Hello community, here is the log from the commit of package vte2 for openSUSE:Factory checked in at 2012-07-30 09:47:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vte2 (Old) and /work/SRC/openSUSE:Factory/.vte2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vte2", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/vte2/vte2.changes 2012-05-21 07:32:56.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.vte2.new/vte2.changes 2012-07-30 09:48:10.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Jul 25 06:52:56 UTC 2012 - vu...@opensuse.org + +- Add vte-CVE-2012-2738.patch: fix potential DoS through malicious + escape sequences. Fix bnc#772761, CVE-2012-2738. + +------------------------------------------------------------------- New: ---- vte-CVE-2012-2738.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vte2.spec ++++++ --- /var/tmp/diff_new_pack.7bR0CR/_old 2012-07-30 09:48:27.000000000 +0200 +++ /var/tmp/diff_new_pack.7bR0CR/_new 2012-07-30 09:48:27.000000000 +0200 @@ -33,6 +33,8 @@ Source: http://download.gnome.org/sources/vte/0.28/%{_name}-%{version}.tar.bz2 # PATCH-FIX-UPSTREAM vte-keymaps.patch bnc#754350 bgo#663779 dims...@opensuse.org -- keymap: Treat ALT as META. Patch from tracker, comment 38. So far the likeliest candidate to be merged. Patch0: vte-keymaps.patch +# PATCH-FIX-UPTREAM vte-CVE-2012-2738.patch bnc#772761 bgo#676090 CVE-2012-2738 vu...@opensuse.org -- malicious escape sequences can cause denial of service, taken from git +Patch1: vte-CVE-2012-2738.patch BuildRequires: fdupes BuildRequires: gobject-introspection-devel BuildRequires: gtk2-devel @@ -147,6 +149,7 @@ %prep %setup -q -n %{_name}-%{version} %patch0 -p1 +%patch1 -p1 translation-update-upstream %build ++++++ vte-CVE-2012-2738.patch ++++++ >From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001 From: Christian Persch <c...@gnome.org> Date: Sat, 19 May 2012 17:36:09 +0000 Subject: emulation: Limit integer arguments to 65535 To guard against malicious sequences containing excessively big numbers, limit all parsed numbers to 16 bit range. Doing this here in the parsing routine is a catch-all guard; this doesn't preclude enforcing more stringent limits in the handlers themselves. https://bugzilla.gnome.org/show_bug.cgi?id=676090 --- diff --git a/src/table.c b/src/table.c index 140e8c8..85cf631 100644 --- a/src/table.c +++ b/src/table.c @@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array, if (G_UNLIKELY (*array == NULL)) { *array = g_value_array_new(1); } - g_value_set_long(&value, total); + g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT)); g_value_array_append(*array, &value); } while (i++ < arginfo->length); g_value_unset(&value); diff --git a/src/vteseq.c b/src/vteseq.c index 457c06a..46def5b 100644 --- a/src/vteseq.c +++ b/src/vteseq.c @@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal, GValueArray *params, VteTerminalSequenceHandler handler) { - vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG); + vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT); } static void -- cgit v0.9.0.2 >From 98ce2f265f986fb88c38d508286bb5e3716b9e74 Mon Sep 17 00:00:00 2001 From: Christian Persch <c...@gnome.org> Date: Sat, 19 May 2012 18:04:12 +0000 Subject: emulation: Limit repetitions Don't allow malicious sequences to cause excessive repetitions. https://bugzilla.gnome.org/show_bug.cgi?id=676090 --- diff --git a/src/vteseq.c b/src/vteseq.c index 46def5b..7fb4707 100644 --- a/src/vteseq.c +++ b/src/vteseq.c @@ -1397,7 +1397,7 @@ vte_sequence_handler_dc (VteTerminal *terminal, GValueArray *params) static void vte_sequence_handler_DC (VteTerminal *terminal, GValueArray *params) { - vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_dc); + vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_dc); } /* Delete a line at the current cursor position. */ @@ -1790,7 +1790,7 @@ vte_sequence_handler_reverse_index (VteTerminal *terminal, GValueArray *params) static void vte_sequence_handler_RI (VteTerminal *terminal, GValueArray *params) { - vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_nd); + vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_nd); } /* Save cursor (position). */ @@ -2782,8 +2782,7 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params) { GValue *value; VteScreen *screen; - long param, end, row; - int i; + long param, end, row, i, limit; screen = terminal->pvt->screen; /* The default is one. */ param = 1; @@ -2801,7 +2800,13 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params) } else { end = screen->insert_delta + terminal->row_count - 1; } - /* Insert the new lines at the cursor. */ + + /* Only allow to insert as many lines as there are between this row + * and the end of the scrolling region. See bug #676090. + */ + limit = end - row + 1; + param = MIN (param, limit); + for (i = 0; i < param; i++) { /* Clear a line off the end of the region and add one to the * top of the region. */ @@ -2822,8 +2827,7 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params) { GValue *value; VteScreen *screen; - long param, end, row; - int i; + long param, end, row, i, limit; screen = terminal->pvt->screen; /* The default is one. */ @@ -2842,6 +2846,13 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params) } else { end = screen->insert_delta + terminal->row_count - 1; } + + /* Only allow to delete as many lines as there are between this row + * and the end of the scrolling region. See bug #676090. + */ + limit = end - row + 1; + param = MIN (param, limit); + /* Clear them from below the current cursor. */ for (i = 0; i < param; i++) { /* Insert a line at the end of the region and remove one from -- cgit v0.9.0.2 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org