summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2015-11-02 11:03:26 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-11-02 12:26:39 +0000
commit1b2a94245a8337e8a055c64e180f9e0f63f04d17 (patch)
tree16da7ebf91f73787cfe7e93532a9f8243bf3f66e /meta
parent370a2916c4559c17952392b872322e8e490b124c (diff)
downloadpoky-1b2a94245a8337e8a055c64e180f9e0f63f04d17.tar.gz
vte: fix DoS from malicious escape sequence (CVE-2012-2738)
Backport a fix from upstream to fix a denial of service via a malicious escape sequence. [YOCTO #8617] (From OE-Core rev: d5065e2b1c49fa65627f0adec8e42190ebccb572) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch135
-rw-r--r--meta/recipes-support/vte/vte_0.28.2.bb3
2 files changed, 137 insertions, 1 deletions
diff --git a/meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch b/meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch
new file mode 100644
index 0000000000..2407771804
--- /dev/null
+++ b/meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch
@@ -0,0 +1,135 @@
1Upstream-Status: Backport
2Signed-off-by: Ross Burton <ross.burton@intel.com>
3
4From e524b0b3bd8fad844ffa73927c199545b892cdbd Mon Sep 17 00:00:00 2001
5From: Christian Persch <chpe@gnome.org>
6Date: Sat, 19 May 2012 19:36:09 +0200
7Subject: [PATCH 1/2] emulation: Limit integer arguments to 65535
8
9To guard against malicious sequences containing excessively big numbers,
10limit all parsed numbers to 16 bit range. Doing this here in the parsing
11routine is a catch-all guard; this doesn't preclude enforcing
12more stringent limits in the handlers themselves.
13
14https://bugzilla.gnome.org/show_bug.cgi?id=676090
15---
16 src/table.c | 2 +-
17 src/vteseq.c | 2 +-
18 2 files changed, 2 insertions(+), 2 deletions(-)
19
20diff --git a/src/table.c b/src/table.c
21index 140e8c8..85cf631 100644
22--- a/src/table.c
23+++ b/src/table.c
24@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
25 if (G_UNLIKELY (*array == NULL)) {
26 *array = g_value_array_new(1);
27 }
28- g_value_set_long(&value, total);
29+ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
30 g_value_array_append(*array, &value);
31 } while (i++ < arginfo->length);
32 g_value_unset(&value);
33diff --git a/src/vteseq.c b/src/vteseq.c
34index 7ef4c8c..10991db 100644
35--- a/src/vteseq.c
36+++ b/src/vteseq.c
37@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
38 GValueArray *params,
39 VteTerminalSequenceHandler handler)
40 {
41- vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG);
42+ vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT);
43 }
44
45 static void
46--
472.4.9 (Apple Git-60)
48
49
50From cf1ad453a8def873c49cf6d88162593402f32bb2 Mon Sep 17 00:00:00 2001
51From: Christian Persch <chpe@gnome.org>
52Date: Sat, 19 May 2012 20:04:12 +0200
53Subject: [PATCH 2/2] emulation: Limit repetitions
54
55Don't allow malicious sequences to cause excessive repetitions.
56
57https://bugzilla.gnome.org/show_bug.cgi?id=676090
58---
59 src/vteseq.c | 25 ++++++++++++++++++-------
60 1 file changed, 18 insertions(+), 7 deletions(-)
61
62diff --git a/src/vteseq.c b/src/vteseq.c
63index 10991db..209522f 100644
64--- a/src/vteseq.c
65+++ b/src/vteseq.c
66@@ -1392,7 +1392,7 @@ vte_sequence_handler_dc (VteTerminal *terminal, GValueArray *params)
67 static void
68 vte_sequence_handler_DC (VteTerminal *terminal, GValueArray *params)
69 {
70- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_dc);
71+ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_dc);
72 }
73
74 /* Delete a line at the current cursor position. */
75@@ -1785,7 +1785,7 @@ vte_sequence_handler_reverse_index (VteTerminal *terminal, GValueArray *params)
76 static void
77 vte_sequence_handler_RI (VteTerminal *terminal, GValueArray *params)
78 {
79- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_nd);
80+ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_nd);
81 }
82
83 /* Save cursor (position). */
84@@ -2777,8 +2777,7 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params)
85 {
86 GValue *value;
87 VteScreen *screen;
88- long param, end, row;
89- int i;
90+ long param, end, row, i, limit;
91 screen = terminal->pvt->screen;
92 /* The default is one. */
93 param = 1;
94@@ -2796,7 +2795,13 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params)
95 } else {
96 end = screen->insert_delta + terminal->row_count - 1;
97 }
98- /* Insert the new lines at the cursor. */
99+
100+ /* Only allow to insert as many lines as there are between this row
101+ * and the end of the scrolling region. See bug #676090.
102+ */
103+ limit = end - row + 1;
104+ param = MIN (param, limit);
105+
106 for (i = 0; i < param; i++) {
107 /* Clear a line off the end of the region and add one to the
108 * top of the region. */
109@@ -2817,8 +2822,7 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params)
110 {
111 GValue *value;
112 VteScreen *screen;
113- long param, end, row;
114- int i;
115+ long param, end, row, i, limit;
116
117 screen = terminal->pvt->screen;
118 /* The default is one. */
119@@ -2837,6 +2841,13 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params)
120 } else {
121 end = screen->insert_delta + terminal->row_count - 1;
122 }
123+
124+ /* Only allow to delete as many lines as there are between this row
125+ * and the end of the scrolling region. See bug #676090.
126+ */
127+ limit = end - row + 1;
128+ param = MIN (param, limit);
129+
130 /* Clear them from below the current cursor. */
131 for (i = 0; i < param; i++) {
132 /* Insert a line at the end of the region and remove one from
133--
1342.4.9 (Apple Git-60)
135
diff --git a/meta/recipes-support/vte/vte_0.28.2.bb b/meta/recipes-support/vte/vte_0.28.2.bb
index b1025cb0e5..8b4e7f71de 100644
--- a/meta/recipes-support/vte/vte_0.28.2.bb
+++ b/meta/recipes-support/vte/vte_0.28.2.bb
@@ -4,7 +4,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7"
4 4
5PR = "r6" 5PR = "r6"
6 6
7SRC_URI += "file://obsolete_automake_macros.patch" 7SRC_URI += "file://obsolete_automake_macros.patch \
8 file://cve-2012-2738.patch"
8 9
9CFLAGS += "-D_GNU_SOURCE" 10CFLAGS += "-D_GNU_SOURCE"
10 11