Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
I have uploaded xterm 344-1+deb10u2 to fix #1004689 aka CVE-2022-24130
in buster.
This is the same problem and the same fix as the one for bullseye, see
#1005232 for details. The patch is six lines longer because two minor
changes from xterm 357 had to be applied first.
Cheers,
Sven
diff -Nru xterm-344/debian/changelog xterm-344/debian/changelog --- xterm-344/debian/changelog 2021-03-07 17:53:16.000000000 +0100 +++ xterm-344/debian/changelog 2022-02-07 20:05:11.000000000 +0100 @@ -1,3 +1,12 @@ +xterm (344-1+deb10u2) buster; urgency=medium + + * Cherry-pick sixel graphics fixes from xterm 370d and 370f. + - Check for out-of-bounds condition while drawing sixels, and quit + that operation (report by Nick Black (CVE-2022-24130), + Closes: #1004689). + + -- Sven Joachim <svenj...@gmx.de> Mon, 07 Feb 2022 20:05:11 +0100 + xterm (344-1+deb10u1) buster; urgency=medium * Apply upstream fix from xterm 366 for CVE-2021-27135. diff -Nru xterm-344/debian/patches/CVE-2022-24130.diff xterm-344/debian/patches/CVE-2022-24130.diff --- xterm-344/debian/patches/CVE-2022-24130.diff 1970-01-01 01:00:00.000000000 +0100 +++ xterm-344/debian/patches/CVE-2022-24130.diff 2022-02-02 18:26:45.000000000 +0100 @@ -0,0 +1,79 @@ +Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f + Check for out-of-bounds condition while drawing sixels, and quit that + operation (report by Nick Black, CVE-2022-24130). +Bug-Debian: https://bugs.debian.org/1004689 + +--- + graphics_sixel.c | 31 +++++++++++++++++++++++++------ + 1 file changed, 25 insertions(+), 6 deletions(-) + +--- a/graphics_sixel.c ++++ b/graphics_sixel.c +@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic, + graphic->color_registers_used[context->background] = 1; + } + +-static void ++static Boolean + set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + { + const int mh = graphic->max_height; +@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext + ((color != COLOR_HOLE) + ? (unsigned) graphic->color_registers[color].b : 0U))); + for (pix = 0; pix < 6; pix++) { +- if (context->col < mw && context->row + pix < mh) { ++ if (context->col >= 0 && ++ context->col < mw && ++ context->row + pix >= 0 && ++ context->row + pix < mh) { + if (sixel & (1 << pix)) { + if (context->col + 1 > graphic->actual_width) { + graphic->actual_width = context->col + 1; +@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext + } + } else { + TRACE(("sixel pixel %d out of bounds\n", pix)); ++ return False; + } + } ++ return True; + } + + static void +@@ -451,7 +456,12 @@ parse_sixel(XtermWidget xw, ANSI *params + init_sixel_background(graphic, &context); + graphic->valid = 1; + } +- set_sixel(graphic, &context, sixel); ++ if (sixel) { ++ if (!set_sixel(graphic, &context, sixel)) { ++ context.col = 0; ++ break; ++ } ++ } + context.col++; + } else if (ch == '$') { /* DECGCR */ + /* ignore DECCRNLM in sixel mode */ +@@ -528,9 +538,18 @@ parse_sixel(XtermWidget xw, ANSI *params + init_sixel_background(graphic, &context); + graphic->valid = 1; + } +- for (i = 0; i < Pcount; i++) { +- set_sixel(graphic, &context, sixel); +- context.col++; ++ if (sixel) { ++ int i; ++ for (i = 0; i < Pcount; i++) { ++ if (set_sixel(graphic, &context, sixel)) { ++ context.col++; ++ } else { ++ context.col = 0; ++ break; ++ } ++ } ++ } else { ++ context.col += Pcount; + } + } else if (ch == '#') { /* DECGCI */ + ANSI color_params; diff -Nru xterm-344/debian/patches/series xterm-344/debian/patches/series --- xterm-344/debian/patches/series 2021-03-05 22:10:42.000000000 +0100 +++ xterm-344/debian/patches/series 2022-02-02 17:42:37.000000000 +0100 @@ -2,3 +2,4 @@ 902_windowops.diff 904_fontops.diff CVE-2021-27135.diff +CVE-2022-24130.diff
signature.asc
Description: PGP signature
