commit 22e4cac6db2a3791179d03b7c03fa4e0d787aba3 Author: Danny Rawlins <monster.romster@gmail.com> Date: Sat Feb 10 11:28:14 2018 +1100 [notify] vte: fix CVE-2012-2738 and various ther bugs and improvments diff --git a/vte/.footprint b/vte/.footprint index ecefa87a3..f65bdd15a 100644 --- a/vte/.footprint +++ b/vte/.footprint @@ -20,7 +20,6 @@ lrwxrwxrwx root/root usr/lib/libvte.so.9 -> libvte.so.9.2800.2 drwxr-xr-x root/root usr/lib/pkgconfig/ -rw-r--r-- root/root usr/lib/pkgconfig/vte.pc drwxr-xr-x root/root usr/lib/vte/ --rwxr-sr-x root/root usr/lib/vte/gnome-pty-helper drwxr-xr-x root/root usr/share/ drwxr-xr-x root/root usr/share/vte/ drwxr-xr-x root/root usr/share/vte/termcap-0.0/ diff --git a/vte/.md5sum b/vte/.md5sum index 0be02b3cb..2ddab1c1d 100644 --- a/vte/.md5sum +++ b/vte/.md5sum @@ -1,2 +1,5 @@ +2a70b691fe04d76f7b03c56925d6fa61 vte-0.28.2-interix.patch +a132b015831efe30c929728f29cdf7b2 vte-0.28.2-limit-arguments.patch +d590b31ae2a8f14bc9ad584711c491f6 vte-0.28.2-repaint-after-change-scroll-region.patch 497f26e457308649e6ece32b3bb142ff vte-0.28.2.tar.xz -90efc55c080484424464ad928929f642 vte-metamask.patch +6bf2c631a5f51a29d46d63e5333082ce vte-0.30.1-alt-meta.patch diff --git a/vte/.signature b/vte/.signature index 421d5f84c..af9d10820 100644 --- a/vte/.signature +++ b/vte/.signature @@ -1,6 +1,9 @@ untrusted comment: verify with /etc/ports/opt.pub -RWSE3ohX2g5d/aLbWcPyU1lRZJF04uQnMwHaU3rs2Wc96vnZ0isW/12QOQCmqyha2bEPT4CfqeD4jUwDrIi2HdXUag3NzyZ7qAk= -SHA256 (Pkgfile) = a8e1fa361925cc77de761802581a1d1bcd0b37cbfb16d7a6b2d3d593edcd9a0f -SHA256 (.footprint) = 061347c728371b4107946c3893b88e4669542dea420607a33e301160cbbeeb9d +RWSE3ohX2g5d/dQ0eGAbB3cEP+s8ck6F7RMkk4yohSk955qkYnXN6ak6r+HQEj6qjQZZLopOdiFuDt79oKFu9U+iMFo9l+m3mQw= +SHA256 (Pkgfile) = 3b1661d470de10ed1f8d8e7396ffc2c4835bef08f0febae7358306e1ce491b80 +SHA256 (.footprint) = 11f2a585afcf0f939ea666b375e0d123bef960ca92d2a7bf806e6c2421dc98ec SHA256 (vte-0.28.2.tar.xz) = 86cf0b81aa023fa93ed415653d51c96767f20b2d7334c893caba71e42654b0ae -SHA256 (vte-metamask.patch) = 0432074528c49f5399e45c774274332d06e28f5668e116093c3aaebddf31c381 +SHA256 (vte-0.30.1-alt-meta.patch) = 31a46fee8fe59bd1d6df54bc502b608fe80da57bf3786e2dc6e9856a4e793ed6 +SHA256 (vte-0.28.2-interix.patch) = 0c3bd451d2a48dd38b375fc7d72b675bbfcbcda66f6fbcdd20eeee315727d518 +SHA256 (vte-0.28.2-limit-arguments.patch) = 164af2b6756329f1ceb0cac77b5e6bc47d486e1bb0b4e5d3a6fc284e4e7f0ae9 +SHA256 (vte-0.28.2-repaint-after-change-scroll-region.patch) = 95ff6eb5d17e7c209aa4751dfd150a1baa97d8b5d1b31658d7645751eb38cad6 diff --git a/vte/Pkgfile b/vte/Pkgfile index 2efb1f5bc..76ffc3387 100644 --- a/vte/Pkgfile +++ b/vte/Pkgfile @@ -1,30 +1,52 @@ -# Description: Virtual Terminal Emulator -# URL: http://developer.gnome.org/arch/gnome/widgets/vte.html -# Maintainer: Jose V Beneyto, sepen at crux dot nu -# Packager: Juergen Daubert, jue at crux dot nu -# Depends on: gtk xorg-libxdamage +# Description: Virtual Terminal Emulator widget for use with GTK2 +# URL: https://wiki.gnome.org/Apps/Terminal/VTE +# Maintainer: Danny Rawlins, crux at romster dot me +# Depends on: gtk util-linux name=vte version=0.28.2 -release=2 -source=(ftp://ftp.gnome.org/pub/gnome/sources/$name/${version%.