authorNatanael Copa <ncopa@alpinelinux.org>2013-06-06 16:16:02 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-06-06 16:17:03 +0000
commitba5259e879b12c3266333e072624037d67f37be4 (patch)
treec46a7c64ba2ffef0134fe10dbb47ca53282c53cb
parenta2e6a170d7f82935f55d6b1dfd7cd408475983cd (diff)
main/libxxf86dga: upgrade to 1.1.4
-rw-r--r--main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch76
-rw-r--r--main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch52
-rw-r--r--main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch43
-rw-r--r--main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch53
-rw-r--r--main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch40
-rw-r--r--main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch40
-rw-r--r--main/libxxf86dga/APKBUILD14
7 files changed, 6 insertions, 312 deletions
diff --git a/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
deleted file mode 100644
index 5a77d4cc40..0000000000
--- a/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 6fa471be7a005bde97bcb5ca5a17662ea8d32587 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 12:05:25 -0700
-Subject: [PATCH 1/6] Use _XEatDataWords to avoid overflow of rep.length
- shifting
-
-rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- configure.ac | 6 ++++++
- src/XF86DGA2.c | 17 ++++++++++++++++-
- 2 files changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 0558326..955fa3c 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
- # Obtain compiler/linker options for depedencies
- PKG_CHECK_MODULES(XXF86DGA, xproto x11 xextproto xext [xf86dgaproto >= 2.0.99.2])
-
-+# Check for _XEatDataWords function that may be patched into older Xlib release
-+SAVE_LIBS="$LIBS"
-+LIBS="$XXF86DGA_LIBS"
-+AC_CHECK_FUNCS([_XEatDataWords])
-+LIBS="$SAVE_LIBS"
-+
- AC_CONFIG_FILES([Makefile
- src/Makefile
- man/Makefile
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index 964de18..c17c7f1 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -6,6 +6,9 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc
- */
-
- /* THIS IS NOT AN X CONSORTIUM STANDARD */
-+#ifdef HAVE_CONFIG_H
-+#include <config.h>
-+#endif
-
- #ifdef __UNIXOS2__ /* needed here to override certain constants in X headers */
- #define INCL_DOS
-@@ -22,6 +25,18 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc
- #include <stdio.h>
-
- #include <stdint.h>
-+#include <limits.h>
-+
-+#ifndef HAVE__XEATDATAWORDS
-+static inline void _XEatDataWords(Display *dpy, unsigned long n)
-+{
-+# ifndef LONG64
-+ if (n >= (ULONG_MAX >> 2))
-+ _XIOError(dpy);
-+# endif
-+ _XEatData (dpy, n << 2);
-+}
-+#endif
-
- /* If you change this, change the Bases[] array below as well */
- #define MAX_HEADS 16
-@@ -342,7 +357,7 @@ XDGAMode* XDGAQueryModes(
- }
- *num = rep.number;
- } else
-- _XEatData(dpy, rep.length << 2);
-+ _XEatDataWords(dpy, rep.length);
- }
- }
-
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch b/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch
deleted file mode 100644
index c3d190b546..0000000000
--- a/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From f4a8dd63af518640468d82948f450aad4b2b1e6a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 12:18:57 -0700
-Subject: [PATCH 2/6] integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
-
-number is a CARD32 and needs to be bounds checked before multiplying by
-sizeof(XDGAmode) to come up with the total size to allocate, to avoid
-integer overflow leading to underallocation and writing data from the
-network past the end of the allocated buffer.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XF86DGA2.c | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index c17c7f1..8830266 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes(
- if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
- if(rep.length) {
- xXDGAModeInfo info;
-- int i, size;
-+ unsigned long size = 0;
- char *offset;
-
-- size = rep.length << 2;
-- size -= rep.number * sz_xXDGAModeInfo; /* find text size */
-- modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size);
-- offset = (char*)(&modes[rep.number]); /* start of text */
--
-+ if ((rep.length < (INT_MAX >> 2)) &&
-+ (rep.number < (INT_MAX / sizeof(XDGAMode)))) {
-+ size = rep.length << 2;
-+ if (size > (rep.number * sz_xXDGAModeInfo)) {
-+ size -= rep.number * sz_xXDGAModeInfo; /* find text size */
-+ modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size);
-+ offset = (char*)(&modes[rep.number]); /* start of text */
-+ }
-+ }
-
-- if(modes) {
-+ if (modes != NULL) {
-+ unsigned int i;
- for(i = 0; i < rep.number; i++) {
- _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
-
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch b/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch
deleted file mode 100644
index 9123d7f3ba..0000000000
--- a/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 5dcfa6a8cf2df39828da733e5945e730518c27b3 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 12:27:10 -0700
-Subject: [PATCH 3/6] buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
-
-When reading the name strings for the modes off the network, we never
-checked to make sure the length of the individual name strings didn't
-overflow the size of the buffer we'd allocated based on the reported
-rep.length for the total reply size.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XF86DGA2.c | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index 8830266..b5145ee 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes(
- modes[i].reserved1 = info.reserved1;
- modes[i].reserved2 = info.reserved2;
-
-- _XRead(dpy, offset, info.name_size);
-- modes[i].name = offset;
-- offset += info.name_size;
-+ if (info.name_size > 0 && info.name_size <= size) {
-+ _XRead(dpy, offset, info.name_size);
-+ modes[i].name = offset;
-+ modes[i].name[info.name_size - 1] = '\0';
-+ offset += info.name_size;
-+ size -= info.name_size;
-+ } else {
-+ _XEatData(dpy, info.name_size);
-+ modes[i].name = NULL;
-+ }
- }
- *num = rep.number;
- } else
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch b/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
deleted file mode 100644
index 7a44a074ba..0000000000
--- a/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From f89cf306a60facdf102696840bc05acebd7d1772 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 12:38:25 -0700
-Subject: [PATCH 4/6] integer overflow & underflow in XDGASetMode()
- [CVE-2013-1991 2/2]
-
-rep.length is a CARD32 and needs to be bounds checked before bit shifting
-and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
-to avoid integer overflow or underflow leading to underallocation and
-writing data from the network past the end of the allocated buffer.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XF86DGA2.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index b5145ee..90ca918 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -405,12 +405,15 @@ XDGASetMode(
- if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
- if(rep.length) {
- xXDGAModeInfo info;
-- int size;
-+ unsigned long size;
-
-- size = rep.length << 2;
-- size -= sz_xXDGAModeInfo; /* get text size */
-+ if ((rep.length < (INT_MAX >> 2)) &&
-+ (rep.length > (sz_xXDGAModeInfo >> 2))) {
-+ size = rep.length << 2;
-+ size -= sz_xXDGAModeInfo; /* get text size */
-
-- dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
-+ dev = Xmalloc(sizeof(XDGADevice) + size);
-+ }
-
- if(dev) {
- _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
-@@ -451,6 +454,8 @@ XDGASetMode(
- dev->data += rep.offset;
- }
- /* not sure what to do if the allocation fails */
-+ else
-+ _XEatDataWords(dpy, rep.length);
- }
- }
-
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch b/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch
deleted file mode 100644
index 70ed6aef78..0000000000
--- a/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From b69d6d51a82b1d1e8c68a233360acb742c879375 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 12:45:41 -0700
-Subject: [PATCH 5/6] buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
-
-When reading the name strings for the mode off the network, we never
-checked to make sure the length of the name strings didn't overflow
-the size of the buffer we'd allocated based on the reported rep.length
-for the total reply size.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XF86DGA2.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index 90ca918..4d13677 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -444,8 +444,14 @@ XDGASetMode(
- dev->mode.reserved1 = info.reserved1;
- dev->mode.reserved2 = info.reserved2;
-
-- dev->mode.name = (char*)(&dev[1]);
-- _XRead(dpy, dev->mode.name, info.name_size);
-+ if (info.name_size > 0 && info.name_size <= size) {
-+ dev->mode.name = (char*)(&dev[1]);
-+ _XRead(dpy, dev->mode.name, info.name_size);
-+ dev->mode.name[info.name_size - 1] = '\0';
-+ } else {
-+ dev->mode.name = NULL;
-+ _XEatDataWords(dpy, rep.length);
-+ }
-
- dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
- dev->data = XDGAGetMappedMemory(screen);
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch b/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch
deleted file mode 100644
index c21b1261fd..0000000000
--- a/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a8dc6be3213bc91dec5e25535ef4bad5a9456af0 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 12:53:49 -0700
-Subject: [PATCH 6/6] integer overflow in XDGAOpenFramebuffer()
-
-rep.length is a CARD32 and should be bounds checked before left shifting
-to come up with the size to allocate and read from the network, though
-since both functions take the same size, there should be no way for the
-buffer to be overflowed in this case.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XF86DGA2.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index 4d13677..9c656e6 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer(
- return False;
- }
-
-- if(rep.length) {
-- deviceName = Xmalloc(rep.length << 2);
-- _XRead(dpy, deviceName, rep.length << 2);
-+ if (rep.length) {
-+ if (rep.length < (INT_MAX >> 2)) {
-+ unsigned long size = rep.length << 2;
-+ deviceName = Xmalloc(size);
-+ _XRead(dpy, deviceName, size);
-+ deviceName[size - 1] = '\0';
-+ } else
-+ _XEatDataWords(dpy, rep.length);
- }
-
- ret = XDGAMapFramebuffer(screen, deviceName,
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/APKBUILD b/main/libxxf86dga/APKBUILD
index ecb2143441..464301d61c 100644
--- a/main/libxxf86dga/APKBUILD
+++ b/main/libxxf86dga/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxxf86dga
-pkgver=1.1.3
-pkgrel=1
+pkgver=1.1.4
+pkgrel=0
pkgdesc="X11 Direct Graphics Access extension library"
url="http://xorg.freedesktop.org/"
arch="all"
@@ -9,7 +9,7 @@ license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
depends_dev="xf86dgaproto libxext-dev libx11-dev"
-makedepends="$depends_dev libtool autoconf automake util-macros"
+makedepends="$depends_dev"
source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86dga-$pkgver.tar.bz2"
_builddir="$srcdir"/libXxf86dga-$pkgver
@@ -20,8 +20,6 @@ prepare() {
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
- libtoolize --force && aclocal && autoheader && autoconf \
- && automake --add-missing
}
build() {
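Review bot: Nothing in the APKBUILD or the commit message records that the security fixes carried by the six deleted patches (their subjects name CVE-2013-1991 and CVE-2013-2000) are present in 1.1.4. `source=` lists only the upstream tarball, so from this commit on the `*.patch)` case kept as context in this hunk applies nothing and the build relies entirely on the upstream release for those fixes. Once that is confirmed against the upstream 1.1.4 release notes, I would add a line such as `# 1.1.4 includes the upstream fixes for CVE-2013-1991 and CVE-2013-2000; local patches 0001-0006 dropped` next to `pkgver`. The patch loop in prepare() looks like dead code now, though its head is outside the hunk, so either remove it or keep it deliberately for future patches.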
@@ -35,6 +33,6 @@ package() {
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la
}
-md5sums="b7f38465c46e7145782d37dbb9da8c09 libXxf86dga-1.1.3.tar.bz2"
-sha256sums="551fa374dbef0f977de1f35d005fa9ffe92b7a87e82dbe62d6a4640f5b0b4994 libXxf86dga-1.1.3.tar.bz2"
-sha512sums="84129573f7491dff92c7072312bbadac7e7b9698b937e65c7bbf94d9b2e17a5448743e557c92c196738ddaa6d70917300f73c943e0c2507402df7bc31d5dd6d0 libXxf86dga-1.1.3.tar.bz2"
+md5sums="d7dd9b9df336b7dd4028b6b56542ff2c libXxf86dga-1.1.4.tar.bz2"
+sha256sums="8eecd4b6c1df9a3704c04733c2f4fa93ef469b55028af5510b25818e2456c77e libXxf86dga-1.1.4.tar.bz2"
+sha512sums="58d81a7850275fc8382018bcc56dbc65b4200828b1f1379dcee3da1878f12a83ee681a9d474bcd564d99bf93bedfeb7b243370e0ebb89177652b37cee158a3f2 libXxf86dga-1.1.4.tar.bz2"
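Review bot: The new checksum lines are the only integrity check on the 1.1.4 tarball, because the `source=` URL shown as context in the second APKBUILD hunk is plain `http://`. The commit does not say where the hashes came from; if they were computed from a download over that same channel, they only pin whatever was received. I would compare the `sha256sums` value with the digest published in the upstream release announcement (verifying its signature if one is available) and say so in the commit message. The `md5sums` entry should be treated as informational only, since MD5 gives no collision resistance.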