main/vte: backport a couple of fixes (CVE-2012-2738)

This should also fix paste in xfce4-terminal

3 files changed, 121 insertions, 8 deletions

diff --git a/main/vte/APKBUILD b/main/vte/APKBUILD
index d841d26f4d..e0f47b4d7f 100644
--- a/main/vte/APKBUILD
+++ b/main/vte/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=vte
 pkgver=0.28.2
-pkgrel=11
+pkgrel=12
 pkgdesc="Virtual Terminal Emulator library"
 url="http://www.gnome.org"
 arch="all"
@@ -14,8 +14,14 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
 source="http://ftp.gnome.org/pub/GNOME/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.bz2
 	allow_alt_in_terminal.patch
 	fix-includes.patch
+	vte-0.28.2-paste-fix.patch
+	CVE-2012-2738.patch
 	"
 
+# secfixes:
+#   0.28.2-r12:
+#   - CVE-2012-2738
+
 builddir="$srcdir/$pkgname-$pkgver"
 prepare() {
 	default_prepare
@@ -47,12 +53,8 @@ check() {
 	make check
 }
 
-md5sums="f07a4bf943194f94b7f142db8f7f36dc  vte-0.28.2.tar.bz2
-6ae30139b7d7ca78b56a3b55426c83f2  allow_alt_in_terminal.patch
-4872d596fb461f11e9aa753f5a65dd08  fix-includes.patch"
-sha256sums="8d04e202b617373dfb47689e5e628febe2c58840b34cccc4af4feb88c48df903  vte-0.28.2.tar.bz2
-6e4488f9a60f52a2a7eeb09865bdc42f00c309eb4cf8d548b524b9c33fadcd8a  allow_alt_in_terminal.patch
-bb8bfcb6d88f40dba0025e9ec95f579219db7e80654371a1c926fa39a38134b2  fix-includes.patch"
 sha512sums="271aecbc0444c424afb70d81838d0f6f49957a3b74d3952c0b97fadacfe359eab989abae03b9b64a8b598abdb189db00ee534254d8044e496906c51947d314d1  vte-0.28.2.tar.bz2
 a4786a97a5caa42db3b29808c3542777684fcf7d931a116d4e3d847e859a64fb59a2d5b60927dc8e5c2733efc55c29aa4d30aeb02597aff5f034c172cc528833  allow_alt_in_terminal.patch
-bf8174189fe842d171c04633ce1f8b920f3a515108db48bfe1fff7e537960a88f7439a55b283b6ade6ebfe78ab8ff2473f3be2d062dc00aa74b93a13624b4d3c  fix-includes.patch"
+bf8174189fe842d171c04633ce1f8b920f3a515108db48bfe1fff7e537960a88f7439a55b283b6ade6ebfe78ab8ff2473f3be2d062dc00aa74b93a13624b4d3c  fix-includes.patch
+488a3d55c4afb5b74057c97adfaafc1cc6de697c157a2009905632af2137305eee671b1e0b294f153b37ee97e79d402d6e44fc19945f8c2dd332e95eef1b144f  vte-0.28.2-paste-fix.patch
+e5639d94fd455195c354d03cab04bbb73eff98bc540c813cccf4ab5eb793f4c8ae645fcf2bd502924ed4d38412101341deaf2d28ea8aaea3530a98ffbba8256d  CVE-2012-2738.patch"
diff --git a/main/vte/CVE-2012-2738.patch b/main/vte/CVE-2012-2738.patch
new file mode 100644
index 0000000000..fd45407939
--- /dev/null
+++ b/main/vte/CVE-2012-2738.patch
@@ -0,0 +1,40 @@
+From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Sat, 19 May 2012 17:36:09 +0000
+Subject: emulation: Limit integer arguments to 65535
+
+To guard against malicious sequences containing excessively big numbers,
+limit all parsed numbers to 16 bit range. Doing this here in the parsing
+routine is a catch-all guard; this doesn't preclude enforcing
+more stringent limits in the handlers themselves.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=676090
+---
+diff --git a/src/table.c b/src/table.c
+index 140e8c8..85cf631 100644
+--- a/src/table.c
++++ b/src/table.c
+@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
+ 		if (G_UNLIKELY (*array == NULL)) {
+ 			*array = g_value_array_new(1);
+ 		}
+-		g_value_set_long(&value, total);
++		g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
+ 		g_value_array_append(*array, &value);
+ 	} while (i++ < arginfo->length);
+ 	g_value_unset(&value);
+diff --git a/src/vteseq.c b/src/vteseq.c
+index 457c06a..46def5b 100644
