gnu: vte-0.28: Fix CVE-2012-2738.
* gnu/packages/gnome.scm (vte-0.28)[source]: Add patches. * gnu/packages/patches/vte-CVE-2012-2738-pt1.patch, gnu/packages/patches/vte-CVE-2012-2738-pt2.patch: New variables. * gnu/local.mk (dist_patch_DATA): Add them.
This commit is contained in:
parent
4f3e02f198
commit
7d48938a59
|
@ -779,6 +779,8 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/vorbis-tools-CVE-2014-9640.patch \
|
%D%/packages/patches/vorbis-tools-CVE-2014-9640.patch \
|
||||||
%D%/packages/patches/vorbis-tools-CVE-2015-6749.patch \
|
%D%/packages/patches/vorbis-tools-CVE-2015-6749.patch \
|
||||||
%D%/packages/patches/vpnc-script.patch \
|
%D%/packages/patches/vpnc-script.patch \
|
||||||
|
%D%/packages/patches/vte-CVE-2012-2738-pt1.patch \
|
||||||
|
%D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
|
||||||
%D%/packages/patches/vtk-mesa-10.patch \
|
%D%/packages/patches/vtk-mesa-10.patch \
|
||||||
%D%/packages/patches/w3m-libgc.patch \
|
%D%/packages/patches/w3m-libgc.patch \
|
||||||
%D%/packages/patches/w3m-force-ssl_verify_server-on.patch \
|
%D%/packages/patches/w3m-force-ssl_verify_server-on.patch \
|
||||||
|
|
|
@ -1820,7 +1820,10 @@ editors, IDEs, etc.")
|
||||||
name "-" version ".tar.xz"))
|
name "-" version ".tar.xz"))
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"1bmhahkf8wdsra9whd3k5l5z4rv7r58ksr8mshzajgq2ma0hpkw6"))))
|
"1bmhahkf8wdsra9whd3k5l5z4rv7r58ksr8mshzajgq2ma0hpkw6"))
|
||||||
|
(patches (search-patches
|
||||||
|
"vte-CVE-2012-2738-pt1.patch"
|
||||||
|
"vte-CVE-2012-2738-pt2.patch"))))
|
||||||
(arguments
|
(arguments
|
||||||
'(#:configure-flags '("--disable-python")))
|
'(#:configure-flags '("--disable-python")))
|
||||||
(native-inputs
|
(native-inputs
|
||||||
|
|
|
@ -0,0 +1,40 @@
|
||||||
|
From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Persch <chpe@gnome.org>
|
||||||
|
Date: Sat, 19 May 2012 17:36:09 +0000
|
||||||
|
Subject: emulation: Limit integer arguments to 65535
|
||||||
|
|
||||||
|
To guard against malicious sequences containing excessively big numbers,
|
||||||
|
limit all parsed numbers to 16 bit range. Doing this here in the parsing
|
||||||
|
routine is a catch-all guard; this doesn't preclude enforcing
|
||||||
|
more stringent limits in the handlers themselves.
|
||||||
|
|
||||||
|
https://bugzilla.gnome.org/show_bug.cgi?id=676090
|
||||||
|
---
|
||||||
|
diff --git a/src/table.c b/src/table.c
|
||||||
|
index 140e8c8..85cf631 100644
|
||||||
|
--- a/src/table.c
|
||||||
|
+++ b/src/table.c
|
||||||
|
@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
|
||||||
|
if (G_UNLIKELY (*array == NULL)) {
|
||||||
|
*array = g_value_array_new(1);
|
||||||
|
}
|
||||||
|
- g_value_set_long(&value, total);
|
||||||
|
+ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
|
||||||
|
g_value_array_append(*array, &value);
|
||||||
|
} while (i++ < arginfo->length);
|
||||||
|
g_value_unset(&value);
|
||||||
|
diff --git a/src/vteseq.c b/src/vteseq.c
|
||||||
|
index 457c06a..46def5b 100644
|
||||||
|
--- a/src/vteseq.c
|
||||||
|
+++ b/src/vteseq.c
|
||||||
|
@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
|
||||||
|
GValueArray *params,
|
||||||
|
VteTerminalSequenceHandler handler)
|
||||||
|
{
|
||||||
|
- vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG);
|
||||||
|
+ vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
--
|
||||||
|
cgit v0.9.0.2
|
|
@ -0,0 +1,82 @@
|
||||||
|
From 98ce2f265f986fb88c38d508286bb5e3716b9e74 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Persch <chpe@gnome.org>
|
||||||
|
Date: Sat, 19 May 2012 18:04:12 +0000
|
||||||
|
Subject: emulation: Limit repetitions
|
||||||
|
|
||||||
|
Don't allow malicious sequences to cause excessive repetitions.
