From 7d48938a590c676e6f140a976bfcf26aadeb008a Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Mon, 30 May 2016 11:53:45 +0300 Subject: [PATCH] gnu: vte-0.28: Fix CVE-2012-2738. * gnu/packages/gnome.scm (vte-0.28)[source]: Add patches. * gnu/packages/patches/vte-CVE-2012-2738-pt1.patch, gnu/packages/patches/vte-CVE-2012-2738-pt2.patch: New variables. * gnu/local.mk (dist_patch_DATA): Add them. --- gnu/local.mk | 2 + gnu/packages/gnome.scm | 5 +- .../patches/vte-CVE-2012-2738-pt1.patch | 40 +++++++++ .../patches/vte-CVE-2012-2738-pt2.patch | 82 +++++++++++++++++++ 4 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/vte-CVE-2012-2738-pt1.patch create mode 100644 gnu/packages/patches/vte-CVE-2012-2738-pt2.patch diff --git a/gnu/local.mk b/gnu/local.mk index 1f2c2dd24d..dc1b521b6e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -779,6 +779,8 @@ dist_patch_DATA = \ %D%/packages/patches/vorbis-tools-CVE-2014-9640.patch \ %D%/packages/patches/vorbis-tools-CVE-2015-6749.patch \ %D%/packages/patches/vpnc-script.patch \ + %D%/packages/patches/vte-CVE-2012-2738-pt1.patch \ + %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \ %D%/packages/patches/vtk-mesa-10.patch \ %D%/packages/patches/w3m-libgc.patch \ %D%/packages/patches/w3m-force-ssl_verify_server-on.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 04d9bb75bd..0d9c946fd5 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -1820,7 +1820,10 @@ (define-public vte/gtk+-2 name "-" version ".tar.xz")) (sha256 (base32 - "1bmhahkf8wdsra9whd3k5l5z4rv7r58ksr8mshzajgq2ma0hpkw6")))) + "1bmhahkf8wdsra9whd3k5l5z4rv7r58ksr8mshzajgq2ma0hpkw6")) + (patches (search-patches + "vte-CVE-2012-2738-pt1.patch" + "vte-CVE-2012-2738-pt2.patch")))) (arguments '(#:configure-flags '("--disable-python"))) (native-inputs diff --git a/gnu/packages/patches/vte-CVE-2012-2738-pt1.patch b/gnu/packages/patches/vte-CVE-2012-2738-pt1.patch new file mode 100644 index 0000000000..fd45407939 --- /dev/null +++ b/gnu/packages/patches/vte-CVE-2012-2738-pt1.patch @@ -0,0 +1,40 @@ +From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001 +From: Christian Persch +Date: Sat, 19 May 2012 17:36:09 +0000 +Subject: emulation: Limit integer arguments to 65535 + +To guard against malicious sequences containing excessively big numbers, +limit all parsed numbers to 16 bit range. Doing this here in the parsing +routine is a catch-all guard; this doesn't preclude enforcing +more stringent limits in the handlers themselves. + +https://bugzilla.gnome.org/show_bug.cgi?id=676090 +--- +diff --git a/src/table.c b/src/table.c +index 140e8c8..85cf631 100644 +--- a/src/table.c ++++ b/src/table.c +@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array, + if (G_UNLIKELY (*array == NULL)) { + *array = g_value_array_new(1); + } +- g_value_set_long(&value, total); ++ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT)); + g_value_array_append(*array, &value); + } while (i++ < arginfo->length); + g_value_unset(&value); +diff --git a/src/vteseq.c b/src/vteseq.c +index 457c06a..46def5b 100644 +--- a/src/vteseq.c ++++ b/src/vteseq.c +@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal, + GValueArray *params, + VteTerminalSequenceHandler handler) + { +- vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG); ++ vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT); + } + + static void +-- +cgit v0.9.0.2 diff --git a/gnu/packages/patches/vte-CVE-2012-2738-pt2.patch b/gnu/packages/patches/vte-CVE-2012-2738-pt2.patch new file mode 100644 index 0000000000..e98fd35b95 --- /dev/null +++ b/gnu/packages/patches/vte-CVE-2012-2738-pt2.patch @@ -0,0 +1,82 @@ +From 98ce2f265f986fb88c38d508286bb5e3716b9e74 Mon Sep 17 00:00:00 2001 +From: Christian Persch +Date: Sat, 19 May 2012 18:04:12 +0000 +Subject: emulation: Limit repetitions + +Don't allow malicious sequences to cause excessive repetitions. + +https://bugzilla.gnome.org/show_bug.cgi?id=676090 +--- +diff --git a/src/vteseq.c b/src/vteseq.c +index 46def5b..7fb4707 100644 +--- a/src/vteseq.c ++++ b/src/vteseq.c +@@ -1397,7 +1397,7 @@ vte_sequence_handler_dc (VteTerminal *terminal, GValueArray *params) + static void + vte_sequence_handler_DC (VteTerminal *terminal, GValueArray *params) + { +- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_dc); ++ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_dc); + } + + /* Delete a line at the current cursor position. */ +@@ -1790,7 +1790,7 @@ vte_sequence_handler_reverse_index (VteTerminal *terminal, GValueArray *params) + static void + vte_sequence_handler_RI (VteTerminal *terminal, GValueArray *params) + { +- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_nd); ++ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_nd); + } + + /* Save cursor (position). */ +@@ -2782,8 +2782,7 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params) + { + GValue *value; + VteScreen *screen; +- long param, end, row; +- int i; ++ long param, end, row, i, limit; + screen = terminal->pvt->screen; + /* The default is one. */ + param = 1; +@@ -2801,7 +2800,13 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params) + } else { + end = screen->insert_delta + terminal->row_count - 1; + } +- /* Insert the new lines at the cursor. */ ++ ++ /* Only allow to insert as many lines as there are between this row ++ * and the end of the scrolling region. See bug #676090. ++ */ ++ limit = end - row + 1; ++ param = MIN (param, limit); ++ + for (i = 0; i < param; i++) { + /* Clear a line off the end of the region and add one to the + * top of the region. */ +@@ -2822,8 +2827,7 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params) + { + GValue *value; + VteScreen *screen; +- long param, end, row; +- int i; ++ long param, end, row, i, limit; + + screen = terminal->pvt->screen; + /* The default is one. */ +@@ -2842,6 +2846,13 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params) + } else { + end = screen->insert_delta + terminal->row_count - 1; + } ++ ++ /* Only allow to delete as many lines as there are between this row ++ * and the end of the scrolling region. See bug #676090. ++ */ ++ limit = end - row + 1; ++ param = MIN (param, limit); ++ + /* Clear them from below the current cursor. */ + for (i = 0; i < param; i++) { + /* Insert a line at the end of the region and remove one from +-- +cgit v0.9.0.2