xterm: CVE-2022-24130 Buffer overflow in set_sixel in graphics_sixel.c

Source: https://github.com/ThomasDickey/xterm-snapshots/ MR: 115675 Type: Security Fix Disposition: Backport from https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d ChangeID: 6ad000b744527ae863187b570714792fc29467d9 Description: CVE-2022-24130 xterm: Buffer overflow in set_sixel in graphics_sixel.c. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-06-24 17:48:02 +0530
committer: Armin Kuster <akuster808@gmail.com> 2022-07-16 12:56:17 -0700
commit: b406297d3bcdef6d174eea85945623f1a8f0e3b9 (patch)
tree: 72f09e21d5b236f3c72107a7d5b43d9fa807215a
parent: a24773d39edf4d156ecda08bc4317b2b37cc6231 (diff)
download: meta-openembedded-b406297d3bcdef6d174eea85945623f1a8f0e3b9.tar.gz
2 files changed, 85 insertions, 1 deletions
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch
new file mode 100644
index 0000000000..b7a5f297a5
--- /dev/null
+++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch
@@ -0,0 +1,84 @@
+From 85666286473f2fbb2d4731d4e175f00d7a76e21f Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 21 Jun 2022 10:53:01 +0530
+Subject: [PATCH] CVE-2022-24130
+Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d]
+CVE: CVE-2022-24130
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f
+ Check for out-of-bounds condition while drawing sixels, and quit that
+ operation (report by Nick Black, CVE-2022-24130).
+Bug-Debian: https://bugs.debian.org/1004689
+---
+ graphics_sixel.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+diff --git a/graphics_sixel.c b/graphics_sixel.c
+index 00ba3ef..6a82295 100644
+--- a/graphics_sixel.c
+++ b/graphics_sixel.c
+@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic, SixelContext const *context)
+     graphic->color_registers_used[context->background] = 1;
+ }
+ 
+-static void
+static Boolean
+ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+ {
+     const int mh = graphic->max_height;
+@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+           ((color != COLOR_HOLE)
+            ? (unsigned) graphic->color_registers[color].b : 0U)));
+     for (pix = 0; pix < 6; pix++) {
+-       if (context->col < mw && context->row + pix < mh) {
+       if (context->col >= 0 &&
+           context->col < mw &&
+           context->row + pix >= 0 &&
+           context->row + pix < mh) {
+            if (sixel & (1 << pix)) {
+                if (context->col + 1 > graphic->actual_width) {
+                    graphic->actual_width = context->col + 1;
+@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+            }
+        } else {
+            TRACE(("sixel pixel %d out of bounds\n", pix));
+           return False;
+        }
+     }
+    return True;
+ }
+ 
+ static void
+@@ -451,7 +456,10 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string)
+                init_sixel_background(graphic, &context);
+                graphic->valid = 1;
+            }
+-           set_sixel(graphic, &context, sixel);
+           if (!set_sixel(graphic, &context, sixel)) {
+             context.col = 0;
+             break;
+           }
+            context.col++;
+        } else if (ch == '$') { /* DECGCR */
+            /* ignore DECCRNLM in sixel mode */
+@@ -529,8 +537,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string)
+                graphic->valid = 1;
+            }
+            for (i = 0; i < Pcount; i++) {
+-               set_sixel(graphic, &context, sixel);
+-               context.col++;
+               if (set_sixel(graphic, &context, sixel)) {
+                 context.col++;
+               } else {
+                 context.col = 0;
+                 break;
+               }
+            }
+        } else if (ch == '#') { /* DECGCI */
+            ANSI color_params;
+-- 
+2.25.1
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
index 264320212c..1862b250ef 100644
--- a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
+++ b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
@@ -7,8 +7,8 @@ LIC_FILES_CHKSUM = "file://xterm.h;beginline=3;endline=31;md5=996b1ce0584c0747b1
 SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
           file://0001-Add-configure-time-check-for-setsid.patch \
           file://CVE-2021-27135.patch \
+           file://CVE-2022-24130.patch \
          "
 SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f"
 SRC_URI[sha256sum] = "e521d3ee9def61f5d5c911afc74dd5c3a56ce147c7071c74023ea24cac9bb768"
 PACKAGECONFIG ?= ""
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-06-24 17:48:02 +0530
committer	Armin Kuster <akuster808@gmail.com>	2022-07-16 12:56:17 -0700
commit	b406297d3bcdef6d174eea85945623f1a8f0e3b9 (patch)
tree	72f09e21d5b236f3c72107a7d5b43d9fa807215a
parent	a24773d39edf4d156ecda08bc4317b2b37cc6231 (diff)
download	meta-openembedded-b406297d3bcdef6d174eea85945623f1a8f0e3b9.tar.gz

diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch new file mode 100644 index 0000000000..b7a5f297a5 --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch
@@ -0,0 +1,84 @@
		1	From 85666286473f2fbb2d4731d4e175f00d7a76e21f Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Tue, 21 Jun 2022 10:53:01 +0530
		4	Subject: [PATCH] CVE-2022-24130
		5
		6	Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d]
		7	CVE: CVE-2022-24130
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9
		10	Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f
		11	Check for out-of-bounds condition while drawing sixels, and quit that
		12	operation (report by Nick Black, CVE-2022-24130).
		13	Bug-Debian: https://bugs.debian.org/1004689
		14
		15	---
		16	graphics_sixel.c \| 22 +++++++++++++++++-----
		17	1 file changed, 17 insertions(+), 5 deletions(-)
		18
		19	diff --git a/graphics_sixel.c b/graphics_sixel.c
		20	index 00ba3ef..6a82295 100644
		21	--- a/graphics_sixel.c
		22	+++ b/graphics_sixel.c
		23	@@ -141,7 +141,7 @@ init_sixel_background(Graphic graphic, SixelContext const context)
		24	graphic->color_registers_used[context->background] = 1;
		25	}
		26
		27	-static void
		28	+static Boolean
		29	set_sixel(Graphic graphic, SixelContext const context, int sixel)
		30	{
		31	const int mh = graphic->max_height;
		32	@@ -162,7 +162,10 @@ set_sixel(Graphic graphic, SixelContext const context, int sixel)
		33	((color != COLOR_HOLE)
		34	? (unsigned) graphic->color_registers[color].b : 0U)));
		35	for (pix = 0; pix < 6; pix++) {
		36	- if (context->col < mw && context->row + pix < mh) {
		37	+ if (context->col >= 0 &&
		38	+ context->col < mw &&
		39	+ context->row + pix >= 0 &&
		40	+ context->row + pix < mh) {
		41	if (sixel & (1 << pix)) {
		42	if (context->col + 1 > graphic->actual_width) {
		43	graphic->actual_width = context->col + 1;
		44	@@ -175,8 +178,10 @@ set_sixel(Graphic graphic, SixelContext const context, int sixel)
		45	}
		46	} else {
		47	TRACE(("sixel pixel %d out of bounds\n", pix));
		48	+ return False;
		49	}
		50	}
		51	+ return True;
		52	}
		53
		54	static void
		55	@@ -451,7 +456,10 @@ parse_sixel(XtermWidget xw, ANSI params, char const string)
		56	init_sixel_background(graphic, &context);
		57	graphic->valid = 1;
		58	}
		59	- set_sixel(graphic, &context, sixel);
		60	+ if (!set_sixel(graphic, &context, sixel)) {
		61	+ context.col = 0;
		62	+ break;
		63	+ }
		64	context.col++;
		65	} else if (ch == '$') { /* DECGCR */
		66	/* ignore DECCRNLM in sixel mode */
		67	@@ -529,8 +537,12 @@ parse_sixel(XtermWidget xw, ANSI params, char const string)
		68	graphic->valid = 1;
		69	}
		70	for (i = 0; i < Pcount; i++) {
		71	- set_sixel(graphic, &context, sixel);
		72	- context.col++;
		73	+ if (set_sixel(graphic, &context, sixel)) {
		74	+ context.col++;
		75	+ } else {
		76	+ context.col = 0;
		77	+ break;
		78	+ }
		79	}
		80	} else if (ch == '#') { /* DECGCI */
		81	ANSI color_params;
		82	--
		83	2.25.1
		84


diff --git a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb index 264320212c..1862b250ef 100644 --- a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb +++ b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
@@ -7,8 +7,8 @@ LIC_FILES_CHKSUM = "file://xterm.h;beginline=3;endline=31;md5=996b1ce0584c0747b1
7	SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \	7	SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
8	file://0001-Add-configure-time-check-for-setsid.patch \	8	file://0001-Add-configure-time-check-for-setsid.patch \
9	file://CVE-2021-27135.patch \	9	file://CVE-2021-27135.patch \
		10	file://CVE-2022-24130.patch \
10	"	11	"
11
12	SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f"	12	SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f"
13	SRC_URI[sha256sum] = "e521d3ee9def61f5d5c911afc74dd5c3a56ce147c7071c74023ea24cac9bb768"	13	SRC_URI[sha256sum] = "e521d3ee9def61f5d5c911afc74dd5c3a56ce147c7071c74023ea24cac9bb768"
14	PACKAGECONFIG ?= ""	14	PACKAGECONFIG ?= ""