Sven Joachim pushed to branch debian-unstable at X Strike Force / app / xterm
Commits: 4a9e3948 by Sven Joachim at 2022-02-01T20:54:56+01:00 Cherry-pick sixel graphics fixes from xterm 370d and 370f Check for out-of-bounds condition while drawing sixels, and quit that operation (report by Nick Black, CVE-2022-24130). - - - - - 71f23810 by Sven Joachim at 2022-02-01T20:57:09+01:00 Upload to unstable - - - - - 3 changed files: - debian/changelog - + debian/patches/CVE-2022-24130.diff - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,12 @@ +xterm (370-2) unstable; urgency=medium + + * Cherry-pick sixel graphics fixes from xterm 370d and 370f. + - Check for out-of-bounds condition while drawing sixels, and quit + that operation (report by Nick Black (CVE-2022-24130), + Closes: #1004689). + + -- Sven Joachim <svenj...@gmx.de> Tue, 01 Feb 2022 20:56:55 +0100 + xterm (370-1) unstable; urgency=medium * New upstream release. ===================================== debian/patches/CVE-2022-24130.diff ===================================== @@ -0,0 +1,73 @@ +Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f + Check for out-of-bounds condition while drawing sixels, and quit that + operation (report by Nick Black, CVE-2022-24130). +Bug-Debian: https://bugs.debian.org/1004689 + +--- + graphics_sixel.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/graphics_sixel.c ++++ b/graphics_sixel.c +@@ -149,7 +149,7 @@ init_sixel_background(Graphic *graphic, + graphic->color_registers_used[context->background] = 1; + } + +-static void ++static Boolean + set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + { + const int mh = graphic->max_height; +@@ -170,7 +170,10 @@ set_sixel(Graphic *graphic, SixelContext + ((color != COLOR_HOLE) + ? (unsigned) graphic->color_registers[color].b : 0U))); + for (pix = 0; pix < 6; pix++) { +- if (context->col < mw && context->row + pix < mh) { ++ if (context->col >= 0 && ++ context->col < mw && ++ context->row + pix >= 0 && ++ context->row + pix < mh) { + if (sixel & (1 << pix)) { + if (context->col + 1 > graphic->actual_width) { + graphic->actual_width = context->col + 1; +@@ -183,8 +186,10 @@ set_sixel(Graphic *graphic, SixelContext + } + } else { + TRACE(("sixel pixel %d out of bounds\n", pix)); ++ return False; + } + } ++ return True; + } + + static void +@@ -462,8 +467,12 @@ parse_sixel(XtermWidget xw, ANSI *params + init_sixel_background(graphic, &context); + graphic->valid = 1; + } +- if (sixel) +- set_sixel(graphic, &context, sixel); ++ if (sixel) { ++ if (!set_sixel(graphic, &context, sixel)) { ++ context.col = 0; ++ break; ++ } ++ } + context.col++; + } else if (ch == '$') { /* DECGCR */ + /* ignore DECCRNLM in sixel mode */ +@@ -531,8 +540,12 @@ parse_sixel(XtermWidget xw, ANSI *params + if (sixel) { + int i; + for (i = 0; i < Pcount; i++) { +- set_sixel(graphic, &context, sixel); +- context.col++; ++ if (set_sixel(graphic, &context, sixel)) { ++ context.col++; ++ } else { ++ context.col = 0; ++ break; ++ } + } + } else { + context.col += Pcount; ===================================== debian/patches/series ===================================== @@ -1,3 +1,4 @@ 900_debian_xterm.diff 902_windowops.diff 904_fontops.diff +CVE-2022-24130.diff View it on GitLab: https://salsa.debian.org/xorg-team/app/xterm/-/compare/a548ffe770f5063d27079dcfa42c4d38dd0330d2...71f23810e03607e78c21d6564eb55abd98087904 -- View it on GitLab: https://salsa.debian.org/xorg-team/app/xterm/-/compare/a548ffe770f5063d27079dcfa42c4d38dd0330d2...71f23810e03607e78c21d6564eb55abd98087904 You're receiving this email because of your account on salsa.debian.org.