[OE-core] [PATCH] screen: fix CVE-2015-6806

Maxin B. John maxin.john at intel.com
Wed Oct 7 02:53:38 UTC 2015 

Backport a patch to fix CVE-2015-6806

Signed-off-by: Maxin B. John <maxin.john at intel.com>
---
 ...-stack-overflow-due-to-too-deep-recursion.patch | 57 ++++++++++++++++++++++
 meta/recipes-extended/screen/screen_4.3.1.bb       |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch

diff --git a/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch b/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch
new file mode 100644
index 0000000..2bc9a59
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch
@@ -0,0 +1,57 @@
+Bug: 45713
+
+How to reproduce:
+Run this command inside screen
+$ printf '\x1b[10000000T'
+
+screen will recursively call MScrollV to depth n/256.
+This is time consuming and will overflow stack if n is huge.
+
+Fixes CVE-2015-6806
+
+Upstream-Status: Backport
+
+Signed-off-by: Kuang-che Wu <kcwu at csie.org>
+Signed-off-by: Amadeusz Sławiński <amade at asmblr.net>
+Signed-off-by: Maxin B. John <maxin.john at intel.com>
+---
+diff -Naur screen-4.3.1-orig/ansi.c screen-4.3.1/ansi.c
+--- screen-4.3.1-orig/ansi.c	2015-06-29 00:22:55.000000000 +0300
++++ screen-4.3.1/ansi.c	2015-10-06 13:13:58.297648039 +0300
+@@ -2502,13 +2502,13 @@
+     return;
+   if (n > 0)
+     {
++      if (ye - ys + 1 < n)
++	  n = ye - ys + 1;
+       if (n > 256)
+ 	{
+ 	  MScrollV(p, n - 256, ys, ye, bce);
+ 	  n = 256;
+ 	}
+-      if (ye - ys + 1 < n)
+-	n = ye - ys + 1;
+ #ifdef COPY_PASTE
+       if (compacthist)
+ 	{
+@@ -2562,15 +2562,15 @@
+     }
+   else
+     {
+-      if (n < -256)
+-	{
+-	  MScrollV(p, n + 256, ys, ye, bce);
+-	  n = -256;
+-	}
+       n = -n;
+       if (ye - ys + 1 < n)
+ 	n = ye - ys + 1;
+ 
++      if (n > 256)
++      {
++        MScrollV(p, - (n - 256), ys, ye, bce);
++        n = 256;
++      }
+       ml = p->w_mlines + ye;
+       /* Clear lines */
+       for (i = ye; i > ye - n; i--, ml--)
diff --git a/meta/recipes-extended/screen/screen_4.3.1.bb b/meta/recipes-extended/screen/screen_4.3.1.bb
index 92457af..00d878b 100644
--- a/meta/recipes-extended/screen/screen_4.3.1.bb
+++ b/meta/recipes-extended/screen/screen_4.3.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
            file://Avoid-mis-identifying-systems-as-SVR4.patch \
            file://0001-fix-for-multijob-build.patch \
            file://0002-comm.h-now-depends-on-term.h.patch \
+           file://0001-Fix-stack-overflow-due-to-too-deep-recursion.patch \
           "
 
 SRC_URI[md5sum] = "5bb3b0ff2674e29378c31ad3411170ad"
-- 
2.4.0

More information about the Openembedded-core mailing list