Bug#983051: buster-pu: package xterm/344-1+deb10u1
On 2021-03-13 17:27 +, Adam D. Barratt wrote:

> Control: tags -1 + confirmed
>
> On Sun, 2021-03-07 at 18:21 +0100, Sven Joachim wrote:
>> On 2021-02-18 17:54 +0100, Sven Joachim wrote:
> [...]
>> > I would like to fix bug #982439/CVE-2021-27135[1] in Buster, a potential
>> > DoS against xterm when the user selects specially crafted text. The fix
>> > is already in testing and applies unmodified to the version in Buster,
>> > the code in question had not seen any changes since then. The xterm
>> > package in Stretch-LTS has also already been patched.
>>
>> It turned out that the patch was insufficient and introduced new
>> problems reported in bug #984615. Fortunately, upstream had already
>> fixed it in xterm 365e/366.
>>
>> Please find an updated debdiff attached, with it the SaltTextAway()
>> function in question is identical to the one in xterm 366
>> (bullseye/sid). Apologies for not having tested the initial patch
>> thoroughly enough.
>>
>
> Please go ahead.

Thanks, uploaded.

Cheers,
Sven
Bug#983051: buster-pu: package xterm/344-1+deb10u1
Control: tags -1 + confirmed

On Sun, 2021-03-07 at 18:21 +0100, Sven Joachim wrote:
> On 2021-02-18 17:54 +0100, Sven Joachim wrote:
[...]
> > I would like to fix bug #982439/CVE-2021-27135[1] in Buster, a potential
> > DoS against xterm when the user selects specially crafted text. The fix
> > is already in testing and applies unmodified to the version in Buster,
> > the code in question had not seen any changes since then. The xterm
> > package in Stretch-LTS has also already been patched.
>
> It turned out that the patch was insufficient and introduced new
> problems reported in bug #984615. Fortunately, upstream had already
> fixed it in xterm 365e/366.
>
> Please find an updated debdiff attached, with it the SaltTextAway()
> function in question is identical to the one in xterm 366
> (bullseye/sid). Apologies for not having tested the initial patch
> thoroughly enough.
>

Please go ahead.

Regards,

Adam
Bug#983051: buster-pu: package xterm/344-1+deb10u1
On 2021-02-18 17:54 +0100, Sven Joachim wrote:

> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: Salvatore Bonaccorso, Julien Cristau, Sven Joachim
>
> I would like to fix bug #982439/CVE-2021-27135[1] in Buster, a potential
> DoS against xterm when the user selects specially crafted text. The fix
> is already in testing and applies unmodified to the version in Buster,
> the code in question had not seen any changes since then. The xterm
> package in Stretch-LTS has also already been patched.

It turned out that the patch was insufficient and introduced new
problems reported in bug #984615. Fortunately, upstream had already
fixed it in xterm 365e/366.

Please find an updated debdiff attached, with it the SaltTextAway()
function in question is identical to the one in xterm 366
(bullseye/sid). Apologies for not having tested the initial patch
thoroughly enough.

Cheers,
Sven

diff -Nru xterm-344/debian/changelog xterm-344/debian/changelog --- xterm-344/debian/changelog 2019-02-14 18:04:18.0 +0100 +++ xterm-344/debian/changelog 2021-03-07 17:53:16.0 +0100 @@ -1,3 +1,11 @@ +xterm (344-1+deb10u1) buster; urgency=medium + + * Apply upstream fix from xterm 366 for CVE-2021-27135. +- Correct upper-limit for selection buffer, accounting for combining + characters (Closes: #982439). + + -- Sven Joachim Sun, 07 Mar 2021 17:53:16 +0100 + xterm (344-1) unstable; urgency=medium * New upstream release. diff -Nru xterm-344/debian/patches/CVE-2021-27135.diff xterm-344/debian/patches/CVE-2021-27135.diff --- xterm-344/debian/patches/CVE-2021-27135.diff 1970-01-01 01:00:00.0 +0100 +++ xterm-344/debian/patches/CVE-2021-27135.diff 2021-03-07 17:36:55.0 +0100 
@@ -0,0 +1,61 @@ +Description: Fix for CVE-2021-27135 from xterm 366 + Correct upper-limit for selection buffer, accounting for + combining characters (report by Tavis Ormandy). + +--- + button.c | 29 + + 1 file changed, 25 insertions(+), 4 deletions(-) + +--- a/button.c b/button.c +@@ -3914,6 +3914,7 @@ SaltTextAway(XtermWidget xw, + int i; + int eol; + int need = 0; ++size_t have = 0; + Char *line; + Char *lp; + CELL first = *cellc; +@@ -3948,7 +3949,11 @@ SaltTextAway(XtermWidget xw, + + /* UTF-8 may require more space */ + if_OPT_WIDE_CHARS(screen, { +- need *= 4; ++ if (need > 0) { ++ if (screen->max_combining > 0) ++ need += screen->max_combining; ++ need *= 6; ++ } + }); + + /* now get some memory to save it in */ +@@ -3986,10 +3991,26 @@ SaltTextAway(XtermWidget xw, + } + *lp = '\0'; /* make sure we have end marked */ + +-TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line), +- visibleChars(line, (unsigned) (lp - line; ++have = (size_t) (lp - line); ++/* ++ * Scanning the buffer twice is unnecessary. Discard unwanted memory if ++ * the estimate is too-far off. ++ */ ++if ((have * 2) < (size_t) need) { ++ Char *next; ++ scp->data_limit = have + 1; ++ next = realloc(line, scp->data_limit); ++ if (next == NULL) { ++ free(line); ++ scp->data_length = 0; ++ scp->data_limit = 0; ++ } ++ scp->data_buffer = next; ++} ++scp->data_length = have; + +-scp->data_length = (size_t) (lp - line); ++TRACE(("Salted TEXT:%u:%s\n", (unsigned) have, ++ visibleChars(scp->data_buffer, (unsigned) have))); + } + + #if OPT_PASTE64 diff -Nru xterm-344/debian/patches/series xterm-344/debian/patches/series --- xterm-344/debian/patches/series 2019-02-13 17:54:29.0 +0100 +++ xterm-344/debian/patches/series 2021-03-05 22:10:42.0 +0100 @@ -1,3 +1,4 @@ 900_debian_xterm.diff 902_windowops.diff 904_fontops.diff +CVE-2021-27135.diff signature.asc Description: PGP signature
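Review bot: In the last button.c hunk (@@ -3986,10 +3991,26 @@), the realloc failure branch sets scp->data_length = 0, but the unconditional "scp->data_length = have;" right after the if block overwrites it. A failed shrink therefore leaves data_buffer NULL and data_limit 0 with a non-zero data_length, and the TRACE line then hands that NULL buffer to visibleChars() with length have. Suggest assigning data_length = have only on the success path (an else branch, or a return straight after the cleanup) so the three fields stay consistent for whatever reads the selection next.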
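Review bot: In the if_OPT_WIDE_CHARS hunk (@@ -3948,7 +3949,11 @@), the new size bound is undocumented: "need += screen->max_combining;" adds the combining allowance once to the running total rather than per cell, and the multiplier moves from 4 to 6, while the only comment is still "UTF-8 may require more space". Since this estimate is the upper limit the CVE fix rests on, a short comment saying what each term covers and why a single max_combining addition is sufficient would let a reviewer check the bound. need is also still a plain int (see the "int need = 0;" context line in the first hunk), so it would help to note what keeps need * 6 in range.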
Bug#983051: buster-pu: package xterm/344-1+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Salvatore Bonaccorso, Julien Cristau, Sven Joachim

I would like to fix bug #982439/CVE-2021-27135[1] in Buster, a potential
DoS against xterm when the user selects specially crafted text. The fix
is already in testing and applies unmodified to the version in Buster,
the code in question had not seen any changes since then. The xterm
package in Stretch-LTS has also already been patched.

At [2] there is the upstream source of the patch.

Thanks for considering.

1. https://bugs.debian.org/982439
2. https://github.com/ThomasDickey/xterm-snapshots/commit/82ba55b8f994ab30ff561a347b82ea340ba7075c#diff-1316a8dc8f904428cd95f29accdea9fff33e680f9f30216391d8df33d2f9f806

diff -Nru xterm-344/debian/changelog xterm-344/debian/changelog --- xterm-344/debian/changelog 2019-02-14 18:04:18.0 +0100 +++ xterm-344/debian/changelog 2021-02-18 17:39:44.0 +0100 @@ -1,3 +1,11 @@ +xterm (344-1+deb10u1) buster; urgency=medium + + * Apply upstream fix from xterm 365d for CVE-2021-27135. +- Correct upper-limit for selection buffer, accounting for combining + characters (Closes: #982439). + + -- Sven Joachim Thu, 18 Feb 2021 17:39:44 +0100 + xterm (344-1) unstable; urgency=medium * New upstream release. diff -Nru xterm-344/debian/patches/CVE-2021-27135.diff xterm-344/debian/patches/CVE-2021-27135.diff --- xterm-344/debian/patches/CVE-2021-27135.diff 1970-01-01 01:00:00.0 +0100 +++ xterm-344/debian/patches/CVE-2021-27135.diff 2021-02-17 19:28:55.0 +0100 
@@ -0,0 +1,55 @@ +Description: Fix for CVE-2021-27135 from xterm 365d + Correct upper-limit for selection buffer, accounting for + combining characters (report by Tavis Ormandy). + +--- + button.c | 23 +++ + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/button.c b/button.c +@@ -3914,6 +3914,7 @@ SaltTextAway(XtermWidget xw, + int i; + int eol; + int need = 0; ++size_t have = 0; + Char *line; + Char *lp; + CELL first = *cellc; +@@ -3948,7 +3949,11 @@ SaltTextAway(XtermWidget xw, + + /* UTF-8 may require more space */ + if_OPT_WIDE_CHARS(screen, { +- need *= 4; ++ if (need > 0) { ++ if (screen->max_combining > 0) ++ need += screen->max_combining; ++ need *= 6; ++ } + }); + + /* now get some memory to save it in */ +@@ -3986,10 +3991,20 @@ SaltTextAway(XtermWidget xw, + } + *lp = '\0'; /* make sure we have end marked */ + +-TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line), +- visibleChars(line, (unsigned) (lp - line; ++have = (size_t) (lp - line); ++/* ++ * Scanning the buffer twice is unnecessary. Discard unwanted memory if ++ * the estimate is too-far off. ++ */ ++if ((have * 2) < (size_t) need) { ++ scp->data_limit = have + 1; ++ line = realloc(line, scp->data_limit); ++} ++ ++TRACE(("Salted TEXT:%u:%s\n", (unsigned) have, ++ visibleChars(line, (unsigned) have))); + +-scp->data_length = (size_t) (lp - line); ++scp->data_length = have; + } + + #if OPT_PASTE64 diff -Nru xterm-344/debian/patches/series xterm-344/debian/patches/series --- xterm-344/debian/patches/series 2019-02-13 17:54:29.0 +0100 +++ xterm-344/debian/patches/series 2021-02-17 18:51:05.0 +0100 @@ -1,3 +1,4 @@ 900_debian_xterm.diff 902_windowops.diff 904_fontops.diff +CVE-2021-27135.diff signature.asc Description: PGP signature
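Review bot: In the last button.c hunk (@@ -3986,10 +3991,20 @@), "line = realloc(line, scp->data_limit);" is unchecked and writes the result only to the local line. If realloc fails, the sole local pointer to the block is replaced with NULL, data_limit has already been lowered to have + 1, and the TRACE that follows passes NULL to visibleChars(). If realloc moves the block, the new address lives only in line, which goes out of scope at the closing brace a few lines later. The revised debdiff in this thread assigns "scp->data_buffer = next;", which indicates that scp keeps its own pointer to this buffer, and that pointer would be left stale here. Suggest reallocating into a temporary, handling NULL explicitly, and storing the result back through scp.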
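Review bot: The header of debian/patches/CVE-2021-27135.diff carries only a Description field, so the patch file itself does not record where the change came from or which bug it addresses. Suggest adding an Origin field pointing at the upstream commit linked as [2] in the request and a Bug-Debian field for #982439, so the provenance stays with the patch once it is separated from this thread.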