3 files changed, 153 insertions, 1 deletions
diff --git a/meta/recipes-support/vte/vte/CVE-2024-37535-01.patch b/meta/recipes-support/vte/vte/CVE-2024-37535-01.patch
new file mode 100644
index 0000000000..d18a3380af
--- /dev/null
+++ b/meta/recipes-support/vte/vte/CVE-2024-37535-01.patch
@@ -0,0 +1,64 @@
+From 036bc3ddcbb56f05c6ca76712a53b89dee1369e2 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@src.gnome.org>
+Date: Sun, 2 Jun 2024 19:19:35 +0200
+Subject: [PATCH] emulation: Restrict resize request to sane numbers
+Fixes: https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+(cherry picked from commit fd5511f24b7269195a7083f409244e9787c705dc)
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/036bc3ddcbb56f05c6ca76712a53b89dee1369e2]
+CVE: CVE-2024-37535
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/vteseq.cc | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+diff --git a/src/vteseq.cc b/src/vteseq.cc
+index 8d1c2e1..1c73dad 100644
+--- a/src/vteseq.cc
+++ b/src/vteseq.cc
+@@ -208,9 +208,18 @@ Terminal::emit_bell()
+ /* Emit a "resize-window" signal.  (Grid size.) */
+ void
+ Terminal::emit_resize_window(guint columns,
+-                                       guint rows)
+-{
+-        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window'.\n");
+                             guint rows)
+{
+        // Ignore resizes with excessive number of rows or columns,
+        // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+        if (columns < VTE_MIN_GRID_WIDTH ||
+            columns > 511 ||
+            rows < VTE_MIN_GRID_HEIGHT ||
+            rows > 511)
+                return;
+
+        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
+                         columns, rows);
+         g_signal_emit(m_terminal, signals[SIGNAL_RESIZE_WINDOW], 0, columns, rows);
+ }
+ 
+@@ -4457,8 +4466,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq)
+         else if (param < 24)
+                 return;
+ 
+-        _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
+-
+         emit_resize_window(m_column_count, param);
+ }
+ 
+@@ -8917,9 +8924,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq)
+                 seq.collect(1, {&height, &width});
+ 
+                 if (width != -1 && height != -1) {
+-                        _vte_debug_print(VTE_DEBUG_EMULATION,
+-                                         "Resizing window to %d columns, %d rows.\n",
+-                                         width, height);
+                         emit_resize_window(width, height);
+                 }
+                 break;
+-- 
+2.25.1
diff --git a/meta/recipes-support/vte/vte/CVE-2024-37535-02.patch b/meta/recipes-support/vte/vte/CVE-2024-37535-02.patch
new file mode 100644
index 0000000000..032e00fb5c
--- /dev/null
+++ b/meta/recipes-support/vte/vte/CVE-2024-37535-02.patch
@@ -0,0 +1,85 @@
+rom c313849c2e5133802e21b13fa0b141b360171d39 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@src.gnome.org>
+Date: Sun, 2 Jun 2024 19:19:35 +0200
+Subject: [PATCH] widget: Add safety limit to widget size requests
+https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+(cherry picked from commit 1803ba866053a3d7840892b9d31fe2944a183eda)
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/c313849c2e5133802e21b13fa0b141b360171d39]
+CVE: CVE-2024-37535
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/vtegtk.cc | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+diff --git a/src/vtegtk.cc b/src/vtegtk.cc
+index 0f4641d..060d27e 100644
+--- a/src/vtegtk.cc
+++ b/src/vtegtk.cc
+@@ -91,6 +91,38 @@
+ template<typename T>
+ constexpr bool check_enum_value(T value) noexcept;
+ 
+static inline void
+sanitise_widget_size_request(int* minimum,
+                             int* natural) noexcept
+{
+        // Overly large size requests will make gtk happily allocate
+        // a window size over the window system's limits (see
+        // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
+        // leading to aborting the whole process.
+        // The toolkit should be in a better position to know about
+        // these limits and not exceed them (which here is certainly
+        // possible since our minimum sizes are very small), let's
+        // limit the widget's size request to some large value
+        // that hopefully is within the absolute limits of
+        // the window system (assumed here to be int16 range,
+        // and leaving some space for the widgets that contain
+        // the terminal).
+        auto const limit = (1 << 15) - (1 << 12);
+
+        if (*minimum > limit || *natural > limit) {
+                static auto warned = false;
+
+                if (!warned) {
+                        g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
+                                  *minimum, *natural);
+                        warned = true;
+                }
+        }
+
+        *minimum = std::min(*minimum, limit);
+        *natural = std::clamp(*natural, *minimum, limit);
+}
+
+ struct _VteTerminalClassPrivate {
+         GtkStyleProvider *style_provider;
+ };
+@@ -497,6 +529,7 @@ try
+ {
+        VteTerminal *terminal = VTE_TERMINAL(widget);
+         WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
+        sanitise_widget_size_request(minimum_width, natural_width);
+ }
+ catch (...)
