
Re: squeeze update of screen?



On Wed, Sep 2, 2015 at 3:33 PM, Axel Beckert <abe@debian.org> wrote:
> Santiago Ruano Rincón wrote:
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Squeeze version of screen:
>> https://security-tracker.debian.org/tracker/source-package/screen
>>
>> Would you like to take care of this yourself?
>
> Let's phrase it this way: I don't mind if someone else does it.
OK, the proposed patch is attached. Only build tested - it compiles
fine in a clean Squeeze chroot.

> I'll work on the updates for Jessie and Wheezy first, though.
Feel free to drop my patch entirely if you want.

Regards,
Laszlo/GCS
diff -u screen-4.0.3/debian/changelog screen-4.0.3/debian/changelog
--- screen-4.0.3/debian/changelog
+++ screen-4.0.3/debian/changelog
@@ -1,3 +1,9 @@
+screen (4.0.3-14+deb6u1) squeeze-security; urgency=high
+
+  * Fix stack overflow due to too deep recursion.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 02 Sep 2015 18:53:14 +0200
+
 screen (4.0.3-14) unstable; urgency=low
 
   * Cherry-pick a few upstream commits:
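Review bot: the new changelog bullet at the top of this hunk reads only "Fix stack overflow due to too deep recursion" and names neither a CVE identifier nor a Debian bug number, so the upload cannot be matched against the open issues on the security tracker page linked earlier in the thread. Add the identifier(s) listed on the tracker to the bullet, and name the patch file (61denial-of-service-stack-overflow-fix) so the entry points at what actually changed.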
diff -u screen-4.0.3/debian/patches/00list screen-4.0.3/debian/patches/00list
--- screen-4.0.3/debian/patches/00list
+++ screen-4.0.3/debian/patches/00list
@@ -44,0 +45 @@
+61denial-of-service-stack-overflow-fix
only in patch2:
unchanged:
--- screen-4.0.3.orig/debian/patches/61denial-of-service-stack-overflow-fix.dpatch
+++ screen-4.0.3/debian/patches/61denial-of-service-stack-overflow-fix.dpatch
@@ -0,0 +1,44 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 61denial-of-service-stack-overflow-fix.dpatch by Kuang-che Wu <kcwu@csie.org>
+##
+## DP: Fix stack overflow due to too deep recursion
+
+@DPATCH@
+--- a/ansi.c
++++ b/ansi.c
+@@ -2425,13 +2425,13 @@ int n, ys, ye, bce;
+     return;
+   if (n > 0)
+     {
++      if (ye - ys + 1 < n)
++	n = ye - ys + 1;
+       if (n > 256)
+ 	{
+ 	  MScrollV(p, n - 256, ys, ye, bce);
+ 	  n = 256;
+ 	}
+-      if (ye - ys + 1 < n)
+-	n = ye - ys + 1;
+ #ifdef COPY_PASTE
+       if (compacthist)
+ 	{
+@@ -2482,14 +2482,14 @@ int n, ys, ye, bce;
+     }
+   else
+     {
+-      if (n < -256)
+-	{
+-	  MScrollV(p, n + 256, ys, ye, bce);
+-	  n = -256;
+-	}
+       n = -n;
+       if (ye - ys + 1 < n)
+ 	n = ye - ys + 1;
++      if (n > 256)
++	{
++	  MScrollV(p, - (n - 256), ys, ye, bce);
++	  n = 256;
++	}
+ 
+       ml = p->w_mlines + ye;
+       /* Clear lines */
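Review bot: in both ansi.c hunks the fix depends entirely on the clamp `n = ye - ys + 1` now running before the `n > 256` split, and nothing in the dpatch documents that. The recursive MScrollV call is still there; its depth is now bounded by the scroll region height divided by 256 instead of by the caller-supplied n, so moving the clamp back below the split would reintroduce the deep recursion. Suggest a short comment above the clamp in each branch saying it must stay ahead of the recursive call, and an origin line in the dpatch header, since the DP: line gives only a one-line summary. In the negative branch the argument `- (n - 256)` is computed after `n = -n` and the clamp, which mirrors the positive branch; as the message says the patch was only build tested, a run that scrolls a region taller than 256 lines in both directions would confirm the two branches behave the same.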
