Diffstat (limited to 'meta/recipes-extended/screen/screen')
-rw-r--r-- | meta/recipes-extended/screen/screen/CVE-2021-26937.patch | 68 | ||||
-rw-r--r-- | meta/recipes-extended/screen/screen/CVE-2023-24626.patch | 40 |
2 files changed, 108 insertions, 0 deletions
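--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch
@@ -0,0 +1,68 @@
+Description: [CVE-2021-26937] Fix out of bounds array access
+Author: Michael Schröder <mls@suse.de>
+Bug-Debian: https://bugs.debian.org/982435
+Bug: https://savannah.gnu.org/bugs/?60030
+Bug: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
+Bug-OSS-Security: https://www.openwall.com/lists/oss-security/2021/02/09/3
+Origin: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html
+
+CVE: CVE-2021-26937
+Upstream-Status: Pending
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+
+--- a/encoding.c
++++ b/encoding.c
+@@ -43,7 +43,7 @@
+# ifdef UTF8
+static int recode_char __P((int, int, int));
+static int recode_char_to_encoding __P((int, int));
+-static void comb_tofront __P((int, int));
++static void comb_tofront __P((int));
+# ifdef DW_CHARS
+static int recode_char_dw __P((int, int *, int, int));
+static int recode_char_dw_to_encoding __P((int, int *, int));
+@@ -1263,6 +1263,8 @@
+{0x30000, 0x3FFFD},
+};
+
++ if (c >= 0xdf00 && c <= 0xdfff)
++ return 1; /* dw combining sequence */
+return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) ||
+(cjkwidth &&
+bisearch(c, ambiguous,
+@@ -1330,11 +1332,12 @@
+}
+
+static void
+-comb_tofront(root, i)
+-int root, i;
++comb_tofront(i)
++int i;
+{
+for (;;)
+{
++ int root = i >= 0x700 ? 0x801 : 0x800;
+debug1("bring to front: %x\n", i);
+combchars[combchars[i]->prev]->next = combchars[i]->next;
+combchars[combchars[i]->next]->prev = combchars[i]->prev;
+@@ -1396,9 +1399,9 @@
+{
+/* full, recycle old entry */
+if (c1 >= 0xd800 && c1 < 0xe000)
+- comb_tofront(root, c1 - 0xd800);
++ comb_tofront(c1 - 0xd800);
+i = combchars[root]->prev;
+- if (c1 == i + 0xd800)
++ if (i == 0x800 || i == 0x801 || c1 == i + 0xd800)
+{
+/* completely full, can't recycle */
+debug("utf8_handle_comp: completely full!\n");
+@@ -1422,7 +1425,7 @@
+mc->font = (i >> 8) + 0xd8;
+mc->fontx = 0;
+debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
+- comb_tofront(root, i);
++ comb_tofront(i);
+}
+
+#else /* !UTF8 */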
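Review bot: The constants `0x700`, `0x800` and `0x801` that the patched `comb_tofront()` and the recycle check now depend on are unexplained, so the bounds reasoning behind this fix cannot be checked from the code itself. From the visible lines, `i >= 0x700` corresponds to `c >= 0xdf00` once the `- 0xd800` offset is applied (the range the new early return labels a dw combining sequence), and `0x800`/`0x801` appear to be two list-root slots of `combchars`; if that reading is right, the new `int root = ...` line could carry `/* 0x700..0x7ff: double-width combining entries, list rooted at 0x801; all others at 0x800 */`. The added `i == 0x800 || i == 0x801` test could likewise say `/* prev points back at a root slot: nothing to recycle */`, presumably what it detects. `comb_tofront()` still indexes `combchars[i]` with no range or NULL check of its own, so its safety rests on the callers' `c1 >= 0xd800 && c1 < 0xe000` test and on that root check; a header comment stating the precondition on `i` would make this explicit. The functions around the `@@ -1263` and `@@ -1396` hunks start outside the visible context.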
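--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch
@@ -0,0 +1,40 @@
+From e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Mon Sep 17 00:00:00 2001
+From: Alexander Naumov <alexander_naumov@opensuse.org>
+Date: Mon, 30 Jan 2023 17:22:25 +0200
+Subject: fix: missing signal sending permission check on failed query messages
+
+Signed-off-by: Alexander Naumov <alexander_naumov@opensuse.org>
+
+CVE: CVE-2023-24626
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+socket.c | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/socket.c b/socket.c
+index bb68b35..9d87445 100644
+--- a/socket.c
++++ b/socket.c
+@@ -1285,11 +1285,16 @@ ReceiveMsg()
+else
+queryflag = -1;
+
+- Kill(m.m.command.apid,
++ if (CheckPid(m.m.command.apid)) {
++ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
++ }
++ else {
++ Kill(m.m.command.apid,
+(queryflag >= 0)
+? SIGCONT
+: SIG_BYE); /* Send SIG_BYE if an error happened */
+- queryflag = -1;
++ queryflag = -1;
++ }
+}
+break;
+case MSG_COMMAND:
+--
+2.25.1
+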
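Review bot: On the new bad-pid branch in `ReceiveMsg()` the global `queryflag` is no longer reset: the removed code ran `queryflag = -1;` unconditionally after `Kill()`, while the new code does so only in the `else` arm. If the code just before the hunk can leave `queryflag` holding a socket descriptor (the `else queryflag = -1;` context line suggests the other arm sets it to something non-negative), a rejected query would leave that value in place for later message handling. Keeping `queryflag = -1;` as the last statement of the block, after the `if`/`else`, would preserve the old behaviour on both paths. The hunk matches the upstream commit named in `Upstream-Status`, so this would be worth raising upstream as well. `ReceiveMsg()` starts and ends outside the hunk.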