Your message dated Sat, 20 Mar 2021 21:24:26 +0530
with message-id <CAPP0f94boM55htNN2S7L9=vp4L-Teyow4Mj0wXruq2Xj4befsQ@mail.gmail.com>
and subject line Re: Bug#984615: xterm: bug in CVE-2021-27135 patch in at least stretch
has caused the Debian Bug report #984615,
regarding xterm: bug in CVE-2021-27135 patch in at least stretch
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
984615: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984615
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Utkarsh Gupta <utkarsh@debian.org>, submit@bugs.debian.org
- Subject: xterm: bug in CVE-2021-27135 patch in at least stretch
- From: Thorsten Glaser <tg@mirbsd.de>
- Date: Fri, 5 Mar 2021 20:49:39 +0000 (UTC)
- Message-id: <Pine.BSM.4.64L.2103052043370.10313@herc.mirbsd.org>

Source: xterm
Version: 327-2+deb9u1
Severity: serious
Justification: introduces use-after-realloc

debian/patches/CVE-2021-27135.patch changes button.c line (after patching) 3747 to:

    line = realloc(line, screen->selection_size);

But “line” is a local variable, the address of the buffer must be stored in the one handed out, too, so please change this to:

    if ((have * 2) < (size_t) j) {
        Char *next = realloc(line, have + 1);
        if (next) {
            screen->selection_data = line = next;
            screen->selection_size = have + 1;
        }
    }

This also deals properly with realloc failures (since we’re shrinking, ignore them and just keep the older, larger area).

I’ve not looked at jessie-ELTS or buster-security whether they are affected as well; sid is clean (and where I got the realloc failure check necessity from, although sid’s free()s the buffer if realloc fails; this isn’t needed @Tom).

bye,
//mirabilos
--
<ch> you introduced a merge commit              │<mika> % g rebase -i HEAD^^
<mika> sorry, no idea and rebasing just fscked  │<mika> Segmentation
<ch> should have cloned into a clean repo       │  fault (core dumped)
<ch> if I rebase that now, it's really ugh      │<mika:#grml> wuahhhhhh
--- End Message ---
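
Added example, not xterm's code and not part of the original message: the shrink pattern from the report above as a self-contained C program. `struct screen_stub`, `shrink_selection`, `demo` and the two test allocators are hypothetical names; `moving_realloc` always relocates the block, which is the case where assigning only the local `line` would leave `selection_data` dangling.

```c
#include <stdlib.h>
#include <string.h>

typedef unsigned char Char;
/* Hypothetical stand-in for the two screen fields named in the report. */
struct screen_stub { Char *selection_data; size_t selection_size; };
typedef void *(*realloc_fn)(void *, size_t);

/* Test allocator (shrink only): always relocates and frees the old block. */
static void *moving_realloc(void *old, size_t n) {
    void *fresh = malloc(n);
    if (fresh) { memcpy(fresh, old, n); free(old); }
    return fresh;
}

/* Test allocator: always fails and leaves the old block untouched. */
static void *failing_realloc(void *old, size_t n) {
    (void) old; (void) n;
    return NULL;
}

/* Shrink to have+1 bytes; returns the pointer the caller must keep using. */
static Char *shrink_selection(struct screen_stub *screen, Char *line,
                              size_t have, int j, realloc_fn re) {
    if ((have * 2) < (size_t) j) {
        Char *next = re(line, have + 1);
        if (next) {
            screen->selection_data = line = next; /* owner and alias together */
            screen->selection_size = have + 1;
        } /* on failure keep the older, larger block: both pointers stay valid */
    }
    return line;
}

/* Returns 1 when owner and alias agree, the size matches and data survived. */
static int demo(realloc_fn re, size_t expect_size) {
    struct screen_stub s = { malloc(64), 64 };
    if (!s.selection_data) return 0;
    memcpy(s.selection_data, "abc", 4);   /* constructed sample selection */
    Char *line = shrink_selection(&s, s.selection_data, 3, 64, re);
    int ok = line == s.selection_data && s.selection_size == expect_size
             && memcmp(line, "abc", 4) == 0;
    free(s.selection_data);               /* single owner, single free */
    return ok;
}

int main(void) {
    return !(demo(moving_realloc, 4) && demo(failing_realloc, 64));
}
```

Building with `-fsanitize=address` and replacing the owner update with a plain `line = next;` makes the final `free(s.selection_data)` report a double free under `moving_realloc`.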
--- Begin Message ---
- To: 984615-done@bugs.debian.org
- Cc: Thorsten Glaser <tg@mirbsd.de>, Sven Joachim <svenjoac@gmx.de>, dickey@his.com
- Subject: Re: Bug#984615: xterm: bug in CVE-2021-27135 patch in at least stretch
- From: Utkarsh Gupta <utkarsh@debian.org>
- Date: Sat, 20 Mar 2021 21:24:26 +0530
- Message-id: <CAPP0f94boM55htNN2S7L9=vp4L-Teyow4Mj0wXruq2Xj4befsQ@mail.gmail.com>
- In-reply-to: <20210306193522.GA9209@prl-debianold-64.jexium-island.net>
- References: <CAPP0f95m95SBuskPhL5XjG91MbNG_wDV74ZMsbejqvys5ccDiA@mail.gmail.com> <87im646uq6.fsf@turtle.gmx.de> <Pine.BSM.4.64L.2103052043370.10313@herc.mirbsd.org> <Pine.BSM.4.64L.2103061804080.4852@herc.mirbsd.org> <20210306193522.GA9209@prl-debianold-64.jexium-island.net>

Hello,

Thanks to Thomas for his help, I've uploaded a fix for this regression (by reverting the backport of that part of the patch which was not necessary for this CVE fix).

And thanks to Thorsten for his comprehensive bug report and to Sven for further debugging and taking a look.

Thorsten, could you please test the latest upload and see if everything works alright for you?

Please note that I haven't yet announced the update. I'll do so after I get confirmation on the above thingy^.

- u
--- End Message ---