Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Salvatore Bonaccorso <carnil@debian.org>, Julien Cristau <jcristau@debian.org>, Sven Joachim <svenjoac@gmx.de>

I would like to fix bug #982439/CVE-2021-27135[1] in Buster, a potential DoS against xterm when the user selects specially crafted text.

The fix is already in testing and applies unmodified to the version in Buster; the code in question had not seen any changes since then. The xterm package in Stretch-LTS has also already been patched. At [2] there is the upstream source of the patch.

Thanks for considering.

1. https://bugs.debian.org/982439
2. https://github.com/ThomasDickey/xterm-snapshots/commit/82ba55b8f994ab30ff561a347b82ea340ba7075c#diff-1316a8dc8f904428cd95f29accdea9fff33e680f9f30216391d8df33d2f9f806
diff -Nru xterm-344/debian/changelog xterm-344/debian/changelog --- xterm-344/debian/changelog 2019-02-14 18:04:18.000000000 +0100 +++ xterm-344/debian/changelog 2021-02-18 17:39:44.000000000 +0100 @@ -1,3 +1,11 @@ +xterm (344-1+deb10u1) buster; urgency=medium + + * Apply upstream fix from xterm 365d for CVE-2021-27135. + - Correct upper-limit for selection buffer, accounting for combining + characters (Closes: #982439). + + -- Sven Joachim <svenjoac@gmx.de> Thu, 18 Feb 2021 17:39:44 +0100 + xterm (344-1) unstable; urgency=medium * New upstream release. diff -Nru xterm-344/debian/patches/CVE-2021-27135.diff xterm-344/debian/patches/CVE-2021-27135.diff --- xterm-344/debian/patches/CVE-2021-27135.diff 1970-01-01 01:00:00.000000000 +0100 +++ xterm-344/debian/patches/CVE-2021-27135.diff 2021-02-17 19:28:55.000000000 +0100 
@@ -0,0 +1,55 @@ +Description: Fix for CVE-2021-27135 from xterm 365d + Correct upper-limit for selection buffer, accounting for + combining characters (report by Tavis Ormandy). + +--- + button.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/button.c ++++ b/button.c +@@ -3914,6 +3914,7 @@ SaltTextAway(XtermWidget xw, + int i; + int eol; + int need = 0; ++ size_t have = 0; + Char *line; + Char *lp; + CELL first = *cellc; +@@ -3948,7 +3949,11 @@ SaltTextAway(XtermWidget xw, + + /* UTF-8 may require more space */ + if_OPT_WIDE_CHARS(screen, { +- need *= 4; ++ if (need > 0) { ++ if (screen->max_combining > 0) ++ need += screen->max_combining; ++ need *= 6; ++ } + }); + + /* now get some memory to save it in */ +@@ -3986,10 +3991,20 @@ SaltTextAway(XtermWidget xw, + } + *lp = '\0'; /* make sure we have end marked */ + +- TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line), +- visibleChars(line, (unsigned) (lp - line)))); ++ have = (size_t) (lp - line); ++ /* ++ * Scanning the buffer twice is unnecessary. Discard unwanted memory if ++ * the estimate is too-far off. ++ */ ++ if ((have * 2) < (size_t) need) { ++ scp->data_limit = have + 1; ++ line = realloc(line, scp->data_limit); ++ } ++ ++ TRACE(("Salted TEXT:%u:%s\n", (unsigned) have, ++ visibleChars(line, (unsigned) have))); + +- scp->data_length = (size_t) (lp - line); ++ scp->data_length = have; + } + + #if OPT_PASTE64 diff -Nru xterm-344/debian/patches/series xterm-344/debian/patches/series --- xterm-344/debian/patches/series 2019-02-13 17:54:29.000000000 +0100 +++ xterm-344/debian/patches/series 2021-02-17 18:51:05.000000000 +0100 @@ -1,3 +1,4 @@ 900_debian_xterm.diff 902_windowops.diff 904_fontops.diff +CVE-2021-27135.diff
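Review bot: In the if_OPT_WIDE_CHARS hunk of SaltTextAway (button.c, around line 3948), need is still a plain int ("int need = 0;") and is now increased by screen->max_combining and then multiplied by 6 with no upper bound check, so the size estimate can overflow before the allocation that follows. Consider doing this arithmetic in size_t, or rejecting values above INT_MAX / 6 before multiplying. The comment "UTF-8 may require more space" should also say where the factor 6 and the max_combining term come from.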
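Review bot: In the last SaltTextAway hunk (button.c, around line 3986), "line = realloc(line, scp->data_limit);" assigns the result straight back to line without a NULL check, so a failed realloc leaks the original block and hands a NULL pointer to visibleChars() in the TRACE that follows, after scp->data_limit has already been lowered. Assign the result to a temporary and keep the old buffer and limit on failure. Since realloc may also move the block, whatever pointer scp keeps to this buffer has to be updated too; the hunk writes scp->data_limit and scp->data_length but no buffer pointer.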