author | Natanael Copa <ncopa@alpinelinux.org> | 2020-03-31 07:45:28 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2020-03-31 07:45:28 +0200 |
commit | 9579edd780321f85280a40a215548b1483c49b61 (patch) | |
tree | 6bbcc965a1faaf4e66b61c14a0bc96566b728151 | |
parent | 42dd95bb5e7747f3740de7e2f5646ad6280bc573 (diff) | |
download | aports-9579edd780321f85280a40a215548b1483c49b61.tar.bz2 aports-9579edd780321f85280a40a215548b1483c49b61.tar.xz |
main/screen: fix patch for CVE-2020-9366
-rw-r--r-- | main/screen/APKBUILD | 4 | ||||
-rw-r--r-- | main/screen/CVE-2020-9366.patch | 41 |
2 files changed, 43 insertions, 2 deletions
diff --git a/main/screen/APKBUILD b/main/screen/APKBUILD
index 09a3ffa6e9..8392d40561 100644
--- a/main/screen/APKBUILD
+++ b/main/screen/APKBUILD
@@ -11,7 +11,7 @@ options="!check" # No test suite.
 makedepends="ncurses-dev ncurses"
 subpackages="$pkgname-doc"
 source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
- https://git.savannah.gnu.org/cgit/screen.git/patch/?id=68386dfb1fa33471372a8cd2e74686758a2f527b
+ CVE-2020-9366.patch
 "
 builddir="$srcdir/$pkgname-$pkgver"
@@ -45,4 +45,4 @@ package() {
 }
 sha512sums="44c7a33e2ed772ce91998cdc07556ef7b972e5b100335e14702b273a234e437fe6415de459e7b6d34c6086282a432778629047424ef9159ac6fcf26d22b45745 screen-4.7.0.tar.gz
-497a47b5f4952645f94bcc4594695db9f7a993f5d7c9b9142984804aee61b5cc571b7c666310cc651eb2428c6d39d5320923d464917fd925f57f1e13acb1db7d ?id=68386dfb1fa33471372a8cd2e74686758a2f527b"
+a711983119b86527a85464d4f5c8fecd6d481ab5691dd7b1b83c33983594d511ac69a8a67b088906540f8475dba08bda4ba559b2b514ac43535bd668db801fe0 CVE-2020-9366.patch"
diff --git a/main/screen/CVE-2020-9366.patch b/main/screen/CVE-2020-9366.patch
new file mode 100644
index 0000000000..7653dabbe7
--- /dev/null
+++ b/main/screen/CVE-2020-9366.patch
@@ -0,0 +1,41 @@
+From 68386dfb1fa33471372a8cd2e74686758a2f527b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+Date: Thu, 30 Jan 2020 17:56:27 +0100
+Subject: Fix out of bounds access when setting w_xtermosc after OSC 49
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+echo -e "\e]49\e; \n\ec"
+crashes screen.
+
+This happens because 49 is divided by 10 and used as table index
+resulting in access to w_xtermosc[4], which is out of bounds with table
+itself being size 4. Increase size of table by 1 to 5, which is enough
+for all current uses.
+
+As this overwrites memory based on user input it is potential security
+issue.
+
+Reported-by: pippin@gimp.org
+Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
+---
+ src/window.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/window.h b/src/window.h
+index fbe98dc..11d2a9e 100644
+--- a/window.h
++++ b/window.h
+@@ -237,7 +237,7 @@ struct win
+ char w_vbwait;
+ char w_norefresh; /* dont redisplay when switching to that win */
+ #ifdef RXVT_OSC
+- char w_xtermosc[4][MAXSTR]; /* special xterm/rxvt escapes */
++ char w_xtermosc[5][MAXSTR]; /* special xterm/rxvt escapes */
+ #endif
+ int w_mouse; /* mouse mode 0,9,1000 */
+ int w_extmouse; /* extended mouse mode 0,1006 */
+--
+cgit v1.2.1
+ |
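Review bot: The vendored fix only grows `w_xtermosc` in `struct win` from 4 to 5 rows. Nothing in this hunk bounds the index, which the patch description says is the OSC number divided by 10, so the write stays in bounds only while no handled OSC number reaches 50. The indexing code is outside the hunk, so whether it already range-checks cannot be seen here; if it does not, a guard there that rejects an index at or past the row count would make the fix independent of the table size. At minimum the declaration should record the invariant, e.g. `/* indexed by OSC number / 10; 5 rows cover OSC 0..49 */`. `struct win` starts and ends outside the hunk.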