main/libxtst: fix CVE-2013-2063

ref #1931 fixes #1971 (cherry picked from commit ca33affea49de655ea0a1aa27accea11f84df7c1) Conflicts: main/libxtst/APKBUILD
author: Natanael Copa <ncopa@alpinelinux.org> 2013-05-27 14:31:43 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2013-05-27 14:44:03 +0000
commit: 1a986b6d1c449347db886c40abc2c7e2d8d2538b (patch)
tree: f7dfd5a52e2d7b0974ddc76c0138275d8a42623d
parent: dc3a97fa22906a13cba3bd29a3792081ecaa3119 (diff)
download: aports-1a986b6d1c449347db886c40abc2c7e2d8d2538b.tar.bz2
aports-1a986b6d1c449347db886c40abc2c7e2d8d2538b.tar.xz
3 files changed, 194 insertions, 9 deletions
diff --git a/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch b/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
new file mode 100644
index 0000000000..43fa1e0d76
--- /dev/null
+++ b/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
@@ -0,0 +1,88 @@
+From 46ed6283034b5b7d14584009453f5d974cfacf1e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 11:05:27 -0700
+Subject: [PATCH 1/2] Use _XEatDataWords to eat data in error cases
+
+Avoids having to do calculcations based on response contents
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac  |  6 ++++++
+ src/XRecord.c | 23 +++++++++++++++++------
+ 2 files changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7ef0153..d83d4d8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -47,6 +47,12 @@ XORG_CHECK_SGML_DOCTOOLS(1.8)
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XTST, x11 [xext >= 1.0.99.4] xi [recordproto >= 1.13.99.1] [xextproto >= 7.0.99.3] inputproto)
+ 
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XTST_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Determine if the source for man pages is available
+ # It may already be present (tarball) or can be generated using xmlto
+ AM_CONDITIONAL([INSTALL_MANPAGES],
+diff --git a/src/XRecord.c b/src/XRecord.c
+index b65451c..ba628b6 100644
+--- a/src/XRecord.c
++++ b/src/XRecord.c
+@@ -49,6 +49,9 @@ from The Open Group.
+  * By Stephen Gildea, X Consortium, and Martha Zimet, NCD.
+  */
+ 
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
+ #include <stdio.h>
+ #include <assert.h>
+ #include <X11/Xlibint.h>
+@@ -56,6 +59,18 @@ from The Open Group.
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/recordproto.h>
+ #include <X11/extensions/record.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++    if (n >= (ULONG_MAX >> 2))
++        _XIOError(dpy);
++# endif
++    _XEatData (dpy, n << 2);
++}
++#endif
+ 
+ static XExtensionInfo _xrecord_info_data;
+ static XExtensionInfo *xrecord_info = &_xrecord_info_data;
+@@ -427,7 +442,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+ 
+     ret = (XRecordState*)Xmalloc(sizeof(XRecordState));
+     if (!ret) {
+-	/* XXX - eat data */
++	_XEatDataWords (dpy, rep.length);
+ 	UnlockDisplay(dpy);
+ 	SyncHandle();
+ 	return 0;
+@@ -446,11 +461,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+ 	}
+         if (!client_inf || !client_inf_str)
+         {
+-           for(i = 0; i < count; i++)
+-           {
+-	        _XEatData (dpy, sizeof(xRecordClientInfo));
+-                _XEatData (dpy, SIZEOF(xRecordRange)); /* XXX - don't know how many */
+-           }
++	   _XEatDataWords (dpy, rep.length);
+ 	   UnlockDisplay(dpy);
+ 	   XRecordFreeState(ret);
+ 	   SyncHandle();
+-- 
+1.8.2.3
+
diff --git a/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch b/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
new file mode 100644
index 0000000000..661a464fd0
--- /dev/null
+++ b/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
@@ -0,0 +1,81 @@
+From e7e04b7be3f018ad636aba3a36bfc1cd80b9906d Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 11:27:26 -0700
+Subject: [PATCH 2/2] integer overflow in XRecordGetContext() [CVE-2013-2063]
+
+The nclients and nranges members of the reply are both CARD32 and need
+to be bounds checked before multiplying by the size of the structs to
+avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XRecord.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/src/XRecord.c b/src/XRecord.c
+index ba628b6..5bbd5ac 100644
+--- a/src/XRecord.c
++++ b/src/XRecord.c
+@@ -420,11 +420,9 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+     XExtDisplayInfo 	*info = find_display (dpy);
+     register 		xRecordGetContextReq   	*req;
+     xRecordGetContextReply 	rep;
+-    int			count, i, rn;
++    unsigned int	count, i, rn;
+     xRecordRange   	xrange;
+-    XRecordRange	*ranges = NULL;
+     xRecordClientInfo   xclient_inf;
+-    XRecordClientInfo	**client_inf, *client_inf_str = NULL;
+     XRecordState	*ret;
+ 
+     XRecordCheckExtension (dpy, info, 0);
+@@ -454,13 +452,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+ 
+     if (count)
+     {
+-     	client_inf = (XRecordClientInfo **) Xcalloc(count, sizeof(XRecordClientInfo*));
+-	ret->client_info = client_inf;
+-	if (client_inf != NULL) {
+-	    client_inf_str = (XRecordClientInfo *) Xmalloc(count*sizeof(XRecordClientInfo));
++	XRecordClientInfo	**client_inf = NULL;
++	XRecordClientInfo	*client_inf_str = NULL;
++
++	if (count < (INT_MAX / sizeof(XRecordClientInfo))) {
++	    client_inf = Xcalloc(count, sizeof(XRecordClientInfo *));
++	    if (client_inf != NULL)
++		client_inf_str = Xmalloc(count * sizeof(XRecordClientInfo));
+ 	}
++	ret->client_info = client_inf;
+         if (!client_inf || !client_inf_str)
+         {
++	   free(client_inf);
+ 	   _XEatDataWords (dpy, rep.length);
+ 	   UnlockDisplay(dpy);
+ 	   XRecordFreeState(ret);
+@@ -476,11 +479,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+ 
+ 	    if (xclient_inf.nRanges)
+ 	    {
+-		client_inf_str[i].ranges = (XRecordRange**) Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange*));
+-		if (client_inf_str[i].ranges != NULL) {
+-		    ranges = (XRecordRange*)
+-			Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
++		XRecordRange	*ranges = NULL;
++
++		if (xclient_inf.nRanges < (INT_MAX / sizeof(XRecordRange))) {
++		    client_inf_str[i].ranges =
++			Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange *));
++		    if (client_inf_str[i].ranges != NULL)
++			ranges =
++			    Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
+ 		}
++		else
++		    client_inf_str[i].ranges = NULL;
++
+ 		if (!client_inf_str[i].ranges || !ranges) {
+ 		    /* XXX eat data */
+ 		    UnlockDisplay(dpy);
+-- 
+1.8.2.3
+
diff --git a/main/libxtst/APKBUILD b/main/libxtst/APKBUILD
index 6a7ab8ea70..9a3b21ab8b 100644
--- a/main/libxtst/APKBUILD
+++ b/main/libxtst/APKBUILD
@@ -1,30 +1,46 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libxtst
-pkgver=1.2.0
-pkgrel=2
+pkgver=1.2.1
+pkgrel=1
 pkgdesc="X11 Testing -- Resource extension library"
 url="http://xorg.freedesktop.org/"
 arch="all"
 license="custom"
 subpackages="$pkgname-dev $pkgname-doc"
 depends=
-makedepends="pkgconfig libxext-dev libxi-dev recordproto inputproto"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2"
 depends_dev="recordproto libx11-dev libxext-dev inputproto libxi-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2
+	0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
+	0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
+	"
 
