fix CVE

2020-11-28 15:43:49 +08:00 · 2020-11-28 15:43:49 +08:00 · 7b47e17429
commit 7b47e17429
parent c4ffa83577
2 changed files with 36 additions and 1 deletions
--- a/CVE-2020-27347.patch
+++ b/CVE-2020-27347.patch
@ -0,0 +1,30 @@
 From a868bacb46e3c900530bed47a1c6f85b0fbe701c Mon Sep 17 00:00:00 2001
 From: nicm <nicm>
 Date: Thu, 29 Oct 2020 16:33:01 +0000
 Subject: [PATCH] Do not write after the end of the array and overwrite the
 stack when colon-separated SGR sequences contain empty arguments. Reported by
 Sergey Nizovtsev.
 ---
 input.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 diff --git a/input.c b/input.c
 index 42a60c92a..c280c0d97 100644
 --- a/input.c
 +++ b/input.c
@@ -1976,8 +1976,13 @@ input_csi_dispatch_sgr_colon(struct input_ctx *ictx, u_int i)
 				free(copy);
 				return;
 			}
 -		} else
 +		} else {
 			n++;
 +			if (n == nitems(p)) {
 +				free(copy);
 +				return;
 +			}
 +		}
 		log_debug("%s: %u = %d", __func__, n - 1, p[n - 1]);
 	}
 	free(copy);
--- a/tmux.spec
+++ b/tmux.spec
@ -2,7 +2,7 @@
 Name:           tmux
 Version:        3.1
-Release:        1
+Release:        2
 Summary:        A terminal multiplexer
 License:        ISC and BSD
@ -10,6 +10,8 @@ URL:            https://tmux.github.io/
 Source0:        https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source1:        bash_completion_tmux.sh
 Patch1:         CVE-2020-27347.patch
 BuildRequires:  gcc libevent-devel ncurses-devel libutempter-devel
 %description
@ -62,6 +64,9 @@ fi
 %{_mandir}/man1/%{name}.1.gz
 %changelog
 * Sat Nov 28 2020 wangye <wangye70@huawei.com> - 3.1-2
 - DESC:fix CVE
 * Sat Jun 20 2020 weiwei_150212 <tianwei12@huawei.com> - 3.1-1
 - DESC:update to release 3.1