r35404 - in /attic/vte/debian: changelog patches/03_CVE-2012-2738.patch patches/04_CVE-2012-2738.patch patches/series

joss at users.alioth.debian.org joss at users.alioth.debian.org
Sat Jun 23 14:02:58 UTC 2012 

Author: joss
Date: Sat Jun 23 14:02:56 2012
New Revision: 35404

URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=35404
Log:
03_CVE-2012-2738.patch, 04_CVE-2012-2738.patch: backport upstream 
patches to fix a memory exhaustion vulnerability. Closes: #677717.

Added:
    attic/vte/debian/patches/03_CVE-2012-2738.patch
    attic/vte/debian/patches/04_CVE-2012-2738.patch
Modified:
    attic/vte/debian/changelog
    attic/vte/debian/patches/series

Modified: attic/vte/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/attic/vte/debian/changelog?rev=35404&op=diff
==============================================================================
--- attic/vte/debian/changelog [utf-8] (original)
+++ attic/vte/debian/changelog [utf-8] Sat Jun 23 14:02:56 2012
@@ -1,8 +1,10 @@
-vte (1:0.28.2-5) UNRELEASED; urgency=low
+vte (1:0.28.2-5) unstable; urgency=medium
 
   * Update repository URL.
-
- -- Josselin Mouette <joss at debian.org>  Sat, 31 Dec 2011 14:57:53 +0100
+  * 03_CVE-2012-2738.patch, 04_CVE-2012-2738.patch: backport upstream 
+    patches to fix a memory exhaustion vulnerability. Closes: #677717.
+
+ -- Josselin Mouette <joss at debian.org>  Sat, 23 Jun 2012 16:02:46 +0200
 
 vte (1:0.28.2-4) unstable; urgency=low
 

Added: attic/vte/debian/patches/03_CVE-2012-2738.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/attic/vte/debian/patches/03_CVE-2012-2738.patch?rev=35404&op=file
==============================================================================
--- attic/vte/debian/patches/03_CVE-2012-2738.patch (added)
+++ attic/vte/debian/patches/03_CVE-2012-2738.patch [utf-8] Sat Jun 23 14:02:56 2012
@@ -1,0 +1,40 @@
+From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe at gnome.org>
+Date: Sat, 19 May 2012 17:36:09 +0000
+Subject: emulation: Limit integer arguments to 65535
+
+To guard against malicious sequences containing excessively big numbers,
+limit all parsed numbers to 16 bit range. Doing this here in the parsing
+routine is a catch-all guard; this doesn't preclude enforcing
+more stringent limits in the handlers themselves.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=676090
+---
+diff --git a/src/table.c b/src/table.c
+index 140e8c8..85cf631 100644
+--- a/src/table.c
++++ b/src/table.c
+@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
+ 		if (G_UNLIKELY (*array == NULL)) {
+ 			*array = g_value_array_new(1);
+ 		}
+-		g_value_set_long(&value, total);
++		g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
+ 		g_value_array_append(*array, &value);
+ 	} while (i++ < arginfo->length);
+ 	g_value_unset(&value);
+diff --git a/src/vteseq.c b/src/vteseq.c
+index 457c06a..46def5b 100644
+--- a/src/vteseq.c
++++ b/src/vteseq.c
+@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
+                               GValueArray *params,
+                               VteTerminalSequenceHandler handler)
+ {
+-        vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG);
++        vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT);
+ }
+ 
+ static void
+--
+cgit v0.9.0.2

Added: attic/vte/debian/patches/04_CVE-2012-2738.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/attic/vte/debian/patches/04_CVE-2012-2738.patch?rev=35404&op=file
==============================================================================
--- attic/vte/debian/patches/04_CVE-2012-2738.patch (added)
+++ attic/vte/debian/patches/04_CVE-2012-2738.patch [utf-8] Sat Jun 23 14:02:56 2012
@@ -1,0 +1,82 @@
+From 98ce2f265f986fb88c38d508286bb5e3716b9e74 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe at gnome.org>
+Date: Sat, 19 May 2012 18:04:12 +0000
+Subject: emulation: Limit repetitions
+
+Don't allow malicious sequences to cause excessive repetitions.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=676090
+---
+diff --git a/src/vteseq.c b/src/vteseq.c
+index 46def5b..7fb4707 100644
+--- a/src/vteseq.c
++++ b/src/vteseq.c
+@@ -1397,7 +1397,7 @@ vte_sequence_handler_dc (VteTerminal *terminal, GValueArray *params)
+ static void
+ vte_sequence_handler_DC (VteTerminal *terminal, GValueArray *params)
+ {
+-	vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_dc);
++	vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_dc);
+ }
+ 
+ /* Delete a line at the current cursor position. */
+@@ -1790,7 +1790,7 @@ vte_sequence_handler_reverse_index (VteTerminal *terminal, GValueArray *params)
+ static void
+ vte_sequence_handler_RI (VteTerminal *terminal, GValueArray *params)
+ {
+-	vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_nd);
++	vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_nd);
+ }
+ 
+ /* Save cursor (position). */
+@@ -2782,8 +2782,7 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params)
+ {
+ 	GValue *value;
+ 	VteScreen *screen;
+-	long param, end, row;
+-	int i;
++	long param, end, row, i, limit;
+ 	screen = terminal->pvt->screen;
+ 	/* The default is one. */
+ 	param = 1;
+@@ -2801,7 +2800,13 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params)
+ 	} else {
+ 		end = screen->insert_delta + terminal->row_count - 1;
+ 	}
+-	/* Insert the new lines at the cursor. */
++
++	/* Only allow to insert as many lines as there are between this row
++         * and the end of the scrolling region. See bug #676090.
++         */
++        limit = end - row + 1;
++        param = MIN (param, limit);
++
+ 	for (i = 0; i < param; i++) {
+ 		/* Clear a line off the end of the region and add one to the
+ 		 * top of the region. */
+@@ -2822,8 +2827,7 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params)
+ {
+ 	GValue *value;
+ 	VteScreen *screen;
+-	long param, end, row;
+-	int i;
++	long param, end, row, i, limit;
+ 
+ 	screen = terminal->pvt->screen;
+ 	/* The default is one. */
+@@ -2842,6 +2846,13 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params)
+ 	} else {
+ 		end = screen->insert_delta + terminal->row_count - 1;
+ 	}
++
++        /* Only allow to delete as many lines as there are between this row
++         * and the end of the scrolling region. See bug #676090.
++         */
++        limit = end - row + 1;
++        param = MIN (param, limit);
++
+ 	/* Clear them from below the current cursor. */
+ 	for (i = 0; i < param; i++) {
+ 		/* Insert a line at the end of the region and remove one from
+--
+cgit v0.9.0.2

Modified: attic/vte/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnome/attic/vte/debian/patches/series?rev=35404&op=diff
==============================================================================
--- attic/vte/debian/patches/series [utf-8] (original)
+++ attic/vte/debian/patches/series [utf-8] Sat Jun 23 14:02:56 2012
@@ -1,4 +1,6 @@
 01_scroll_notebook.patch
 02_meta.patch
+03_CVE-2012-2738.patch
+04_CVE-2012-2738.patch
 25_optional-ncurses.patch
 60_termcap-home-end.patch

More information about the pkg-gnome-commits mailing list