diff options
| author | Ross Burton <ross.burton@intel.com> | 2015-11-02 11:03:26 +0000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-11-02 12:26:39 +0000 |
| commit | 1b2a94245a8337e8a055c64e180f9e0f63f04d17 (patch) | |
| tree | 16da7ebf91f73787cfe7e93532a9f8243bf3f66e /meta | |
| parent | 370a2916c4559c17952392b872322e8e490b124c (diff) | |
| download | poky-1b2a94245a8337e8a055c64e180f9e0f63f04d17.tar.gz | |
vte: fix DoS from malicious escape sequence (CVE-2012-2738)
Backport a fix from upstream to fix a denial of service via a malicious escape
sequence.
[YOCTO #8617]
(From OE-Core rev: d5065e2b1c49fa65627f0adec8e42190ebccb572)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch | 135 | ||||
| -rw-r--r-- | meta/recipes-support/vte/vte_0.28.2.bb | 3 |
2 files changed, 137 insertions, 1 deletions
diff --git a/meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch b/meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch new file mode 100644 index 0000000000..2407771804 --- /dev/null +++ b/meta/recipes-support/vte/vte-0.28.2/cve-2012-2738.patch | |||
| @@ -0,0 +1,135 @@ | |||
| 1 | Upstream-Status: Backport | ||
| 2 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
| 3 | |||
| 4 | From e524b0b3bd8fad844ffa73927c199545b892cdbd Mon Sep 17 00:00:00 2001 | ||
| 5 | From: Christian Persch <chpe@gnome.org> | ||
| 6 | Date: Sat, 19 May 2012 19:36:09 +0200 | ||
| 7 | Subject: [PATCH 1/2] emulation: Limit integer arguments to 65535 | ||
| 8 | |||
| 9 | To guard against malicious sequences containing excessively big numbers, | ||
| 10 | limit all parsed numbers to 16 bit range. Doing this here in the parsing | ||
| 11 | routine is a catch-all guard; this doesn't preclude enforcing | ||
| 12 | more stringent limits in the handlers themselves. | ||
| 13 | |||
| 14 | https://bugzilla.gnome.org/show_bug.cgi?id=676090 | ||
| 15 | --- | ||
| 16 | src/table.c | 2 +- | ||
| 17 | src/vteseq.c | 2 +- | ||
| 18 | 2 files changed, 2 insertions(+), 2 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/src/table.c b/src/table.c | ||
| 21 | index 140e8c8..85cf631 100644 | ||
| 22 | --- a/src/table.c | ||
| 23 | +++ b/src/table.c | ||
| 24 | @@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array, | ||
| 25 | if (G_UNLIKELY (*array == NULL)) { | ||
| 26 | *array = g_value_array_new(1); | ||
| 27 | } | ||
| 28 | - g_value_set_long(&value, total); | ||
| 29 | + g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT)); | ||
| 30 | g_value_array_append(*array, &value); | ||
| 31 | } while (i++ < arginfo->length); | ||
| 32 | g_value_unset(&value); | ||
| 33 | diff --git a/src/vteseq.c b/src/vteseq.c | ||
| 34 | index 7ef4c8c..10991db 100644 | ||
| 35 | --- a/src/vteseq.c | ||
| 36 | +++ b/src/vteseq.c | ||
| 37 | @@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal, | ||
| 38 | GValueArray *params, | ||
| 39 | VteTerminalSequenceHandler handler) | ||
| 40 | { | ||
| 41 | - vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG); | ||
| 42 | + vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT); | ||
| 43 | } | ||
| 44 | |||
| 45 | static void | ||
| 46 | -- | ||
| 47 | 2.4.9 (Apple Git-60) | ||
| 48 | |||
| 49 | |||
| 50 | From cf1ad453a8def873c49cf6d88162593402f32bb2 Mon Sep 17 00:00:00 2001 | ||
| 51 | From: Christian Persch <chpe@gnome.org> | ||
| 52 | Date: Sat, 19 May 2012 20:04:12 +0200 | ||
| 53 | Subject: [PATCH 2/2] emulation: Limit repetitions | ||
| 54 | |||
| 55 | Don't allow malicious sequences to cause excessive repetitions. | ||
| 56 | |||
| 57 | https://bugzilla.gnome.org/show_bug.cgi?id=676090 | ||
| 58 | --- | ||
| 59 | src/vteseq.c | 25 ++++++++++++++++++------- | ||
| 60 | 1 file changed, 18 insertions(+), 7 deletions(-) | ||
| 61 | |||
| 62 | diff --git a/src/vteseq.c b/src/vteseq.c | ||
