On 2021-02-18 17:54 +0100, Sven Joachim wrote:

> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: Salvatore Bonaccorso <carnil@debian.org>, Julien Cristau <jcristau@debian.org>, Sven Joachim <svenjoac@gmx.de>
>
> I would like to fix bug #982439/CVE-2021-27135[1] in Buster, a potential
> DoS against xterm when the user selects specially crafted text. The fix
> is already in testing and applies unmodified to the version in Buster;
> the code in question had not seen any changes since then. The xterm
> package in Stretch-LTS has also already been patched.

It turned out that the patch was insufficient and introduced new problems
reported in bug #984615. Fortunately, upstream had already fixed it in
xterm 365e/366. Please find an updated debdiff attached; with it, the
SaltTextAway() function in question is identical to the one in xterm 366
(bullseye/sid).

Apologies for not having tested the initial patch thoroughly enough.

Cheers,
       Sven
diff -Nru xterm-344/debian/changelog xterm-344/debian/changelog --- xterm-344/debian/changelog 2019-02-14 18:04:18.000000000 +0100 +++ xterm-344/debian/changelog 2021-03-07 17:53:16.000000000 +0100 @@ -1,3 +1,11 @@ +xterm (344-1+deb10u1) buster; urgency=medium + + * Apply upstream fix from xterm 366 for CVE-2021-27135. + - Correct upper-limit for selection buffer, accounting for combining + characters (Closes: #982439). + + -- Sven Joachim <svenjoac@gmx.de> Sun, 07 Mar 2021 17:53:16 +0100 + xterm (344-1) unstable; urgency=medium * New upstream release. diff -Nru xterm-344/debian/patches/CVE-2021-27135.diff xterm-344/debian/patches/CVE-2021-27135.diff --- xterm-344/debian/patches/CVE-2021-27135.diff 1970-01-01 01:00:00.000000000 +0100 +++ xterm-344/debian/patches/CVE-2021-27135.diff 2021-03-07 17:36:55.000000000 +0100 
@@ -0,0 +1,61 @@ +Description: Fix for CVE-2021-27135 from xterm 366 + Correct upper-limit for selection buffer, accounting for + combining characters (report by Tavis Ormandy). + +--- + button.c | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +--- a/button.c ++++ b/button.c +@@ -3914,6 +3914,7 @@ SaltTextAway(XtermWidget xw, + int i; + int eol; + int need = 0; ++ size_t have = 0; + Char *line; + Char *lp; + CELL first = *cellc; +@@ -3948,7 +3949,11 @@ SaltTextAway(XtermWidget xw, + + /* UTF-8 may require more space */ + if_OPT_WIDE_CHARS(screen, { +- need *= 4; ++ if (need > 0) { ++ if (screen->max_combining > 0) ++ need += screen->max_combining; ++ need *= 6; ++ } + }); + + /* now get some memory to save it in */ +@@ -3986,10 +3991,26 @@ SaltTextAway(XtermWidget xw, + } + *lp = '\0'; /* make sure we have end marked */ + +- TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line), +- visibleChars(line, (unsigned) (lp - line)))); ++ have = (size_t) (lp - line); ++ /* ++ * Scanning the buffer twice is unnecessary. Discard unwanted memory if ++ * the estimate is too-far off. ++ */ ++ if ((have * 2) < (size_t) need) { ++ Char *next; ++ scp->data_limit = have + 1; ++ next = realloc(line, scp->data_limit); ++ if (next == NULL) { ++ free(line); ++ scp->data_length = 0; ++ scp->data_limit = 0; ++ } ++ scp->data_buffer = next; ++ } ++ scp->data_length = have; + +- scp->data_length = (size_t) (lp - line); ++ TRACE(("Salted TEXT:%u:%s\n", (unsigned) have, ++ visibleChars(scp->data_buffer, (unsigned) have))); + } + + #if OPT_PASTE64 diff -Nru xterm-344/debian/patches/series xterm-344/debian/patches/series --- xterm-344/debian/patches/series 2019-02-13 17:54:29.000000000 +0100 +++ xterm-344/debian/patches/series 2021-03-05 22:10:42.000000000 +0100 @@ -1,3 +1,4 @@ 900_debian_xterm.diff 902_windowops.diff 904_fontops.diff +CVE-2021-27135.diff
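Review bot: in the `if_OPT_WIDE_CHARS` hunk (`@@ -3948,7 +3949,11 @@`) the combining-character allowance is added to `need` exactly once for the whole selection (`need += screen->max_combining;`) before `need *= 6;`, so the estimate grows by a constant rather than per selected cell. If every cell can carry up to `max_combining` combining characters, each encoded in up to 6 bytes, the worst case is closer to `need * (1 + screen->max_combining) * 6`; please confirm against the code that fills the buffer (not shown in this hunk) that the per-cell combining output really is bounded by that single pad, or widen the estimate. `need` is also an `int`, so `need *= 6` can overflow on very large selections; computing the bound in `size_t` with an explicit overflow check would be safer.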
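Review bot: in the shrink block of `@@ -3986,10 +3991,26 @@`, the realloc failure path sets `scp->data_length = 0;` but that is immediately overwritten by the unconditional `scp->data_length = have;` after the `if`, so after a failed `realloc()` the widget is left with `scp->data_buffer == NULL` and `data_length == have`, and the following `TRACE((... visibleChars(scp->data_buffer, (unsigned) have)))` reads through the NULL pointer. Either return from the function inside the `next == NULL` branch, or set `have = 0;` there so the recorded length and the trace agree with the empty buffer. `line` and `lp` are also stale after a successful `realloc()`; nothing below uses them, but a `line = next;` (or a comment saying they must not be used) would make that explicit.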
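Review bot: the header of debian/patches/CVE-2021-27135.diff carries only a `Description:`; since this is a backport of an upstream change, add the DEP-3 fields `Origin: upstream` (pointing at xterm 366), `Bug-Debian: https://bugs.debian.org/982439` and `Last-Update:` so the provenance stated in the changelog entry can be verified from the patch itself.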
Attachment:
signature.asc
Description: PGP signature