[vte] Add patch for DOS. Fixes bug #832356
Kevin Fenzi
kevin at fedoraproject.org
Fri Jun 15 21:03:07 UTC 2012
commit adecff5f926b566dadbf1aa8fcae45ceadb40a46
Author: Kevin Fenzi <kevin at scrye.com>
Date: Fri Jun 15 15:03:07 2012 -0600
Add patch for DOS. Fixes bug #832356
- fixes CVE-2012-2738
vte-0.28.2-limit-arguments.patch | 40 ++++++++++++++++++++++++++++++++++++++
vte.spec | 10 ++++++++-
2 files changed, 49 insertions(+), 1 deletions(-)
---
diff --git a/vte-0.28.2-limit-arguments.patch b/vte-0.28.2-limit-arguments.patch
new file mode 100644
index 0000000..fd45407
--- /dev/null
+++ b/vte-0.28.2-limit-arguments.patch
@@ -0,0 +1,40 @@
+From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe at gnome.org>
+Date: Sat, 19 May 2012 17:36:09 +0000
+Subject: emulation: Limit integer arguments to 65535
+
+To guard against malicious sequences containing excessively big numbers,
+limit all parsed numbers to 16 bit range. Doing this here in the parsing
+routine is a catch-all guard; this doesn't preclude enforcing
+more stringent limits in the handlers themselves.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=676090
+---
+diff --git a/src/table.c b/src/table.c
+index 140e8c8..85cf631 100644
+--- a/src/table.c
++++ b/src/table.c
+@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
+ if (G_UNLIKELY (*array == NULL)) {
+ *array = g_value_array_new(1);
+ }
+- g_value_set_long(&value, total);
++ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
+ g_value_array_append(*array, &value);
+ } while (i++ < arginfo->length);
+ g_value_unset(&value);
+diff --git a/src/vteseq.c b/src/vteseq.c
+index 457c06a..46def5b 100644
+--- a/src/vteseq.c
++++ b/src/vteseq.c
+@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
+ GValueArray *params,
+ VteTerminalSequenceHandler handler)
+ {
+- vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG);
++ vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT);
+ }
+
+ static void
+--
+cgit v0.9.0.2
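Review bot: The `CLAMP (total, 0, G_MAXUSHORT)` in `_vte_table_extract_numbers` bounds the value only after it has been accumulated. The loop that builds `total` is outside the hunk, so this is inferred, but if it multiplies by ten per digit with no bound, a long digit run can overflow the accumulator before the clamp sees it. `total` is presumably a signed long given `g_value_set_long`, so that overflow would be undefined behaviour, and a wrapped negative result would silently become 0. Saturating inside the accumulation, for example `if (total > G_MAXUSHORT) total = G_MAXUSHORT;` after each digit, would make the limit hold for any input length. In `vte_sequence_handler_multiple`, `G_MAXUSHORT` still permits 65535 handler repetitions per sequence, so a comment such as `/* catch-all bound; handlers with costly repeats should pass a tighter limit */` would record that the per-handler limits mentioned in the commit message are still to be set.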
diff --git a/vte.spec b/vte.spec
index e7d5e99..1871402 100644
--- a/vte.spec
+++ b/vte.spec
@@ -4,7 +4,7 @@
Name: vte
Version: 0.28.2
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: A terminal emulator
License: LGPLv2+
Group: User Interface/X
@@ -16,6 +16,9 @@ Patch0: vte-alt-meta-confusion.patch
# Python bindings bugfix
# https://bugzilla.redhat.com/show_bug.cgi?id=556200
Patch1: vte-python-bugfixes.patch
+# limit arguments to avoid DOS
+# http://git.gnome.org/browse/vte/patch/?id=feeee4b5832b17641e505b7083e0d299fdae318e
+Patch2: vte-0.28.2-limit-arguments.patch
BuildRequires: gtk2-devel >= %{gtk2_version}
BuildRequires: pango-devel >= %{pango_version}
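Review bot: The comment above `Patch2` describes the fix only as "avoid DOS"; the CVE and bug number appear in the changelog but not beside the patch line. That line is where someone rebasing the package decides whether the patch can be dropped. Suggest making the first comment line `# CVE-2012-2738 (bug #832356): limit parsed integer arguments to avoid DoS`, keeping the upstream URL line as is.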
@@ -51,6 +54,7 @@ vte.
%setup -q
%patch0 -p1
%patch1 -p1
+%patch2 -p1
%build
PYTHON=%{_bindir}/python`%{__python} -c "import sys ; print sys.version[:3]"`
@@ -106,6 +110,10 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/python*/site-packages/gtk-2.0/*.a
%doc %{_datadir}/gtk-doc/html/vte-0.0
%changelog
+* Fri Jun 15 2012 Kevin Fenzi <kevin at scrye.com> - 0.28.2-6
+- Add patch for DOS. Fixes bug #832356
+- fixes CVE-2012-2738
+
* Tue Apr 03 2012 Jon Ciesla <limburgher at gmail.com> - 0.28.2-5
- Added URL, fixed whitespace for Merge Review BZ 226534.
- Commented on odd provides for rpmlint warning.