authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:14:10 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:16:48 +0000
commitf4a1e4bfe936b7b1c1364a8ebc769145f060ce25 (patch)
treea99742771afbe580dfaf321e596ca12a09c2d643
parent596f76568714ab83fed8fef00c69f6493e6996e3 (diff)
downloadaports-f4a1e4bfe936b7b1c1364a8ebc769145f060ce25.tar.bz2
aports-f4a1e4bfe936b7b1c1364a8ebc769145f060ce25.tar.xz
main/libxrandr: fix CVE-2013-1986
ref #1931
-rw-r--r--main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch36
-rw-r--r--main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch221
-rw-r--r--main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch60
-rw-r--r--main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch55
-rw-r--r--main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch81
-rw-r--r--main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch81
-rw-r--r--main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch74
-rw-r--r--main/libxrandr/APKBUILD57
8 files changed, 658 insertions, 7 deletions
diff --git a/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch b/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
new file mode 100644
index 0000000000..8c5eccb9fe
--- /dev/null
+++ b/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
@@ -0,0 +1,36 @@
+From 99a63d10cbbab7d69a52d25d78795a3278506ea9 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 18 Jan 2013 23:14:01 -0800
+Subject: [PATCH 1/7] Replace deprecated Automake INCLUDES variable with
+ AM_CPPFLAGS
+
+Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
+
+ - Support for the long-deprecated INCLUDES variable will be removed
+ altogether in Automake 1.14. The AM_CPPFLAGS variable should be
+ used instead.
+
+This variable was deprecated in Automake releases prior to 1.10, which is
+the current minimum level required to build X.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 7a47b9c..2113846 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -19,7 +19,7 @@ AM_CFLAGS = \
+ $(MALLOC_ZERO_CFLAGS) \
+ $(CWARNFLAGS)
+
+-INCLUDES = -I$(top_srcdir)/include/X11/extensions
++AM_CPPFLAGS = -I$(top_srcdir)/include/X11/extensions
+
+ libXrandr_la_LDFLAGS = -version-number 2:2:0 -no-undefined
+
+--
+1.8.2.3
+
diff --git a/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch b/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
new file mode 100644
index 0000000000..4104b444eb
--- /dev/null
+++ b/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
@@ -0,0 +1,221 @@
+From 1c7ad6773ce6be00dcd6e51e9be08f203abe5071 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 3 May 2013 23:29:22 -0700
+Subject: [PATCH 2/7] Use _XEatDataWords to avoid overflow of rep.length bit
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/Xrandrint.h | 13 +++++++++++++
+ src/XrrCrtc.c | 6 +++---
+ src/XrrOutput.c | 2 +-
+ src/XrrProperty.c | 9 ++++-----
+ src/XrrProvider.c | 4 ++--
+ src/XrrProviderProperty.c | 9 ++++-----
+ src/XrrScreen.c | 2 +-
+ 8 files changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 3f28bef..8466999 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -55,6 +55,12 @@ AC_SUBST(RANDR_VERSION)
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(RANDR, x11 randrproto >= $RANDR_VERSION xext xextproto xrender renderproto)
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$RANDR_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ src/Makefile
+ man/Makefile
+diff --git a/src/Xrandrint.h b/src/Xrandrint.h
+index aed10e4..1687c29 100644
+--- a/src/Xrandrint.h
++++ b/src/Xrandrint.h
+@@ -42,6 +42,19 @@ extern char XRRExtensionName[];
+
+ XExtDisplayInfo *XRRFindDisplay (Display *dpy);
+
++#ifndef HAVE__XEATDATAWORDS
++#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
++#include <limits.h>
++
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ /* deliberately opaque internal data structure; can be extended,
+ but not reordered */
+diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
+index 04087c5..a704a52 100644
+--- a/src/XrrCrtc.c
++++ b/src/XrrCrtc.c
+@@ -74,7 +74,7 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
+
+ xci = (XRRCrtcInfo *) Xmalloc(rbytes);
+ if (xci == NULL) {
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+@@ -203,7 +203,7 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
+
+ if (!crtc_gamma)
+ {
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords (dpy, rep.length);
+ goto out;
+ }
+ _XRead16 (dpy, crtc_gamma->red, rep.size * 2);
+@@ -397,7 +397,7 @@ XRRGetCrtcTransform (Display *dpy,
+ int extraBytes = rep.length * 4 - CrtcTransformExtra;
+ extra = Xmalloc (extraBytes);
+ if (!extra) {
+- _XEatData (dpy, extraBytes);
++ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return False;
+diff --git a/src/XrrOutput.c b/src/XrrOutput.c
+index f13a932..4df894e 100644
+--- a/src/XrrOutput.c
++++ b/src/XrrOutput.c
+@@ -81,7 +81,7 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
+
+ xoi = (XRROutputInfo *) Xmalloc(rbytes);
+ if (xoi == NULL) {
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+diff --git a/src/XrrProperty.c b/src/XrrProperty.c
+index 4c3fdb0..2b065b2 100644
+--- a/src/XrrProperty.c
++++ b/src/XrrProperty.c
+@@ -62,7 +62,7 @@ XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
+
+ props = (Atom *) Xmalloc (rbytes);
+ if (props == NULL) {
+- _XEatData (dpy, nbytes);
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ *nprop = 0;
+@@ -107,7 +107,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
+
+ prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
+ if (prop_info == NULL) {
+- _XEatData (dpy, nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+@@ -313,14 +313,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
+ * This part of the code should never be reached. If it is,
+ * the server sent back a property with an invalid format.
+ */
+- nbytes = rep.length << 2;
+- _XEatData(dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return(BadImplementation);
+ }
+ if (! *prop) {
+- _XEatData(dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return(BadAlloc);
+diff --git a/src/XrrProvider.c b/src/XrrProvider.c
+index fcd06ff..309e321 100644
+--- a/src/XrrProvider.c
++++ b/src/XrrProvider.c
+@@ -67,7 +67,7 @@ XRRGetProviderResources(Display *dpy, Window window)
+ xrpr = (XRRProviderResources *) Xmalloc(rbytes);
+
+ if (xrpr == NULL) {
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+@@ -136,7 +136,7 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
+
+ xpi = (XRRProviderInfo *)Xmalloc(rbytes);
+ if (xpi == NULL) {
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
+index c8c08e9..2d90a0a 100644
+--- a/src/XrrProviderProperty.c
++++ b/src/XrrProviderProperty.c
+@@ -62,7 +62,7 @@ XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
+
+ props = (Atom *) Xmalloc (rbytes);
+ if (props == NULL) {
+- _XEatData (dpy, nbytes);
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ *nprop = 0;
+@@ -107,7 +107,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
+
+ prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
+ if (prop_info == NULL) {
+- _XEatData (dpy, nbytes);
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+@@ -313,14 +313,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
+ * This part of the code should never be reached. If it is,
+ * the server sent back a property with an invalid format.
+ */
+- nbytes = rep.length << 2;
+- _XEatData(dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return(BadImplementation);
+ }
+ if (! *prop) {
+- _XEatData(dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return(BadAlloc);
+diff --git a/src/XrrScreen.c b/src/XrrScreen.c
+index f830913..08710b6 100644
+--- a/src/XrrScreen.c
++++ b/src/XrrScreen.c
+@@ -129,7 +129,7 @@ doGetScreenResources (Display *dpy, Window window, int poll)
+ if (xrsr == NULL || wire_names == NULL) {
+ if (xrsr) Xfree (xrsr);
+ if (wire_names) Xfree (wire_names);
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+--
+1.8.2.3
+
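Review bot: The `_XEatDataWords` fallback added to Xrandrint.h is only compiled out when `HAVE__XEATDATAWORDS` is visible, and that macro comes from config.h via the new `AC_CHECK_FUNCS([_XEatDataWords])`; if any src/*.c includes Xrandrint.h before config.h (the include order is not shown here), the `static inline` definition is emitted even when Xlib already exports the symbol and will collide with the non-static declaration in Xlibint.h. Worth confirming that every translation unit includes config.h first, or adding a comment above the `#ifndef HAVE__XEATDATAWORDS` block stating that requirement. A second point in the XrrCrtc.c and XrrOutput.c hunks: `rep.length - (CrtcTransformExtra >> 2)` and `rep.length - (OutputInfoExtra >> 2)` are unsigned subtractions that wrap to a huge word count if a reply is shorter than its fixed part; if `rep.length` is not checked against that minimum before these lines (not visible in the hunk), the drain would attempt to consume far more than the reply carries, which on the LONG64 path is not caught by the `ULONG_MAX >> 2` guard either.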
diff --git a/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch b/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
new file mode 100644
index 0000000000..0d07f5459d
--- /dev/null
+++ b/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
@@ -0,0 +1,60 @@
+From 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 12 Apr 2013 21:44:59 -0700
+Subject: [PATCH 3/7] integer overflow in XRRQueryOutputProperty()
+ [CVE-2013-1986 1/4]
+
+rep.length is a CARD32, while rbytes was a signed int, so
+ rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
+could result in integer overflow, leading to an undersized malloc
+and reading data off the connection and writing it past the end of
+the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XrrProperty.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/XrrProperty.c b/src/XrrProperty.c
+index 2b065b2..50382bf 100644
+--- a/src/XrrProperty.c
++++ b/src/XrrProperty.c
+@@ -31,6 +31,7 @@
+ #include <X11/extensions/render.h>
+ #include <X11/extensions/Xrender.h>
+ #include "Xrandrint.h"
++#include <limits.h>
+
+ Atom *
+ XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
+@@ -84,7 +85,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
+ XExtDisplayInfo *info = XRRFindDisplay(dpy);
+ xRRQueryOutputPropertyReply rep;
+ xRRQueryOutputPropertyReq *req;
+- int rbytes, nbytes;
++ unsigned int rbytes, nbytes;
+ XRRPropertyInfo *prop_info;
+
+ RRCheckExtension (dpy, info, NULL);
+@@ -102,10 +103,14 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
+ return NULL;
+ }
+
+- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
+- nbytes = rep.length << 2;
++ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
++ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
++ nbytes = rep.length << 2;
++
++ prop_info = Xmalloc (rbytes);
++ } else
++ prop_info = NULL;
+
+- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
+ if (prop_info == NULL) {
+ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+--
+1.8.2.3
+
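Review bot: The `} else` branch that sets `prop_info = NULL;` is unbraced while the `if` branch is braced; brace it for consistency with the surrounding style, and the same applies to the identical construct in the 0004 patch. The bound itself is sound: it keeps `rep.length * sizeof (long)` below INT_MAX even though `rbytes` is now `unsigned int`, and the oversized reply is still drained through `_XEatDataWords(dpy, rep.length)` before NULL is returned. Since a caller cannot distinguish an absurd server-supplied length from an allocation failure, a one-line comment above the check would help, e.g. `/* Reject replies whose data would overflow rbytes; handled like an allocation failure below. */`. XRRQueryOutputProperty's body continues past the end of the hunk, so whether `nbytes` is still used afterwards cannot be confirmed here.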
diff --git a/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch b/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
new file mode 100644
index 0000000000..d55f91def0
--- /dev/null
+++ b/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
@@ -0,0 +1,55 @@
+From 1da5b838c2a8565d4d95a4e948f951ce6b466345 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 12 Apr 2013 21:44:59 -0700
+Subject: [PATCH 4/7] integer overflow in XRRQueryProviderProperty()
+ [CVE-2013-1986 2/4]
+
+Same problem as XRRQueryOutputProperty() that it was cloned from
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XrrProviderProperty.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
+index 2d90a0a..dc699f6 100644
+--- a/src/XrrProviderProperty.c
++++ b/src/XrrProviderProperty.c
+@@ -31,6 +31,7 @@
+ #include <X11/extensions/render.h>
+ #include <X11/extensions/Xrender.h>
+ #include "Xrandrint.h"
++#include <limits.h>
+
+ Atom *
+ XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
+@@ -84,7 +85,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
+ XExtDisplayInfo *info = XRRFindDisplay(dpy);
+ xRRQueryProviderPropertyReply rep;
+ xRRQueryProviderPropertyReq *req;
+- int rbytes, nbytes;
++ unsigned int rbytes, nbytes;
+ XRRPropertyInfo *prop_info;
+
+ RRCheckExtension (dpy, info, NULL);
+@@ -102,10 +103,14 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
+ return NULL;
+ }
+
+- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
+- nbytes = rep.length << 2;
++ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
++ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
++ nbytes = rep.length << 2;
++
++ prop_info = Xmalloc (rbytes);
++ } else
++ prop_info = NULL;
+
+- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
+ if (prop_info == NULL) {
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+--
+1.8.2.3
+
diff --git a/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch b/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
new file mode 100644
index 0000000000..225924c639
--- /dev/null
+++ b/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
@@ -0,0 +1,81 @@
+From 289a1927949e6f278c18d115772e454837702e35 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 4 May 2013 21:37:49 -0700
+Subject: [PATCH 5/7] integer overflow in XRRGetOutputProperty() [CVE-2013-1986
+ 3/4]
+
+If the reported number of properties is too large, the calculations
+to allocate memory for them may overflow, leaving us returning less
+memory to the caller than implied by the value written to *nitems.
+
+(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XrrProperty.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/src/XrrProperty.c b/src/XrrProperty.c
+index 50382bf..707a28d 100644
+--- a/src/XrrProperty.c
++++ b/src/XrrProperty.c
+@@ -257,7 +257,7 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
+ XExtDisplayInfo *info = XRRFindDisplay(dpy);
+ xRRGetOutputPropertyReply rep;
+ xRRGetOutputPropertyReq *req;
+- long nbytes, rbytes;
++ unsigned long nbytes, rbytes;
+
+ RRCheckExtension (dpy, info, 1);
+
+@@ -282,34 +282,40 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
+
+ *prop = (unsigned char *) NULL;
+ if (rep.propertyType != None) {
++ int format = rep.format;
++
++ /*
++ * Protect against both integer overflow and just plain oversized
++ * memory allocation - no server should ever return this many props.
++ */
++ if (rep.nItems >= (INT_MAX >> 4))
++ format = -1; /* fall through to default error case */
++
+ /*
+ * One extra byte is malloced than is needed to contain the property
+ * data, but this last byte is null terminated and convenient for
+ * returning string properties, so the client doesn't then have to
+ * recopy the string to make it null terminated.
+ */
+- switch (rep.format) {
++ switch (format) {
+ case 8:
+ nbytes = rep.nItems;
+ rbytes = rep.nItems + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
++ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
+ _XReadPad (dpy, (char *) *prop, nbytes);
+ break;
+
+ case 16:
+ nbytes = rep.nItems << 1;
+ rbytes = rep.nItems * sizeof (short) + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
++ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
+ _XRead16Pad (dpy, (short *) *prop, nbytes);
+ break;
+
+ case 32:
+ nbytes = rep.nItems << 2;
+ rbytes = rep.nItems * sizeof (long) + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
++ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
+ _XRead32 (dpy, (long *) *prop, nbytes);
+ break;
+
+--
+1.8.2.3
+
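Review bot: With `nbytes`/`rbytes` now `unsigned long`, the three `rbytes > 0 &&` guards in the 8/16/32 cases are always true (rbytes is nItems plus one and nItems is capped below `INT_MAX >> 4`), so they read as a check that no longer exists; either drop them or replace them with the condition that actually matters. Nothing in the hunk cross-checks `rep.nItems` against `rep.length`, the wire length in words: a reply advertising more items than it carries would make `_XReadPad`/`_XRead16Pad`/`_XRead32` read into the following reply and desynchronise the connection rather than overrun the buffer; if such a check lives outside the hunk, ignore this. The same applies to the 0006 patch. The cap comment could also state what the limit must accommodate, i.e. the `rep.nItems * sizeof (long) + 1` allocation of the 32-bit case on both 32- and 64-bit builds, so the constant is not changed blindly later.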
diff --git a/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch b/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
new file mode 100644
index 0000000000..cdc616a319
--- /dev/null
+++ b/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
@@ -0,0 +1,81 @@
+From 4254bf0ee4c7a8f9d03841cf0d8e16cbb201dfbd Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 4 May 2013 21:37:49 -0700
+Subject: [PATCH 6/7] integer overflow in XRRGetProviderProperty()
+ [CVE-2013-1986 4/4]
+
+If the reported number of properties is too large, the calculations
+to allocate memory for them may overflow, leaving us returning less
+memory to the caller than implied by the value written to *nitems.
+
+(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XrrProviderProperty.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
+index dc699f6..6989580 100644
+--- a/src/XrrProviderProperty.c
++++ b/src/XrrProviderProperty.c
+@@ -257,7 +257,7 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
+ XExtDisplayInfo *info = XRRFindDisplay(dpy);
+ xRRGetProviderPropertyReply rep;
+ xRRGetProviderPropertyReq *req;
+- long nbytes, rbytes;
++ unsigned long nbytes, rbytes;
+
+ RRCheckExtension (dpy, info, 1);
+
+@@ -282,34 +282,40 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
+
+ *prop = (unsigned char *) NULL;
+ if (rep.propertyType != None) {
++ int format = rep.format;
++
++ /*
++ * Protect against both integer overflow and just plain oversized
++ * memory allocation - no server should ever return this many props.
++ */
++ if (rep.nItems >= (INT_MAX >> 4))
++ format = -1; /* fall through to default error case */
++
+ /*
+ * One extra byte is malloced than is needed to contain the property
+ * data, but this last byte is null terminated and convenient for
+ * returning string properties, so the client doesn't then have to
+ * recopy the string to make it null terminated.
+ */
+- switch (rep.format) {
++ switch (format) {
+ case 8:
+ nbytes = rep.nItems;
+ rbytes = rep.nItems + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
++ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
+ _XReadPad (dpy, (char *) *prop, nbytes);
+ break;
+
+ case 16:
+ nbytes = rep.nItems << 1;
+ rbytes = rep.nItems * sizeof (short) + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
++ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
+ _XRead16Pad (dpy, (short *) *prop, nbytes);
+ break;
+
+ case 32:
+ nbytes = rep.nItems << 2;
+ rbytes = rep.nItems * sizeof (long) + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
++ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
+ _XRead32 (dpy, (long *) *prop, nbytes);
+ break;
+
+--
+1.8.2.3
+
diff --git a/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch b/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch
new file mode 100644
index 0000000000..659b9c1752
--- /dev/null
+++ b/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch
@@ -0,0 +1,74 @@
+From c90f74497dbcb96854346435349c6e2207b530c5 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 4 May 2013 21:47:50 -0700
+Subject: [PATCH 7/7] Make XRRGet*Property() always initialize returned values
+
+Avoids memory corruption and other errors when callers access them
+without checking to see if the calls returned an error value.
+
+Callers are still required to check for errors, this just reduces the
+damage when they don't.
+
+(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XrrProperty.c | 8 +++++++-
+ src/XrrProviderProperty.c | 8 +++++++-
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/XrrProperty.c b/src/XrrProperty.c
+index 707a28d..2096c56 100644
+--- a/src/XrrProperty.c
++++ b/src/XrrProperty.c
+@@ -259,6 +259,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
+ xRRGetOutputPropertyReq *req;
+ unsigned long nbytes, rbytes;
+
++ /* Always initialize return values, in case callers fail to initialize
++ them and fail to check the return code for an error. */
++ *actual_type = None;
++ *actual_format = 0;
++ *nitems = *bytes_after = 0L;
++ *prop = (unsigned char *) NULL;
++
+ RRCheckExtension (dpy, info, 1);
+
+ LockDisplay (dpy);
+@@ -280,7 +287,6 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
+ return ((xError *)&rep)->errorCode;
+ }
+
+- *prop = (unsigned char *) NULL;
+ if (rep.propertyType != None) {
+ int format = rep.format;
+
+diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
+index 6989580..34cc082 100644
+--- a/src/XrrProviderProperty.c
++++ b/src/XrrProviderProperty.c
+@@ -259,6 +259,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
+ xRRGetProviderPropertyReq *req;
+ unsigned long nbytes, rbytes;
+
++ /* Always initialize return values, in case callers fail to initialize
++ them and fail to check the return code for an error. */
++ *actual_type = None;
++ *actual_format = 0;
++ *nitems = *bytes_after = 0L;
++ *prop = (unsigned char *) NULL;
++
+ RRCheckExtension (dpy, info, 1);
+
+ LockDisplay (dpy);
+@@ -280,7 +287,6 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
+ return ((xError *)&rep)->errorCode;
+ }
+
+- *prop = (unsigned char *) NULL;
+ if (rep.propertyType != None) {
+ int format = rep.format;
+
+--
+1.8.2.3
+
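Review bot: The contract change is undocumented: after this patch XRRGetOutputProperty and XRRGetProviderProperty set `*actual_type = None`, `*actual_format = 0`, `*nitems = *bytes_after = 0` and `*prop = NULL` before anything else, so every error path, including the `RRCheckExtension` early return if that macro returns as its third argument suggests, leaves the out-parameters defined while callers are still expected to check the return code. That guarantee belongs next to both prototypes in the public header or man page, e.g. `/* On any error the output parameters are reset: type None, format 0, counts 0, prop NULL. Check the return value. */`. Note also that the stores now precede the extension check, so the out-pointers must be valid even when RandR is absent; that was already effectively required on the success paths, so it is not a regression, just worth stating.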
diff --git a/main/libxrandr/APKBUILD b/main/libxrandr/APKBUILD
index 94499cb9b8..e4228018d5 100644
--- a/main/libxrandr/APKBUILD
+++ b/main/libxrandr/APKBUILD
@@ -1,20 +1,40 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxrandr
pkgver=1.4.0
-pkgrel=0
+pkgrel=1
pkgdesc="X11 RandR extension library"
url="http://xorg.freedesktop.org/"
arch="all"
license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
-makedepends="pkgconfig libxext-dev libxrender-dev randrproto libx11-dev"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXrandr-$pkgver.tar.bz2"
-
depends_dev="xproto randrproto libx11-dev libxext-dev libxrender-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXrandr-$pkgver.tar.bz2
+ 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+ 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+ 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
+ 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
+ 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
+ 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
+ 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch
+ "
+
+
+_builddir="$srcdir"/libXrandr-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+ libtoolize --force && aclocal && autoheader && autoconf \
+ && automake --add-missing
+}
build() {
- cd "$srcdir"/libXrandr-$pkgver
+ cd "$_builddir"
./configure --prefix=/usr \
--sysconfdir=/etc \
|| return 1
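Review bot: The `libtoolize --force && aclocal && autoheader && autoconf && automake --add-missing` line in prepare() regenerates the entire autotools build system but nothing says why; patch 0002 edits configure.ac to probe for `_XEatDataWords`, so the regeneration is required, not optional. A comment such as `# 0002-*.patch changes configure.ac; regenerate so HAVE__XEATDATAWORDS is probed` would stop a future maintainer from dropping the autotools makedepends to simplify the build, which would silently compile the header's fallback `_XEatDataWords` unconditionally. Minor style: the two blank lines before `_builddir=` can be reduced to one, and `msg $i` / `patch ... $i` could quote `"$i"` like the surrounding paths even though `$source` entries contain no whitespace here.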
@@ -22,9 +42,32 @@ build() {
}
package() {
- cd "$srcdir"/libXrandr-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
-md5sums="0c843636124cc1494e3d87df16957672 libXrandr-1.4.0.tar.bz2"
+md5sums="0c843636124cc1494e3d87df16957672 libXrandr-1.4.0.tar.bz2
+d40ab63148e3a7c31f3548097c48d507 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+f79a519bdf980c7ef92e18aa3a2c16ca 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+41e672b46e9e3d25c8eb2e86cea29ed1 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
+e2bb9968f01fc41f53e6457f60bdfae0 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
+7d65549f48058f8f9bf9e527d03bbb08 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
+486e84c4089b4f5120cbbc605e732f5b 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
+0883bd4a4e0360e54968f9e4887c03c8 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch"
+sha256sums="033ad0ac2f012afb05268660f6d78705c85f84689f92fa7b47ce12959b15f5c3 libXrandr-1.4.0.tar.bz2
+fc55395c3a275b9c2bce1cd17caf3963b57afb424e95504cf84ed3ab3bf58e19 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+7ca77f1f0e5f7a1febc76e2957c3705d6378c1af6944616735bacc194bc81097 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+847f2b8da4e9d9346d273fd541830a0d6d457857cea576394c2117c5dcbcf356 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
+a537b5ca75a88c5b1ccc862775e4512fb57c4665eb6245c59b3160250ac02ba8 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
+2b84742ed038b96625cc0486e47e3b85e6bd9700a8095b7b65d9dc8a93087dfc 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
+8daabc77bfbcef87d7e52478306fd2774b0c3b59afc7d002d413c7fd6598b93c 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
+03b9c156b04cbe934978983e6a4fff427fd9230b39408b20bbdb4768a7a06bb4 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch"
+sha512sums="a97f2442c7f73786e5d3fae9a98b172ac1cb17b1584a7bad243128fc755b25a41cc7e32ceed10eb8eac733ff137b95504485967716f0122edf6682db6065a289 libXrandr-1.4.0.tar.bz2
+11584e52674a6d1216d5586f578962464f8e6942653a3bce7ddf3af27ea28d604e9ce989635b1db051147f5046ed0593601d74277a86c2776e84ff1c5350a9df 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+ce19127f19d5b932b68de1f336335587bdda4db791b20d26488dcba00a9e303832c679033e59d1f2602f24c8519fe909c24199226ab2b651863b60a7a1e2a5c6 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+228c64d64c839682cb7523cd6dd9153d0acf76e7d9e88a7e73c24bc4536b9dcbf5a500d7fd33ba373f605a0e9d0a770899c1b44a25f9d7468db6de46d0702152 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
+1784174229c46575431eb6a0e05ccac631c3d843ed2742cd89ec8f28866c0e10881ab1c1e30fab5831ba0cb066ece0debbbeb98c7bb4a528768dd8342f42f7b2 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
+14d508d519ca972ee6e521597b16663e78b3f44bcbada97d6ba797cec2b09392daeaf673e02670af0d0f6f71ac5c8e8cb8aa75546ec46cb92ecb6f9190990bca 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
+ec6996991010498de70ad69d55d8a7b2bb5f5f751af567d6be385166d485e145920356a9a3b87603be924121e0202251f6dca96c1af2bd6328961c5fa286d8d1 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
+0d7804c66749090a72bd52297948b7b27c51d77773e57d62e905a7b45d349a77c9857933d85a9e22ce9a2d249ed6ed492fc80040193652ddebe47bd7c558562e 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch"