author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-10-19 09:58:33 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-10-19 10:02:04 +0000 |
commit | ed1503d2efe5cb5899616fd977454712f4edd679 (patch) | |
tree | 42c247a5d59e8527c6c00d8e110335347093fcd9 | |
parent | 14039a717a7e33d8e8075b6b33815509532e3d74 (diff) | |
main/libxv: security fix (CVE-2016-5407). Fixes #6281
(cherry picked from commit 00c0d0b37ed78ec5eb99beb9d464eea9a59595fd)
-rw-r--r-- | main/libxv/APKBUILD | 16 | ||||
-rw-r--r-- | main/libxv/CVE-2016-5407.patch | 151 |
2 files changed, 163 insertions, 4 deletions
diff --git a/main/libxv/APKBUILD b/main/libxv/APKBUILD
index 4a05c15e0f..0688c29488 100644
--- a/main/libxv/APKBUILD
+++ b/main/libxv/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libxv
 pkgver=1.0.10
-pkgrel=0
+pkgrel=1
 pkgdesc="X11 Video extension library"
 url="http://xorg.freedesktop.org/"
 arch="all"
@@ -11,8 +11,13 @@ depends=
 depends_dev="xproto videoproto libx11-dev libxext-dev"
 makedepends="$depends_dev"
 source="http://xorg.freedesktop.org/releases/individual/lib/libXv-$pkgver.tar.bz2
+ CVE-2016-5407.patch
 "
+# secfixes:
+# 1.0.10-r1:
+# - CVE-2016-5407
+
 _builddir="$srcdir"/libXv-$pkgver
 prepare() {
 cd "$_builddir"
@@ -39,6 +44,9 @@ package() {
 rm "$pkgdir"/usr/lib/*.la || return 1
 install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
 }
-md5sums="e0af49d7d758b990e6fef629722d4aca libXv-1.0.10.tar.bz2"
-sha256sums="55fe92f8686ce8612e2c1bfaf58c057715534419da700bda8d517b1d97914525 libXv-1.0.10.tar.bz2"
-sha512sums="3c9642006dbc7a74f91263aa3a94711a95ee436b03d97ef51fce2bc2f602c25589606e1fcb58287ea0efebb3b9dbe7ef5fcb94e11ad3ec6be7830947a4cefe03 libXv-1.0.10.tar.bz2"
+md5sums="e0af49d7d758b990e6fef629722d4aca libXv-1.0.10.tar.bz2
+64e67ae612b8c2edcff2645f801173ac CVE-2016-5407.patch"
+sha256sums="55fe92f8686ce8612e2c1bfaf58c057715534419da700bda8d517b1d97914525 libXv-1.0.10.tar.bz2
+e04382d00a65077941e15f142e8b9f751de86f1d116404b1fd51bb6ff80dd177 CVE-2016-5407.patch"
+sha512sums="3c9642006dbc7a74f91263aa3a94711a95ee436b03d97ef51fce2bc2f602c25589606e1fcb58287ea0efebb3b9dbe7ef5fcb94e11ad3ec6be7830947a4cefe03 libXv-1.0.10.tar.bz2
+5cfa33741711de6346067d5dafb97030c091497e2826b2ba48e0dc40c7d4e2866f1b2a8cd48530726bbe1fc70fd9ecbc1b0e9269617465a05dbc4caf2c7781f7 CVE-2016-5407.patch"
diff --git a/main/libxv/CVE-2016-5407.patch b/main/libxv/CVE-2016-5407.patch
new file mode 100644
index 0000000000..3b2f69a174
--- /dev/null
+++ b/main/libxv/CVE-2016-5407.patch
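Review bot: The second hunk lists `CVE-2016-5407.patch` in `source`, but nothing visible in this diff shows the patch being applied. `prepare()` is overridden and its body continues past the hunk's last context line (`cd "$_builddir"`). If that body does not already iterate over `$source` and apply each `*.patch` entry, the package would be rebuilt with the new `pkgrel` and a `secfixes` entry while still shipping the unpatched library. It is worth confirming against the full APKBUILD, and checking the built source tree for the new `end` checks in `src/Xv.c`.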
@@ -0,0 +1,151 @@
+From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:30:03 +0200
+Subject: Protocol handling issues in libXv - CVE-2016-5407
+
+The Xv query functions for adaptors and encodings suffer from out of
+boundary accesses if a hostile X server sends a maliciously crafted
+response.
+
+A previous fix already checks the received length against fixed values
+but ignores additional length specifications which are stored inside
+the received data.
+
+These lengths are accessed in a for-loop. The easiest way to guarantee
+a correct processing is by validating all lengths against the
+remaining size left before accessing referenced memory.
+
+This makes the previously applied check obsolete, therefore I removed
+it.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+diff --git a/src/Xv.c b/src/Xv.c
+index e47093a..be450c4 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -158,6 +158,7 @@ XvQueryAdaptors(
+ size_t size;
+ unsigned int ii, jj;
+ char *name;
++ char *end;
+ XvAdaptorInfo *pas = NULL, *pa;
+ XvFormat *pfs, *pf;
+ char *buffer = NULL;
+@@ -197,17 +198,13 @@ XvQueryAdaptors(
+ /* GET INPUT ADAPTORS */
+
+ if (rep.num_adaptors == 0) {
+- /* If there's no adaptors, there's nothing more to do. */
++ /* If there are no adaptors, there's nothing more to do. */
+ status = Success;
+ goto out;
+ }
+
+- if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) {
+- /* If there's not enough data for the number of adaptors,
+- then we have a problem.
*/
+ status = XvBadReply;
+ goto out;
+ }
++ u.buffer = buffer;
++ end = buffer + size;
+
+ size = rep.num_adaptors * sizeof(XvAdaptorInfo);
+ if ((pas = Xmalloc(size)) == NULL) {
+@@ -225,9 +222,12 @@ XvQueryAdaptors(
+ pa++;
+ }
+
+- u.buffer = buffer;
+ pa = pas;
+ for (ii = 0; ii < rep.num_adaptors; ii++) {
++ if (u.buffer + sz_xvAdaptorInfo > end) {
++ status = XvBadReply;
++ goto out;
++ }
+ pa->type = u.pa->type;
+ pa->base_id = u.pa->base_id;
+ pa->num_ports = u.pa->num_ports;
+@@ -239,6 +239,10 @@ XvQueryAdaptors(
+ size = u.pa->name_size;
+ u.buffer += pad_to_int32(sz_xvAdaptorInfo);
+
++ if (u.buffer + size > end) {
++ status = XvBadReply;
++ goto out;
++ }
+ if ((name = Xmalloc(size + 1)) == NULL) {
+ status = XvBadAlloc;
+ goto out;
+@@ -259,6 +263,11 @@ XvQueryAdaptors(
+
+ pf = pfs;
+ for (jj = 0; jj < pa->num_formats; jj++) {
++ if (u.buffer + sz_xvFormat > end) {
++ Xfree(pfs);
++ status = XvBadReply;
++ goto out;
++ }
+ pf->depth = u.pf->depth;
+ pf->visual_id = u.pf->visual;
+ pf++;
+@@ -327,6 +336,7 @@ XvQueryEncodings(
+ size_t size;
+ unsigned int jj;
+ char *name;
++ char *end;
+ XvEncodingInfo *pes = NULL, *pe;
+ char *buffer = NULL;
+ union {
+@@ -364,17 +374,13 @@ XvQueryEncodings(
+ /* GET ENCODINGS */
+
+ if (rep.num_encodings == 0) {
+- /* If there's no encodings, there's nothing more to do. */
++ /* If there are no encodings, there's nothing more to do. */
+ status = Success;
+ goto out;
+ }
+
+- if (size < (rep.num_encodings * sz_xvEncodingInfo)) {
+- /* If there's not enough data for the number of adaptors,
+- then we have a problem.
*/
+ status = XvBadReply;
+ goto out;
+ }
++ u.buffer = buffer;
++ end = buffer + size;
+
+ size = rep.num_encodings * sizeof(XvEncodingInfo);
+ if ((pes = Xmalloc(size)) == NULL) {
+@@ -391,10 +397,12 @@ XvQueryEncodings(
+ pe++;
+ }
+
+- u.buffer = buffer;
+-
+ pe = pes;
+ for (jj = 0; jj < rep.num_encodings; jj++) {
++ if (u.buffer + sz_xvEncodingInfo > end) {
++ status = XvBadReply;
++ goto out;
++ }
+ pe->encoding_id = u.pe->encoding;
+ pe->width = u.pe->width;
+ pe->height = u.pe->height;
+@@ -405,6 +413,10 @@ XvQueryEncodings(
+ size = u.pe->name_size;
+ u.buffer += pad_to_int32(sz_xvEncodingInfo);
+
++ if (u.buffer + size > end) {
++ status = XvBadReply;
++ goto out;
++ }
+ if ((name = Xmalloc(size + 1)) == NULL) {
+ status = XvBadAlloc;
+ goto out;
+--
+cgit v0.10.2
+ |
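Review bot: The added bounds checks build a pointer from a server-supplied length before comparing it, `if (u.buffer + size > end)`, and they test the unpadded size while the cursor advances by the padded one (`u.buffer += pad_to_int32(sz_xvAdaptorInfo)` is visible; the advance past the name lies outside the hunks). Forming a pointer more than one past the end of the reply buffer is undefined behaviour, so the test is more robust written on lengths and on the amount actually consumed, e.g. `if ((size_t)(end - u.buffer) < (size_t)pad_to_int32(size))`, which also keeps `u.buffer` from ever stepping beyond `end`. The same applies to all six checks in XvQueryAdaptors and XvQueryEncodings, whose bodies start and end outside these hunks. Separately, with the up-front `size < rep.num_adaptors * sz_xvAdaptorInfo` test removed, the `Xmalloc` sized by the server-supplied count now runs before any length validation; whether that allocation is bounded depends on the width of the count field, which is not shown here.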