+ {
+@@ -511,6 +544,7 @@ try
+ {
+        VteTerminal *terminal = VTE_TERMINAL(widget);
+         WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
+        sanitise_widget_size_request(minimum_height, natural_height);
+ }
+ catch (...)
+ {
+@@ -748,6 +782,7 @@ try
+         WIDGET(terminal)->measure(orientation, for_size,
+                                   minimum, natural,
+                                   minimum_baseline, natural_baseline);
+        sanitise_widget_size_request(minimum, natural);
+ }
+ catch (...)
+ {
+-- 
+2.25.1
diff --git a/meta/recipes-support/vte/vte_0.74.2.bb b/meta/recipes-support/vte/vte_0.74.2.bb
index d8eafde2fb..af9ff1bb1d 100644
--- a/meta/recipes-support/vte/vte_0.74.2.bb
+++ b/meta/recipes-support/vte/vte_0.74.2.bb
@@ -18,7 +18,10 @@ GIDOCGEN_MESON_OPTION = "docs"
 inherit gnomebase gi-docgen features_check upstream-version-is-even gobject-introspection systemd vala
-SRC_URI += "file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch"
+SRC_URI += "file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch \
+            file://CVE-2024-37535-01.patch \
+            file://CVE-2024-37535-02.patch \
+            "
 SRC_URI[archive.sha256sum] = "a535fb2a98fea8a2449cd1a02cccf5190131dddff52e715afdace3feb536eae7"
 ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"

diff --git a/meta/recipes-support/vte/vte/CVE-2024-37535-01.patch b/meta/recipes-support/vte/vte/CVE-2024-37535-01.patch new file mode 100644 index 0000000000..d18a3380af --- /dev/null +++ b/meta/recipes-support/vte/vte/CVE-2024-37535-01.patch
@@ -0,0 +1,64 @@
		1	From 036bc3ddcbb56f05c6ca76712a53b89dee1369e2 Mon Sep 17 00:00:00 2001
		2	From: Christian Persch <chpe@src.gnome.org>
		3	Date: Sun, 2 Jun 2024 19:19:35 +0200
		4	Subject: [PATCH] emulation: Restrict resize request to sane numbers
		5
		6	Fixes: https://gitlab.gnome.org/GNOME/vte/-/issues/2786
		7	(cherry picked from commit fd5511f24b7269195a7083f409244e9787c705dc)
		8
		9
		10	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/036bc3ddcbb56f05c6ca76712a53b89dee1369e2]
		11	CVE: CVE-2024-37535
		12	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		13	---
		14	src/vteseq.cc \| 20 ++++++++++++--------
		15	1 file changed, 12 insertions(+), 8 deletions(-)
		16
		17	diff --git a/src/vteseq.cc b/src/vteseq.cc
		18	index 8d1c2e1..1c73dad 100644
		19	--- a/src/vteseq.cc
		20	+++ b/src/vteseq.cc
		21	@@ -208,9 +208,18 @@ Terminal::emit_bell()
		22	/* Emit a "resize-window" signal. (Grid size.) */
		23	void
		24	Terminal::emit_resize_window(guint columns,
		25	- guint rows)
		26	-{
		27	- _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window'.\n");
		28	+ guint rows)
		29	+{
		30	+ // Ignore resizes with excessive number of rows or columns,
		31	+ // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
		32	+ if (columns < VTE_MIN_GRID_WIDTH \|\|
		33	+ columns > 511 \|\|
		34	+ rows < VTE_MIN_GRID_HEIGHT \|\|
		35	+ rows > 511)
		36	+ return;
		37	+
		38	+ _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
		39	+ columns, rows);
		40	g_signal_emit(m_terminal, signals[SIGNAL_RESIZE_WINDOW], 0, columns, rows);
		41	}
		42
		43	@@ -4457,8 +4466,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq)
		44	else if (param < 24)
		45	return;
		46
		47	- _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
		48	-
		49	emit_resize_window(m_column_count, param);
		50	}
		51
		52	@@ -8917,9 +8924,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq)
		53	seq.collect(1, {&height, &width});
		54
		55	if (width != -1 && height != -1) {
		56	- _vte_debug_print(VTE_DEBUG_EMULATION,
		57	- "Resizing window to %d columns, %d rows.\n",
		58	- width, height);
		59	emit_resize_window(width, height);
		60	}
		61	break;
		62	--
		63	2.25.1
		64


diff --git a/meta/recipes-support/vte/vte/CVE-2024-37535-02.patch b/meta/recipes-support/vte/vte/CVE-2024-37535-02.patch new file mode 100644 index 0000000000..032e00fb5c --- /dev/null +++ b/meta/recipes-support/vte/vte/CVE-2024-37535-02.patch
@@ -0,0 +1,85 @@
