Hello community, here is the log from the commit of package tmux for openSUSE:Factory checked in at 2018-11-28 11:14:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tmux (Old) and /work/SRC/openSUSE:Factory/.tmux.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "tmux" Wed Nov 28 11:14:14 2018 rev:42 rq:652133 version:2.8 Changes: -------- --- /work/SRC/openSUSE:Factory/tmux/tmux.changes 2018-10-22 11:25:27.219029867 +0200 +++ /work/SRC/openSUSE:Factory/.tmux.new.19453/tmux.changes 2018-11-28 11:14:34.174800335 +0100 @@ -1,0 +2,5 @@ +Tue Nov 27 10:01:13 UTC 2018 - Ondřej Súkup <mimi.vx@gmail.com> + +- add fix-cve201819387.patch fixes CVE-2018-19387 boo#1116887 + +------------------------------------------------------------------- New: ---- fix-cve201819387.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tmux.spec ++++++ --- /var/tmp/diff_new_pack.xZqIOq/_old 2018-11-28 11:14:35.706798193 +0100 +++ /var/tmp/diff_new_pack.xZqIOq/_new 2018-11-28 11:14:35.706798193 +0100 @@ -27,6 +27,7 @@ Source1: bash_completion_tmux.sh # PATCH-FIX-OPENSUSE crrodriguez@opensuse.org -- Use /run/tmux instead of /tmp as the default socket path, this add some robustness against accidental deletion via systemd-tmpfiles-clean, tmpwatch, or similar Patch0: tmux-socket-path.patch +Patch1: fix-cve201819387.patch BuildRequires: pkgconfig BuildRequires: utempter-devel BuildRequires: pkgconfig(libevent) >= 2.0 @@ -53,6 +54,7 @@ %prep %setup -q %patch0 -p1 +%patch1 -p3 %build export CFLAGS="%{optflags} -fno-strict-aliasing" ++++++ fix-cve201819387.patch ++++++
From b32e1d34e10a0da806823f57f02a4ae6e93d756e Mon Sep 17 00:00:00 2001 From: nicm <nicm@openbsd.org> Date: Mon, 19 Nov 2018 13:35:40 +0000 Subject: [PATCH] evbuffer_new and bufferevent_new can both fail (when malloc fails) and return NULL. GitHub issue 1547.
--- usr.bin/tmux/cmd-pipe-pane.c | 4 +++- usr.bin/tmux/control-notify.c | 4 +++- usr.bin/tmux/format.c | 6 +++++- usr.bin/tmux/input.c | 4 +++- usr.bin/tmux/job.c | 4 +++- usr.bin/tmux/server-client.c | 8 +++++++- usr.bin/tmux/tty.c | 6 +++++- usr.bin/tmux/window.c | 4 +++- 8 files changed, 32 insertions(+), 8 deletions(-) diff --git a/usr.bin/tmux/cmd-pipe-pane.c b/usr.bin/tmux/cmd-pipe-pane.c index 7b1ee05addb..95af043211b 100644 --- a/usr.bin/tmux/cmd-pipe-pane.c +++ b/usr.bin/tmux/cmd-pipe-pane.c @@ -166,6 +166,8 @@ cmd_pipe_pane_exec(struct cmd *self, struct cmdq_item *item) cmd_pipe_pane_write_callback, cmd_pipe_pane_error_callback, wp); + if (wp->pipe_event == NULL) + fatalx("out of memory"); if (out) bufferevent_enable(wp->pipe_event, EV_WRITE); if (in) diff --git a/usr.bin/tmux/control-notify.c b/usr.bin/tmux/control-notify.c index ecd64aca943..5927a5e9322 100644 --- a/usr.bin/tmux/control-notify.c +++ b/usr.bin/tmux/control-notify.c @@ -47,6 +47,8 @@ control_notify_input(struct client *c, struct window_pane *wp, */ if (winlink_find_by_window(&c->session->windows, wp->window) != NULL) { message = evbuffer_new(); + if (message == NULL) + fatalx("out of memory"); evbuffer_add_printf(message, "%%output %%%u ", wp->id); for (i = 0; i < len; i++) { if (buf[i] < ' ' || buf[i] == '\\') diff --git a/usr.bin/tmux/format.c b/usr.bin/tmux/format.c