diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:04:59 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-27 14:06:57 +0000 |
| commit | 98a1bfcf7b3b47dda59ab80e2ac1b665eb179903 (patch) | |
| tree | 548f414be8e03a92eed08b97063fb50be359bac8 | |
| parent | daf9b293c5e40e9edb1b89794e235f3dcbfe9917 (diff) | |
| download | aports-98a1bfcf7b3b47dda59ab80e2ac1b665eb179903.tar.bz2 aports-98a1bfcf7b3b47dda59ab80e2ac1b665eb179903.tar.xz | |
main/libxinerama: upgrade to 1.1.2 and fix CVE-2013-1985
ref #1931
fixes #1951
(cherry picked from commit 3e5921fae9eef23dbc7c56b7905ccbf9de168cea)
(cherry picked from commit 33a1152b1f5f134b0fe6439b0eaec2a46574b561)
Conflicts:
main/libxinerama/APKBUILD
3 files changed, 178 insertions, 7 deletions
diff --git a/main/libxinerama/0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch b/main/libxinerama/0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch new file mode 100644 index 0000000000..eb70095949 --- /dev/null +++ b/main/libxinerama/0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch @@ -0,0 +1,78 @@ +From 7ce3ce4be46087f9cc57cb415875abaaa961f734 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 4 May 2013 09:21:14 -0700 +Subject: [PATCH 1/2] Use _XEatDataWords to avoid overflow of _XEatData + calculations + +rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + configure.ac | 6 ++++++ + src/Xinerama.c | 19 ++++++++++++++++++- + 2 files changed, 24 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index e335508..046a1aa 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO + # Obtain compiler/linker options for depedencies + PKG_CHECK_MODULES(XINERAMA, x11 xext xextproto [xineramaproto >= 1.1.99.1]) + ++# Check for _XEatDataWords function that may be patched into older Xlib releases ++SAVE_LIBS="$LIBS" ++LIBS="$XINERAMA_LIBS" ++AC_CHECK_FUNCS([_XEatDataWords]) ++LIBS="$SAVE_LIBS" ++ + # Allow checking code with lint, sparse, etc. + XORG_WITH_LINT + LINT_FLAGS="${LINT_FLAGS} ${XINERAMA_CFLAGS}" +diff --git a/src/Xinerama.c b/src/Xinerama.c +index 7d7e4d8..04189b6 100644 +--- a/src/Xinerama.c ++++ b/src/Xinerama.c +@@ -23,6 +23,10 @@ dealings in this Software without prior written authorization from Digital + Equipment Corporation. + ******************************************************************/ + ++#ifdef HAVE_CONFIG_H ++# include "config.h" ++#endif ++ + #include <X11/Xlibint.h> + #include <X11/Xutil.h> + #include <X11/extensions/Xext.h> +@@ -31,6 +35,19 @@ Equipment Corporation. + #include <X11/extensions/panoramiXproto.h> + #include <X11/extensions/Xinerama.h> + ++#ifndef HAVE__XEATDATAWORDS ++#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */ ++#include <limits.h> ++ ++static inline void _XEatDataWords(Display *dpy, unsigned long n) ++{ ++# ifndef LONG64 ++ if (n >= (ULONG_MAX >> 2)) ++ _XIOError(dpy); ++# endif ++ _XEatData (dpy, n << 2); ++} ++#endif + + static XExtensionInfo _panoramiX_ext_info_data; + static XExtensionInfo *panoramiX_ext_info = &_panoramiX_ext_info_data; +@@ -302,7 +319,7 @@ XineramaQueryScreens( + + *number = rep.number; + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } else { + *number = 0; + } +-- +1.8.2.3 + diff --git a/main/libxinerama/0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch b/main/libxinerama/0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch new file mode 100644 index 0000000000..a0ce966b92 --- /dev/null +++ b/main/libxinerama/0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch @@ -0,0 +1,76 @@ +From 99c644fc8488657bdd106717df7446d606f9ef22 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 8 Mar 2013 19:55:55 -0800 +Subject: [PATCH 2/2] integer overflow in XineramaQueryScreens() + [CVE-2013-1985] + +If the reported number of screens is too large, the calculations to +allocate memory for them may overflow, leaving us writing beyond the +bounds of the allocation. