From owner-svn-ports-all@freebsd.org Tue Sep 8 16:35:21 2015 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E121A9CCFBE; Tue, 8 Sep 2015 16:35:21 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B95951B3D; Tue, 8 Sep 2015 16:35:21 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t88GZLL4080813; Tue, 8 Sep 2015 16:35:21 GMT (envelope-from feld@FreeBSD.org) Received: (from feld@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t88GZLZX080810; Tue, 8 Sep 2015 16:35:21 GMT (envelope-from feld@FreeBSD.org) Message-Id: <201509081635.t88GZLZX080810@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: feld set sender to feld@FreeBSD.org using -f From: Mark Felder Date: Tue, 8 Sep 2015 16:35:21 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r396408 - in head/sysutils/screen: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 16:35:22 -0000 Author: feld Date: Tue Sep 8 16:35:20 2015 New Revision: 396408 URL: https://svnweb.freebsd.org/changeset/ports/396408 Log: Add patch to resolve stack overflow vulnerability MFH: 2015Q3 Security: 98092444-5645-11e5-9ad8-14dae9d210b8 Security: CVE-2015-6806 Added: head/sysutils/screen/files/patch-CVE-2015-6806 (contents, props changed) Modified: head/sysutils/screen/Makefile Modified: head/sysutils/screen/Makefile ============================================================================== --- head/sysutils/screen/Makefile Tue Sep 8 16:34:20 2015 (r396407) +++ head/sysutils/screen/Makefile Tue Sep 8 16:35:20 2015 (r396408) @@ -3,7 +3,7 @@ PORTNAME= screen PORTVERSION= 4.3.1 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= sysutils MASTER_SITES= http://ftp.gnu.org/gnu/screen/ \ ftp://ftp.gnu.org/gnu/screen/ \ Added: head/sysutils/screen/files/patch-CVE-2015-6806 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/screen/files/patch-CVE-2015-6806 Tue Sep 8 16:35:20 2015 (r396408) @@ -0,0 +1,55 @@ +From b7484c224738247b510ed0d268cd577076958f1b Mon Sep 17 00:00:00 2001 +From: Kuang-che Wu +Date: Mon, 31 Aug 2015 17:49:57 +0000 +Subject: Fix stack overflow due to too deep recursion + +Bug: 45713 + +How to reproduce: +Run this command inside screen +$ printf '\x1b[10000000T' + +screen will recursively call MScrollV to depth n/256. This is time consuming and will overflow stack if n is huge. +--- +diff --git a/src/ansi.c b/src/ansi.c +index a342fb1..152d2ef 100644 +--- ansi.c ++++ ansi.c +@@ -2502,13 +2502,13 @@ int n, ys, ye, bce; + return; + if (n > 0) + { ++ if (ye - ys + 1 < n) ++ n = ye - ys + 1; + if (n > 256) + { + MScrollV(p, n - 256, ys, ye, bce); + n = 256; + } +- if (ye - ys + 1 < n) +- n = ye - ys + 1; + #ifdef COPY_PASTE + if (compacthist) + { +@@ -2562,14 +2562,14 @@ int n, ys, ye, bce; + } + else + { +- if (n < -256) +- { +- MScrollV(p, n + 256, ys, ye, bce); +- n = -256; +- } + n = -n; + if (ye - ys + 1 < n) + n = ye - ys + 1; ++ if (n > 256) ++ { ++ MScrollV(p, - (n - 256), ys, ye, bce); ++ n = 256; ++ } + + ml = p->w_mlines + ye; + /* Clear lines */ +-- +cgit v0.9.0.2