| 63 | index 10991db..209522f 100644 | ||
| 64 | --- a/src/vteseq.c | ||
| 65 | +++ b/src/vteseq.c | ||
| 66 | @@ -1392,7 +1392,7 @@ vte_sequence_handler_dc (VteTerminal *terminal, GValueArray *params) | ||
| 67 | static void | ||
| 68 | vte_sequence_handler_DC (VteTerminal *terminal, GValueArray *params) | ||
| 69 | { | ||
| 70 | - vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_dc); | ||
| 71 | + vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_dc); | ||
| 72 | } | ||
| 73 | |||
| 74 | /* Delete a line at the current cursor position. */ | ||
| 75 | @@ -1785,7 +1785,7 @@ vte_sequence_handler_reverse_index (VteTerminal *terminal, GValueArray *params) | ||
| 76 | static void | ||
| 77 | vte_sequence_handler_RI (VteTerminal *terminal, GValueArray *params) | ||
| 78 | { | ||
| 79 | - vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_nd); | ||
| 80 | + vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_nd); | ||
| 81 | } | ||
| 82 | |||
| 83 | /* Save cursor (position). */ | ||
| 84 | @@ -2777,8 +2777,7 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params) | ||
| 85 | { | ||
| 86 | GValue *value; | ||
| 87 | VteScreen *screen; | ||
| 88 | - long param, end, row; | ||
| 89 | - int i; | ||
| 90 | + long param, end, row, i, limit; | ||
| 91 | screen = terminal->pvt->screen; | ||
| 92 | /* The default is one. */ | ||
| 93 | param = 1; | ||
| 94 | @@ -2796,7 +2795,13 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params) | ||
| 95 | } else { | ||
| 96 | end = screen->insert_delta + terminal->row_count - 1; | ||
| 97 | } | ||
| 98 | - /* Insert the new lines at the cursor. */ | ||
| 99 | + | ||
| 100 | + /* Only allow to insert as many lines as there are between this row | ||
| 101 | + * and the end of the scrolling region. See bug #676090. | ||
| 102 | + */ | ||
| 103 | + limit = end - row + 1; | ||
| 104 | + param = MIN (param, limit); | ||
| 105 | + | ||
| 106 | for (i = 0; i < param; i++) { | ||
| 107 | /* Clear a line off the end of the region and add one to the | ||
| 108 | * top of the region. */ | ||
| 109 | @@ -2817,8 +2822,7 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params) | ||
| 110 | { | ||
| 111 | GValue *value; | ||
| 112 | VteScreen *screen; | ||
| 113 | - long param, end, row; | ||
| 114 | - int i; | ||
| 115 | + long param, end, row, i, limit; | ||
| 116 | |||
| 117 | screen = terminal->pvt->screen; | ||
| 118 | /* The default is one. */ | ||
| 119 | @@ -2837,6 +2841,13 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params) | ||
| 120 | } else { | ||
| 121 | end = screen->insert_delta + terminal->row_count - 1; | ||
| 122 | } | ||
| 123 | + | ||
| 124 | + /* Only allow to delete as many lines as there are between this row | ||
| 125 | + * and the end of the scrolling region. See bug #676090. | ||
| 126 | + */ | ||
| 127 | + limit = end - row + 1; | ||
| 128 | + param = MIN (param, limit); | ||
| 129 | + | ||
| 130 | /* Clear them from below the current cursor. */ | ||
| 131 | for (i = 0; i < param; i++) { | ||
| 132 | /* Insert a line at the end of the region and remove one from | ||
| 133 | -- | ||
| 134 | 2.4.9 (Apple Git-60) | ||
| 135 | |||
diff --git a/meta/recipes-support/vte/vte_0.28.2.bb b/meta/recipes-support/vte/vte_0.28.2.bb index b1025cb0e5..8b4e7f71de 100644 --- a/meta/recipes-support/vte/vte_0.28.2.bb +++ b/meta/recipes-support/vte/vte_0.28.2.bb | |||
| @@ -4,7 +4,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7" | |||
| 4 | 4 | ||
| 5 | PR = "r6" | 5 | PR = "r6" |
| 6 | 6 | ||
| 7 | SRC_URI += "file://obsolete_automake_macros.patch" | 7 | SRC_URI += "file://obsolete_automake_macros.patch \ |
| 8 | file://cve-2012-2738.patch" | ||
| 8 | 9 | ||
| 9 | CFLAGS += "-D_GNU_SOURCE" | 10 | CFLAGS += "-D_GNU_SOURCE" |
| 10 | 11 | ||