From 40dcf01b68bec31e24f4cadbf49548349cf6e41c Mon Sep 17 00:00:00 2001 From: Filipe Rosset Date: Thu, 22 Nov 2018 00:03:24 -0200 Subject: [PATCH] - fixes rhbz #1652128 CVE-2018-19387 - tmux: NULL Pointer Dereference in format_cb_pane_tabs in format.c --- ...67b7d801eed03345fef9c04206fbd079c3cb.patch | 141 ++++++++++++++++++ tmux.spec | 14 +- 2 files changed, 154 insertions(+), 1 deletion(-) create mode 100644 749f67b7d801eed03345fef9c04206fbd079c3cb.patch diff --git a/749f67b7d801eed03345fef9c04206fbd079c3cb.patch b/749f67b7d801eed03345fef9c04206fbd079c3cb.patch new file mode 100644 index 0000000..80436f9 --- /dev/null +++ b/749f67b7d801eed03345fef9c04206fbd079c3cb.patch @@ -0,0 +1,141 @@ +From 749f67b7d801eed03345fef9c04206fbd079c3cb Mon Sep 17 00:00:00 2001 +From: nicm +Date: Mon, 19 Nov 2018 13:35:40 +0000 +Subject: [PATCH] evbuffer_new and bufferevent_new can both fail (when malloc + fails) and return NULL. GitHub issue 1547. + +--- + cmd-pipe-pane.c | 2 ++ + control-notify.c | 2 ++ + format.c | 4 ++++ + input.c | 2 ++ + job.c | 2 ++ + server-client.c | 6 ++++++ + tty.c | 4 ++++ + window.c | 2 ++ + 8 files changed, 24 insertions(+) + +diff --git a/cmd-pipe-pane.c b/cmd-pipe-pane.c +index 199dd5754..4650959ce 100644 +--- a/cmd-pipe-pane.c ++++ b/cmd-pipe-pane.c +@@ -166,6 +166,8 @@ cmd_pipe_pane_exec(struct cmd *self, struct cmdq_item *item) + cmd_pipe_pane_write_callback, + cmd_pipe_pane_error_callback, + wp); ++ if (wp->pipe_event == NULL) ++ fatalx("out of memory"); + if (out) + bufferevent_enable(wp->pipe_event, EV_WRITE); + if (in) +diff --git a/control-notify.c b/control-notify.c +index 492914830..7b28e8f0a 100644 +--- a/control-notify.c ++++ b/control-notify.c +@@ -47,6 +47,8 @@ control_notify_input(struct client *c, struct window_pane *wp, + */ + if (winlink_find_by_window(&c->session->windows, wp->window) != NULL) { + message = evbuffer_new(); ++ if (message == NULL) ++ fatalx("out of memory"); + evbuffer_add_printf(message, "%%output %%%u ", wp->id); + for (i = 0; i < len; i++) { + if (buf[i] < ' ' || buf[i] == '\\') +diff --git a/format.c b/format.c +index 213654579..77f5f59d9 100644 +--- a/format.c ++++ b/format.c +@@ -573,6 +573,8 @@ format_cb_pane_tabs(struct format_tree *ft, struct format_entry *fe) + return; + + buffer = evbuffer_new(); ++ if (buffer == NULL) ++ fatalx("out of memory"); + for (i = 0; i < wp->base.grid->sx; i++) { + if (!bit_test(wp->base.tabs, i)) + continue; +@@ -603,6 +605,8 @@ format_cb_session_group_list(struct format_tree *ft, struct format_entry *fe) + return; + + buffer = evbuffer_new(); ++ if (buffer == NULL) ++ fatalx("out of memory"); + TAILQ_FOREACH(loop, &sg->sessions, gentry) { + if (EVBUFFER_LENGTH(buffer) > 0) + evbuffer_add(buffer, ",", 1); +diff --git a/input.c b/input.c +index 41cdfb70f..d9f419fe2 100644 +--- a/input.c ++++ b/input.c +@@ -767,6 +767,8 @@ input_init(struct window_pane *wp) + ictx->input_buf = xmalloc(INPUT_BUF_START); + + ictx->since_ground = evbuffer_new(); ++ if (ictx->since_ground == NULL) ++ fatalx("out of memory"); + + evtimer_set(&ictx->timer, input_timer_callback, ictx); + +diff --git a/job.c b/job.c +index 66315bd2c..73f62359f 100644 +--- a/job.c ++++ b/job.c +@@ -155,6 +155,8 @@ job_run(const char *cmd, struct session *s, const char *cwd, + + job->event = bufferevent_new(job->fd, job_read_callback, + job_write_callback, job_error_callback, job); ++ if (job->event == NULL) ++ fatalx("out of memory"); + bufferevent_enable(job->event, EV_READ|EV_WRITE); + + log_debug("run job %p: %s, pid %ld", job, job->cmd, (long) job->pid); +diff --git a/server-client.c b/server-client.c +index 3d939163b..94cc9e925 100644 +--- a/server-client.c ++++ b/server-client.c +@@ -186,8 +186,14 @@ server_client_create(int fd) + TAILQ_INIT(&c->queue); + + c->stdin_data = evbuffer_new(); ++ if (c->stdin_data == NULL) ++ fatalx("out of memory"); + c->stdout_data = evbuffer_new(); ++ if (c->stdout_data == NULL) ++ fatalx("out of memory"); + c->stderr_data = evbuffer_new(); ++ if (c->stderr_data == NULL) ++ fatalx("out of memory"); + + c->tty.fd = -1; + c->title = NULL; +diff --git a/tty.c b/tty.c +index 6b63aa3bd..df47c9726 100644 +--- a/tty.c ++++ b/tty.c +@@ -258,9 +258,13 @@ tty_open(struct tty *tty, char **cause) + event_set(&tty->event_in, tty->fd, EV_PERSIST|EV_READ, + tty_read_callback, tty); + tty->in = evbuffer_new(); ++ if (tty->in == NULL) ++ fatal("out of memory"); + + event_set(&tty->event_out, tty->fd, EV_WRITE, tty_write_callback, tty); + tty->out = evbuffer_new(); ++ if (tty->out == NULL) ++ fatal("out of memory"); + + evtimer_set(&tty->timer, tty_timer_callback, tty); + +diff --git a/window.c b/window.c +index 6e76b480d..530d95743 100644 +--- a/window.c ++++ b/window.c +@@ -997,6 +997,8 @@ window_pane_spawn(struct window_pane *wp, int argc, char **argv, + + wp->event = bufferevent_new(wp->fd, window_pane_read_callback, NULL, + window_pane_error_callback, wp); ++ if (wp->event == NULL) ++ fatalx("out of memory"); + + bufferevent_setwatermark(wp->event, EV_READ, 0, READ_SIZE); + bufferevent_enable(wp->event, EV_READ|EV_WRITE); diff --git a/tmux.spec b/tmux.spec index 516c94a..0ea7d86 100644 --- a/tmux.spec +++ b/tmux.spec @@ -2,7 +2,7 @@ Name: tmux Version: 2.8 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A terminal multiplexer Group: Applications/System @@ -13,6 +13,14 @@ URL: https://tmux.github.io/ Source0: https://github.com/tmux/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz # Examples has been removed - so include the bash_completion here Source1: bash_completion_tmux.sh +Patch0: 749f67b7d801eed03345fef9c04206fbd079c3cb.patch +# Patch0 from https://github.com/tmux/tmux/commit/749f67b7d801eed03345fef9c04206fbd079c3cb.patch +# From 749f67b7d801eed03345fef9c04206fbd079c3cb Mon Sep 17 00:00:00 2001 +# From: nicm +# Date: Mon, 19 Nov 2018 13:35:40 +0000 +# Subject: [PATCH] evbuffer_new and bufferevent_new can both fail (when malloc +# fails) and return NULL. GitHub issue 1547. + BuildRequires: gcc BuildRequires: ncurses-devel @@ -64,6 +72,10 @@ fi %{_datadir}/bash-completion/completions/tmux %changelog +* Thu Nov 22 2018 Filipe Rosset - 2.8-2 +- fixes rhbz #1652128 CVE-2018-19387 +- tmux: NULL Pointer Dereference in format_cb_pane_tabs in format.c + * Fri Oct 19 2018 Filipe Rosset - 2.8-1 - update to version 2.8 - ChangeLog https://raw.githubusercontent.com/tmux/tmux/2.8/CHANGES