index abd1e0a0fc4..f788de8da14 100644 --- a/usr.bin/tmux/format.c +++ b/usr.bin/tmux/format.c @@ -573,6 +573,8 @@ format_cb_pane_tabs(struct format_tree *ft, struct format_entry *fe) return; buffer = evbuffer_new(); + if (buffer == NULL) + fatalx("out of memory"); for (i = 0; i < wp->base.grid->sx; i++) { if (!bit_test(wp->base.tabs, i)) continue; @@ -603,6 +605,8 @@ format_cb_session_group_list(struct format_tree *ft, struct format_entry *fe) return; buffer = evbuffer_new(); + if (buffer == NULL) + fatalx("out of memory"); TAILQ_FOREACH(loop, &sg->sessions, gentry) { if (EVBUFFER_LENGTH(buffer) > 0) evbuffer_add(buffer, ",", 1); diff --git a/usr.bin/tmux/input.c b/usr.bin/tmux/input.c index e97f6d7c690..df920b34f0a 100644 --- a/usr.bin/tmux/input.c +++ b/usr.bin/tmux/input.c @@ -767,6 +767,8 @@ input_init(struct window_pane *wp) ictx->input_buf = xmalloc(INPUT_BUF_START); ictx->since_ground = evbuffer_new(); + if (ictx->since_ground == NULL) + fatalx("out of memory"); evtimer_set(&ictx->timer, input_timer_callback, ictx); diff --git a/usr.bin/tmux/job.c b/usr.bin/tmux/job.c index edc06e141d3..74878d78c18 100644 --- a/usr.bin/tmux/job.c +++ b/usr.bin/tmux/job.c @@ -155,6 +155,8 @@ job_run(const char *cmd, struct session *s, const char *cwd, job->event = bufferevent_new(job->fd, job_read_callback, job_write_callback, job_error_callback, job); + if (job->event == NULL) + fatalx("out of memory"); bufferevent_enable(job->event, EV_READ|EV_WRITE); log_debug("run job %p: %s, pid %ld", job, job->cmd, (long) job->pid); diff --git a/usr.bin/tmux/server-client.c b/usr.bin/tmux/server-client.c index 27c96891d32..8fa9b332a8c 100644 --- a/usr.bin/tmux/server-client.c +++ b/usr.bin/tmux/server-client.c @@ -186,8 +186,14 @@ server_client_create(int fd) TAILQ_INIT(&c->queue); c->stdin_data = evbuffer_new(); + if (c->stdin_data == NULL) + fatalx("out of memory"); c->stdout_data = evbuffer_new(); + if (c->stdout_data == NULL) + fatalx("out of memory"); c->stderr_data = evbuffer_new(); + if (c->stderr_data == NULL) + fatalx("out of memory"); c->tty.fd = -1; c->title = NULL; diff --git a/usr.bin/tmux/tty.c b/usr.bin/tmux/tty.c index e5298c6f368..24761b71471 100644 --- a/usr.bin/tmux/tty.c +++ b/usr.bin/tmux/tty.c @@ -258,9 +258,13 @@ tty_open(struct tty *tty, char **cause) event_set(&tty->event_in, tty->fd, EV_PERSIST|EV_READ, tty_read_callback, tty); tty->in = evbuffer_new(); + if (tty->in == NULL) + fatal("out of memory"); event_set(&tty->event_out, tty->fd, EV_WRITE, tty_write_callback, tty); tty->out = evbuffer_new(); + if (tty->out == NULL) + fatal("out of memory"); evtimer_set(&tty->timer, tty_timer_callback, tty); diff --git a/usr.bin/tmux/window.c b/usr.bin/tmux/window.c index 998f2087e9a..a0ba831f299 100644 --- a/usr.bin/tmux/window.c +++ b/usr.bin/tmux/window.c @@ -997,6 +997,8 @@ window_pane_spawn(struct window_pane *wp, int argc, char **argv, wp->event = bufferevent_new(wp->fd, window_pane_read_callback, NULL, window_pane_error_callback, wp); + if (wp->event == NULL) + fatalx("out of memory"); bufferevent_setwatermark(wp->event, EV_READ, 0, READ_SIZE); bufferevent_enable(wp->event, EV_READ|EV_WRITE);
participants (1)
-
root