+--- a/src/vteseq.c
++++ b/src/vteseq.c
+@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
+                               GValueArray *params,
+                               VteTerminalSequenceHandler handler)
+ {
+-        vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG);
++        vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT);
+ }
+ 
+ static void
+--
+cgit v0.9.0.2
diff --git a/main/vte/vte-0.28.2-paste-fix.patch b/main/vte/vte-0.28.2-paste-fix.patch
new file mode 100644
index 0000000000..cc51eadde0
--- /dev/null
+++ b/main/vte/vte-0.28.2-paste-fix.patch
@@ -0,0 +1,71 @@
+diff -ur vte-0.28.2.orig/src/vte.c vte-0.28.2/src/vte.c
+--- vte-0.28.2.orig/src/vte.c	2011-08-29 00:31:45.000000000 +0300
++++ vte-0.28.2/src/vte.c	2014-06-26 04:20:52.409371214 +0300
+@@ -5806,10 +5806,10 @@
+ 				p++;
+ 			}
+ 		}
+-		if (terminal->pvt->screen->bracketed_paste_mode)
++		if (terminal->pvt->bracketed_paste_mode)
+ 			vte_terminal_feed_child(terminal, "\e[200~", -1);
+ 		vte_terminal_feed_child(terminal, paste, length);
+-		if (terminal->pvt->screen->bracketed_paste_mode)
++		if (terminal->pvt->bracketed_paste_mode)
+ 			vte_terminal_feed_child(terminal, "\e[201~", -1);
+ 		g_free(paste);
+ 	}
+@@ -14065,14 +14065,12 @@
+ 	pvt->normal_screen.linefeed_mode = FALSE;
+ 	pvt->normal_screen.origin_mode = FALSE;
+ 	pvt->normal_screen.reverse_mode = FALSE;
+-	pvt->normal_screen.bracketed_paste_mode = FALSE;
+ 	pvt->alternate_screen.scrolling_restricted = FALSE;
+ 	pvt->alternate_screen.sendrecv_mode = TRUE;
+ 	pvt->alternate_screen.insert_mode = FALSE;
+ 	pvt->alternate_screen.linefeed_mode = FALSE;
+ 	pvt->alternate_screen.origin_mode = FALSE;
+ 	pvt->alternate_screen.reverse_mode = FALSE;
+-	pvt->alternate_screen.bracketed_paste_mode = FALSE;
+ 	pvt->cursor_visible = TRUE;
+ 	/* Reset the encoding. */
+ 	vte_terminal_set_encoding(terminal, NULL);
+@@ -14102,6 +14100,8 @@
+ 	pvt->mouse_last_y = 0;
+ 	/* Clear modifiers. */
+ 	pvt->modifiers = 0;
++	/* Reset miscellaneous stuff. */
++	pvt->bracketed_paste_mode = FALSE;
+ 	/* Cause everything to be redrawn (or cleared). */
+ 	vte_terminal_maybe_scroll_to_bottom(terminal);
+ 	_vte_invalidate_all(terminal);
+diff -ur vte-0.28.2.orig/src/vte-private.h vte-0.28.2/src/vte-private.h
+--- vte-0.28.2.orig/src/vte-private.h	2011-08-17 00:52:48.000000000 +0300
++++ vte-0.28.2/src/vte-private.h	2014-06-26 04:20:52.410371214 +0300
+@@ -219,7 +219,6 @@
+ 		gboolean sendrecv_mode;	/* sendrecv mode */
+ 		gboolean insert_mode;	/* insert mode */
+ 		gboolean linefeed_mode;	/* linefeed mode */
+-		gboolean bracketed_paste_mode;
+ 		struct vte_scrolling_region {
+ 			int start, end;
+ 		} scrolling_region;	/* the region we scroll in */
+@@ -274,6 +273,7 @@
+ 	gboolean text_modified_flag;
+ 	gboolean text_inserted_flag;
+ 	gboolean text_deleted_flag;
++	gboolean bracketed_paste_mode;
+ 
+ 	/* Scrolling options. */
+ 	gboolean scroll_background;
+diff -ur vte-0.28.2.orig/src/vteseq.c vte-0.28.2/src/vteseq.c
+--- vte-0.28.2.orig/src/vteseq.c	2014-06-26 04:08:49.998358634 +0300
++++ vte-0.28.2/src/vteseq.c	2014-06-26 04:34:00.214384933 +0300
+@@ -737,7 +737,7 @@
+ 		 GINT_TO_POINTER(TRUE),
+ 		 NULL, NULL},
+ 		/* 2004: Bracketed paste mode. */
+-		{2004, &terminal->pvt->screen->bracketed_paste_mode, NULL, NULL,
++		{2004, &terminal->pvt->bracketed_paste_mode, NULL, NULL,
+ 		 GINT_TO_POINTER(FALSE),
+ 		 GINT_TO_POINTER(TRUE),
+ 		 NULL, NULL,},