From owner-svn-ports-branches@freebsd.org  Tue Sep  8 16:46:06 2015
Return-Path: <owner-svn-ports-branches@freebsd.org>
Delivered-To: svn-ports-branches@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id CAFE5A004C6;
 Tue,  8 Sep 2015 16:46:06 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id A1EB7126E;
 Tue,  8 Sep 2015 16:46:06 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.70])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t88Gk60X085564;
 Tue, 8 Sep 2015 16:46:06 GMT (envelope-from feld@FreeBSD.org)
Received: (from feld@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id t88Gk6Nb085561;
 Tue, 8 Sep 2015 16:46:06 GMT (envelope-from feld@FreeBSD.org)
Message-Id: <201509081646.t88Gk6Nb085561@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: feld set sender to
 feld@FreeBSD.org using -f
From: Mark Felder <feld@FreeBSD.org>
Date: Tue, 8 Sep 2015 16:46:06 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-branches@freebsd.org
Subject: svn commit: r396411 - in branches/2015Q3/sysutils/screen: . files
X-SVN-Group: ports-branches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-branches@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for all the branches of the ports tree
 <svn-ports-branches.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-branches>, 
 <mailto:svn-ports-branches-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-branches/>
List-Post: <mailto:svn-ports-branches@freebsd.org>
List-Help: <mailto:svn-ports-branches-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-branches>, 
 <mailto:svn-ports-branches-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2015 16:46:06 -0000

Author: feld
Date: Tue Sep  8 16:46:05 2015
New Revision: 396411
URL: https://svnweb.freebsd.org/changeset/ports/396411

Log:
  MFH: r396408
  
  Add patch to resolve stack overflow vulnerability
  
  Security:	98092444-5645-11e5-9ad8-14dae9d210b8
  Security:	CVE-2015-6806
  Approved by:	ports-secteam (with hat)

Added:
  branches/2015Q3/sysutils/screen/files/patch-CVE-2015-6806
     - copied unchanged from r396408, head/sysutils/screen/files/patch-CVE-2015-6806
Modified:
  branches/2015Q3/sysutils/screen/Makefile
Directory Properties:
  branches/2015Q3/   (props changed)

Modified: branches/2015Q3/sysutils/screen/Makefile
==============================================================================
--- branches/2015Q3/sysutils/screen/Makefile	Tue Sep  8 16:45:00 2015	(r396410)
+++ branches/2015Q3/sysutils/screen/Makefile	Tue Sep  8 16:46:05 2015	(r396411)
@@ -3,7 +3,7 @@
 
 PORTNAME=	screen
 PORTVERSION=	4.3.1
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	sysutils
 MASTER_SITES=	http://ftp.gnu.org/gnu/screen/ \
 		ftp://ftp.gnu.org/gnu/screen/ \

Copied: branches/2015Q3/sysutils/screen/files/patch-CVE-2015-6806 (from r396408, head/sysutils/screen/files/patch-CVE-2015-6806)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2015Q3/sysutils/screen/files/patch-CVE-2015-6806	Tue Sep  8 16:46:05 2015	(r396411, copy of r396408, head/sysutils/screen/files/patch-CVE-2015-6806)
@@ -0,0 +1,55 @@
+From b7484c224738247b510ed0d268cd577076958f1b Mon Sep 17 00:00:00 2001
+From: Kuang-che Wu <kcwu@csie.org>
+Date: Mon, 31 Aug 2015 17:49:57 +0000
+Subject: Fix stack overflow due to too deep recursion
+
+Bug: 45713
+
+How to reproduce:
+Run this command inside screen
+$ printf '\x1b[10000000T'
+
+screen will recursively call MScrollV to depth n/256. This is time consuming and will overflow stack if n is huge.
+---
+diff --git a/src/ansi.c b/src/ansi.c
+index a342fb1..152d2ef 100644
+--- ansi.c
++++ ansi.c
+@@ -2502,13 +2502,13 @@ int n, ys, ye, bce;
+     return;
+   if (n > 0)
+     {
++      if (ye - ys + 1 < n)
++	n = ye - ys + 1;
+       if (n > 256)
+ 	{
+ 	  MScrollV(p, n - 256, ys, ye, bce);
+ 	  n = 256;
+ 	}
+-      if (ye - ys + 1 < n)
+-	n = ye - ys + 1;
+ #ifdef COPY_PASTE
+       if (compacthist)
+ 	{
+@@ -2562,14 +2562,14 @@ int n, ys, ye, bce;
+     }
+   else
+     {
+-      if (n < -256)
+-	{
+-	  MScrollV(p, n + 256, ys, ye, bce);
+-	  n = -256;
+-	}
+       n = -n;
+       if (ye - ys + 1 < n)
+ 	n = ye - ys + 1;
++      if (n > 256)
++	{
++	  MScrollV(p, - (n - 256), ys, ye, bce);
++	  n = 256;
++	}
+ 
+       ml = p->w_mlines + ye;
+       /* Clear lines */
+--
+cgit v0.9.0.2