xterm: Security fix for CVE-2021-27135

Source: Debian.org
MR: 108848
Type: Security Fix
Disposition: Backport from https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff
ChangeID: 00f53def87b8b95e62908581f8fb56a69118dd32
Description:

xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence.

This fixes CVE-2021-27135.
Leverage a patch from Debian.

Signed-off-by: Armin Kuster <akuster@mvista.com>

2 files changed, 69 insertions, 0 deletions

diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch
new file mode 100644
index 00000000000..937b2176aa2
--- /dev/null
+++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch
@@ -0,0 +1,68 @@
+Description: Fix for CVE-2021-27135 from xterm 366
+ Correct upper-limit for selection buffer, accounting for
+ combining characters (report by Tavis Ormandy).
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff
+CVE: CVE-2021-27135
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ button.c |   29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+Index: xterm-353/button.c
+===================================================================
+--- xterm-353.orig/button.c
++++ xterm-353/button.c
+@@ -3928,6 +3928,7 @@ SaltTextAway(XtermWidget xw,
+     int i;
+     int eol;
+     int need = 0;
++    size_t have = 0;
+     Char *line;
+     Char *lp;
+     CELL first = *cellc;
+@@ -3962,7 +3963,11 @@ SaltTextAway(XtermWidget xw,
+ 
+     /* UTF-8 may require more space */
+     if_OPT_WIDE_CHARS(screen, {
+-	need *= 4;
++	if (need > 0) {
++	    if (screen->max_combining > 0)
++		need += screen->max_combining;
++	    need *= 6;
++	}
+     });
+ 
+     /* now get some memory to save it in */
+@@ -4000,10 +4005,26 @@ SaltTextAway(XtermWidget xw,
+     }
+     *lp = '\0';			/* make sure we have end marked */
+ 
+-    TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line),
+-	   visibleChars(line, (unsigned) (lp - line))));
++    have = (size_t) (lp - line);
++    /*
++     * Scanning the buffer twice is unnecessary.  Discard unwanted memory if
++     * the estimate is too-far off.
++     */
++    if ((have * 2) < (size_t) need) {
++	Char *next;
++	scp->data_limit = have + 1;
++	next = realloc(line, scp->data_limit);
++	if (next == NULL) {
++	    free(line);
++	    scp->data_length = 0;
++	    scp->data_limit = 0;
++	}
++	scp->data_buffer = next;
++    }
++    scp->data_length = have;
+ 
+-    scp->data_length = (size_t) (lp - line);
++    TRACE(("Salted TEXT:%u:%s\n", (unsigned) have,
++	   visibleChars(scp->data_buffer, (unsigned) have)));
+ }
+ 
+ #if OPT_PASTE64
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
index 06c285924d6..264320212cc 100644
--- a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
+++ b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://xterm.h;beginline=3;endline=31;md5=996b1ce0584c0747b1
 
 SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
            file://0001-Add-configure-time-check-for-setsid.patch \
+           file://CVE-2021-27135.patch \
           "
 
 SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f"