aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2020-03-31 07:45:28 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2020-03-31 07:48:41 +0200
commitc4fb5bfb47b603327299badabe821fb495560cf8 (patch)
tree903cb37fd1c1cc9c3ad8a1a8ab17ffa17cd08142
parent74e6a27a58e946f528b44022cddd706d5fa2b74f (diff)
downloadaports-c4fb5bfb47b603327299badabe821fb495560cf8.tar.bz2
aports-c4fb5bfb47b603327299badabe821fb495560cf8.tar.xz
main/screen: fix patch for CVE-2020-9366
-rw-r--r--main/screen/APKBUILD4
-rw-r--r--main/screen/CVE-2020-9366.patch41
2 files changed, 43 insertions, 2 deletions
diff --git a/main/screen/APKBUILD b/main/screen/APKBUILD
index d9e501e942..8d7cc4c828 100644
--- a/main/screen/APKBUILD
+++ b/main/screen/APKBUILD
@@ -11,7 +11,7 @@ options="!check" # No test suite.
makedepends="ncurses-dev ncurses"
subpackages="$pkgname-doc"
source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
- https://git.savannah.gnu.org/cgit/screen.git/patch/?id=68386dfb1fa33471372a8cd2e74686758a2f527b
+ CVE-2020-9366.patch
"
builddir="$srcdir/$pkgname-$pkgver"
@@ -45,4 +45,4 @@ package() {
}
sha512sums="224bd16ad5ae501d1b8bb7d2ba9cc19e6a0743de5a5b320109c2f6bf3b1ca564cc7094ed9211be13733d9d769cde77d13fe236341d448cad0518038ab1e85c99 screen-4.6.2.tar.gz
-497a47b5f4952645f94bcc4594695db9f7a993f5d7c9b9142984804aee61b5cc571b7c666310cc651eb2428c6d39d5320923d464917fd925f57f1e13acb1db7d ?id=68386dfb1fa33471372a8cd2e74686758a2f527b"
+a711983119b86527a85464d4f5c8fecd6d481ab5691dd7b1b83c33983594d511ac69a8a67b088906540f8475dba08bda4ba559b2b514ac43535bd668db801fe0 CVE-2020-9366.patch"
diff --git a/main/screen/CVE-2020-9366.patch b/main/screen/CVE-2020-9366.patch
new file mode 100644
index 0000000000..7653dabbe7
--- /dev/null
+++ b/main/screen/CVE-2020-9366.patch
@@ -0,0 +1,41 @@
+From 68386dfb1fa33471372a8cd2e74686758a2f527b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+Date: Thu, 30 Jan 2020 17:56:27 +0100
+Subject: Fix out of bounds access when setting w_xtermosc after OSC 49
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+echo -e "\e]49\e; \n\ec"
+crashes screen.
+
+This happens because 49 is divided by 10 and used as table index
+resulting in access to w_xtermosc[4], which is out of bounds with table
+itself being size 4. Increase size of table by 1 to 5, which is enough
+for all current uses.
+
+As this overwrites memory based on user input it is potential security
+issue.
+
+Reported-by: pippin@gimp.org
+Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
+---
+ src/window.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/window.h b/src/window.h
+index fbe98dc..11d2a9e 100644
+--- a/window.h
++++ b/window.h
+@@ -237,7 +237,7 @@ struct win
+ char w_vbwait;
+ char w_norefresh; /* dont redisplay when switching to that win */
+ #ifdef RXVT_OSC
+- char w_xtermosc[4][MAXSTR]; /* special xterm/rxvt escapes */
++ char w_xtermosc[5][MAXSTR]; /* special xterm/rxvt escapes */
+ #endif
+ int w_mouse; /* mouse mode 0,9,1000 */
+ int w_extmouse; /* extended mouse mode 0,1006 */
+--
+cgit v1.2.1
+