[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
06/07: gnu: vte-0.28: Fix CVE-2012-2738.
|
From: |
Efraim Flashner |
|
Subject: |
06/07: gnu: vte-0.28: Fix CVE-2012-2738. |
|
Date: |
Mon, 30 May 2016 09:09:31 +0000 (UTC) |
efraim pushed a commit to branch master
in repository guix.
commit 7d48938a590c676e6f140a976bfcf26aadeb008a
Author: Efraim Flashner <address@hidden>
Date: Mon May 30 11:53:45 2016 +0300
gnu: vte-0.28: Fix CVE-2012-2738.
* gnu/packages/gnome.scm (vte-0.28)[source]: Add patches.
* gnu/packages/patches/vte-CVE-2012-2738-pt1.patch,
gnu/packages/patches/vte-CVE-2012-2738-pt2.patch: New variables.
* gnu/local.mk (dist_patch_DATA): Add them.
---
gnu/local.mk | 2 +
gnu/packages/gnome.scm | 5 +-
gnu/packages/patches/vte-CVE-2012-2738-pt1.patch | 40 +++++++++++
gnu/packages/patches/vte-CVE-2012-2738-pt2.patch | 82 ++++++++++++++++++++++
4 files changed, 128 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 1f2c2dd..dc1b521 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -779,6 +779,8 @@ dist_patch_DATA =
\
%D%/packages/patches/vorbis-tools-CVE-2014-9640.patch \
%D%/packages/patches/vorbis-tools-CVE-2015-6749.patch \
%D%/packages/patches/vpnc-script.patch \
+ %D%/packages/patches/vte-CVE-2012-2738-pt1.patch \
+ %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
%D%/packages/patches/vtk-mesa-10.patch \
%D%/packages/patches/w3m-libgc.patch \
%D%/packages/patches/w3m-force-ssl_verify_server-on.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 04d9bb7..0d9c946 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -1820,7 +1820,10 @@ editors, IDEs, etc.")
name "-" version ".tar.xz"))
(sha256
(base32
- "1bmhahkf8wdsra9whd3k5l5z4rv7r58ksr8mshzajgq2ma0hpkw6"))))
+ "1bmhahkf8wdsra9whd3k5l5z4rv7r58ksr8mshzajgq2ma0hpkw6"))
+ (patches (search-patches
+ "vte-CVE-2012-2738-pt1.patch"
+ "vte-CVE-2012-2738-pt2.patch"))))
(arguments
'(#:configure-flags '("--disable-python")))
(native-inputs
diff --git a/gnu/packages/patches/vte-CVE-2012-2738-pt1.patch
b/gnu/packages/patches/vte-CVE-2012-2738-pt1.patch
new file mode 100644
index 0000000..fd45407
--- /dev/null
+++ b/gnu/packages/patches/vte-CVE-2012-2738-pt1.patch
@@ -0,0 +1,40 @@
+From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001
+From: Christian Persch <address@hidden>
+Date: Sat, 19 May 2012 17:36:09 +0000
+Subject: emulation: Limit integer arguments to 65535
+
+To guard against malicious sequences containing excessively big numbers,
+limit all parsed numbers to 16 bit range. Doing this here in the parsing
+routine is a catch-all guard; this doesn't preclude enforcing
+more stringent limits in the handlers themselves.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=676090
+---
+diff --git a/src/table.c b/src/table.c
+index 140e8c8..85cf631 100644
+--- a/src/table.c
++++ b/src/table.c
+@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
+ if (G_UNLIKELY (*array == NULL)) {
+ *array = g_value_array_new(1);
+ }
+- g_value_set_long(&value, total);
++ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
+ g_value_array_append(*array, &value);
+ } while (i++ < arginfo->length);
+ g_value_unset(&value);
+diff --git a/src/vteseq.c b/src/vteseq.c
+index 457c06a..46def5b 100644
+--- a/src/vteseq.c
++++ b/src/vteseq.c
+@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
+ GValueArray *params,
+ VteTerminalSequenceHandler handler)
+ {
+- vte_sequence_handler_multiple_limited(terminal, params, handler,
G_MAXLONG);
++ vte_sequence_handler_multiple_limited(terminal, params, handler,
G_MAXUSHORT);
+ }
+
+ static void
+--
+cgit v0.9.0.2
diff --git a/gnu/packages/patches/vte-CVE-2012-2738-pt2.patch
