[vte] Add patch for DOS. Fixes bug #832356

Kevin Fenzi kevin at fedoraproject.org
Fri Jun 15 21:03:07 UTC 2012


commit adecff5f926b566dadbf1aa8fcae45ceadb40a46
Author: Kevin Fenzi <kevin at scrye.com>
Date:   Fri Jun 15 15:03:07 2012 -0600

    Add patch for DOS. Fixes bug #832356
    
    - fixes CVE-2012-2738

 vte-0.28.2-limit-arguments.patch |   40 ++++++++++++++++++++++++++++++++++++++
 vte.spec                         |   10 ++++++++-
 2 files changed, 49 insertions(+), 1 deletions(-)
---
diff --git a/vte-0.28.2-limit-arguments.patch b/vte-0.28.2-limit-arguments.patch
new file mode 100644
index 0000000..fd45407
--- /dev/null
+++ b/vte-0.28.2-limit-arguments.patch
@@ -0,0 +1,40 @@
+From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe at gnome.org>
+Date: Sat, 19 May 2012 17:36:09 +0000
+Subject: emulation: Limit integer arguments to 65535
+
+To guard against malicious sequences containing excessively big numbers,
+limit all parsed numbers to 16 bit range. Doing this here in the parsing
+routine is a catch-all guard; this doesn't preclude enforcing
+more stringent limits in the handlers themselves.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=676090
+---
+diff --git a/src/table.c b/src/table.c
+index 140e8c8..85cf631 100644
+--- a/src/table.c
++++ b/src/table.c
+@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
+ 		if (G_UNLIKELY (*array == NULL)) {
+ 			*array = g_value_array_new(1);
+ 		}
+-		g_value_set_long(&value, total);
++		g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
+ 		g_value_array_append(*array, &value);
+ 	} while (i++ < arginfo->length);
+ 	g_value_unset(&value);
+diff --git a/src/vteseq.c b/src/vteseq.c
+index 457c06a..46def5b 100644
+--- a/src/vteseq.c
++++ b/src/vteseq.c
+@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
+                               GValueArray *params,
+                               VteTerminalSequenceHandler handler)
+ {
+-        vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG);
++        vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT);
+ }
+ 
+ static void
+--
+cgit v0.9.0.2
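Review bot: The `CLAMP (total, 0, G_MAXUSHORT)` added in `_vte_table_extract_numbers` bounds the value only at the point where it is stored, and the loop that accumulates `total` lies outside this hunk. If that loop multiplies and adds per digit into a `long` without a bound (not visible here, so to be confirmed against the full function), a long enough digit run overflows a signed integer, which is undefined behaviour, before the clamp ever runs. Saturating during accumulation, for example `if (total > G_MAXUSHORT) total = G_MAXUSHORT;` after each digit, would close that gap and make the clamp at the store redundant but harmless. Separately, `vte_sequence_handler_multiple` now passes `G_MAXUSHORT` as the limit, which still permits up to 65535 handler invocations for a single sequence; handlers whose per-call cost is high may want a tighter limit of their own, as the upstream message itself allows.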
diff --git a/vte.spec b/vte.spec
index e7d5e99..1871402 100644
--- a/vte.spec
+++ b/vte.spec
@@ -4,7 +4,7 @@
 
 Name: vte
 Version: 0.28.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: A terminal emulator
 License: LGPLv2+
 Group: User Interface/X
@@ -16,6 +16,9 @@ Patch0: vte-alt-meta-confusion.patch
 # Python bindings bugfix
 # https://bugzilla.redhat.com/show_bug.cgi?id=556200
 Patch1: vte-python-bugfixes.patch
+# limit arguments to avoid DOS
+# http://git.gnome.org/browse/vte/patch/?id=feeee4b5832b17641e505b7083e0d299fdae318e
+Patch2: vte-0.28.2-limit-arguments.patch
 
 BuildRequires: gtk2-devel >= %{gtk2_version}
 BuildRequires: pango-devel >= %{pango_version}
@@ -51,6 +54,7 @@ vte.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 PYTHON=%{_bindir}/python`%{__python} -c "import sys ; print sys.version[:3]"`
@@ -106,6 +110,10 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/python*/site-packages/gtk-2.0/*.a
 %doc %{_datadir}/gtk-doc/html/vte-0.0
 
 %changelog
+* Fri Jun 15 2012 Kevin Fenzi <kevin at scrye.com> - 0.28.2-6
+- Add patch for DOS. Fixes bug #832356
+- fixes CVE-2012-2738
+
 * Tue Apr 03 2012 Jon Ciesla <limburgher at gmail.com> - 0.28.2-5
 - Added URL, fixed whitespace for Merge Review BZ 226534.
 - Commented on odd provides for rpmlint warning.

