[OE-core] [PATCH] screen: fix CVE-2015-6806

Wed, 07 Oct 2015 00:40:56 -0700 

Backport a patch to fix CVE-2015-6806

Signed-off-by: Maxin B. John <maxin.j...@intel.com>
---
 ...-stack-overflow-due-to-too-deep-recursion.patch | 57 ++++++++++++++++++++++
 meta/recipes-extended/screen/screen_4.3.1.bb       |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 
meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch

diff --git 
a/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch
 
b/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch
new file mode 100644
index 0000000..2bc9a59
--- /dev/null
+++ 
b/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch
@@ -0,0 +1,57 @@
+Bug: 45713
+
+How to reproduce:
+Run this command inside screen
+$ printf '\x1b[10000000T'
+
+screen will recursively call MScrollV to depth n/256.
+This is time consuming and will overflow stack if n is huge.
+
+Fixes CVE-2015-6806
+
+Upstream-Status: Backport
+
+Signed-off-by: Kuang-che Wu <k...@csie.org>
+Signed-off-by: Amadeusz Sławiński <am...@asmblr.net>
+Signed-off-by: Maxin B. John <maxin.j...@intel.com>
+---
+diff -Naur screen-4.3.1-orig/ansi.c screen-4.3.1/ansi.c
+--- screen-4.3.1-orig/ansi.c   2015-06-29 00:22:55.000000000 +0300
++++ screen-4.3.1/ansi.c        2015-10-06 13:13:58.297648039 +0300
+@@ -2502,13 +2502,13 @@
+     return;
+   if (n > 0)
+     {
++      if (ye - ys + 1 < n)
++        n = ye - ys + 1;
+       if (n > 256)
+       {
+         MScrollV(p, n - 256, ys, ye, bce);
+         n = 256;
+       }
+-      if (ye - ys + 1 < n)
+-      n = ye - ys + 1;
+ #ifdef COPY_PASTE
+       if (compacthist)
+       {
+@@ -2562,15 +2562,15 @@
+     }
+   else
+     {
+-      if (n < -256)
+-      {
+-        MScrollV(p, n + 256, ys, ye, bce);
+-        n = -256;
+-      }
+       n = -n;
+       if (ye - ys + 1 < n)
+       n = ye - ys + 1;
+ 
++      if (n > 256)
++      {
++        MScrollV(p, - (n - 256), ys, ye, bce);
++        n = 256;
++      }
+       ml = p->w_mlines + ye;
+       /* Clear lines */
+       for (i = ye; i > ye - n; i--, ml--)
diff --git a/meta/recipes-extended/screen/screen_4.3.1.bb 
b/meta/recipes-extended/screen/screen_4.3.1.bb
index 92457af..00d878b 100644
--- a/meta/recipes-extended/screen/screen_4.3.1.bb
+++ b/meta/recipes-extended/screen/screen_4.3.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
            file://Avoid-mis-identifying-systems-as-SVR4.patch \
            file://0001-fix-for-multijob-build.patch \
            file://0002-comm.h-now-depends-on-term.h.patch \
+           file://0001-Fix-stack-overflow-due-to-too-deep-recursion.patch \
           "
 
 SRC_URI[md5sum] = "5bb3b0ff2674e29378c31ad3411170ad"
-- 
2.4.0

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Reply via email to