b/gnu/packages/patches/vte-CVE-2012-2738-pt2.patch
new file mode 100644
index 0000000..e98fd35
--- /dev/null
+++ b/gnu/packages/patches/vte-CVE-2012-2738-pt2.patch
@@ -0,0 +1,82 @@
+From 98ce2f265f986fb88c38d508286bb5e3716b9e74 Mon Sep 17 00:00:00 2001
+From: Christian Persch <address@hidden>
+Date: Sat, 19 May 2012 18:04:12 +0000
+Subject: emulation: Limit repetitions
+
+Don't allow malicious sequences to cause excessive repetitions.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=676090
+---
+diff --git a/src/vteseq.c b/src/vteseq.c
+index 46def5b..7fb4707 100644
+--- a/src/vteseq.c
++++ b/src/vteseq.c
+@@ -1397,7 +1397,7 @@ vte_sequence_handler_dc (VteTerminal *terminal,
GValueArray *params)
+ static void
+ vte_sequence_handler_DC (VteTerminal *terminal, GValueArray *params)
+ {
+- vte_sequence_handler_multiple(terminal, params,
vte_sequence_handler_dc);
++ vte_sequence_handler_multiple_r(terminal, params,
vte_sequence_handler_dc);
+ }
+
+ /* Delete a line at the current cursor position. */
+@@ -1790,7 +1790,7 @@ vte_sequence_handler_reverse_index (VteTerminal
*terminal, GValueArray *params)
+ static void
+ vte_sequence_handler_RI (VteTerminal *terminal, GValueArray *params)
+ {
+- vte_sequence_handler_multiple(terminal, params,
vte_sequence_handler_nd);
++ vte_sequence_handler_multiple_r(terminal, params,
vte_sequence_handler_nd);
+ }
+
+ /* Save cursor (position). */
+@@ -2782,8 +2782,7 @@ vte_sequence_handler_insert_lines (VteTerminal
*terminal, GValueArray *params)
+ {
+ GValue *value;
+ VteScreen *screen;
+- long param, end, row;
+- int i;
++ long param, end, row, i, limit;
+ screen = terminal->pvt->screen;
+ /* The default is one. */
+ param = 1;
+@@ -2801,7 +2800,13 @@ vte_sequence_handler_insert_lines (VteTerminal
*terminal, GValueArray *params)
+ } else {
+ end = screen->insert_delta + terminal->row_count - 1;
+ }
+- /* Insert the new lines at the cursor. */
++
++ /* Only allow to insert as many lines as there are between this row
++ * and the end of the scrolling region. See bug #676090.
++ */
++ limit = end - row + 1;
++ param = MIN (param, limit);
++
+ for (i = 0; i < param; i++) {
+ /* Clear a line off the end of the region and add one to the
+ * top of the region. */
+@@ -2822,8 +2827,7 @@ vte_sequence_handler_delete_lines (VteTerminal
*terminal, GValueArray *params)
+ {
+ GValue *value;
+ VteScreen *screen;
+- long param, end, row;
+- int i;
++ long param, end, row, i, limit;
+
+ screen = terminal->pvt->screen;
+ /* The default is one. */
+@@ -2842,6 +2846,13 @@ vte_sequence_handler_delete_lines (VteTerminal
*terminal, GValueArray *params)
+ } else {
+ end = screen->insert_delta + terminal->row_count - 1;
+ }
++
++ /* Only allow to delete as many lines as there are between this row
++ * and the end of the scrolling region. See bug #676090.
++ */
++ limit = end - row + 1;
++ param = MIN (param, limit);
++
+ /* Clear them from below the current cursor. */
+ for (i = 0; i < param; i++) {
+ /* Insert a line at the end of the region and remove one from
+--
+cgit v0.9.0.2
- branch master updated (538884c -> 5f1ba08), Efraim Flashner, 2016/05/30
- 01/07: gnu: tinyproxy: Update to 1.8.4 [Fixes CVE-2012-3505]., Efraim Flashner, 2016/05/30
- 02/07: gnu: dtach: Update to 0.9 [Fixes CVE-2012-3368]., Efraim Flashner, 2016/05/30
- 03/07: gnu: dtach: Use 'modify-phases'., Efraim Flashner, 2016/05/30
- 04/07: download: Update Sourceforge mirrors., Efraim Flashner, 2016/05/30
- 06/07: gnu: vte-0.28: Fix CVE-2012-2738.,
Efraim Flashner <=
- 05/07: gnu: t1lib: Fix CVE-2010-2642, CVE-2011-{0764, 1552, 1553, 1554}., Efraim Flashner, 2016/05/30
- 07/07: gnu: gegl: Fix CVE-2012-4433., Efraim Flashner, 2016/05/30