fix CVE-2024-37535

2024-07-05 15:21:15 +08:00 · 2024-07-05 15:21:15 +08:00 · b6266e00c7
commit b6266e00c7
parent 4aa8335e2d
2 changed files with 123 additions and 1 deletions
--- a/0001-fix-CVE-2024-37535.patch
+++ b/0001-fix-CVE-2024-37535.patch
@ -0,0 +1,118 @@
+From d590efa43eb4cd57ac9cbdea93de170361db38e6 Mon Sep 17 00:00:00 2001
+From: happyworker <208suo@208suo.com>
+Date: Fri, 5 Jul 2024 16:32:42 +0800
+Subject: [PATCH] CreatePatch
+
+---
+ src/vtegtk.cc | 39 +++++++++++++++++++++++++++++++++++++++
+ src/vteseq.cc | 16 ++++++++++------
+ 2 files changed, 49 insertions(+), 6 deletions(-)
+
+diff --git a/src/vtegtk.cc b/src/vtegtk.cc
+index d4fe1b7..49f20e0 100644
+--- a/src/vtegtk.cc
+++ b/src/vtegtk.cc
+@@ -66,6 +66,43 @@
+ 
+ #define VTE_TERMINAL_CSS_NAME "vte-terminal"
+ 
+static inline void
+sanitise_widget_size_request(int* minimum,
+                             int* natural) noexcept
+{
+        // Overly large size requests will make gtk happily allocate
+        // a window size over the window system's limits (see
+        // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
+        // leading to aborting the whole process.
+        // The toolkit should be in a better position to know about
+        // these limits and not exceed them (which here is certainly
+        // possible since our minimum sizes are very small), let's
+        // limit the widget's size request to some large value
+        // that hopefully is within the absolute limits of
+        // the window system (assumed here to be int16 range,
+        // and leaving some space for the widgets that contain
+        // the terminal).
+        auto const limit = (1 << 15) - (1 << 12);
+
+        if (*minimum > limit || *natural > limit) {
+                static auto warned = false;
+
+                if (!warned) {
+                        g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
+                                  *minimum, *natural);
+                        warned = true;
+                }
+        }
+
+        *minimum = std::min(*minimum, limit);
+        //*natural = std::clamp(*natural, *minimum, limit);
+        if (*natural < *minimum) {
+            *natural  = *minimum;
+        } else if (*natural > limit) {
+            *natural = limit;
+        } 
+}
+
+ struct _VteTerminalClassPrivate {
+         GtkStyleProvider *style_provider;
+ };
+@@ -289,6 +326,7 @@ vte_terminal_get_preferred_width(GtkWidget *widget,
+ {
+ 	VteTerminal *terminal = VTE_TERMINAL(widget);
+         WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
+        sanitise_widget_size_request(minimum_width, natural_width);
+ }
+ 
+ static void
+@@ -298,6 +336,7 @@ vte_terminal_get_preferred_height(GtkWidget *widget,
+ {
+ 	VteTerminal *terminal = VTE_TERMINAL(widget);
+         WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
+        sanitise_widget_size_request(minimum_height, natural_height);
+ }
+ 
+ static void
+diff --git a/src/vteseq.cc b/src/vteseq.cc
+index 51b3a2c..2f2b791 100644
+--- a/src/vteseq.cc
+++ b/src/vteseq.cc
+@@ -236,7 +236,16 @@ void
+ Terminal::emit_move_window(guint x,
+                                      guint y)
+ {
+-        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `move-window'.\n");
+        // Ignore resizes with excessive number of rows or columns,
+        // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+        if (x < 2 ||  /* space for one wide character */
+            x > 511 ||
+            y < 1 ||
+            y > 511)
+                return;
+
+        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
+                         x, y);
+         g_signal_emit(m_terminal, signals[SIGNAL_MOVE_WINDOW], 0, x, y);
+ }
+ 
+@@ -4341,8 +4350,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq)
+         else if (param < 24)
+                 return;
+ 
+-        _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
+-
+         emit_resize_window(m_column_count, param);
+ }
+ 
+@@ -8439,9 +8446,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq)
+                 seq.collect(1, {&height, &width});
+ 
+                 if (width != -1 && height != -1) {
+-                        _vte_debug_print(VTE_DEBUG_EMULATION,
+-                                         "Resizing window to %d columns, %d rows.\n",
+-                                         width, height);
+                         emit_resize_window(width, height);
+                 }
+                 break;
+-- 
+2.27.0
+
--- a/vte291.spec
+++ b/vte291.spec
@ -1,6 +1,6 @@
 Name:           vte291
 Version:        0.54.1
-Release:        5
+Release:        6
 Summary:        Virtual terminal widget
 License:        LGPLv2+ and GPLv3+
 URL:            http://www.gnome.org/
@ -8,6 +8,7 @@ Source0:        http://download.gnome.org/sources/vte/0.54/vte-%{version}.tar.xz
 Patch0000:      vte291-Fix-the-build-with-GCC-8.1.1.patch
 Patch0001:      vte291-command-notify-scroll-speed.patch
 Patch0002:      Fix-build-empty-struct-definition.patch
+Patch0003:      0001-fix-CVE-2024-37535.patch 

 BuildRequires:  gcc-c++ gettext pkgconfig(gnutls) >= 3.2.7
 BuildRequires:  gobject-introspection-devel gperf pkgconfig(gtk+-3.0) >= 3.8.0
@ -63,6 +64,9 @@ LDFLAGS="$LDFLAGS -Wl,-z,relro -Wl,-z,now -pie" \
 %{_datadir}/vala/

 %changelog
+* Fri Jul  5 CST 2024 happyworker <208suo@208suo.com> - 0.54.1-6
+- Fix CVE-2024-37535
+
 * Mon Nov 08 2021 chenchen <chen_aka_jan@163.com> - 0.54.1-5
 - Fix build empty struct definition