fix CVE-2024-37535

(cherry picked from commit fdb2f89ca1755b083cbfdee8fc7bba5b7a5e578f)
2024-06-11 11:34:51 +08:00 · 2024-06-11 11:34:51 +08:00 · 046fa7c74e
commit 046fa7c74e
parent 88b3865712
2 changed files with 130 additions and 1 deletions
--- a/0001-fix-CVE-2024-37535.patch
+++ b/0001-fix-CVE-2024-37535.patch
@ -0,0 +1,125 @@
 From b6a976254b95f728ba17b369b387c19b26890141 Mon Sep 17 00:00:00 2001
 From: Christian Persch <Christian Persch@chpe>
 Date: Tue, 11 Jun 2024 02:59:02 +0000
 Subject: [PATCH] fix CVE-2024-37535
 ---
 src/vtegtk.cc | 35 +++++++++++++++++++++++++++++++++++
 src/vteseq.cc | 20 ++++++++++++--------
 2 files changed, 47 insertions(+), 8 deletions(-)
 diff --git a/src/vtegtk.cc b/src/vtegtk.cc
 index 0457b2b..2f7c77b 100644
 --- a/src/vtegtk.cc
 +++ b/src/vtegtk.cc
@@ -91,6 +91,38 @@
 template<typename T>
 constexpr bool check_enum_value(T value) noexcept;
 +static inline void
 +sanitise_widget_size_request(int* minimum,
 +                             int* natural) noexcept
 +{
 +        // Overly large size requests will make gtk happily allocate
 +        // a window size over the window system's limits (see
 +        // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
 +        // leading to aborting the whole process.
 +        // The toolkit should be in a better position to know about
 +        // these limits and not exceed them (which here is certainly
 +        // possible since our minimum sizes are very small), let's
 +        // limit the widget's size request to some large value
 +        // that hopefully is within the absolute limits of
 +        // the window system (assumed here to be int16 range,
 +        // and leaving some space for the widgets that contain
 +        // the terminal).
 +        auto const limit = (1 << 15) - (1 << 12);
 +
 +        if (*minimum > limit || *natural > limit) {
 +                static auto warned = false;
 +
 +                if (!warned) {
 +                        g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
 +                                  *minimum, *natural);
 +                        warned = true;
 +                }
 +        }
 +
 +        *minimum = std::min(*minimum, limit);
 +        *natural = std::clamp(*natural, *minimum, limit);
 +}
 +
 struct _VteTerminalClassPrivate {
         GtkStyleProvider *style_provider;
 };
@@ -485,6 +517,7 @@ try
 {
 	VteTerminal *terminal = VTE_TERMINAL(widget);
         WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
 +	sanitise_widget_size_request(minimum_width, natural_width);
 }
 catch (...)
 {
@@ -499,6 +532,7 @@ try
 {
 	VteTerminal *terminal = VTE_TERMINAL(widget);
         WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
 +	sanitise_widget_size_request(minimum_height, natural_height);
 }
 catch (...)
 {
@@ -736,6 +770,7 @@ try
         WIDGET(terminal)->measure(orientation, for_size,
                                   minimum, natural,
                                   minimum_baseline, natural_baseline);
 +	sanitise_widget_size_request(minimum, natural);
 }
 catch (...)
 {
 diff --git a/src/vteseq.cc b/src/vteseq.cc
 index 8a7f5b3..7c0e227 100644
 --- a/src/vteseq.cc
 +++ b/src/vteseq.cc
@@ -214,9 +214,18 @@ Terminal::emit_bell()
 /* Emit a "resize-window" signal.  (Grid size.) */
 void
 Terminal::emit_resize_window(guint columns,
 -                                       guint rows)
 -{
 -        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window'.\n");
 +                             guint rows)
 +{
 +        // Ignore resizes with excessive number of rows or columns,
 +        // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
 +        if (columns < VTE_MIN_GRID_WIDTH ||
 +            columns > 511 ||
 +            rows < VTE_MIN_GRID_HEIGHT ||
 +            rows > 511)
 +                return;
 +
 +        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
 +                         columns, rows);
         g_signal_emit(m_terminal, signals[SIGNAL_RESIZE_WINDOW], 0, columns, rows);
 }
@@ -4581,8 +4590,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq)
         else if (param < 24)
                 return;
 -        _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
 -
         emit_resize_window(m_column_count, param);
 }
@@ -9044,9 +9051,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq)
                 seq.collect(1, {&height, &width});
                 if (width != -1 && height != -1) {
 -                        _vte_debug_print(VTE_DEBUG_EMULATION,
 -                                         "Resizing window to %d columns, %d rows.\n",
 -                                         width, height);
                         emit_resize_window(width, height);
                 }
                 break;
 -- 
 2.43.0
--- a/vte291.spec
+++ b/vte291.spec
@ -12,12 +12,13 @@
 Name:           vte291
 Version:        0.72.2
-Release:        1
+Release:        2
 Summary:        Virtual terminal widget
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later and MIT-open-group AND CC-BY-4.0
 URL:            https://wiki.gnome.org/Apps/Terminal/VTE
 Source0:        https://download.gnome.org/sources/vte/0.72/vte-%{version}.tar.xz
 Patch0:         vte291-cntnr-precmd-preexec-scroll.patch
 Patch1:         0001-fix-CVE-2024-37535.patch
 BuildRequires:  gcc-c++ gettext gi-docgen gobject-introspection-devel gperf meson systemd vala
 BuildRequires:  pkgconfig(fribidi) >= %{fribidi_version}
@ -113,6 +114,9 @@ sed -i -e "/^vte_systemduserunitdir =/s|vte_prefix|'/usr'|" meson.build
 %doc %{_datadir}/doc/vte-2.91-gtk4/
 %changelog
 * Tue Jun 11 2024 kywqs <weiqingsong@kylinos.cn> - 0.72.2-2
 - fix CVE-2024-37535
 * Mon Nov 20 2023 lwg <liweiganga@uniontech.com> - 0.72.2-1
 - update to version 0.72.2