*}/$name-$version.tar.xz \ - $name-metamask.patch) +release=3 +source=(https://download.gnome.org/sources/$name/${version%%.*}/$name-$version.tar.xz + $name-0.30.1-alt-meta.patch + $name-0.28.2-interix.patch + $name-0.28.2-limit-arguments.patch + $name-0.28.2-repaint-after-change-scroll-region.patch) build() { - cd $name-$version - - patch -R -p1 -i $SRC/$name-metamask.patch - ./configure --prefix=/usr \ - --libexecdir=/usr/lib/$name \ - --disable-static \ - --disable-debugging \ - --disable-python \ - --disable-gtk-doc \ - --with-xft2 \ - --with-pangox - - make - make DESTDIR=$PKG install - - rm -rf $PKG/usr/share/{gtk-doc,locale} + cd $name-$version + + # https://bugzilla.gnome.org/show_bug.cgi?id=663779 + patch -p1 -i $SRC/$name-0.30.1-alt-meta.patch + + # https://bugzilla.gnome.org/show_bug.cgi?id=652290 + patch -p1 -i $SRC/$name-0.28.2-interix.patch + + # Fix CVE-2012-2738, upstream bug #676090 + patch -p1 -i $SRC/$name-0.28.2-limit-arguments.patch + + # Fix https://bugzilla.gnome.org/show_bug.cgi?id=542087 + # Patch from https://github.com/pld-linux/vte0/commit/1e8dce16b239e5d378b02e4d04a60e823df... + patch -p1 -i $SRC/$name-0.28.2-repaint-after-change-scroll-region.patch + + export CFLAGS="$CFLAGS -Wno-deprecated-declarations" + + ./configure \ + --prefix=/usr \ + --libexecdir=/usr/lib/$name \ + --disable-deprecation \ + --disable-static \ + --disable-debugging \ + --disable-python \ + --disable-gtk-doc \ + --with-xft2 \ + --with-pangox \ + --with-gtk=2.0 + + sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool + + make + make DESTDIR=$PKG install + + rm -r $PKG/usr/share/{gtk-doc,locale} + rm $PKG/usr/lib/vte/gnome-pty-helper } diff --git a/vte/vte-0.28.2-interix.patch b/vte/vte-0.28.2-interix.patch new file mode 100644 index 000000000..c54d46ebc --- /dev/null +++ b/vte/vte-0.28.2-interix.patch @@ -0,0 +1,51 @@ +reported upstream: https://bugzilla.gnome.org/show_bug.cgi?id=652290 + +diff -ru vte-0.26.2.orig/configure.in vte-0.26.2/configure.in +--- vte-0.26.2.orig/configure.in 2011-08-17 08:30:55 +0200 ++++ vte-0.26.2/configure.in 2011-08-17 08:35:42 +0200 +@@ -362,7 +362,11 @@ + AC_DEFINE(HAVE_RECVMSG,1,[Define if you have the recvmsg function.]) + fi + AC_CHECK_FUNC(floor,,AC_CHECK_LIB(m,floor,LIBS=["$LIBS -lm"])) +-AC_CHECK_FUNCS([ceil floor]) ++dnl if the first check didn't find floor, it caches the "no" value, ++dnl and doesn't recheck. this makes the below check fail always on ++dnl systems with floor in -lm. thus we unset the chached result. ++unset ac_cv_func_floor ++AC_CHECK_FUNCS([ceil floor round]) + + # Look for tgetent + +--- vte-0.26.2.orig/configure 2012-04-30 20:02:55.000000000 +0200 ++++ vte-0.26.2/configure 2012-04-30 20:03:16.000000000 +0200 +@@ -13277,7 +13277,7 @@ + + fi + +-for ac_func in ceil floor ++for ac_func in ceil floor round + do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` + ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +diff -ru vte-0.26.2.orig/src/vte.c vte-0.26.2/src/vte.c +--- vte-0.26.2.orig/src/vte.c 2011-08-17 