aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 08:32:13 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-27 14:06:56 +0000
commitcb0cd770ba3f64b0c0804962bc03dda167a4c207 (patch)
tree4baaef9361720ed4d3d51f011b82b0910933de13
parentb2f170f145ce7d7a5a7125aca8e4aacd05594596 (diff)
downloadaports-cb0cd770ba3f64b0c0804962bc03dda167a4c207.tar.bz2
aports-cb0cd770ba3f64b0c0804962bc03dda167a4c207.tar.xz
main/libxcursor: fix CVE-2013-2003
ref #1931 fixes #1999 (cherry picked from commit 99d3e572056d735f20db0b6a80e86398462ee97b) Conflicts: main/libxcursor/APKBUILD
-rw-r--r--main/libxcursor/APKBUILD26
-rw-r--r--main/libxcursor/CVE-2013-2003.patch34
2 files changed, 53 insertions, 7 deletions
diff --git a/main/libxcursor/APKBUILD b/main/libxcursor/APKBUILD
index 44cf51f2c2..500d94dde0 100644
--- a/main/libxcursor/APKBUILD
+++ b/main/libxcursor/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxcursor
-pkgver=1.1.12
+pkgver=1.1.13
pkgrel=0
pkgdesc="X cursor management library"
url="http://xorg.freedesktop.org/"
@@ -8,12 +8,23 @@ arch="all"
license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
-makedepends="pkgconfig libxfixes-dev libx11-dev libxrender-dev"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXcursor-$pkgver.tar.bz2"
-
depends_dev="xproto libx11-dev libxrender-dev libxfixes-dev"
+makedepends="$depends_dev"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXcursor-$pkgver.tar.bz2
+ CVE-2013-2003.patch"
+
+_builddir="$srcdir"/libXcursor-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
build() {
- cd "$srcdir"/libXcursor-$pkgver
+ cd "$_builddir"
./configure --prefix=/usr \
--sysconfdir=/etc \
|| return 1
@@ -21,8 +32,9 @@ build() {
}
package() {
- cd "$srcdir"/libXcursor-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
}
-md5sums="a93b5a6f5b05976d2c0d3f8a07f6ac6a libXcursor-1.1.12.tar.bz2"
+md5sums="52efa81b7f26c8eda13510a2fba98eea libXcursor-1.1.13.tar.bz2
+e604d93c5dfcc22078129959acc9a6d5 CVE-2013-2003.patch"
diff --git a/main/libxcursor/CVE-2013-2003.patch b/main/libxcursor/CVE-2013-2003.patch
new file mode 100644
index 0000000000..a4f41e1453
--- /dev/null
+++ b/main/libxcursor/CVE-2013-2003.patch
@@ -0,0 +1,34 @@
+From 8f677eaea05290531d007d1fec2768119926088d Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 04:17:28 +0000
+Subject: signedness bug & integer overflow in _XcursorFileHeaderCreate() [CVE-2013-2003]
+
+When parsing cursor files, a user defined (e.g. through environment
+variables) cursor file is opened and parsed.
+
+The header is read in _XcursorReadFileHeader(), which reads an unsigned
+int for the number of toc structures in the header, but it was being
+passed to _XcursorFileHeaderCreate() as a signed int to allocate those
+structures. If the number was negative, it would pass the bounds check
+and could overflow the calculation for how much memory to allocate to
+store the data being read, leading to overflowing the buffer with the
+data read from the user controlled file.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+diff --git a/src/file.c b/src/file.c
+index efe6d4b..ce9de78 100644
+--- a/src/file.c
++++ b/src/file.c
+@@ -205,7 +205,7 @@ _XcursorFileHeaderDestroy (XcursorFileHeader *fileHeader)
+ }
+
+ static XcursorFileHeader *
+-_XcursorFileHeaderCreate (int ntoc)
++_XcursorFileHeaderCreate (XcursorUInt ntoc)
+ {
+ XcursorFileHeader *fileHeader;
+
+--
+cgit v0.9.0.2-2-gbebe