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/Xinerama.c | 44 ++++++++++++++++++++++++++++---------------- + 1 file changed, 28 insertions(+), 16 deletions(-) + +diff --git a/src/Xinerama.c b/src/Xinerama.c +index 04189b6..67a35b5 100644 +--- a/src/Xinerama.c ++++ b/src/Xinerama.c +@@ -303,24 +303,36 @@ XineramaQueryScreens( + return NULL; + } + +- if(rep.number) { +- if((scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number))) { ++ /* ++ * rep.number is a CARD32 so could be as large as 2^32 ++ * The X11 protocol limits the total screen size to 64k x 64k, ++ * and no screen can be smaller than a pixel. While technically ++ * that means we could theoretically reach 2^32 screens, and that's ++ * not even taking overlap into account, Xorg is currently limited ++ * to 16 screens, and few known servers have a much higher limit, ++ * so 1024 seems more than enough to prevent both integer overflow ++ * and insane X server responses causing massive memory allocation. ++ */ ++ if ((rep.number > 0) && (rep.number <= 1024)) ++ scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number); ++ if (scrnInfo != NULL) { ++ int i; ++ ++ for (i = 0; i < rep.number; i++) { + xXineramaScreenInfo scratch; +- int i; +- +- for(i = 0; i < rep.number; i++) { +- _XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo); +- scrnInfo[i].screen_number = i; +- scrnInfo[i].x_org = scratch.x_org; +- scrnInfo[i].y_org = scratch.y_org; +- scrnInfo[i].width = scratch.width; +- scrnInfo[i].height = scratch.height; +- } +- +- *number = rep.number; +- } else +- _XEatDataWords(dpy, rep.length); ++ ++ _XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo); ++ ++ scrnInfo[i].screen_number = i; ++ scrnInfo[i].x_org = scratch.x_org; ++ scrnInfo[i].y_org = scratch.y_org; ++ scrnInfo[i].width = scratch.width; ++ scrnInfo[i].height = scratch.height; ++ } ++ ++ *number = rep.number; + } else { ++ _XEatDataWords(dpy, rep.length); + *number = 0; + } + +-- +1.8.2.3 + diff --git a/main/libxinerama/APKBUILD b/main/libxinerama/APKBUILD index 98f7e1b131..33de52d008 100644 --- a/main/libxinerama/APKBUILD +++ b/main/libxinerama/APKBUILD @@ -1,26 +1,43 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libxinerama -pkgver=1.1.1 -pkgrel=2 +pkgver=1.1.2 +pkgrel=0 pkgdesc="X11 Xinerama extension library" url="http://xorg.freedesktop.org/" arch="all" license="custom" subpackages="$pkgname-dev $pkgname-doc" depends= -makedepends="pkgconfig libxext-dev libx11-dev xineramaproto" -source="http://xorg.freedesktop.org/releases/individual/lib/libXinerama-$pkgver.tar.bz2" depends_dev="xineramaproto libx11-dev libxext-dev" +makedepends="$depends_dev libtool automake autoconf util-macros" +source="http://xorg.freedesktop.org/releases/individual/lib/libXinerama-$pkgver.tar.bz2 + 0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch + 0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch + " + +_builddir="$srcdir"/libXinerama-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done + libtoolize --force && aclocal && autoheader && autoconf \ + && automake --add-missing +} build() { - cd "$srcdir"/libXinerama-$pkgver + cd "$_builddir" ./configure --prefix=/usr make || return 1 } package() { - cd "$srcdir"/libXinerama-$pkgver + cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="ecd4839ad01f6f637c6fb5327207f89b libXinerama-1.1.1.tar.bz2" +md5sums="cb45d6672c93a608f003b6404f1dd462 libXinerama-1.1.2.tar.bz2 +a315f9665077ca4b845a7176a6a761e6 0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch +0fccb7f32a31711cadf04d1f68326ea7 0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch" |