authorLeonardo Arena <rnalrd@alpinelinux.org>2016-10-19 09:58:33 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-10-19 10:02:04 +0000
commited1503d2efe5cb5899616fd977454712f4edd679 (patch)
tree42c247a5d59e8527c6c00d8e110335347093fcd9
parent14039a717a7e33d8e8075b6b33815509532e3d74 (diff)
main/libxv: security fix (CVE-2016-5407). Fixes #6281
(cherry picked from commit 00c0d0b37ed78ec5eb99beb9d464eea9a59595fd)
-rw-r--r--main/libxv/APKBUILD16
-rw-r--r--main/libxv/CVE-2016-5407.patch151
2 files changed, 163 insertions, 4 deletions
diff --git a/main/libxv/APKBUILD b/main/libxv/APKBUILD
index 4a05c15e0f..0688c29488 100644
--- a/main/libxv/APKBUILD
+++ b/main/libxv/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxv
pkgver=1.0.10
-pkgrel=0
+pkgrel=1
pkgdesc="X11 Video extension library"
url="http://xorg.freedesktop.org/"
arch="all"
@@ -11,8 +11,13 @@ depends=
depends_dev="xproto videoproto libx11-dev libxext-dev"
makedepends="$depends_dev"
source="http://xorg.freedesktop.org/releases/individual/lib/libXv-$pkgver.tar.bz2
+ CVE-2016-5407.patch
"
+# secfixes:
+# 1.0.10-r1:
+# - CVE-2016-5407
+
_builddir="$srcdir"/libXv-$pkgver
prepare() {
cd "$_builddir"
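Review bot: Nothing visible in this diff shows CVE-2016-5407.patch actually being applied. The hunk adds it to `source` and lists it under `# secfixes:`, but `prepare()` is not touched and its body continues outside the hunk. If the existing `prepare()` does not already walk `$source` and run something like `patch -p1 -i "$srcdir"/$i` for `*.patch` entries, the package would be published as 1.0.10-r1 and recorded as fixed while still building the unpatched Xv.c. It is worth confirming from the build log that the patch is applied before relying on the secfixes entry.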
@@ -39,6 +44,9 @@ package() {
rm "$pkgdir"/usr/lib/*.la || return 1
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
-md5sums="e0af49d7d758b990e6fef629722d4aca libXv-1.0.10.tar.bz2"
-sha256sums="55fe92f8686ce8612e2c1bfaf58c057715534419da700bda8d517b1d97914525 libXv-1.0.10.tar.bz2"
-sha512sums="3c9642006dbc7a74f91263aa3a94711a95ee436b03d97ef51fce2bc2f602c25589606e1fcb58287ea0efebb3b9dbe7ef5fcb94e11ad3ec6be7830947a4cefe03 libXv-1.0.10.tar.bz2"
+md5sums="e0af49d7d758b990e6fef629722d4aca libXv-1.0.10.tar.bz2
+64e67ae612b8c2edcff2645f801173ac CVE-2016-5407.patch"
+sha256sums="55fe92f8686ce8612e2c1bfaf58c057715534419da700bda8d517b1d97914525 libXv-1.0.10.tar.bz2
+e04382d00a65077941e15f142e8b9f751de86f1d116404b1fd51bb6ff80dd177 CVE-2016-5407.patch"
+sha512sums="3c9642006dbc7a74f91263aa3a94711a95ee436b03d97ef51fce2bc2f602c25589606e1fcb58287ea0efebb3b9dbe7ef5fcb94e11ad3ec6be7830947a4cefe03 libXv-1.0.10.tar.bz2
+5cfa33741711de6346067d5dafb97030c091497e2826b2ba48e0dc40c7d4e2866f1b2a8cd48530726bbe1fc70fd9ecbc1b0e9269617465a05dbc4caf2c7781f7 CVE-2016-5407.patch"
diff --git a/main/libxv/CVE-2016-5407.patch b/main/libxv/CVE-2016-5407.patch
new file mode 100644
index 0000000000..3b2f69a174
--- /dev/null
+++ b/main/libxv/CVE-2016-5407.patch
@@ -0,0 +1,151 @@
+From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:30:03 +0200
+Subject: Protocol handling issues in libXv - CVE-2016-5407
+
+The Xv query functions for adaptors and encodings suffer from out of
+boundary accesses if a hostile X server sends a maliciously crafted
+response.
+
+A previous fix already checks the received length against fixed values
+but ignores additional length specifications which are stored inside
+the received data.
+
+These lengths are accessed in a for-loop. The easiest way to guarantee
+a correct processing is by validating all lengths against the
+remaining size left before accessing referenced memory.
+
+This makes the previously applied check obsolete, therefore I removed
+it.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+diff --git a/src/Xv.c b/src/Xv.c
+index e47093a..be450c4 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -158,6 +158,7 @@ XvQueryAdaptors(
+ size_t size;
+ unsigned int ii, jj;
+ char *name;
++ char *end;
+ XvAdaptorInfo *pas = NULL, *pa;
+ XvFormat *pfs, *pf;
+ char *buffer = NULL;
+@@ -197,17 +198,13 @@ XvQueryAdaptors(
+ /* GET INPUT ADAPTORS */
+
+ if (rep.num_adaptors == 0) {
+- /* If there's no adaptors, there's nothing more to do. */
++ /* If there are no adaptors, there's nothing more to do. */
+ status = Success;
+ goto out;
+ }
+
+- if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) {
+- /* If there's not enough data for the number of adaptors,
+- then we have a problem. */
+- status = XvBadReply;
+- goto out;
+- }
++ u.buffer = buffer;
++ end = buffer + size;
+
+ size = rep.num_adaptors * sizeof(XvAdaptorInfo);
+ if ((pas = Xmalloc(size)) == NULL) {
+@@ -225,9 +222,12 @@ XvQueryAdaptors(
+ pa++;
+ }
+
+- u.buffer = buffer;
+ pa = pas;
+ for (ii = 0; ii < rep.num_adaptors; ii++) {
++ if (u.buffer + sz_xvAdaptorInfo > end) {
++ status = XvBadReply;
++ goto out;
++ }
+ pa->type = u.pa->type;
+ pa->base_id = u.pa->base_id;
+ pa->num_ports = u.pa->num_ports;
+@@ -239,6 +239,10 @@ XvQueryAdaptors(
+ size = u.pa->name_size;
+ u.buffer += pad_to_int32(sz_xvAdaptorInfo);
+
++ if (u.buffer + size > end) {
++ status = XvBadReply;
++ goto out;
++ }
+ if ((name = Xmalloc(size + 1)) == NULL) {
+ status = XvBadAlloc;
+ goto out;
+@@ -259,6 +263,11 @@ XvQueryAdaptors(
+
+ pf = pfs;
+ for (jj = 0; jj < pa->num_formats; jj++) {
++ if (u.buffer + sz_xvFormat > end) {
++ Xfree(pfs);
++ status = XvBadReply;
++ goto out;
++ }
+ pf->depth = u.pf->depth;
+ pf->visual_id = u.pf->visual;
+ pf++;
+@@ -327,6 +336,7 @@ XvQueryEncodings(
+ size_t size;
+ unsigned int jj;
+ char *name;
++ char *end;
+ XvEncodingInfo *pes = NULL, *pe;
+ char *buffer = NULL;
+ union {
+@@ -364,17 +374,13 @@ XvQueryEncodings(
+ /* GET ENCODINGS */
+
+ if (rep.num_encodings == 0) {
+- /* If there's no encodings, there's nothing more to do. */
++ /* If there are no encodings, there's nothing more to do. */
+ status = Success;
+ goto out;
+ }
+
+- if (size < (rep.num_encodings * sz_xvEncodingInfo)) {
+- /* If there's not enough data for the number of adaptors,
+- then we have a problem. */
+- status = XvBadReply;
+- goto out;
+- }
++ u.buffer = buffer;
++ end = buffer + size;
+
+ size = rep.num_encodings * sizeof(XvEncodingInfo);
+ if ((pes = Xmalloc(size)) == NULL) {
+@@ -391,10 +397,12 @@ XvQueryEncodings(
+ pe++;
+ }
+
+- u.buffer = buffer;
+-
+ pe = pes;
+ for (jj = 0; jj < rep.num_encodings; jj++) {
++ if (u.buffer + sz_xvEncodingInfo > end) {
++ status = XvBadReply;
++ goto out;
++ }
+ pe->encoding_id = u.pe->encoding;
+ pe->width = u.pe->width;
+ pe->height = u.pe->height;
+@@ -405,6 +413,10 @@ XvQueryEncodings(
+ size = u.pe->name_size;
+ u.buffer += pad_to_int32(sz_xvEncodingInfo);
+
++ if (u.buffer + size > end) {
++ status = XvBadReply;
++ goto out;
++ }
+ if ((name = Xmalloc(size + 1)) == NULL) {
+ status = XvBadAlloc;
+ goto out;
+--
+cgit v0.10.2
+
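Review bot: The bounds checks added by the embedded Xv.c patch are written as pointer additions, e.g. `u.buffer + size > end` and `u.buffer + sz_xvAdaptorInfo > end`. These form a pointer beyond the end of the reply buffer before comparing, which is undefined behaviour in C, so the test a hostile server is meant to trip is the one the compiler is allowed to reason away. Comparing against the remaining length avoids that: `if ((size_t)(end - u.buffer) < size)` for the two name checks, and the same shape with `sz_xvAdaptorInfo`, `sz_xvFormat` and `sz_xvEncodingInfo` for the record checks. That form is only sound while `u.buffer` never passes `end`. The advance past the copied name is outside the visible hunks and presumably uses the padded length, so the name checks would need to validate the padded size rather than the raw `name_size`. Both `XvQueryAdaptors` and `XvQueryEncodings` start and end outside these hunks, so the interaction with the `out:` cleanup path cannot be checked from here.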