
Bug#1005232: bullseye-pu: package xterm/366-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

I have uploaded xterm 366-1+deb11u1 to fix #1004689 aka CVE-2022-24130
in bullseye.

[ Reason ]
CVE-2022-24130: xterm through Patch 370, when Sixel support is enabled,
allows attackers to trigger a buffer overflow in set_sixel in
graphics_sixel.c via crafted text.

[ Impact ]
An attacker could cause xterm to crash or possibly do worse things,
e.g. by luring the victim to cat(1) a specially crafted file.  In its
default configuration xterm does not interpret Sixel graphics; the user
needs to set the decTerminalID resource to a non-standard value or
invoke xterm with the -ti switch to enable Sixel support and become
vulnerable.

[ Tests ]
I have verified that the testcase at [1] no longer causes a crash with
the attached patch.

[ Risks ]
No official upstream release has been made yet, but the issue has been
addressed in current snapshots at [2].  The patch has been taken from
there and is identical to the one that went into xterm 370-2, currently
in unstable and testing.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Cheers,
       Sven


1. https://www.openwall.com/lists/oss-security/2022/01/30/3
2. https://github.com/ThomasDickey/xterm-snapshots/
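As an added illustration (not xterm's code and not part of the bug report), a small C model of the set_sixel() bounds test before and after the patch: MW, MH and the flat row-major image buffer are constructed assumptions, not xterm's Graphic layout. It shows that the pre-patch test, which checked only the upper bounds, lets a negative column or row through, while the patched test refuses the sixel and reports it so the caller can quit.

```c
/* Added example, not xterm's code: a model of the set_sixel() bounds test
 * before and after the CVE-2022-24130 patch.  The image is a constructed
 * row-major buffer of MH*MW bytes; xterm's Graphic layout is not reproduced. */
#include <stdbool.h>

#define MW 8   /* constructed max_width  */
#define MH 12  /* constructed max_height */

static unsigned char image[MH * MW];

/* Draws one sixel column at (col, row).  patched == false reproduces the old
 * test (upper bounds only); patched == true the new one (lower and upper
 * bounds, quit on the first bad pixel).  Returns how many set bits the test let
 * through to a coordinate outside the image; *ok gets the patched Boolean. */
static int model_set_sixel(int col, int row, int sixel, bool patched, bool *ok)
{
    int leaked = 0;
    *ok = true;
    for (int pix = 0; pix < 6; pix++) {
        int r = row + pix;
        bool in = patched ? (col >= 0 && col < MW && r >= 0 && r < MH)
                          : (col < MW && r < MH);
        if (!in) {
            if (patched) { *ok = false; return leaked; }
            continue;                   /* old code just skipped the pixel */
        }
        if (!(sixel & (1 << pix)))
            continue;
        if (col < 0 || r < 0)
            leaked++;                   /* old test passed a negative index */
        else
            image[r * MW + col] = 1;
    }
    return leaked;
}

/* Out-of-image writes the old test permits for one sixel. */
int old_test_leaks(int col, int row, int sixel)
{
    bool ok;
    return model_set_sixel(col, row, sixel, false, &ok);
}

/* Whether the patched test accepts the sixel (false means "quit"). */
bool new_test_accepts(int col, int row, int sixel)
{
    bool ok;
    model_set_sixel(col, row, sixel, true, &ok);
    return ok;
}
```

Note that the patched test also refuses a sixel that merely straddles the bottom edge (row + pix reaching MH), which the old test silently clipped; that is the "quit that operation" behaviour the changelog describes.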

diff -Nru xterm-366/debian/changelog xterm-366/debian/changelog
--- xterm-366/debian/changelog	2021-02-11 10:31:09.000000000 +0100
+++ xterm-366/debian/changelog	2022-02-07 20:14:01.000000000 +0100
@@ -1,3 +1,12 @@
+xterm (366-1+deb11u1) bullseye; urgency=medium
+
+  * Cherry-pick sixel graphics fixes from xterm 370d and 370f.
+    - Check for out-of-bounds condition while drawing sixels, and quit
+      that operation (report by Nick Black (CVE-2022-24130),
+      Closes: #1004689).
+
+ -- Sven Joachim <svenjoac@gmx.de>  Mon, 07 Feb 2022 20:14:01 +0100
+
 xterm (366-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru xterm-366/debian/patches/CVE-2022-24130.diff xterm-366/debian/patches/CVE-2022-24130.diff
--- xterm-366/debian/patches/CVE-2022-24130.diff	1970-01-01 01:00:00.000000000 +0100
+++ xterm-366/debian/patches/CVE-2022-24130.diff	2022-02-07 20:12:57.000000000 +0100
@@ -0,0 +1,73 @@
+Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f
+ Check for out-of-bounds condition while drawing sixels, and quit that
+ operation (report by Nick Black, CVE-2022-24130).
+Bug-Debian: https://bugs.debian.org/1004689
+
+---
+ graphics_sixel.c |   25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/graphics_sixel.c
++++ b/graphics_sixel.c
+@@ -149,7 +149,7 @@ init_sixel_background(Graphic *graphic,
+     graphic->color_registers_used[context->background] = 1;
+ }
+ 
+-static void
++static Boolean
+ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+ {
+     const int mh = graphic->max_height;
+@@ -170,7 +170,10 @@ set_sixel(Graphic *graphic, SixelContext
+ 	   ((color != COLOR_HOLE)
+ 	    ? (unsigned) graphic->color_registers[color].b : 0U)));
+     for (pix = 0; pix < 6; pix++) {
+-	if (context->col < mw && context->row + pix < mh) {
++	if (context->col >= 0 &&
++	    context->col < mw &&
++	    context->row + pix >= 0 &&
++	    context->row + pix < mh) {
+ 	    if (sixel & (1 << pix)) {
+ 		if (context->col + 1 > graphic->actual_width) {
+ 		    graphic->actual_width = context->col + 1;
+@@ -183,8 +186,10 @@ set_sixel(Graphic *graphic, SixelContext
+ 	    }
+ 	} else {
+ 	    TRACE(("sixel pixel %d out of bounds\n", pix));
++	    return False;
+ 	}
+     }
++    return True;
+ }
+ 
+ static void
+@@ -462,8 +467,12 @@ parse_sixel(XtermWidget xw, ANSI *params
+ 		init_sixel_background(graphic, &context);
+ 		graphic->valid = 1;
+ 	    }
+-	    if (sixel)
+-		set_sixel(graphic, &context, sixel);
++	    if (sixel) {
++		if (!set_sixel(graphic, &context, sixel)) {
++		    context.col = 0;
++		    break;
++		}
++	    }
+ 	    context.col++;
+ 	} else if (ch == '$') {	/* DECGCR */
+ 	    /* ignore DECCRNLM in sixel mode */
+@@ -531,8 +540,12 @@ parse_sixel(XtermWidget xw, ANSI *params
+ 	    if (sixel) {
+ 		int i;
+ 		for (i = 0; i < Pcount; i++) {
+-		    set_sixel(graphic, &context, sixel);
+-		    context.col++;
++		    if (set_sixel(graphic, &context, sixel)) {
++			context.col++;
++		    } else {
++			context.col = 0;
++			break;
++		    }
+ 		}
+ 	    } else {
+ 		context.col += Pcount;
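Review bot: the two parse_sixel() call sites react differently when set_sixel() returns False. At the first site the `break` in `if (!set_sixel(graphic, &context, sixel)) { context.col = 0; break; }` leaves whatever loop encloses that block, whereas at the `!` repeat site the `break` only exits the inner `for (i = 0; i < Pcount; i++)` loop, after which parsing carries on with `context.col` reset to 0. If that asymmetry is intended (abandon the sixel at one site, drop the rest of the repeat count at the other), a one-line comment at the second site would help; otherwise consider handling both sites the same way. The patch header could also spell out the behavioural change: besides adding the `col >= 0` and `row + pix >= 0` lower-bound checks the old test lacked, set_sixel() now returns False on the first out-of-bounds pixel, so a column that merely straddles the bottom edge, which the old code silently clipped, now stops drawing.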
diff -Nru xterm-366/debian/patches/series xterm-366/debian/patches/series
--- xterm-366/debian/patches/series	2021-02-11 10:28:06.000000000 +0100
+++ xterm-366/debian/patches/series	2022-02-07 20:12:57.000000000 +0100
@@ -1,3 +1,4 @@
 900_debian_xterm.diff
 902_windowops.diff
 904_fontops.diff
+CVE-2022-24130.diff
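Review bot: CVE-2022-24130.diff is appended after the 900/902/904 Debian-specific patches, so it is applied on top of them rather than on pristine upstream source. That only matters if one of those patches touches graphics_sixel.c, but the usual convention is to list upstream cherry-picks before distro-specific patches so they apply cleanly and can be dropped unchanged at the next upstream sync; consider moving it ahead of 900_debian_xterm.diff if the hunks still apply there.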
