On 2021-02-18 17:54 +0100, Sven Joachim wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: Salvatore Bonaccorso <carnil@debian.org>, Julien Cristau <jcristau@debian.org>, Sven Joachim <svenjoac@gmx.de>
>
> I would like to fix bug #982439/CVE-2021-27135[1] in Buster, a potential
> DoS against xterm when the user selects specially crafted text. The fix
> is already in testing and applies unmodified to the version in Buster,
> the code in question had not seen any changes since then. The xterm
> package in Stretch-LTS has also already been patched.
It turned out that the patch was insufficient and introduced new
problems reported in bug #984615. Fortunately, upstream had already
fixed it in xterm 365e/366.
Please find an updated debdiff attached, with it the SaltTextAway()
function in question is identical to the one in xterm 366
(bullseye/sid). Apologies for not having tested the initial patch
thoroughly enough.
Cheers,
Sven
diff -Nru xterm-344/debian/changelog xterm-344/debian/changelog
--- xterm-344/debian/changelog 2019-02-14 18:04:18.000000000 +0100
+++ xterm-344/debian/changelog 2021-03-07 17:53:16.000000000 +0100
@@ -1,3 +1,11 @@
+xterm (344-1+deb10u1) buster; urgency=medium
+
+ * Apply upstream fix from xterm 366 for CVE-2021-27135.
+ - Correct upper-limit for selection buffer, accounting for combining
+ characters (Closes: #982439).
+
+ -- Sven Joachim <svenjoac@gmx.de> Sun, 07 Mar 2021 17:53:16 +0100
+
xterm (344-1) unstable; urgency=medium
* New upstream release.
diff -Nru xterm-344/debian/patches/CVE-2021-27135.diff xterm-344/debian/patches/CVE-2021-27135.diff
--- xterm-344/debian/patches/CVE-2021-27135.diff 1970-01-01 01:00:00.000000000 +0100
+++ xterm-344/debian/patches/CVE-2021-27135.diff 2021-03-07 17:36:55.000000000 +0100
@@ -0,0 +1,61 @@
+Description: Fix for CVE-2021-27135 from xterm 366
+ Correct upper-limit for selection buffer, accounting for
+ combining characters (report by Tavis Ormandy).
+
+---
+ button.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+--- a/button.c
++++ b/button.c
+@@ -3914,6 +3914,7 @@ SaltTextAway(XtermWidget xw,
+ int i;
+ int eol;
+ int need = 0;
++ size_t have = 0;
+ Char *line;
+ Char *lp;
+ CELL first = *cellc;
+@@ -3948,7 +3949,11 @@ SaltTextAway(XtermWidget xw,
+
+ /* UTF-8 may require more space */
+ if_OPT_WIDE_CHARS(screen, {
+- need *= 4;
++ if (need > 0) {
++ if (screen->max_combining > 0)
++ need += screen->max_combining;
++ need *= 6;
++ }
+ });
+
+ /* now get some memory to save it in */
+@@ -3986,10 +3991,26 @@ SaltTextAway(XtermWidget xw,
+ }
+ *lp = '\0'; /* make sure we have end marked */
+
+- TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line),
+- visibleChars(line, (unsigned) (lp - line))));
++ have = (size_t) (lp - line);
++ /*
++ * Scanning the buffer twice is unnecessary. Discard unwanted memory if
++ * the estimate is too-far off.
++ */
++ if ((have * 2) < (size_t) need) {
++ Char *next;
++ scp->data_limit = have + 1;
++ next = realloc(line, scp->data_limit);
++ if (next == NULL) {
++ free(line);
++ scp->data_length = 0;
++ scp->data_limit = 0;
++ }
++ scp->data_buffer = next;
++ }
++ scp->data_length = have;
+
+- scp->data_length = (size_t) (lp - line);
++ TRACE(("Salted TEXT:%u:%s\n", (unsigned) have,
++ visibleChars(scp->data_buffer, (unsigned) have)));
+ }
+
+ #if OPT_PASTE64
diff -Nru xterm-344/debian/patches/series xterm-344/debian/patches/series
--- xterm-344/debian/patches/series 2019-02-13 17:54:29.000000000 +0100
+++ xterm-344/debian/patches/series 2021-03-05 22:10:42.000000000 +0100
@@ -1,3 +1,4 @@
900_debian_xterm.diff
902_windowops.diff
904_fontops.diff
+CVE-2021-27135.diff
Attachment:
signature.asc
Description: PGP signature