vte: fix CVE-2024-37535

CVE-2024-37535: GNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-37535] Upstream patches: [https://gitlab.gnome.org/GNOME/vte/-/commit/036bc3ddcbb56f05c6ca76712a53b89dee1369e2] [https://gitlab.gnome.org/GNOME/vte/-/commit/c313849c2e5133802e21b13fa0b141b360171d39] (From OE-Core rev: 132a5168b125d6f4fb9391d982bc64d73429ab8f) Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2025-01-16 15:26:48 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-01-24 07:49:28 -0800
commit: 4ebaec2ca32b275dd2b39e0020e965e29fb6b387 (patch)
tree: fa2dae62a5f0ff71704b41dd4be2b6d58088e01e
parent: 0d7adecb6bc3688cbce9ca3822507775499ced64 (diff)
download: poky-4ebaec2ca32b275dd2b39e0020e965e29fb6b387.tar.gz
3 files changed, 155 insertions, 2 deletions
diff --git a/meta/recipes-support/vte/vte/CVE-2024-37535-0001.patch b/meta/recipes-support/vte/vte/CVE-2024-37535-0001.patch
new file mode 100644
index 0000000000..f7c84323fb
--- /dev/null
+++ b/meta/recipes-support/vte/vte/CVE-2024-37535-0001.patch
@@ -0,0 +1,63 @@
+From 036bc3ddcbb56f05c6ca76712a53b89dee1369e2 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@src.gnome.org>
+Date: Sun, 2 Jun 2024 19:19:35 +0200
+Subject: [PATCH] emulation: Restrict resize request to sane numbers
+Fixes: https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+(cherry picked from commit fd5511f24b7269195a7083f409244e9787c705dc)
+CVE: CVE-2024-37535
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/036bc3ddcbb56f05c6ca76712a53b89dee1369e2]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/vteseq.cc | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+diff --git a/src/vteseq.cc b/src/vteseq.cc
+index 2c5b1e128..5b3f398e2 100644
+--- a/src/vteseq.cc
+++ b/src/vteseq.cc
+@@ -213,9 +213,18 @@ Terminal::emit_bell()
+ /* Emit a "resize-window" signal.  (Grid size.) */
+ void
+ Terminal::emit_resize_window(guint columns,
+-                                       guint rows)
+-{
+-        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window'.\n");
+                             guint rows)
+{
+        // Ignore resizes with excessive number of rows or columns,
+        // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+        if (columns < VTE_MIN_GRID_WIDTH ||
+            columns > 511 ||
+            rows < VTE_MIN_GRID_HEIGHT ||
+            rows > 511)
+                return;
+
+        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
+                         columns, rows);
+         g_signal_emit(m_terminal, signals[SIGNAL_RESIZE_WINDOW], 0, columns, rows);
+ }
+ 
+@@ -4467,8 +4476,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq)
+         else if (param < 24)
+                 return;
+ 
+-        _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
+-
+         emit_resize_window(m_column_count, param);
+ }
+ 
+@@ -8990,9 +8997,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq)
+                 seq.collect(1, {&height, &width});
+ 
+                 if (width != -1 && height != -1) {
+-                        _vte_debug_print(VTE_DEBUG_EMULATION,
+-                                         "Resizing window to %d columns, %d rows.\n",
+-                                         width, height);
+                         emit_resize_window(width, height);
+                 }
+                 break;
+-- 
+GitLab
diff --git a/meta/recipes-support/vte/vte/CVE-2024-37535-0002.patch b/meta/recipes-support/vte/vte/CVE-2024-37535-0002.patch
new file mode 100644
index 0000000000..c396817060
--- /dev/null
+++ b/meta/recipes-support/vte/vte/CVE-2024-37535-0002.patch
@@ -0,0 +1,85 @@
+From c313849c2e5133802e21b13fa0b141b360171d39 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@src.gnome.org>
+Date: Sun, 2 Jun 2024 19:19:35 +0200
+Subject: [PATCH] widget: Add safety limit to widget size requests
+https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+(cherry picked from commit 1803ba866053a3d7840892b9d31fe2944a183eda)
+CVE: CVE-2024-37535
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/c313849c2e5133802e21b13fa0b141b360171d39]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/vtegtk.cc | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+diff --git a/src/vtegtk.cc b/src/vtegtk.cc
+index 24bdd7184..48cae79c1 100644
+--- a/src/vtegtk.cc
+++ b/src/vtegtk.cc
+@@ -91,6 +91,38 @@
+ template<typename T>
+ constexpr bool check_enum_value(T value) noexcept;
+ 
+static inline void
+sanitise_widget_size_request(int* minimum,
+                             int* natural) noexcept
+{
+        // Overly large size requests will make gtk happily allocate
+        // a window size over the window system's limits (see
+        // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
+        // leading to aborting the whole process.
