mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

vte: fix CVE-2024-37535

Browse Source 
Upstream-Status: Backport from 036bc3ddcb && c313849c2e

(From OE-Core rev: dd5482d64587124bd5060c7b3532f0e90b94c367)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Hitendra Prajapati
2024-07-15 13:41:43 +05:30
committed by Steve Sakoman
parent bdb92a57ea
commit 7c4954d902
3 changed files with 153 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
meta/recipes-support/vte/vte/CVE-2024-37535-01.patch Normal file
View File

@@ -0,0 +1,64 @@
From 036bc3ddcbb56f05c6ca76712a53b89dee1369e2 Mon Sep 17 00:00:00 2001
From: Christian Persch <chpe@src.gnome.org>
Date: Sun, 2 Jun 2024 19:19:35 +0200
Subject: [PATCH] emulation: Restrict resize request to sane numbers
Fixes: https://gitlab.gnome.org/GNOME/vte/-/issues/2786
(cherry picked from commit fd5511f24b7269195a7083f409244e9787c705dc)
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/036bc3ddcbb56f05c6ca76712a53b89dee1369e2]
CVE: CVE-2024-37535
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/vteseq.cc | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/vteseq.cc b/src/vteseq.cc
index 8d1c2e1..1c73dad 100644
--- a/src/vteseq.cc
+++ b/src/vteseq.cc
@@ -208,9 +208,18 @@ Terminal::emit_bell()
/* Emit a "resize-window" signal. (Grid size.) */
void
Terminal::emit_resize_window(guint columns,
- guint rows)
-{
- _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window'.\n");
+ guint rows)
+{
+ // Ignore resizes with excessive number of rows or columns,
+ // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+ if (columns < VTE_MIN_GRID_WIDTH ||
+ columns > 511 ||
+ rows < VTE_MIN_GRID_HEIGHT ||
+ rows > 511)
+ return;
+
+ _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
+ columns, rows);
g_signal_emit(m_terminal, signals[SIGNAL_RESIZE_WINDOW], 0, columns, rows);
}
@@ -4457,8 +4466,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq)
else if (param < 24)
return;
- _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
-
emit_resize_window(m_column_count, param);
}
@@ -8917,9 +8924,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq)
seq.collect(1, {&height, &width});
if (width != -1 && height != -1) {
- _vte_debug_print(VTE_DEBUG_EMULATION,
- "Resizing window to %d columns, %d rows.\n",
- width, height);
emit_resize_window(width, height);
}
break;
--
2.25.1

85
meta/recipes-support/vte/vte/CVE-2024-37535-02.patch Normal file
View File

@@ -0,0 +1,85 @@
rom c313849c2e5133802e21b13fa0b141b360171d39 Mon Sep 17 00:00:00 2001
From: Christian Persch <chpe@src.gnome.org>
Date: Sun, 2 Jun 2024 19:19:35 +0200
Subject: [PATCH] widget: Add safety limit to widget size requests
https://gitlab.gnome.org/GNOME/vte/-/issues/2786
(cherry picked from commit 1803ba866053a3d7840892b9d31fe2944a183eda)
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/c313849c2e5133802e21b13fa0b141b360171d39]
CVE: CVE-2024-37535
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/vtegtk.cc | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/src/vtegtk.cc b/src/vtegtk.cc
index 0f4641d..060d27e 100644
--- a/src/vtegtk.cc
+++ b/src/vtegtk.cc
@@ -91,6 +91,38 @@
template<typename T>
constexpr bool check_enum_value(T value) noexcept;
+static inline void
+sanitise_widget_size_request(int* minimum,
+ int* natural) noexcept
+{
+ // Overly large size requests will make gtk happily allocate
+ // a window size over the window system's limits (see
+ // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
+ // leading to aborting the whole process.
+ // The toolkit should be in a better position to know about
+ // these limits and not exceed them (which here is certainly
+ // possible since our minimum sizes are very small), let's
+ // limit the widget's size request to some large value
+ // that hopefully is within the absolute limits of
+ // the window system (assumed here to be int16 range,
+ // and leaving some space for the widgets that contain
+ // the terminal).
+ auto const limit = (1 << 15) - (1 << 12);
+
+ if (*minimum > limit || *natural > limit) {
+ static auto warned = false;
+
+ if (!warned) {
+ g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
+ *minimum, *natural);
+ warned = true;
+ }
+ }
+
+ *minimum = std::min(*minimum, limit);
+ *natural = std::clamp(*natural, *minimum, limit);
+}
+
struct _VteTerminalClassPrivate {
GtkStyleProvider *style_provider;
};
@@ -497,6 +529,7 @@ try
{
VteTerminal *terminal = VTE_TERMINAL(widget);
WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
+ sanitise_widget_size_request(minimum_width, natural_width);
}
catch (...)
{
@@ -511,6 +544,7 @@ try
{
VteTerminal *terminal = VTE_TERMINAL(widget);
WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
+ sanitise_widget_size_request(minimum_height, natural_height);
}
catch (...)
{
@@ -748,6 +782,7 @@ try
WIDGET(terminal)->measure(orientation, for_size,
minimum, natural,
minimum_baseline, natural_baseline);
+ sanitise_widget_size_request(minimum, natural);
}
catch (...)
{
--
2.25.1

5
meta/recipes-support/vte/vte_0.74.2.bb
View File

@@ -18,7 +18,10 @@ GIDOCGEN_MESON_OPTION = "docs"
inherit gnomebase gi-docgen features_check upstream-version-is-even gobject-introspection systemd vala
SRC_URI += "file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch"
SRC_URI += "file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch \
file://CVE-2024-37535-01.patch \
file://CVE-2024-37535-02.patch \
"
SRC_URI[archive.sha256sum] = "a535fb2a98fea8a2449cd1a02cccf5190131dddff52e715afdace3feb536eae7"
ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"