Sven Joachim pushed to branch debian-buster at X Strike Force / app / xterm
Commits: 9e3a2f22 by Sven Joachim at 2022-02-02T20:08:11+01:00 Cherry-pick sixel graphics fixes from xterm 370d and 370f Check for out-of-bounds condition while drawing sixels, and quit that operation (report by Nick Black, CVE-2022-24130). - - - - - 3 changed files: - debian/changelog - + debian/patches/CVE-2022-24130.diff - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,12 @@ +xterm (344-1+deb10u2) UNRELEASED; urgency=medium + + * Cherry-pick sixel graphics fixes from xterm 370d and 370f. + - Check for out-of-bounds condition while drawing sixels, and quit + that operation (report by Nick Black (CVE-2022-24130), + Closes: #1004689). + + -- Sven Joachim <svenj...@gmx.de> Wed, 02 Feb 2022 20:08:03 +0100 + xterm (344-1+deb10u1) buster; urgency=medium * Apply upstream fix from xterm 366 for CVE-2021-27135. ===================================== debian/patches/CVE-2022-24130.diff ===================================== 
@@ -0,0 +1,79 @@ +Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f + Check for out-of-bounds condition while drawing sixels, and quit that + operation (report by Nick Black, CVE-2022-24130). +Bug-Debian: https://bugs.debian.org/1004689 + +--- + graphics_sixel.c | 31 +++++++++++++++++++++++++------ + 1 file changed, 25 insertions(+), 6 deletions(-) + +--- a/graphics_sixel.c ++++ b/graphics_sixel.c +@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic, + graphic->color_registers_used[context->background] = 1; + } + +-static void ++static Boolean + set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + { + const int mh = graphic->max_height; +@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext + ((color != COLOR_HOLE) + ? (unsigned) graphic->color_registers[color].b : 0U))); + for (pix = 0; pix < 6; pix++) { +- if (context->col < mw && context->row + pix < mh) { ++ if (context->col >= 0 && ++ context->col < mw && ++ context->row + pix >= 0 && ++ context->row + pix < mh) { + if (sixel & (1 << pix)) { + if (context->col + 1 > graphic->actual_width) { + graphic->actual_width = context->col + 1; +@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext + } + } else { + TRACE(("sixel pixel %d out of bounds\n", pix)); ++ return False; + } + } ++ return True; + } + + static void +@@ -451,7 +456,12 @@ parse_sixel(XtermWidget xw, ANSI *params + init_sixel_background(graphic, &context); + graphic->valid = 1; + } +- set_sixel(graphic, &context, sixel); ++ if (sixel) { ++ if (!set_sixel(graphic, &context, sixel)) { ++ context.col = 0; ++ break; ++ } ++ } + context.col++; + } else if (ch == '$') { /* DECGCR */ + /* ignore DECCRNLM in sixel mode */ +@@ -528,9 +538,18 @@ parse_sixel(XtermWidget xw, ANSI *params + init_sixel_background(graphic, &context); + graphic->valid = 1; + } +- for (i = 0; i < Pcount; i++) { +- set_sixel(graphic, &context, sixel); +- context.col++; ++ if (sixel) { ++ int i; ++ for (i = 0; i < Pcount; 
i++) { ++ if (set_sixel(graphic, &context, sixel)) { ++ context.col++; ++ } else { ++ context.col = 0; ++ break; ++ } ++ } ++ } else { ++ context.col += Pcount; + } + } else if (ch == '#') { /* DECGCI */ + ANSI color_params; ===================================== debian/patches/series ===================================== @@ -2,3 +2,4 @@ 902_windowops.diff 904_fontops.diff CVE-2021-27135.diff +CVE-2022-24130.diff View it on GitLab: https://salsa.debian.org/xorg-team/app/xterm/-/commit/9e3a2f22371a66eb22e305b5beeaa83810ca77f2
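Review bot: in the set_sixel() pixel loop (hunk at -162,7), the new `return False` in the else branch fires on the position test alone, before `sixel & (1 << pix)` is consulted, so a sixel whose set bits all land inside the graphic is still rejected when `context->row + pix` reaches `mh` for a bit that is clear. Pixels written earlier in the same call also stay in the buffer. Consider testing the bit first and returning False only when a set pixel falls outside the graphic, or add a comment stating that any sixel overlapping the edge is meant to abort the drawing.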
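Review bot: in the single-sixel branch of parse_sixel() (hunk at -451,7), the failure path `context.col = 0; break;` has no comment, and the context line just above has already set `graphic->valid = 1`, so whatever was drawn before the out-of-bounds sixel stays flagged as valid. A short comment saying that the remaining sixel data is abandoned on purpose, and why the column is reset instead of left where it was, would make the intent clear; if a truncated graphic should not be shown, clear `valid` on this path as well.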
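Review bot: in the repeat branch of parse_sixel() (hunk at -528,9), `context.col += Pcount;` in the new else arm advances the column with no range check, leaving the added `context->col >= 0 && context->col < mw` test in set_sixel() to catch a column that has run past `mw` or gone negative on a later call; clamping the column here would keep it in range at the point where it changes. As a style point, the added `int i;` sits inside `if (sixel)` while the removed loop used an `i` from an enclosing scope, so the new declaration shadows it; drop the inner declaration, or remove the outer one if nothing else uses it.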