		1	rom c313849c2e5133802e21b13fa0b141b360171d39 Mon Sep 17 00:00:00 2001
		2	From: Christian Persch <chpe@src.gnome.org>
		3	Date: Sun, 2 Jun 2024 19:19:35 +0200
		4	Subject: [PATCH] widget: Add safety limit to widget size requests
		5
		6	https://gitlab.gnome.org/GNOME/vte/-/issues/2786
		7	(cherry picked from commit 1803ba866053a3d7840892b9d31fe2944a183eda)
		8
		9	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/c313849c2e5133802e21b13fa0b141b360171d39]
		10	CVE: CVE-2024-37535
		11	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		12	---
		13	src/vtegtk.cc \| 35 +++++++++++++++++++++++++++++++++++
		14	1 file changed, 35 insertions(+)
		15
		16	diff --git a/src/vtegtk.cc b/src/vtegtk.cc
		17	index 0f4641d..060d27e 100644
		18	--- a/src/vtegtk.cc
		19	+++ b/src/vtegtk.cc
		20	@@ -91,6 +91,38 @@
		21	template<typename T>
		22	constexpr bool check_enum_value(T value) noexcept;
		23
		24	+static inline void
		25	+sanitise_widget_size_request(int* minimum,
		26	+ int* natural) noexcept
		27	+{
		28	+ // Overly large size requests will make gtk happily allocate
		29	+ // a window size over the window system's limits (see
		30	+ // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
		31	+ // leading to aborting the whole process.
		32	+ // The toolkit should be in a better position to know about
		33	+ // these limits and not exceed them (which here is certainly
		34	+ // possible since our minimum sizes are very small), let's
		35	+ // limit the widget's size request to some large value
		36	+ // that hopefully is within the absolute limits of
		37	+ // the window system (assumed here to be int16 range,
		38	+ // and leaving some space for the widgets that contain
		39	+ // the terminal).
		40	+ auto const limit = (1 << 15) - (1 << 12);
		41	+
		42	+ if (minimum > limit \|\| natural > limit) {
		43	+ static auto warned = false;
		44	+
		45	+ if (!warned) {
		46	+ g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
		47	+ minimum, natural);
		48	+ warned = true;
		49	+ }
		50	+ }
		51	+
		52	+ minimum = std::min(minimum, limit);
		53	+ natural = std::clamp(natural, *minimum, limit);
		54	+}
		55	+
		56	struct _VteTerminalClassPrivate {
		57	GtkStyleProvider *style_provider;
		58	};
		59	@@ -497,6 +529,7 @@ try
		60	{
		61	VteTerminal *terminal = VTE_TERMINAL(widget);
		62	WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
		63	+ sanitise_widget_size_request(minimum_width, natural_width);
		64	}
		65	catch (...)
		66	{
		67	@@ -511,6 +544,7 @@ try
		68	{
		69	VteTerminal *terminal = VTE_TERMINAL(widget);
		70	WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
		71	+ sanitise_widget_size_request(minimum_height, natural_height);
		72	}
		73	catch (...)
		74	{
		75	@@ -748,6 +782,7 @@ try
		76	WIDGET(terminal)->measure(orientation, for_size,
		77	minimum, natural,
		78	minimum_baseline, natural_baseline);
		79	+ sanitise_widget_size_request(minimum, natural);
		80	}
		81	catch (...)
		82	{
		83	--
		84	2.25.1
		85


diff --git a/meta/recipes-support/vte/vte_0.74.2.bb b/meta/recipes-support/vte/vte_0.74.2.bb index d8eafde2fb..af9ff1bb1d 100644 --- a/meta/recipes-support/vte/vte_0.74.2.bb +++ b/meta/recipes-support/vte/vte_0.74.2.bb
@@ -18,7 +18,10 @@ GIDOCGEN_MESON_OPTION = "docs"
18		18
19	inherit gnomebase gi-docgen features_check upstream-version-is-even gobject-introspection systemd vala	19	inherit gnomebase gi-docgen features_check upstream-version-is-even gobject-introspection systemd vala
20		20
21	SRC_URI += "file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch"	21	SRC_URI += "file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch \
		22	file://CVE-2024-37535-01.patch \
		23	file://CVE-2024-37535-02.patch \
		24	"
22	SRC_URI[archive.sha256sum] = "a535fb2a98fea8a2449cd1a02cccf5190131dddff52e715afdace3feb536eae7"	25	SRC_URI[archive.sha256sum] = "a535fb2a98fea8a2449cd1a02cccf5190131dddff52e715afdace3feb536eae7"
23		26
24	ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"	27	ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"