Bug#984615: marked as done (xterm: bug in CVE-2021-27135 patch in at least stretch)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 20 Mar 2021 21:24:26 +0530
with message-id <CAPP0f94boM55htNN2S7L9=vp4L-Teyow4Mj0wXruq2Xj4befsQ@mail.gmail.com>
and subject line Re: Bug#984615: xterm: bug in CVE-2021-27135 patch in at least stretch
has caused the Debian Bug report #984615,
regarding xterm: bug in CVE-2021-27135 patch in at least stretch
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
984615: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984615
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Utkarsh Gupta <utkarsh@debian.org>, submit@bugs.debian.org
• Subject: xterm: bug in CVE-2021-27135 patch in at least stretch
• From: Thorsten Glaser <tg@mirbsd.de>
• Date: Fri, 5 Mar 2021 20:49:39 +0000 (UTC)
• Message-id: <[🔎] Pine.BSM.4.64L.2103052043370.10313@herc.mirbsd.org>

Source: xterm
Version: 327-2+deb9u1
Severity: serious
Justification: introduces use-after-realloc

debian/patches/CVE-2021-27135.patch changes button.c line (after
patching) 3747 to:

       line = realloc(line, screen->selection_size);

But “line” is a local variable, the address of the buffer must
be stored in the one handed out, too, so please change this to:

    if ((have * 2) < (size_t) j) { 
        Char *next = realloc(line, have + 1);
        if (next) {
            screen->selection_data = line = next;
            screen->selection_size = have + 1;
        }
    }

This also deals properly with realloc failures (since we’re
shrinking, ignore them and just keep the older, larger area).

I’ve not looked at jessie-ELTS or buster-security whether they
are affected as well; sid is clean (and where I got the realloc
failure check necessity from, although sid’s free()s the buffer
if realloc fails; this isn’t needed @Tom).

bye,
//mirabilos
-- 
<ch> you introduced a merge commit        │<mika> % g rebase -i HEAD^^
<mika> sorry, no idea and rebasing just fscked │<mika> Segmentation
<ch> should have cloned into a clean repo      │  fault (core dumped)
<ch> if I rebase that now, it's really ugh     │<mika:#grml> wuahhhhhh

--- End Message ---

--- Begin Message ---

• To: 984615-done@bugs.debian.org
• Cc: Thorsten Glaser <tg@mirbsd.de>, Sven Joachim <svenjoac@gmx.de>, dickey@his.com
• Subject: Re: Bug#984615: xterm: bug in CVE-2021-27135 patch in at least stretch
• From: Utkarsh Gupta <utkarsh@debian.org>
• Date: Sat, 20 Mar 2021 21:24:26 +0530
• Message-id: <CAPP0f94boM55htNN2S7L9=vp4L-Teyow4Mj0wXruq2Xj4befsQ@mail.gmail.com>
• In-reply-to: <[🔎] 20210306193522.GA9209@prl-debianold-64.jexium-island.net>
• References: <[🔎] CAPP0f95m95SBuskPhL5XjG91MbNG_wDV74ZMsbejqvys5ccDiA@mail.gmail.com> <[🔎] 87im646uq6.fsf@turtle.gmx.de> <[🔎] Pine.BSM.4.64L.2103052043370.10313@herc.mirbsd.org> <[🔎] Pine.BSM.4.64L.2103061804080.4852@herc.mirbsd.org> <[🔎] 20210306193522.GA9209@prl-debianold-64.jexium-island.net>

Hello,

Thanks to Thomas for his help, I've uploaded a fix for this regression
(by reverting the backport of that part of the patch which was not
necessary for this CVE fix). And thanks to Thorsten for his
comprehensive bug report and to Sven for further debugging and taking
a look.

Thorsten, could you please test the latest upload and see if
everything works alright for you?

Please note that I haven't yet announced the update. I'll do so after
I get confirmation on the above thingy^.


- u

--- End Message ---