author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:28:38 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-27 14:06:58 +0000 |
commit | 4b84d993c5872e6577785940b18f56b9b44b8c1a (patch) | |
tree | dc406685a689bba4e1f40d428119b22b85478a99 | |
parent | 5085262d55a50ebb9f793b40d891cb5727f3ad43 (diff) | |
main/libxv: fix CVE-2013-1989,CVE-2013-2066
ref #1931
fixes #1975
(cherry picked from commit a04d1c8ff925273f3caf3a46393cf73ac2b96ab5)
(cherry picked from commit 116a8d9ca2f4a57fd5c27dc32f9d393d7ed3b48e)
Conflicts:
main/libxv/APKBUILD
6 files changed, 284 insertions, 7 deletions
diff --git a/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
new file mode 100644
index 0000000000..0e33952a60
--- /dev/null
+++ b/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
@@ -0,0 +1,93 @@
+From 79362c764a6df7e7fbe5247756bdbf60f3a58baf Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:28:34 -0700
+Subject: [PATCH 1/5] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/Xv.c | 22 +++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 5494b5d..6a335db 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XV_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Allow checking code with lint, sparse, etc.
+ XORG_WITH_LINT
+ XORG_LINT_LIBRARY([Xv])
+diff --git a/src/Xv.c b/src/Xv.c
+index b081e8a..5be1d95 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -49,11 +49,27 @@ SOFTWARE.
+ **
+ */
+
++#ifdef HAVE_CONFIG_H
++# include "config.h"
++#endif
++
+ #include <stdio.h>
+ #include "Xvlibint.h"
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/XShm.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ static XExtensionInfo _xv_info_data;
+ static XExtensionInfo *xv_info = &_xv_info_data;
+@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
+ (*num)++;
+ }
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay(dpy);
+@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
+ (*num)++;
+ }
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay(dpy);
+@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
+ _XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
+ _XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+
+ UnlockDisplay(dpy);
+ SyncHandle();
+--
+1.8.2.3
+
diff --git a/main/libxv/0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch b/main/libxv/0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
new file mode 100644
index 0000000000..707f99b02b
--- /dev/null
+++ b/main/libxv/0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
@@ -0,0 +1,43 @@
+From 6e1b743a276651195be3cd68dff41e38426bf3ab Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:03:03 -0700
+Subject: [PATCH 2/5] integer overflow in XvQueryPortAttributes()
+ [CVE-2013-1989 1/3]
+
+The num_attributes & text_size members of the reply are both CARD32s
+and need to be bounds checked before multiplying & adding them together
+to come up with the total size to allocate, to avoid integer overflow
+leading to underallocation and writing data from the network past the
+end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xv.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index 5be1d95..3cbad35 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
+ }
+
+ if(rep.num_attributes) {
+- int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
++ unsigned long size;
++ /* limit each part to no more than one half the max size */
++ if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
++ (rep.text_size < (INT_MAX / 2))) {
++ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
++ ret = Xmalloc(size);
++ }
+
+- if((ret = Xmalloc(size))) {
++ if (ret != NULL) {
+ char* marker = (char*)(&ret[rep.num_attributes]);
+ xvAttributeInfo Info;
+ int i;
+--
+1.8.2.3
+
diff --git a/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch b/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
new file mode 100644
index 0000000000..24e1c1b8b3
--- /dev/null
+++ b/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
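Review bot: The bounds check added at the top of the `if(rep.num_attributes)` block only assigns `ret` when it passes, so the new `if (ret != NULL)` test depends on `ret` having been initialised to NULL at its declaration, which is outside this hunk; confirm that declaration reads `XvAttribute *ret = NULL;`, because otherwise an oversized `num_attributes` or `text_size` leaves `ret` indeterminate and the NULL test reads an uninitialised pointer. The same pattern — allocate only inside the guard, then test `ret != NULL` — is used in the XvListImageFormats hunk of patch 0004 and the XvCreateImage hunk of patch 0005, so the same confirmation applies there. When the guard fails, the `} else _XEatDataWords(dpy, rep.length);` branch visible in patch 0001 appears to be what drains the reply and keeps the connection in sync; a comment such as `/* ret stays NULL on an oversized reply; the else branch below eats it */` would make that dependency explicit. XvQueryPortAttributes begins and ends outside the hunk.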
@@ -0,0 +1,47 @@
+From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:16:14 -0700
+Subject: [PATCH 3/5] buffer overflow in XvQueryPortAttributes()
+ [CVE-2013-2066]
+
+Each attribute returned in the reply includes the number of bytes
+to read for its marker. We had been always trusting it, and never
+validating that it wouldn't cause us to write past the end of the
+buffer we allocated based on the reported text_size.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xv.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index 3cbad35..f9813eb 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
+ xvAttributeInfo Info;
+ int i;
+
++ /* keep track of remaining room for text strings */
++ size = rep.text_size;
++
+ for(i = 0; i < rep.num_attributes; i++) {
+ _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
+ ret[i].flags = (int)Info.flags;
+ ret[i].min_value = Info.min;
+ ret[i].max_value = Info.max;
+ ret[i].name = marker;
+- _XRead(dpy, marker, Info.size);
+- marker += Info.size;
++ if (Info.size <= size) {
++ _XRead(dpy, marker, Info.size);
++ marker += Info.size;
++ size -= Info.size;
++ }
+ (*num)++;
+ }
+ } else
+--
+1.8.2.3
+
diff --git a/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch b/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
new file mode 100644
index 0000000000..b80f47a1d7
--- /dev/null
+++ b/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
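Review bot: The `if (Info.size <= size)` guard in the XvQueryPortAttributes loop stops the write past the buffer, but when it fails the attribute's `Info.size` name bytes are left unread on the connection, so every following `_XRead` of `sz_xvAttributeInfo` is misaligned for the rest of the reply unless something after the loop, outside this hunk, discards the remainder. In that case `ret[i].name` also still points at `marker`, i.e. at a region of the Xmalloc'd buffer that was never written and is not necessarily NUL-terminated, and `(*num)++` still reports the entry to the caller. Consider draining the skipped bytes and giving the entry a well-defined name, e.g. `} else { _XEatData(dpy, Info.size); ret[i].name = ""; }` — `_XEatData` is the same Xlib helper patch 0001 already relies on. The enclosing function starts and ends outside the hunk.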
@@ -0,0 +1,37 @@
+From 59301c1b5095f7dc6359d5b396dbbcdee7038270 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:03:03 -0700
+Subject: [PATCH 4/5] integer overflow in XvListImageFormats() [CVE-2013-1989
+ 2/3]
+
+num_formats is a CARD32 and needs to be bounds checked before multiplying
+by sizeof(XvImageFormatValues) to come up with the total size to allocate,
+to avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xv.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index f9813eb..0a07d9d 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
+ }
+
+ if(rep.num_formats) {
+- int size = (rep.num_formats * sizeof(XvImageFormatValues));
++ if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
++ ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
+
+- if((ret = Xmalloc(size))) {
++ if (ret != NULL) {
+ xvImageFormatInfo Info;
+ int i;
+
+--
+1.8.2.3
+
diff --git a/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch b/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch
new file mode 100644
index 0000000000..2be6900c33
--- /dev/null
+++ b/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch
@@ -0,0 +1,35 @@
+From 50fc4cb18069cb9450a02c13f80223ef23511409 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:03:03 -0700
+Subject: [PATCH 5/5] integer overflow in XvCreateImage() [CVE-2013-1989 3/3]
+
+num_planes is a CARD32 and needs to be bounds checked before bit shifting
+and adding to sizeof(XvImage) to come up with the total size to allocate,
+to avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index 0a07d9d..f268f8e 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -992,7 +992,10 @@ XvImage * XvCreateImage (
+ return NULL;
+ }
+
+- if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) {
++ if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage)))
++ ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3));
++
++ if (ret != NULL) {
+ ret->id = id;
+ ret->width = rep.width;
+ ret->height = rep.height;
+--
+1.8.2.3
+
diff --git a/main/libxv/APKBUILD b/main/libxv/APKBUILD
index a75f8d7cb1..c7911a9287 100644
--- a/main/libxv/APKBUILD
+++ b/main/libxv/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libxv
-pkgver=1.0.6
+pkgver=1.0.7
 pkgrel=1
 pkgdesc="X11 Video extension library"
 url="http://xorg.freedesktop.org/"
@@ -8,21 +8,43 @@ arch="all"
 license="custom"
 subpackages="$pkgname-dev $pkgname-doc"
 depends=
-makedepends="pkgconfig libxext-dev libx11-dev videoproto"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXv-$pkgver.tar.bz2"
-
 depends_dev="xproto videoproto libx11-dev libxext-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXv-$pkgver.tar.bz2
+ 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+ 0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
+ 0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
+ 0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
+ 0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch
+ "
+
+_builddir="$srcdir"/libXv-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+ libtoolize --force && aclocal && autoheader && autoconf \
+ && automake --add-missing
+}
 build() {
- cd "$srcdir"/libXv-$pkgver
+ cd "$_builddir"
 ./configure --prefix=/usr
 make || return 1
 }
 
 package() {
- cd "$srcdir"/libXv-$pkgver
+ cd "$_builddir"
 make DESTDIR="$pkgdir" install || return 1
 rm "$pkgdir"/usr/lib/*.la || return 1
 install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
 }
 
-md5sums="e292445a64b63e918bbc8b6aae6391dd libXv-1.0.6.tar.bz2"
+md5sums="5e1ac203ccd3ce3e89755ed1fbe75b0b libXv-1.0.7.tar.bz2
+cbd5367f2b5717cab78b819aaaacd7d9 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+ff8da08c2883bdc98cbac78e448e81e6 0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
+108ba64a9d7d5f3763cfbb00ffe53eb2 0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
+53dbcb31cb08325b3a5329f16ddab3dd 0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
+0844dd0e117d36a70f603019af580f13 0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch"
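Review bot: `md5sums` is the only integrity check on the new libXv-1.0.7.tar.bz2, and since the tarball is fetched over plain `http://`, an MD5 digest only catches accidental corruption — MD5 is collision-broken, so it is a weak guard against a substituted archive. If the abuild version in use supports a stronger digest list (e.g. `sha512sums`), prefer it; otherwise a line in the commit message saying the md5 was checked against upstream's published checksum would at least record the provenance. Separately, the new `prepare()` runs `cd "$_builddir"` without `|| return 1`, unlike the other commands in the function, so if the directory is missing the patch loop runs from the wrong working directory unless abuild executes these functions under `set -e`; `cd "$_builddir" || return 1` makes the failure explicit.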