Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
I have uploaded xterm 366-1+deb11u1 to fix #1004689 aka CVE-2022-24130 in bullseye.

[ Reason ]
CVE-2022-24130: xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

[ Impact ]
An attacker could cause xterm to crash or possibly do worse things, e.g. by luring the victim to cat(1) a specially crafted file. In its default configuration xterm does not interpret Sixel graphics; the user needs to set the decTerminalID resource to a non-standard value or invoke xterm with the -ti switch to enable Sixel support and become vulnerable.

[ Tests ]
I have verified that the testcase at [1] no longer causes a crash with the attached patch.

[ Risks ]
No official upstream release has been made yet, but the issue has been addressed in current snapshots at [2]. The patch has been taken from there and is identical to the one that went into xterm 370-2, currently in unstable and testing.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Cheers,
Sven

1. https://www.openwall.com/lists/oss-security/2022/01/30/3
2. https://github.com/ThomasDickey/xterm-snapshots/
diff -Nru xterm-366/debian/changelog xterm-366/debian/changelog --- xterm-366/debian/changelog 2021-02-11 10:31:09.000000000 +0100 +++ xterm-366/debian/changelog 2022-02-07 20:14:01.000000000 +0100 @@ -1,3 +1,12 @@ +xterm (366-1+deb11u1) bullseye; urgency=medium + + * Cherry-pick sixel graphics fixes from xterm 370d and 370f. + - Check for out-of-bounds condition while drawing sixels, and quit + that operation (report by Nick Black (CVE-2022-24130), + Closes: #1004689). + + -- Sven Joachim <svenj...@gmx.de> Mon, 07 Feb 2022 20:14:01 +0100 + xterm (366-1) unstable; urgency=medium * New upstream release diff -Nru xterm-366/debian/patches/CVE-2022-24130.diff xterm-366/debian/patches/CVE-2022-24130.diff --- xterm-366/debian/patches/CVE-2022-24130.diff 1970-01-01 01:00:00.000000000 +0100 +++ xterm-366/debian/patches/CVE-2022-24130.diff 2022-02-07 20:12:57.000000000 +0100 
@@ -0,0 +1,73 @@ +Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f + Check for out-of-bounds condition while drawing sixels, and quit that + operation (report by Nick Black, CVE-2022-24130). +Bug-Debian: https://bugs.debian.org/1004689 + +--- + graphics_sixel.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/graphics_sixel.c ++++ b/graphics_sixel.c +@@ -149,7 +149,7 @@ init_sixel_background(Graphic *graphic, + graphic->color_registers_used[context->background] = 1; + } + +-static void ++static Boolean + set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + { + const int mh = graphic->max_height; +@@ -170,7 +170,10 @@ set_sixel(Graphic *graphic, SixelContext + ((color != COLOR_HOLE) + ? (unsigned) graphic->color_registers[color].b : 0U))); + for (pix = 0; pix < 6; pix++) { +- if (context->col < mw && context->row + pix < mh) { ++ if (context->col >= 0 && ++ context->col < mw && ++ context->row + pix >= 0 && ++ context->row + pix < mh) { + if (sixel & (1 << pix)) { + if (context->col + 1 > graphic->actual_width) { + graphic->actual_width = context->col + 1; +@@ -183,8 +186,10 @@ set_sixel(Graphic *graphic, SixelContext + } + } else { + TRACE(("sixel pixel %d out of bounds\n", pix)); ++ return False; + } + } ++ return True; + } + + static void +@@ -462,8 +467,12 @@ parse_sixel(XtermWidget xw, ANSI *params + init_sixel_background(graphic, &context); + graphic->valid = 1; + } +- if (sixel) +- set_sixel(graphic, &context, sixel); ++ if (sixel) { ++ if (!set_sixel(graphic, &context, sixel)) { ++ context.col = 0; ++ break; ++ } ++ } + context.col++; + } else if (ch == '$') { /* DECGCR */ + /* ignore DECCRNLM in sixel mode */ +@@ -531,8 +540,12 @@ parse_sixel(XtermWidget xw, ANSI *params + if (sixel) { + int i; + for (i = 0; i < Pcount; i++) { +- set_sixel(graphic, &context, sixel); +- context.col++; ++ if (set_sixel(graphic, &context, sixel)) { ++ context.col++; ++ } else { ++ context.col = 0; 
++ break; ++ } + } + } else { + context.col += Pcount; diff -Nru xterm-366/debian/patches/series xterm-366/debian/patches/series --- xterm-366/debian/patches/series 2021-02-11 10:28:06.000000000 +0100 +++ xterm-366/debian/patches/series 2022-02-07 20:12:57.000000000 +0100 @@ -1,3 +1,4 @@ 900_debian_xterm.diff 902_windowops.diff 904_fontops.diff +CVE-2022-24130.diff
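Review bot: the DEP-3 header of debian/patches/CVE-2022-24130.diff carries Description and Bug-Debian but no Origin: line, although the description states the change is cherry-picked from xterm 370d and 370f; add something like `Origin: upstream, https://github.com/ThomasDickey/xterm-snapshots/` (the snapshot repository already cited as [2] in the request) so the provenance of the backport can be verified against upstream.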
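Review bot: in the last graphics_sixel.c hunk (the repeat-count path, `for (i = 0; i < Pcount; i++)`) the `break` after `context.col = 0;` only leaves that inner for loop, so parsing of the remaining sixel data continues with the column reset to 0, whereas the preceding hunk's identical `context.col = 0; break;` sits in the character-dispatch chain (it is followed by `} else if (ch == '$') {`) and abandons the whole parse. Both paths now stop the out-of-bounds write, which is what the CVE fix needs, but the two error paths behave differently; if abandoning the image is the intended behaviour, the repeat case should record the failure and break out of the enclosing loop after the for loop as well, rather than resuming at column 0 of the same row.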