_handler_reverse_index (VteTerminal *terminal, GValueArray *params) + static void + vte_sequence_handler_RI (VteTerminal *terminal, GValueArray *params) + { +- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_nd); ++ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_nd); + } + + /* Save cursor (position). */ +@@ -2777,8 +2777,7 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params) + { + GValue *value; + VteScreen *screen; +- long param, end, row; +- int i; ++ long param, end, row, i, limit; + screen = terminal->pvt->screen; + /* The default is one. */ + param = 1; +@@ -2796,7 +2795,13 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params) + } else { + end = screen->insert_delta + terminal->row_count - 1; + } +- /* Insert the new lines at the cursor. */ ++ ++ /* Only allow to insert as many lines as there are between this row ++ * and the end of the scrolling region. See bug #676090. ++ */ ++ limit = end - row + 1; ++ param = MIN (param, limit); ++ + for (i = 0; i < param; i++) { + /* Clear a line off the end of the region and add one to the + * top of the region. */ +@@ -2817,8 +2822,7 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params) + { + GValue *value; + VteScreen *screen; +- long param, end, row; +- int i; ++ long param, end, row, i, limit; + + screen = terminal->pvt->screen; + /* The default is one. */ +@@ -2837,6 +2841,13 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params) + } else { + end = screen->insert_delta + terminal->row_count - 1; + } ++ ++ /* Only allow to delete as many lines as there are between this row ++ * and the end of the scrolling region. See bug #676090. ++ */ ++ limit = end - row + 1; ++ param = MIN (param, limit); ++ + /* Clear them from below the current cursor. */ + for (i = 0; i < param; i++) { + /* Insert a line at the end of the region and remove one from +-- +2.4.9 (Apple Git-60) + diff --git a/meta/recipes-support/vte/vte_0.28.2.bb b/meta/recipes-support/vte/vte_0.28.2.bb index b1025cb0e5..8b4e7f71de 100644 --- a/meta/recipes-support/vte/vte_0.28.2.bb +++ b/meta/recipes-support/vte/vte_0.28.2.bb @@ -4,7 +4,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7" PR = "r6" -SRC_URI += "file://obsolete_automake_macros.patch" +SRC_URI += "file://obsolete_automake_macros.patch \ + file://cve-2012-2738.patch" CFLAGS += "-D_GNU_SOURCE" -- cgit 1.2.3-korg