Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
I have uploaded xterm 344-1+deb10u2 to fix #1004689 aka CVE-2022-24130
in buster.
This is the same problem and the same fix as the one for bullseye, see
#1005232 for details. The patch is six lines longer because two minor
changes from xterm 357 had to be applied first.
Cheers,
Sven
diff -Nru xterm-344/debian/changelog xterm-344/debian/changelog
--- xterm-344/debian/changelog 2021-03-07 17:53:16.000000000 +0100
+++ xterm-344/debian/changelog 2022-02-07 20:05:11.000000000 +0100
@@ -1,3 +1,12 @@
+xterm (344-1+deb10u2) buster; urgency=medium
+
+ * Cherry-pick sixel graphics fixes from xterm 370d and 370f.
+ - Check for out-of-bounds condition while drawing sixels, and quit
+ that operation (report by Nick Black (CVE-2022-24130),
+ Closes: #1004689).
+
+ -- Sven Joachim <svenjoac@gmx.de> Mon, 07 Feb 2022 20:05:11 +0100
+
xterm (344-1+deb10u1) buster; urgency=medium
* Apply upstream fix from xterm 366 for CVE-2021-27135.
diff -Nru xterm-344/debian/patches/CVE-2022-24130.diff xterm-344/debian/patches/CVE-2022-24130.diff
--- xterm-344/debian/patches/CVE-2022-24130.diff 1970-01-01 01:00:00.000000000 +0100
+++ xterm-344/debian/patches/CVE-2022-24130.diff 2022-02-02 18:26:45.000000000 +0100
@@ -0,0 +1,79 @@
+Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f
+ Check for out-of-bounds condition while drawing sixels, and quit that
+ operation (report by Nick Black, CVE-2022-24130).
+Bug-Debian: https://bugs.debian.org/1004689
+
+---
+ graphics_sixel.c | 31 +++++++++++++++++++++++++------
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+--- a/graphics_sixel.c
++++ b/graphics_sixel.c
+@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic,
+ graphic->color_registers_used[context->background] = 1;
+ }
+
+-static void
++static Boolean
+ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+ {
+ const int mh = graphic->max_height;
+@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext
+ ((color != COLOR_HOLE)
+ ? (unsigned) graphic->color_registers[color].b : 0U)));
+ for (pix = 0; pix < 6; pix++) {
+- if (context->col < mw && context->row + pix < mh) {
++ if (context->col >= 0 &&
++ context->col < mw &&
++ context->row + pix >= 0 &&
++ context->row + pix < mh) {
+ if (sixel & (1 << pix)) {
+ if (context->col + 1 > graphic->actual_width) {
+ graphic->actual_width = context->col + 1;
+@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext
+ }
+ } else {
+ TRACE(("sixel pixel %d out of bounds\n", pix));
++ return False;
+ }
+ }
++ return True;
+ }
+
+ static void
+@@ -451,7 +456,12 @@ parse_sixel(XtermWidget xw, ANSI *params
+ init_sixel_background(graphic, &context);
+ graphic->valid = 1;
+ }
+- set_sixel(graphic, &context, sixel);
++ if (sixel) {
++ if (!set_sixel(graphic, &context, sixel)) {
++ context.col = 0;
++ break;
++ }
++ }
+ context.col++;
+ } else if (ch == '$') { /* DECGCR */
+ /* ignore DECCRNLM in sixel mode */
+@@ -528,9 +538,18 @@ parse_sixel(XtermWidget xw, ANSI *params
+ init_sixel_background(graphic, &context);
+ graphic->valid = 1;
+ }
+- for (i = 0; i < Pcount; i++) {
+- set_sixel(graphic, &context, sixel);
+- context.col++;
++ if (sixel) {
++ int i;
++ for (i = 0; i < Pcount; i++) {
++ if (set_sixel(graphic, &context, sixel)) {
++ context.col++;
++ } else {
++ context.col = 0;
++ break;
++ }
++ }
++ } else {
++ context.col += Pcount;
+ }
+ } else if (ch == '#') { /* DECGCI */
+ ANSI color_params;
diff -Nru xterm-344/debian/patches/series xterm-344/debian/patches/series
--- xterm-344/debian/patches/series 2021-03-05 22:10:42.000000000 +0100
+++ xterm-344/debian/patches/series 2022-02-02 17:42:37.000000000 +0100
@@ -2,3 +2,4 @@
902_windowops.diff
904_fontops.diff
CVE-2021-27135.diff
+CVE-2022-24130.diff
Attachment:
signature.asc
Description: PGP signature