1 files changed, 68 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch
new file mode 100644
index 000000000..937b2176a
--- /dev/null
+++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch
@@ -0,0 +1,68 @@
+Description: Fix for CVE-2021-27135 from xterm 366
+ Correct upper-limit for selection buffer, accounting for
+ combining characters (report by Tavis Ormandy).
+Upstream-Status: Backport
+https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff
+CVE: CVE-2021-27135
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ button.c |   29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+Index: xterm-353/button.c
+===================================================================
+--- xterm-353.orig/button.c
+++ xterm-353/button.c
+@@ -3928,6 +3928,7 @@ SaltTextAway(XtermWidget xw,
+     int i;
+     int eol;
+     int need = 0;
+    size_t have = 0;
+     Char *line;
+     Char *lp;
+     CELL first = *cellc;
+@@ -3962,7 +3963,11 @@ SaltTextAway(XtermWidget xw,
+ 
+     /* UTF-8 may require more space */
+     if_OPT_WIDE_CHARS(screen, {
+-       need *= 4;
+       if (need > 0) {
+           if (screen->max_combining > 0)
+               need += screen->max_combining;
+           need *= 6;
+       }
+     });
+ 
+     /* now get some memory to save it in */
+@@ -4000,10 +4005,26 @@ SaltTextAway(XtermWidget xw,
+     }
+     *lp = '\0';                        /* make sure we have end marked */
+ 
+-    TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line),
+-          visibleChars(line, (unsigned) (lp - line))));
+    have = (size_t) (lp - line);
+    /*
+     * Scanning the buffer twice is unnecessary.  Discard unwanted memory if
+     * the estimate is too-far off.
+     */
+    if ((have * 2) < (size_t) need) {
+       Char *next;
+       scp->data_limit = have + 1;
+       next = realloc(line, scp->data_limit);
+       if (next == NULL) {
+           free(line);
+           scp->data_length = 0;
+           scp->data_limit = 0;
+       }
+       scp->data_buffer = next;
+    }
+    scp->data_length = have;
+ 
+-    scp->data_length = (size_t) (lp - line);
+    TRACE(("Salted TEXT:%u:%s\n", (unsigned) have,
+          visibleChars(scp->data_buffer, (unsigned) have)));
+ }
+ 
+ #if OPT_PASTE64

diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch new file mode 100644 index 000000000..937b2176a --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch
@@ -0,0 +1,68 @@
	1	Description: Fix for CVE-2021-27135 from xterm 366
	2	Correct upper-limit for selection buffer, accounting for
	3	combining characters (report by Tavis Ormandy).
	4
	5	Upstream-Status: Backport
	6	https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff
	7	CVE: CVE-2021-27135
	8	Signed-off-by: Armin Kuster <akuster@mvista.com>
	9
	10	---
	11	button.c \| 29 +++++++++++++++++++++++++----
	12	1 file changed, 25 insertions(+), 4 deletions(-)
	13
	14	Index: xterm-353/button.c
	15	===================================================================
	16	--- xterm-353.orig/button.c
	17	+++ xterm-353/button.c
	18	@@ -3928,6 +3928,7 @@ SaltTextAway(XtermWidget xw,
	19	int i;
	20	int eol;
	21	int need = 0;
	22	+ size_t have = 0;
	23	Char *line;
	24	Char *lp;
	25	CELL first = *cellc;
	26	@@ -3962,7 +3963,11 @@ SaltTextAway(XtermWidget xw,
	27
	28	/* UTF-8 may require more space */
	29	if_OPT_WIDE_CHARS(screen, {
	30	- need *= 4;
	31	+ if (need > 0) {
	32	+ if (screen->max_combining > 0)
	33	+ need += screen->max_combining;
	34	+ need *= 6;
	35	+ }
	36	});
	37
	38	/* now get some memory to save it in */
	39	@@ -4000,10 +4005,26 @@ SaltTextAway(XtermWidget xw,
	40	}
	41	lp = '\0'; / make sure we have end marked */
	42
	43	- TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line),
	44	- visibleChars(line, (unsigned) (lp - line))));
	45	+ have = (size_t) (lp - line);
	46	+ /*
	47	+ * Scanning the buffer twice is unnecessary. Discard unwanted memory if
	48	+ * the estimate is too-far off.
	49	+ */
	50	+ if ((have * 2) < (size_t) need) {
	51	+ Char *next;
	52	+ scp->data_limit = have + 1;
	53	+ next = realloc(line, scp->data_limit);
	54	+ if (next == NULL) {
	55	+ free(line);
	56	+ scp->data_length = 0;
	57	+ scp->data_limit = 0;
	58	+ }
	59	+ scp->data_buffer = next;
	60	+ }
	61	+ scp->data_length = have;
	62
	63	- scp->data_length = (size_t) (lp - line);
	64	+ TRACE(("Salted TEXT:%u:%s\n", (unsigned) have,
	65	+ visibleChars(scp->data_buffer, (unsigned) have)));
	66	}
	67
	68	#if OPT_PASTE64