+        // The toolkit should be in a better position to know about
+        // these limits and not exceed them (which here is certainly
+        // possible since our minimum sizes are very small), let's
+        // limit the widget's size request to some large value
+        // that hopefully is within the absolute limits of
+        // the window system (assumed here to be int16 range,
+        // and leaving some space for the widgets that contain
+        // the terminal).
+        auto const limit = (1 << 15) - (1 << 12);
+
+        if (*minimum > limit || *natural > limit) {
+                static auto warned = false;
+
+                if (!warned) {
+                        g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
+                                  *minimum, *natural);
+                        warned = true;
+                }
+        }
+
+        *minimum = std::min(*minimum, limit);
+        *natural = std::clamp(*natural, *minimum, limit);
+}
+
+ struct _VteTerminalClassPrivate {
+         GtkStyleProvider *style_provider;
+ };
+@@ -510,6 +542,7 @@ try
+ {
+        VteTerminal *terminal = VTE_TERMINAL(widget);
+         WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
+        sanitise_widget_size_request(minimum_width, natural_width);
+ }
+ catch (...)
+ {
+@@ -524,6 +557,7 @@ try
+ {
+        VteTerminal *terminal = VTE_TERMINAL(widget);
+         WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
+        sanitise_widget_size_request(minimum_height, natural_height);
+ }
+ catch (...)
+ {
+@@ -781,6 +815,7 @@ try
+         WIDGET(terminal)->measure(orientation, for_size,
+                                   minimum, natural,
+                                   minimum_baseline, natural_baseline);
+        sanitise_widget_size_request(minimum, natural);
+ }
+ catch (...)
+ {
+-- 
+GitLab
diff --git a/meta/recipes-support/vte/vte_0.66.2.bb b/meta/recipes-support/vte/vte_0.66.2.bb
index af1c47cf80..365e4361cb 100644
--- a/meta/recipes-support/vte/vte_0.66.2.bb
+++ b/meta/recipes-support/vte/vte_0.66.2.bb
@@ -19,8 +19,13 @@ GIR_MESON_OPTION = 'gir'
 inherit gnomebase gtk-doc features_check upstream-version-is-even gobject-introspection
 # vapigen.m4 is required when vala is not present (but the one from vala should be used normally)
-SRC_URI += "file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch \
+SRC_URI += " \
-            file://0001-Makefile.docs-correctly-substitute-gtkdoc-qemu-wrapp.patch"
+            file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch \
+            file://0001-Makefile.docs-correctly-substitute-gtkdoc-qemu-wrapp.patch \
+            file://CVE-2024-37535-0001.patch \
+            file://CVE-2024-37535-0002.patch \
+            "
 SRC_URI[archive.sha256sum] = "e89974673a72a0a06edac6d17830b82bb124decf0cb3b52cebc92ec3ff04d976"
 ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2025-01-16 15:26:48 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-01-24 07:49:28 -0800
commit	4ebaec2ca32b275dd2b39e0020e965e29fb6b387 (patch)
tree	fa2dae62a5f0ff71704b41dd4be2b6d58088e01e
parent	0d7adecb6bc3688cbce9ca3822507775499ced64 (diff)
download	poky-4ebaec2ca32b275dd2b39e0020e965e29fb6b387.tar.gz

diff --git a/meta/recipes-support/vte/vte/CVE-2024-37535-0001.patch b/meta/recipes-support/vte/vte/CVE-2024-37535-0001.patch new file mode 100644 index 0000000000..f7c84323fb --- /dev/null +++ b/meta/recipes-support/vte/vte/CVE-2024-37535-0001.patch
@@ -0,0 +1,63 @@
		1	From 036bc3ddcbb56f05c6ca76712a53b89dee1369e2 Mon Sep 17 00:00:00 2001
		2	From: Christian Persch <chpe@src.gnome.org>