-build ()
-{
-	cd "$srcdir"/libXtst-$pkgver
+_builddir="$srcdir"/libXtst-$pkgver
+prepare() {
+	cd "$_builddir"
+	for i in $source; do
+		case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
+	libtoolize --force && aclocal && autoheader && autoconf \
+		&& automake --add-missing
+}
+
+build() {
+	cd "$_builddir"
 	./configure --prefix=/usr \
 		--build=${CHOST} --host=${CHOST}
 	make || return 1
 }
 
 package() {
-	cd "$srcdir"/libXtst-$pkgver
+	cd "$_builddir"
 	make DESTDIR="$pkgdir" install || return 1
 	rm "$pkgdir"/usr/lib/*.la || return 1
 	install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
 }
 
-md5sums="7c592c72da6676f8b0aeec9133b81686  libXtst-1.2.0.tar.bz2"
+md5sums="e8abc5c00c666f551cf26aa53819d592  libXtst-1.2.1.tar.bz2
+ef5006c916511e087973d797a60aaee1  0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
+641e6194973b4d324f8278faa821b87a  0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
author	Natanael Copa <ncopa@alpinelinux.org>	2013-05-27 14:31:43 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2013-05-27 14:44:03 +0000
commit	1a986b6d1c449347db886c40abc2c7e2d8d2538b (patch)
tree	f7dfd5a52e2d7b0974ddc76c0138275d8a42623d
parent	dc3a97fa22906a13cba3bd29a3792081ecaa3119 (diff)
download	aports-1a986b6d1c449347db886c40abc2c7e2d8d2538b.tar.bz2 aports-1a986b6d1c449347db886c40abc2c7e2d8d2538b.tar.xz