mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
xterm: Security fix for CVE-2021-27135
Source: Debian.org MR: 108848 Type: Security Fix Disposition: Backport from https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff ChangeID: 00f53def87b8b95e62908581f8fb56a69118dd32 Description: xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence. This fixes CVE-2021-27135. Leverage a patch from Debian. Signed-off-by: Armin Kuster <akuster@mvista.com>
This commit is contained in:
@@ -0,0 +1,68 @@
|
|||||||
|
Description: Fix for CVE-2021-27135 from xterm 366
|
||||||
|
Correct upper-limit for selection buffer, accounting for
|
||||||
|
combining characters (report by Tavis Ormandy).
|
||||||
|
|
||||||
|
Upstream-Status: Backport
|
||||||
|
https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff
|
||||||
|
CVE: CVE-2021-27135
|
||||||
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
button.c | 29 +++++++++++++++++++++++++----
|
||||||
|
1 file changed, 25 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
Index: xterm-353/button.c
|
||||||
|
===================================================================
|
||||||
|
--- xterm-353.orig/button.c
|
||||||
|
+++ xterm-353/button.c
|
||||||
|
@@ -3928,6 +3928,7 @@ SaltTextAway(XtermWidget xw,
|
||||||
|
int i;
|
||||||
|
int eol;
|
||||||
|
int need = 0;
|
||||||
|
+ size_t have = 0;
|
||||||
|
Char *line;
|
||||||
|
Char *lp;
|
||||||
|
CELL first = *cellc;
|
||||||
|
@@ -3962,7 +3963,11 @@ SaltTextAway(XtermWidget xw,
|
||||||
|
|
||||||
|
/* UTF-8 may require more space */
|
||||||
|
if_OPT_WIDE_CHARS(screen, {
|
||||||
|
- need *= 4;
|
||||||
|
+ if (need > 0) {
|
||||||
|
+ if (screen->max_combining > 0)
|
||||||
|
+ need += screen->max_combining;
|
||||||
|
+ need *= 6;
|
||||||
|
+ }
|
||||||
|
});
|
||||||
|
|
||||||
|
/* now get some memory to save it in */
|
||||||
|
@@ -4000,10 +4005,26 @@ SaltTextAway(XtermWidget xw,
|
||||||
|
}
|
||||||
|
*lp = '\0'; /* make sure we have end marked */
|
||||||
|
|
||||||
|
- TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line),
|
||||||
|
- visibleChars(line, (unsigned) (lp - line))));
|
||||||
|
+ have = (size_t) (lp - line);
|
||||||
|
+ /*
|
||||||
|
+ * Scanning the buffer twice is unnecessary. Discard unwanted memory if
|
||||||
|
+ * the estimate is too-far off.
|
||||||
|
+ */
|
||||||
|
+ if ((have * 2) < (size_t) need) {
|
||||||
|
+ Char *next;
|
||||||
|
+ scp->data_limit = have + 1;
|
||||||
|
+ next = realloc(line, scp->data_limit);
|
||||||
|
+ if (next == NULL) {
|
||||||
|
+ free(line);
|
||||||
|
+ scp->data_length = 0;
|
||||||
|
+ scp->data_limit = 0;
|
||||||
|
+ }
|
||||||
|
+ scp->data_buffer = next;
|
||||||
|
+ }
|
||||||
|
+ scp->data_length = have;
|
||||||
|
|
||||||
|
- scp->data_length = (size_t) (lp - line);
|
||||||
|
+ TRACE(("Salted TEXT:%u:%s\n", (unsigned) have,
|
||||||
|
+ visibleChars(scp->data_buffer, (unsigned) have)));
|
||||||
|
}
|
||||||
|
|
||||||
|
#if OPT_PASTE64
|
||||||
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://xterm.h;beginline=3;endline=31;md5=996b1ce0584c0747b1
|
|||||||
|
|
||||||
SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
|
SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
|
||||||
file://0001-Add-configure-time-check-for-setsid.patch \
|
file://0001-Add-configure-time-check-for-setsid.patch \
|
||||||
|
file://CVE-2021-27135.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f"
|
SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f"
|
||||||
|
|||||||
Reference in New Issue
Block a user