		3	Date: Sun, 2 Jun 2024 19:19:35 +0200
		4	Subject: [PATCH] emulation: Restrict resize request to sane numbers
		5
		6	Fixes: https://gitlab.gnome.org/GNOME/vte/-/issues/2786
		7	(cherry picked from commit fd5511f24b7269195a7083f409244e9787c705dc)
		8
		9	CVE: CVE-2024-37535
		10	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/036bc3ddcbb56f05c6ca76712a53b89dee1369e2]
		11
		12	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		13	---
		14	src/vteseq.cc \| 20 ++++++++++++--------
		15	1 file changed, 12 insertions(+), 8 deletions(-)
		16
		17	diff --git a/src/vteseq.cc b/src/vteseq.cc
		18	index 2c5b1e128..5b3f398e2 100644
		19	--- a/src/vteseq.cc
		20	+++ b/src/vteseq.cc
		21	@@ -213,9 +213,18 @@ Terminal::emit_bell()
		22	/* Emit a "resize-window" signal. (Grid size.) */
		23	void
		24	Terminal::emit_resize_window(guint columns,
		25	- guint rows)
		26	-{
		27	- _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window'.\n");
		28	+ guint rows)
		29	+{
		30	+ // Ignore resizes with excessive number of rows or columns,
		31	+ // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
		32	+ if (columns < VTE_MIN_GRID_WIDTH \|\|
		33	+ columns > 511 \|\|
		34	+ rows < VTE_MIN_GRID_HEIGHT \|\|
		35	+ rows > 511)
		36	+ return;
		37	+
		38	+ _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
		39	+ columns, rows);
		40	g_signal_emit(m_terminal, signals[SIGNAL_RESIZE_WINDOW], 0, columns, rows);
		41	}
		42
		43	@@ -4467,8 +4476,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq)
		44	else if (param < 24)
		45	return;
		46
		47	- _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
		48	-
		49	emit_resize_window(m_column_count, param);
		50	}
		51
		52	@@ -8990,9 +8997,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq)
		53	seq.collect(1, {&height, &width});
		54
		55	if (width != -1 && height != -1) {
		56	- _vte_debug_print(VTE_DEBUG_EMULATION,
		57	- "Resizing window to %d columns, %d rows.\n",
		58	- width, height);
		59	emit_resize_window(width, height);
		60	}
		61	break;
		62	--
		63	GitLab


diff --git a/meta/recipes-support/vte/vte/CVE-2024-37535-0002.patch b/meta/recipes-support/vte/vte/CVE-2024-37535-0002.patch new file mode 100644 index 0000000000..c396817060 --- /dev/null +++ b/meta/recipes-support/vte/vte/CVE-2024-37535-0002.patch
@@ -0,0 +1,85 @@
		1	From c313849c2e5133802e21b13fa0b141b360171d39 Mon Sep 17 00:00:00 2001
		2	From: Christian Persch <chpe@src.gnome.org>
		3	Date: Sun, 2 Jun 2024 19:19:35 +0200
		4	Subject: [PATCH] widget: Add safety limit to widget size requests
		5
		6	https://gitlab.gnome.org/GNOME/vte/-/issues/2786
		7	(cherry picked from commit 1803ba866053a3d7840892b9d31fe2944a183eda)
		8
		9	CVE: CVE-2024-37535
		10	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/c313849c2e5133802e21b13fa0b141b360171d39]
		11
		12	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		13	---
		14	src/vtegtk.cc \| 35 +++++++++++++++++++++++++++++++++++
		15	1 file changed, 35 insertions(+)
		16
		17	diff --git a/src/vtegtk.cc b/src/vtegtk.cc
		18	index 24bdd7184..48cae79c1 100644
		19	--- a/src/vtegtk.cc
		20	+++ b/src/vtegtk.cc
		21	@@ -91,6 +91,38 @@
		22	template<typename T>
		23	constexpr bool check_enum_value(T value) noexcept;
		24
		25	+static inline void
		26	+sanitise_widget_size_request(int* minimum,
		27	+ int* natural) noexcept
		28	+{
		29	+ // Overly large size requests will make gtk happily allocate
		30	+ // a window size over the window system's limits (see
		31	+ // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
		32	+ // leading to aborting the whole process.
