SECURITY UPDATE

2024-11-05 09:27:00 +08:00 · 2024-11-05 09:27:00 +08:00 · 6e1edc49c9
parent f75427251e
commit 6e1edc49c9
3 changed files with 132 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,13 @@
+vte2.91 (0.76.0-ok2) nile; urgency=medium
+
+  * SECURITY UPDATE: DoS via window resize escape sequences     -
+    debian/patches/CVE-2024-37535-1.patch: Restrict resize request to
+    sane numbers in src/vteseq.cc.     - debian/patches/CVE-2024-37535-
+    2.patch: add safety limit to widget       size requests in
+    src/vtegtk.cc.     - CVE-2024-37535
+
+ -- liubo01 <liubo01@kylinos.cn>  Tue, 05 Nov 2024 09:27:00 +0800
+
 vte2.91 (0.76.0-ok1) nile; urgency=medium

  * Build for openKylin.
--- a/debian/patches/SECURITY-UPDATE.patch
+++ b/debian/patches/SECURITY-UPDATE.patch
@ -0,0 +1,121 @@
+From: liubo0711 <1191322237@qq.com>
+Date: Tue, 5 Nov 2024 09:27:00 +0800
+Subject: SECURITY UPDATE
+
+---
+ src/vtegtk.cc | 35 +++++++++++++++++++++++++++++++++++
+ src/vteseq.cc | 20 ++++++++++++--------
+ 2 files changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/src/vtegtk.cc b/src/vtegtk.cc
+index 53b93dc..7faf210 100644
+--- a/src/vtegtk.cc
+++ b/src/vtegtk.cc
+@@ -91,6 +91,38 @@
+ template<typename T>
+ constexpr bool check_enum_value(T value) noexcept;
+ 
+static inline void
+sanitise_widget_size_request(int* minimum,
+                             int* natural) noexcept
+{
+        // Overly large size requests will make gtk happily allocate
+        // a window size over the window system's limits (see
+        // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
+        // leading to aborting the whole process.
+        // The toolkit should be in a better position to know about
+        // these limits and not exceed them (which here is certainly
+        // possible since our minimum sizes are very small), let's
+        // limit the widget's size request to some large value
+        // that hopefully is within the absolute limits of
+        // the window system (assumed here to be int16 range,
+        // and leaving some space for the widgets that contain
+        // the terminal).
+        auto const limit = (1 << 15) - (1 << 12);
+
+        if (*minimum > limit || *natural > limit) {
+                static auto warned = false;
+
+                if (!warned) {
+                        g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
+                                  *minimum, *natural);
+                        warned = true;
+                }
+        }
+
+        *minimum = std::min(*minimum, limit);
+        *natural = std::clamp(*natural, *minimum, limit);
+}
+
+ struct _VteTerminalClassPrivate {
+         GtkStyleProvider *fallback_style_provider;
+         GtkStyleProvider *style_provider;
+@@ -508,6 +540,7 @@ try
+ {
+ 	VteTerminal *terminal = VTE_TERMINAL(widget);
+         WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
+        sanitise_widget_size_request(minimum_width, natural_width);
+ }
+ catch (...)
+ {
+@@ -522,6 +555,7 @@ try
+ {
+ 	VteTerminal *terminal = VTE_TERMINAL(widget);
+         WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
+        sanitise_widget_size_request(minimum_height, natural_height);
+ }
+ catch (...)
+ {
+@@ -779,6 +813,7 @@ try
+         WIDGET(terminal)->measure(orientation, for_size,
+                                   minimum, natural,
+                                   minimum_baseline, natural_baseline);
+        sanitise_widget_size_request(minimum, natural);
+ }
+ catch (...)
+ {
+diff --git a/src/vteseq.cc b/src/vteseq.cc
+index 904837e..f09a58a 100644
+--- a/src/vteseq.cc
+++ b/src/vteseq.cc
+@@ -213,9 +213,18 @@ Terminal::emit_bell()
+ /* Emit a "resize-window" signal.  (Grid size.) */
+ void
+ Terminal::emit_resize_window(guint columns,
+-                                       guint rows)
+-{
+-        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window'.\n");
+                             guint rows)
+{
+        // Ignore resizes with excessive number of rows or columns,
+        // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+        if (columns < VTE_MIN_GRID_WIDTH ||
+            columns > 511 ||
+            rows < VTE_MIN_GRID_HEIGHT ||
+            rows > 511)
+                return;
+
+        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
+                         columns, rows);
+         g_signal_emit(m_terminal, signals[SIGNAL_RESIZE_WINDOW], 0, columns, rows);
+ }
+ 
+@@ -4464,8 +4473,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq)
+         else if (param < 24)
+                 return;
+ 
+-        _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
+-
+         emit_resize_window(m_column_count, param);
+ }
+ 
+@@ -8987,9 +8994,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq)
+                 seq.collect(1, {&height, &width});
+ 
+                 if (width != -1 && height != -1) {
+-                        _vte_debug_print(VTE_DEBUG_EMULATION,
+-                                         "Resizing window to %d columns, %d rows.\n",
+-                                         width, height);
+                         emit_resize_window(width, height);
+                 }
+                 break;
--- a/debian/patches/series
+++ b/debian/patches/series
@ -1,2 +1,3 @@
 Allow-background-color-and-color-on-VteTerminal-widgets-t.patch
 terminal-fix-UTF-8-bounds-check.patch
+SECURITY-UPDATE.patch