From 0fc9d446d17391e33dfb5e6d42313a5bd38fd930 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Sun, 22 Aug 2021 11:56:47 -0700 Subject: xterm: Security fix for CVE-2021-27135 Source: Debian.org MR: 108848 Type: Security Fix Disposition: Backport from https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff ChangeID: 00f53def87b8b95e62908581f8fb56a69118dd32 Description: xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence. This fixes CVE-2021-27135. Leverage a patch from Debian. Signed-off-by: Armin Kuster --- .../xorg-app/xterm/CVE-2021-27135.patch | 68 ++++++++++++++++++++++ meta-oe/recipes-graphics/xorg-app/xterm_353.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch new file mode 100644 index 0000000000..937b2176aa --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch @@ -0,0 +1,68 @@ +Description: Fix for CVE-2021-27135 from xterm 366 + Correct upper-limit for selection buffer, accounting for + combining characters (report by Tavis Ormandy). + +Upstream-Status: Backport +https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff +CVE: CVE-2021-27135 +Signed-off-by: Armin Kuster + +--- + button.c | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +Index: xterm-353/button.c +=================================================================== +--- xterm-353.orig/button.c ++++ xterm-353/button.c +@@ -3928,6 +3928,7 @@ SaltTextAway(XtermWidget xw, + int i; + int eol; + int need = 0; ++ size_t have = 0; + Char *line; + Char *lp; + CELL first = *cellc; +@@ -3962,7 +3963,11 @@ SaltTextAway(XtermWidget xw, + + /* UTF-8 may require more space */ + if_OPT_WIDE_CHARS(screen, { +- need *= 4; ++ if (need > 0) { ++ if (screen->max_combining > 0) ++ need += screen->max_combining; ++ need *= 6; ++ } + }); + + /* now get some memory to save it in */ +@@ -4000,10 +4005,26 @@ SaltTextAway(XtermWidget xw, + } + *lp = '\0'; /* make sure we have end marked */ + +- TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line), +- visibleChars(line, (unsigned) (lp - line)))); ++ have = (size_t) (lp - line); ++ /* ++ * Scanning the buffer twice is unnecessary. Discard unwanted memory if ++ * the estimate is too-far off. ++ */ ++ if ((have * 2) < (size_t) need) { ++ Char *next; ++ scp->data_limit = have + 1; ++ next = realloc(line, scp->data_limit); ++ if (next == NULL) { ++ free(line); ++ scp->data_length = 0; ++ scp->data_limit = 0; ++ } ++ scp->data_buffer = next; ++ } ++ scp->data_length = have; + +- scp->data_length = (size_t) (lp - line); ++ TRACE(("Salted TEXT:%u:%s\n", (unsigned) have, ++ visibleChars(scp->data_buffer, (unsigned) have))); + } + + #if OPT_PASTE64 diff --git a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb index 06c285924d..264320212c 100644 --- a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb +++ b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://xterm.h;beginline=3;endline=31;md5=996b1ce0584c0747b1 SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \ file://0001-Add-configure-time-check-for-setsid.patch \ + file://CVE-2021-27135.patch \ " SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f" -- cgit 1.2.3-korg