authorKevin Daudt <kdaudt@alpinelinux.org>2021-02-13 21:02:10 +0000
committerKevin Daudt <kdaudt@alpinelinux.org>2021-02-14 17:44:38 +0000
commit70f979c6376be8694ccd7373e5eedc26a11f26b0 (patch)
tree4851feff43ae8a61fc7bc4e239059f06959ec1a2
parentabdccd3b358b794ff34922160ded5ef4a011306e (diff)
main/screen: use better patch for CVE-2021-26937
The patch from Debian will cause screen to stop properly processing combining characters after all slots have been exhausted.
-rw-r--r--main/screen/APKBUILD4
-rw-r--r--main/screen/CVE-2021-26937.patch96
2 files changed, 55 insertions, 45 deletions
diff --git a/main/screen/APKBUILD b/main/screen/APKBUILD
index 48c48c2ded5..c7b87bec623 100644
--- a/main/screen/APKBUILD
+++ b/main/screen/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=screen
pkgver=4.8.0
-pkgrel=4
+pkgrel=5
pkgdesc="Window manager that multiplexes a physical terminal"
url="https://www.gnu.org/software/screen/"
arch="all"
@@ -50,4 +50,4 @@ package() {
sha512sums="770ebaf6ee9be711bcb8a6104b3294f2bf4523dae6683fdc5eac4b3aff7e511be2d922b6b2ad28ec241113c2e4fe0d80f9a482ae1658adc19c8c3a3680caa25c screen-4.8.0.tar.gz
82aca3e16c8cd7a3029d3b589ff2dd3471708d6287979ebb5cfdaedbd1f3012c0cd660b131e0cbe142b99786e49ef8b24c63159523d870e95ccf71ec94b82634 utmpx.patch
-1c9fec7b971d1674c8be9b0b540d33bb977d63b1bffe3d38fb0d23a75dd5137eac482b9388f4a0affe15717a7814c3913f0c2290876e50ac20bc5cff82c0606d CVE-2021-26937.patch"
+21f296fa558ef5cdde378fcd8d47cf780f99702c3f798387f611260f29700397591f1757d1d3197a12650a4042af74176753e69bc19997c2bbfbb02b413a50a5 CVE-2021-26937.patch"
diff --git a/main/screen/CVE-2021-26937.patch b/main/screen/CVE-2021-26937.patch
index f1bb41b266e..bfd188a95b0 100644
--- a/main/screen/CVE-2021-26937.patch
+++ b/main/screen/CVE-2021-26937.patch
@@ -1,49 +1,59 @@
-Description: [CVE-2021-26937] Fix out of bounds array access
-Author: Axel Beckert <abe@debian.org>
-Bug-Debian: https://bugs.debian.org/982435
-Bug: https://savannah.gnu.org/bugs/?60030
-Bug: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
-Bug-OSS-Security: https://www.openwall.com/lists/oss-security/2021/02/09/3
-Forwarded: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00004.html
-
+Source: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html
+diff --git a/encoding.c b/encoding.c
+index e5db3e7..79f5d14 100644
--- a/encoding.c
+++ b/encoding.c
-@@ -1408,21 +1408,23 @@
- }
- /* FIXME: delete old char from all buffers */
- }
-- else if (!combchars[i])
-- {
-- combchars[i] = (struct combchar *)malloc(sizeof(struct combchar));
-- if (!combchars[i])
-- return;
-- combchars[i]->prev = i;
-- combchars[i]->next = i;
-- }
-- combchars[i]->c1 = c1;
-- combchars[i]->c2 = c;
-- mc->image = i & 0xff;
-- mc->font = (i >> 8) + 0xd8;
-- mc->fontx = 0;
-- debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
+@@ -43,7 +43,7 @@ static int encmatch __P((char *, char *));
+ # ifdef UTF8
+ static int recode_char __P((int, int, int));
+ static int recode_char_to_encoding __P((int, int));
+-static void comb_tofront __P((int, int));
++static void comb_tofront __P((int));
+ # ifdef DW_CHARS
+ static int recode_char_dw __P((int, int *, int, int));
+ static int recode_char_dw_to_encoding __P((int, int *, int));
+@@ -1263,6 +1263,8 @@ int c;
+ {0x30000, 0x3FFFD},
+ };
+
++ if (c >= 0xdf00 && c <= 0xdfff)
++ return 1; /* dw combining sequence */
+ return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) ||
+ (cjkwidth &&
+ bisearch(c, ambiguous,
+@@ -1330,11 +1332,12 @@ int c;
+ }
+
+ static void
+-comb_tofront(root, i)
+-int root, i;
++comb_tofront(i)
++int i;
+ {
+ for (;;)
+ {
++ int root = i >= 0x700 ? 0x801 : 0x800;
+ debug1("bring to front: %x\n", i);
+ combchars[combchars[i]->prev]->next = combchars[i]->next;
+ combchars[combchars[i]->next]->prev = combchars[i]->prev;
+@@ -1396,9 +1399,9 @@ struct mchar *mc;
+ {
+ /* full, recycle old entry */
+ if (c1 >= 0xd800 && c1 < 0xe000)
+- comb_tofront(root, c1 - 0xd800);
++ comb_tofront(c1 - 0xd800);
+ i = combchars[root]->prev;
+- if (c1 == i + 0xd800)
++ if (i == 0x800 || i == 0x801 || c1 == i + 0xd800)
+ {
+ /* completely full, can't recycle */
+ debug("utf8_handle_comp: completely full!\n");
+@@ -1422,7 +1425,7 @@ struct mchar *mc;
+ mc->font = (i >> 8) + 0xd8;
+ mc->fontx = 0;
+ debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
- comb_tofront(root, i);
-+ else if (i < sizeof combchars / sizeof *combchars) {
-+ if (!combchars[i])
-+ {
-+ combchars[i] = (struct combchar *)malloc(sizeof(struct combchar));
-+ if (!combchars[i])
-+ return;
-+ combchars[i]->prev = i;
-+ combchars[i]->next = i;
-+ }
-+ combchars[i]->c1 = c1;
-+ combchars[i]->c2 = c;
-+ mc->image = i & 0xff;
-+ mc->font = (i >> 8) + 0xd8;
-+ mc->fontx = 0;
-+ debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
-+ comb_tofront(root, i);
-+ }
++ comb_tofront(i);
}
#else /* !UTF8 */
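Review bot: The slot layout this fix depends on is written as bare constants in three separate places in the new patch — `0xdf00`..`0xdfff` in the width check, `i >= 0x700 ? 0x801 : 0x800` in `comb_tofront`, and `i == 0x800 || i == 0x801` in the recycle path — with nothing tying them together, and `comb_tofront` still indexes `combchars[i]` with no range check of its own. The one visible caller is guarded by `c1 >= 0xd800 && c1 < 0xe000`, so `i` appears to stay below 0x800 there, but the bound on `i` at the final `comb_tofront(i)` call is set outside the inner hunks and cannot be confirmed from this page. A comment above `comb_tofront` would make the invariant reviewable, for example `/* slots 0x000-0x6ff: single width, root 0x800; 0x700-0x7ff: double width, root 0x801 */` (layout inferred from the ternary, to be confirmed against upstream). Separately, the new header keeps only `Source:`; retaining the `Description: [CVE-2021-26937] Fix out of bounds array access` and `Bug:` lines from the old header would keep the patch traceable to the advisory.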