		33	+ // The toolkit should be in a better position to know about
		34	+ // these limits and not exceed them (which here is certainly
		35	+ // possible since our minimum sizes are very small), let's
		36	+ // limit the widget's size request to some large value
		37	+ // that hopefully is within the absolute limits of
		38	+ // the window system (assumed here to be int16 range,
		39	+ // and leaving some space for the widgets that contain
		40	+ // the terminal).
		41	+ auto const limit = (1 << 15) - (1 << 12);
		42	+
		43	+ if (minimum > limit \|\| natural > limit) {
		44	+ static auto warned = false;
		45	+
		46	+ if (!warned) {
		47	+ g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
		48	+ minimum, natural);
		49	+ warned = true;
		50	+ }
		51	+ }
		52	+
		53	+ minimum = std::min(minimum, limit);
		54	+ natural = std::clamp(natural, *minimum, limit);
		55	+}
		56	+
		57	struct _VteTerminalClassPrivate {
		58	GtkStyleProvider *style_provider;
		59	};
		60	@@ -510,6 +542,7 @@ try
		61	{
		62	VteTerminal *terminal = VTE_TERMINAL(widget);
		63	WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
		64	+ sanitise_widget_size_request(minimum_width, natural_width);
		65	}
		66	catch (...)
		67	{
		68	@@ -524,6 +557,7 @@ try
		69	{
		70	VteTerminal *terminal = VTE_TERMINAL(widget);
		71	WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
		72	+ sanitise_widget_size_request(minimum_height, natural_height);
		73	}
		74	catch (...)
		75	{
		76	@@ -781,6 +815,7 @@ try
		77	WIDGET(terminal)->measure(orientation, for_size,
		78	minimum, natural,
		79	minimum_baseline, natural_baseline);
		80	+ sanitise_widget_size_request(minimum, natural);
		81	}
		82	catch (...)
		83	{
		84	--
		85	GitLab


diff --git a/meta/recipes-support/vte/vte_0.66.2.bb b/meta/recipes-support/vte/vte_0.66.2.bb index af1c47cf80..365e4361cb 100644 --- a/meta/recipes-support/vte/vte_0.66.2.bb +++ b/meta/recipes-support/vte/vte_0.66.2.bb
@@ -19,8 +19,13 @@ GIR_MESON_OPTION = 'gir'
19	inherit gnomebase gtk-doc features_check upstream-version-is-even gobject-introspection	19	inherit gnomebase gtk-doc features_check upstream-version-is-even gobject-introspection
20		20
21	# vapigen.m4 is required when vala is not present (but the one from vala should be used normally)	21	# vapigen.m4 is required when vala is not present (but the one from vala should be used normally)
22	SRC_URI += "file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch \	22	SRC_URI += " \
23	file://0001-Makefile.docs-correctly-substitute-gtkdoc-qemu-wrapp.patch"	23	file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch \
		24	file://0001-Makefile.docs-correctly-substitute-gtkdoc-qemu-wrapp.patch \
		25	file://CVE-2024-37535-0001.patch \
		26	file://CVE-2024-37535-0002.patch \
		27	"
		28
24	SRC_URI[archive.sha256sum] = "e89974673a72a0a06edac6d17830b82bb124decf0cb3b52cebc92ec3ff04d976"	29	SRC_URI[archive.sha256sum] = "e89974673a72a0a06edac6d17830b82bb124decf0cb3b52cebc92ec3ff04d976"
25		30
26	ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"	31	ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"