08:30:58 +0200 ++++ vte-0.26.2/src/vte.c 2011-08-17 08:38:09 +0200 +@@ -63,6 +63,18 @@ + #include <locale.h> + #endif + ++#ifndef HAVE_ROUND ++# if defined(HAVE_CEIL) && defined(HAVE_FLOOR) ++static inline double round(double x) { ++ if(x - floor(x) < 0.5) { ++ return floor(x); ++ } else { ++ return ceil(x); ++ } ++} ++# endif ++#endif ++ + #if GTK_CHECK_VERSION (2, 90, 7) + #define GDK_KEY(symbol) GDK_KEY_##symbol + #else diff --git a/vte/vte-0.28.2-limit-arguments.patch b/vte/vte-0.28.2-limit-arguments.patch new file mode 100644 index 000000000..fd4540793 --- /dev/null +++ b/vte/vte-0.28.2-limit-arguments.patch @@ -0,0 +1,40 @@ +From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001 +From: Christian Persch <chpe@gnome.org> +Date: Sat, 19 May 2012 17:36:09 +0000 +Subject: emulation: Limit integer arguments to 65535 + +To guard against malicious sequences containing excessively big numbers, +limit all parsed numbers to 16 bit range. Doing this here in the parsing +routine is a catch-all guard; this doesn't preclude enforcing +more stringent limits in the handlers themselves. + +https://bugzilla.gnome.org/show_bug.cgi?id=676090 +--- +diff --git a/src/table.c b/src/table.c +index 140e8c8..85cf631 100644 +--- a/src/table.c ++++ b/src/table.c +@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array, + if (G_UNLIKELY (*array == NULL)) { + *array = g_value_array_new(1); + } +- g_value_set_long(&value, total); ++ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT)); + g_value_array_append(*array, &value); + } while (i++ < arginfo->length); + g_value_unset(&value); +diff --git a/src/vteseq.c b/src/vteseq.c +index 457c06a..46def5b 100644 +--- a/src/vteseq.c ++++ b/src/vteseq.c +@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal, + GValueArray *params, + VteTerminalSequenceHandler handler) + { +- vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG); ++ vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT); + } + + static void +-- +cgit v0.9.0.2 diff --git a/vte/vte-0.28.2-repaint-after-change-scroll-region.patch b/vte/vte-0.28.2-repaint-after-change-scroll-region.patch new file mode 100644 index 000000000..86e547103 --- /dev/null +++ b/vte/vte-0.28.2-repaint-after-change-scroll-region.patch @@ -0,0 +1,86 @@ +https://git.gnome.org/browse/vte/commit/?id=88e8e89560a62d0981ce2b18974a230d... + +From 88e8e89560a62d0981ce2b18974a230d0a07dbdd Mon Sep 17 00:00:00 2001 +From: Micah Cowan <micah@cowan.name> +Date: Tue, 22 Oct 2013 23:30:43 +0200 +Subject: widget: Fix invalidation region + +When the sequence handler moves the cursor into the restricted scrolling region, +the bbox needs to be reset, too. +Fixes glitches with interspersing writes to the bottom line with scrolls of the +upper region, and also fixes missing screen redraws when using mosh. + +https://bugzilla.gnome.org/show_bug.cgi?id=542087 +https://bugzilla.gnome.org/show_bug.cgi?id=686097 + +diff --git a/src/vte.c b/src/vte.c +index 9f6d7d8..a4d9d25 100644 +--- a/src/vte.c ++++ b/src/vte.c +@@ -4077,6 +4077,7 @@ vte_terminal_process_incoming(VteTerminal *terminal) + long wcount, start, delta; + gboolean