|
||||||
|
|
||||||
|
https://bugzilla.gnome.org/show_bug.cgi?id=676090
|
||||||
|
---
|
||||||
|
diff --git a/src/vteseq.c b/src/vteseq.c
|
||||||
|
index 46def5b..7fb4707 100644
|
||||||
|
--- a/src/vteseq.c
|
||||||
|
+++ b/src/vteseq.c
|
||||||
|
@@ -1397,7 +1397,7 @@ vte_sequence_handler_dc (VteTerminal *terminal, GValueArray *params)
|
||||||
|
static void
|
||||||
|
vte_sequence_handler_DC (VteTerminal *terminal, GValueArray *params)
|
||||||
|
{
|
||||||
|
- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_dc);
|
||||||
|
+ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_dc);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Delete a line at the current cursor position. */
|
||||||
|
@@ -1790,7 +1790,7 @@ vte_sequence_handler_reverse_index (VteTerminal *terminal, GValueArray *params)
|
||||||
|
static void
|
||||||
|
vte_sequence_handler_RI (VteTerminal *terminal, GValueArray *params)
|
||||||
|
{
|
||||||
|
- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_nd);
|
||||||
|
+ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_nd);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Save cursor (position). */
|
||||||
|
@@ -2782,8 +2782,7 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params)
|
||||||
|
{
|
||||||
|
GValue *value;
|
||||||
|
VteScreen *screen;
|
||||||
|
- long param, end, row;
|
||||||
|
- int i;
|
||||||
|
+ long param, end, row, i, limit;
|
||||||
|
screen = terminal->pvt->screen;
|
||||||
|
/* The default is one. */
|
||||||
|
param = 1;
|
||||||
|
@@ -2801,7 +2800,13 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params)
|
||||||
|
} else {
|
||||||
|
end = screen->insert_delta + terminal->row_count - 1;
|
||||||
|
}
|
||||||
|
- /* Insert the new lines at the cursor. */
|
||||||
|
+
|
||||||
|
+ /* Only allow to insert as many lines as there are between this row
|
||||||
|
+ * and the end of the scrolling region. See bug #676090.
|
||||||
|
+ */
|
||||||
|
+ limit = end - row + 1;
|
||||||
|
+ param = MIN (param, limit);
|
||||||
|
+
|
||||||
|
for (i = 0; i < param; i++) {
|
||||||
|
/* Clear a line off the end of the region and add one to the
|
||||||
|
* top of the region. */
|
||||||
|
@@ -2822,8 +2827,7 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params)
|
||||||
|
{
|
||||||
|
GValue *value;
|
||||||
|
VteScreen *screen;
|
||||||
|
- long param, end, row;
|
||||||
|
- int i;
|
||||||
|
+ long param, end, row, i, limit;
|
||||||
|
|
||||||
|
screen = terminal->pvt->screen;
|
||||||
|
/* The default is one. */
|
||||||
|
@@ -2842,6 +2846,13 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params)
|
||||||
|
} else {
|
||||||
|
end = screen->insert_delta + terminal->row_count - 1;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /* Only allow to delete as many lines as there are between this row
|
||||||
|
+ * and the end of the scrolling region. See bug #676090.
|
||||||
|
+ */
|
||||||
|
+ limit = end - row + 1;
|
||||||
|
+ param = MIN (param, limit);
|
||||||
|
+
|
||||||
|
/* Clear them from below the current cursor. */
|
||||||
|
for (i = 0; i < param; i++) {
|
||||||
|
/* Insert a line at the end of the region and remove one from
|
||||||
|
--
|
||||||
|
cgit v0.9.0.2
|
Loading…
Reference in New Issue