diff options
author | Armin Kuster <akuster@mvista.com> | 2021-08-22 11:56:47 -0700 |
---|---|---|
committer | Armin Kuster <akuster@mvista.com> | 2021-08-24 21:25:43 -0700 |
commit | 0fc9d446d17391e33dfb5e6d42313a5bd38fd930 (patch) | |
tree | aadc921e222c0c0175fbef31760ef9b54ceca614 | |
parent | 4a0d93d250576177e1237fa559f55c4f9d371809 (diff) | |
download | meta-openembedded-0fc9d446d17391e33dfb5e6d42313a5bd38fd930.tar.gz |
xterm: Security fix for CVE-2021-27135
Source: Debian.org
MR: 108848
Type: Security Fix
Disposition: Backport from https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff
ChangeID: 00f53def87b8b95e62908581f8fb56a69118dd32
Description:
xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
This fixes CVE-2021-27135.
Leverage a patch from Debian.
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r-- | meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch | 68 | ||||
-rw-r--r-- | meta-oe/recipes-graphics/xorg-app/xterm_353.bb | 1 |
2 files changed, 69 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch new file mode 100644 index 000000000..937b2176a --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch | |||
@@ -0,0 +1,68 @@ | |||
1 | Description: Fix for CVE-2021-27135 from xterm 366 | ||
2 | Correct upper-limit for selection buffer, accounting for | ||
3 | combining characters (report by Tavis Ormandy). | ||
4 | |||
5 | Upstream-Status: Backport | ||
6 | https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff | ||
7 | CVE: CVE-2021-27135 | ||
8 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
9 | |||
10 | --- | ||
11 | button.c | 29 +++++++++++++++++++++++++---- | ||
12 | 1 file changed, 25 insertions(+), 4 deletions(-) | ||
13 | |||
14 | Index: xterm-353/button.c | ||
15 | =================================================================== | ||
16 | --- xterm-353.orig/button.c | ||
17 | +++ xterm-353/button.c | ||
18 | @@ -3928,6 +3928,7 @@ SaltTextAway(XtermWidget xw, | ||
19 | int i; | ||
20 | int eol; | ||
21 | int need = 0; | ||
22 | + size_t have = 0; | ||
23 | Char *line; | ||
24 | Char *lp; | ||
25 | CELL first = *cellc; | ||
26 | @@ -3962,7 +3963,11 @@ SaltTextAway(XtermWidget xw, | ||
27 | |||
28 | /* UTF-8 may require more space */ | ||
29 | if_OPT_WIDE_CHARS(screen, { | ||
30 | - need *= 4; | ||
31 | + if (need > 0) { | ||
32 | + if (screen->max_combining > 0) | ||
33 | + need += screen->max_combining; | ||
34 | + need *= 6; | ||
35 | + } | ||
36 | }); | ||
37 | |||
38 | /* now get some memory to save it in */ | ||
39 | @@ -4000,10 +4005,26 @@ SaltTextAway(XtermWidget xw, | ||
40 | } | ||
41 | *lp = '\0'; /* make sure we have end marked */ | ||
42 | |||
43 | - TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line), | ||
44 | - visibleChars(line, (unsigned) (lp - line)))); | ||
45 | + have = (size_t) (lp - line); | ||
46 | + /* | ||
47 | + * Scanning the buffer twice is unnecessary. Discard unwanted memory if | ||
48 | + * the estimate is too-far off. | ||
49 | + */ | ||
50 | + if ((have * 2) < (size_t) need) { | ||
51 | + Char *next; | ||
52 | + scp->data_limit = have + 1; | ||
53 | + next = realloc(line, scp->data_limit); | ||
54 | + if (next == NULL) { | ||
55 | + free(line); | ||
56 | + scp->data_length = 0; | ||
57 | + scp->data_limit = 0; | ||
58 | + } | ||
59 | + scp->data_buffer = next; | ||
60 | + } | ||
61 | + scp->data_length = have; | ||
62 | |||
63 | - scp->data_length = (size_t) (lp - line); | ||
64 | + TRACE(("Salted TEXT:%u:%s\n", (unsigned) have, | ||
65 | + visibleChars(scp->data_buffer, (unsigned) have))); | ||
66 | } | ||
67 | |||
68 | #if OPT_PASTE64 | ||
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb index 06c285924..264320212 100644 --- a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb +++ b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb | |||
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://xterm.h;beginline=3;endline=31;md5=996b1ce0584c0747b1 | |||
6 | 6 | ||
7 | SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \ | 7 | SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \ |
8 | file://0001-Add-configure-time-check-for-setsid.patch \ | 8 | file://0001-Add-configure-time-check-for-setsid.patch \ |
9 | file://CVE-2021-27135.patch \ | ||
9 | " | 10 | " |
10 | 11 | ||
11 | SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f" | 12 | SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f" |