kookie
/
nomicon
1
0
Fork 0
Code Issues Projects Releases 1 Activity

Merge pull request #32506 from andir/gnome2.vte

Browse Source 
gnome2.vte: fix CVE-2012-2738
wip/yesman
Michael Raskin 7 years ago committed by GitHub
parent 0a41fc6b7c 4c6f7ee729
commit f1acf2d6b9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 42 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 14
      pkgs/desktops/gnome-2/desktop/vte/default.nix
  2. 40
      pkgs/desktops/gnome-2/desktop/vte/vte-0.28.2-limit-arguments.patch

14
pkgs/desktops/gnome-2/desktop/vte/default.nix
Unescape View File

@ -1,4 +1,4 @@
{ stdenv, fetchurl, intltool, pkgconfig, glib, gtk, ncurses
{ stdenv, fetchurl, fetchpatch, intltool, pkgconfig, glib, gtk, ncurses
, pythonSupport ? false, python27Packages}:
let
@ -15,7 +15,17 @@ in stdenv.mkDerivation rec {
./alt.patch
./change-scroll-region.patch
# CVE-2012-2738
./vte-0.28.2-limit-arguments.patch
# fixed in upstream version 0.32.2
(fetchpatch{
name = "CVE-2012-2738-1.patch";
url = https://git.gnome.org/browse/vte/patch/?id=feeee4b5832b17641e505b7083e0d299fdae318e;
sha256 = "1455i6zxcx4rj2cz639s8qdc04z2nshprwl7k00mcsw49gv3hk5n";
})
(fetchpatch{
name = "CVE-2012-2738-2.patch";
url = https://git.gnome.org/browse/vte/patch/?id=98ce2f265f986fb88c38d508286bb5e3716b9e74;
sha256 = "0n24vw49h89w085ggq23iwlnnb6ajllfh2dg4vsar21d82jxc0sn";
})
];
nativeBuildInputs = [ pkgconfig ];

40
pkgs/desktops/gnome-2/desktop/vte/vte-0.28.2-limit-arguments.patch
Unescape View File

@ -1,40 +0,0 @@
From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001
From: Christian Persch <chpe@gnome.org>
Date: Sat, 19 May 2012 17:36:09 +0000
Subject: emulation: Limit integer arguments to 65535
To guard against malicious sequences containing excessively big numbers,
limit all parsed numbers to 16 bit range. Doing this here in the parsing
routine is a catch-all guard; this doesn't preclude enforcing
more stringent limits in the handlers themselves.
https://bugzilla.gnome.org/show_bug.cgi?id=676090
---
diff --git a/src/table.c b/src/table.c
index 140e8c8..85cf631 100644
--- a/src/table.c
+++ b/src/table.c
@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
if (G_UNLIKELY (*array == NULL)) {
*array = g_value_array_new(1);
}
- g_value_set_long(&value, total);
+ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
g_value_array_append(*array, &value);
} while (i++ < arginfo->length);
g_value_unset(&value);
diff --git a/src/vteseq.c b/src/vteseq.c
index 457c06a..46def5b 100644
--- a/src/vteseq.c
+++ b/src/vteseq.c
@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
GValueArray *params,
VteTerminalSequenceHandler handler)
{
- vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG);
+ vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT);
}
static void
--
cgit v0.9.0.2
Write Preview
Loading…
Cancel
Save