summaryrefslogtreecommitdiff
path: root/gnu/packages/patches/vte-CVE-2012-2738-pt1.patch
diff options
context:
space:
mode:
authorEfraim Flashner <efraim@flashner.co.il>2016-05-30 11:53:45 +0300
committerEfraim Flashner <efraim@flashner.co.il>2016-05-30 12:09:15 +0300
commit7d48938a590c676e6f140a976bfcf26aadeb008a (patch)
tree4cc3e3fc436ccee4c928e855fd72226c588af30b /gnu/packages/patches/vte-CVE-2012-2738-pt1.patch
parent4f3e02f198719c98a46aa3060fbd9bececa20f87 (diff)
gnu: vte-0.28: Fix CVE-2012-2738.
* gnu/packages/gnome.scm (vte-0.28)[source]: Add patches. * gnu/packages/patches/vte-CVE-2012-2738-pt1.patch, gnu/packages/patches/vte-CVE-2012-2738-pt2.patch: New variables. * gnu/local.mk (dist_patch_DATA): Add them.
Diffstat (limited to 'gnu/packages/patches/vte-CVE-2012-2738-pt1.patch')
-rw-r--r--gnu/packages/patches/vte-CVE-2012-2738-pt1.patch40
1 files changed, 40 insertions, 0 deletions
diff --git a/gnu/packages/patches/vte-CVE-2012-2738-pt1.patch b/gnu/packages/patches/vte-CVE-2012-2738-pt1.patch
new file mode 100644
index 0000000000..fd45407939
--- /dev/null
+++ b/gnu/packages/patches/vte-CVE-2012-2738-pt1.patch
@@ -0,0 +1,40 @@
+From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Sat, 19 May 2012 17:36:09 +0000
+Subject: emulation: Limit integer arguments to 65535
+
+To guard against malicious sequences containing excessively big numbers,
+limit all parsed numbers to 16 bit range. Doing this here in the parsing
+routine is a catch-all guard; this doesn't preclude enforcing
+more stringent limits in the handlers themselves.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=676090
+---
+diff --git a/src/table.c b/src/table.c
+index 140e8c8..85cf631 100644
+--- a/src/table.c
++++ b/src/table.c
+@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
+ if (G_UNLIKELY (*array == NULL)) {
+ *array = g_value_array_new(1);
+ }
+- g_value_set_long(&value, total);
++ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
+ g_value_array_append(*array, &value);
+ } while (i++ < arginfo->length);
+ g_value_unset(&value);
+diff --git a/src/vteseq.c b/src/vteseq.c
+index 457c06a..46def5b 100644
+--- a/src/vteseq.c
++++ b/src/vteseq.c
+@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
+ GValueArray *params,
+ VteTerminalSequenceHandler handler)
+ {
+- vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG);
++ vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT);
+ }
+
+ static void
+--
+cgit v0.9.0.2