diff --git a/vte-0.28.2-limit-arguments.patch b/vte-0.28.2-limit-arguments.patch new file mode 100644 index 0000000..fd45407 --- /dev/null +++ b/vte-0.28.2-limit-arguments.patch @@ -0,0 +1,40 @@ +From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001 +From: Christian Persch +Date: Sat, 19 May 2012 17:36:09 +0000 +Subject: emulation: Limit integer arguments to 65535 + +To guard against malicious sequences containing excessively big numbers, +limit all parsed numbers to 16 bit range. Doing this here in the parsing +routine is a catch-all guard; this doesn't preclude enforcing +more stringent limits in the handlers themselves. + +https://bugzilla.gnome.org/show_bug.cgi?id=676090 +--- +diff --git a/src/table.c b/src/table.c +index 140e8c8..85cf631 100644 +--- a/src/table.c ++++ b/src/table.c +@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array, + if (G_UNLIKELY (*array == NULL)) { + *array = g_value_array_new(1); + } +- g_value_set_long(&value, total); ++ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT)); + g_value_array_append(*array, &value); + } while (i++ < arginfo->length); + g_value_unset(&value); +diff --git a/src/vteseq.c b/src/vteseq.c +index 457c06a..46def5b 100644 +--- a/src/vteseq.c ++++ b/src/vteseq.c +@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal, + GValueArray *params, + VteTerminalSequenceHandler handler) + { +- vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG); ++ vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT); + } + + static void +-- +cgit v0.9.0.2 diff --git a/vte.spec b/vte.spec index e7d5e99..1871402 100644 --- a/vte.spec +++ b/vte.spec @@ -4,7 +4,7 @@ Name: vte Version: 0.28.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: A terminal emulator License: LGPLv2+ Group: User Interface/X @@ -16,6 +16,9 @@ Patch0: vte-alt-meta-confusion.patch # Python bindings bugfix # https://bugzilla.redhat.com/show_bug.cgi?id=556200 Patch1: vte-python-bugfixes.patch +# limit arguments to avoid DOS +# http://git.gnome.org/browse/vte/patch/?id=feeee4b5832b17641e505b7083e0d299fdae318e +Patch2: vte-0.28.2-limit-arguments.patch BuildRequires: gtk2-devel >= %{gtk2_version} BuildRequires: pango-devel >= %{pango_version} @@ -51,6 +54,7 @@ vte. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build PYTHON=%{_bindir}/python`%{__python} -c "import sys ; print sys.version[:3]"` @@ -106,6 +110,10 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/python*/site-packages/gtk-2.0/*.a %doc %{_datadir}/gtk-doc/html/vte-0.0 %changelog +* Fri Jun 15 2012 Kevin Fenzi - 0.28.2-6 +- Add patch for DOS. Fixes bug #832356 +- fixes CVE-2012-2738 + * Tue Apr 03 2012 Jon Ciesla - 0.28.2-5 - Added URL, fixed whitespace for Merge Review BZ 226534. - Commented on odd provides for rpmlint warning.