leftovers, modified, bottom, again; + gboolean invalidated_text; ++ gboolean in_scroll_region; + GArray *unichars; + struct _vte_incoming_chunk *chunk, *next_chunk, *achunk = NULL; + +@@ -4096,6 +4097,10 @@ vte_terminal_process_incoming(VteTerminal *terminal) + cursor = screen->cursor_current; + cursor_visible = terminal->pvt->cursor_visible; + ++ in_scroll_region = screen->scrolling_restricted ++ && (screen->cursor_current.row >= (screen->insert_delta + screen->scrolling_region.start)) ++ && (screen->cursor_current.row <= (screen->insert_delta + screen->scrolling_region.end)); ++ + /* We should only be called when there's data to process. */ + g_assert(terminal->pvt->incoming || + (terminal->pvt->pending->len > 0)); +@@ -4194,6 +4199,8 @@ skip_chunk: + * points to the first character which isn't part of this + * sequence. */ + if ((match != NULL) && (match[0] != '\0')) { ++ gboolean new_in_scroll_region; ++ + /* Call the right sequence handler for the requested + * behavior. */ + _vte_terminal_handle_sequence(terminal, +@@ -4204,12 +4211,21 @@ skip_chunk: + start = (next - wbuf); + modified = TRUE; + +- /* if we have moved during the sequence handler, restart the bbox */ ++ new_in_scroll_region = screen->scrolling_restricted ++ && (screen->cursor_current.row >= (screen->insert_delta + screen->scrolling_region.start)) ++ && (screen->cursor_current.row <= (screen->insert_delta + screen->scrolling_region.end)); ++ ++ delta = screen->scroll_delta; /* delta may have changed from sequence. */ ++ ++ /* if we have moved greatly during the sequence handler, or moved ++ * into a scroll_region from outside it, restart the bbox. ++ */ + if (invalidated_text && +- (screen->cursor_current.col > bbox_bottomright.x + VTE_CELL_BBOX_SLACK || +- screen->cursor_current.col < bbox_topleft.x - VTE_CELL_BBOX_SLACK || +- screen->cursor_current.row > bbox_bottomright.y + VTE_CELL_BBOX_SLACK || +- screen->cursor_current.row < bbox_topleft.y - VTE_CELL_BBOX_SLACK)) { ++ ((new_in_scroll_region && !in_scroll_region) || ++ (screen->cursor_current.col > bbox_bottomright.x + VTE_CELL_BBOX_SLACK || ++ screen->cursor_current.col < bbox_topleft.x - VTE_CELL_BBOX_SLACK || ++ screen->cursor_current.row > bbox_bottomright.y + VTE_CELL_BBOX_SLACK || ++ screen->cursor_current.row < bbox_topleft.y - VTE_CELL_BBOX_SLACK))) { + /* Clip off any part of the box which isn't already on-screen. */ + bbox_topleft.x = MAX(bbox_topleft.x, 0); + bbox_topleft.y = MAX(bbox_topleft.y, delta); +@@ -4229,6 +4245,8 @@ skip_chunk: + bbox_bottomright.x = bbox_bottomright.y = -G_MAXINT; + bbox_topleft.x = bbox_topleft.y = G_MAXINT; + } ++ ++ in_scroll_region = new_in_scroll_region; + } else + /* Second, we have a NULL match, and next points to the very + * next character in the buffer. Insert the character which +-- +cgit v0.10.2 + diff --git a/vte/vte-0.30.1-alt-meta.patch b/vte/vte-0.30.1-alt-meta.patch new file mode 100644 index 000000000..bd364be58 --- /dev/null +++ b/vte/vte-0.30.1-alt-meta.patch @@ -0,0 +1,74 @@ +From 180dcc578e13c6096e277fb853e7162db640f207 Mon Sep 17 00:00:00 2001 +From: Alexandre Rostovtsev <tetromino@gentoo.org> +Date: Tue, 15 Nov 2011 03:06:40 -0500 +Subject: [PATCH] Map both gdk's Meta and Alt to vte's Meta for >=gtk+-3.2.2 + compatibility + +Also, since VTE_META_MASK is now a mask with multiple bits set, code that +compares gdk key modifiers to VTE_META_MASK by numerical equality is no +longer guaranteed to work. Therefore, for such comparisons a new function, +vte_keymap_fixup_modifiers, is introduced; it ensures that if any bits +matching matching VTE_META_MASK are set, then all are set. + +https://bugzilla.gnome.org/show_bug.cgi?id=663779 +--- + src/keymap.c | 15 +++++++++++++-- + src/keymap.h | 2 +- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/src/keymap.c b/src/keymap.c +index 9a21669..95b4c5b 100644 +--- a/src/keymap.c ++++ b/src/keymap.c +@@ -990,6 +990,17 @@ static const struct _vte_keymap_group { + {GDK_KEY (F35), _vte_keymap_GDK_F35}, + }; + ++/* Restrict modifiers to the specified mask and ensure that VTE_META_MASK, ++ * despite being a compound mask, is treated as indivisible. */ ++GdkModifierType ++_vte_keymap_fixup_modifiers(GdkModifierType modifiers, ++ GdkModifierType mask) ++{ ++ if (modifiers & VTE_META_MASK) ++ modifiers |= VTE_META_MASK; ++ return modifiers & mask; ++} ++ + /* Map the specified keyval/modifier setup, dependent on the mode, to either + * a literal string or a capability name. */ + void +@@ -1104,7 +1115,7 @@ _vte_keymap_map(guint keyval, + } else { + fkey_mode = fkey_default; + } +- modifiers &= (GDK_SHIFT_MASK | GDK_CONTROL_MASK | VTE_META_MASK | VTE_NUMLOCK_MASK); ++ modifiers = _vte_keymap_fixup_modifiers(modifiers, GDK_SHIFT_MASK | GDK_CONTROL_MASK | VTE_META_MASK | VTE_NUMLOCK_MASK); + + /* Search for the conditions. */ + for (i = 0; entries[i].normal_length || entries[i].special[0]; i++) +@@ -1375,7 +1386,7 @@ _vte_keymap_key_add_key_modifiers(guint keyval, + return; + } + +- switch (modifiers & significant_modifiers) { ++ switch (_vte_keymap_fixup_modifiers(modifiers, significant_modifiers)) { + case 0: + modifier = 0; + break; +diff --git a/src/keymap.h b/src/keymap.h +index 243e22e..21d9b8e 100644 +--- a/src/keymap.h ++++ b/src/keymap.h +@@ -27,7 +27,7 @@ + + G_BEGIN_DECLS + +-#define VTE_META_MASK GDK_META_MASK ++#define VTE_META_MASK (GDK_META_MASK | GDK_MOD1_MASK) + #define VTE_NUMLOCK_MASK GDK_MOD2_MASK + + /* Map the specified keyval/modifier setup, dependent on the mode, to either +-- +1.7.8.rc3 + diff --git a/vte/vte-metamask.patch b/vte/vte-metamask.patch deleted file mode 100644 index 9423d94f8..000000000 --- a/vte/vte-metamask.patch +++ /dev/null @@ -1,20 +0,0 @@ -From b73782a28894e25ed146271f9d6c6775a6836199 Mon Sep 17 00:00:00 2001 -From: Behdad Esfahbod <behdad@behdad.org> -Date: Fri, 04 Jun 2010 18:36:45 +0000 -Subject: Bug 601926 - Don't hardcode meta to alt - ---- -diff --git a/src/keymap.h b/src/keymap.h -index 3a4cefe..243e22e 100644 ---- a/src/keymap.h -+++ b/src/keymap.h -@@ -27,7 +27,7 @@ - - G_BEGIN_DECLS - --#define VTE_META_MASK GDK_MOD1_MASK -+#define VTE_META_MASK GDK_META_MASK - #define VTE_NUMLOCK_MASK GDK_MOD2_MASK - - /* Map the specified keyval/modifier setup, dependent on the mode, to either ---