author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:14:10 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:16:48 +0000 |
commit | f4a1e4bfe936b7b1c1364a8ebc769145f060ce25 (patch) | |
tree | a99742771afbe580dfaf321e596ca12a09c2d643 | |
parent | 596f76568714ab83fed8fef00c69f6493e6996e3 (diff) | |
download | aports-f4a1e4bfe936b7b1c1364a8ebc769145f060ce25.tar.bz2 aports-f4a1e4bfe936b7b1c1364a8ebc769145f060ce25.tar.xz |
main/libxrandr: fix CVE-2013-1986
ref #1931
8 files changed, 658 insertions, 7 deletions
diff --git a/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch b/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
new file mode 100644
index 0000000000..8c5eccb9fe
--- /dev/null
+++ b/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
@@ -0,0 +1,36 @@
+From 99a63d10cbbab7d69a52d25d78795a3278506ea9 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 18 Jan 2013 23:14:01 -0800
+Subject: [PATCH 1/7] Replace deprecated Automake INCLUDES variable with
+ AM_CPPFLAGS
+
+Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
+
+ - Support for the long-deprecated INCLUDES variable will be removed
+ altogether in Automake 1.14. The AM_CPPFLAGS variable should be
+ used instead.
+
+This variable was deprecated in Automake releases prior to 1.10, which is
+the current minimum level required to build X.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 7a47b9c..2113846 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -19,7 +19,7 @@ AM_CFLAGS = \
+ 	$(MALLOC_ZERO_CFLAGS) \
+ 	$(CWARNFLAGS)
+
+-INCLUDES = -I$(top_srcdir)/include/X11/extensions
++AM_CPPFLAGS = -I$(top_srcdir)/include/X11/extensions
+
+ libXrandr_la_LDFLAGS = -version-number 2:2:0 -no-undefined
+
+--
+1.8.2.3
+
diff --git a/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch b/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
new file mode 100644
index 0000000000..4104b444eb
--- /dev/null
+++ b/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
@@ -0,0 +1,221 @@ +From 1c7ad6773ce6be00dcd6e51e9be08f203abe5071 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 3 May 2013 23:29:22 -0700 +Subject: [PATCH 2/7] Use _XEatDataWords to avoid overflow of rep.length bit + shifting + +rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + configure.ac | 6 ++++++ + src/Xrandrint.h | 13 +++++++++++++ + src/XrrCrtc.c | 6 +++--- + src/XrrOutput.c | 2 +- + src/XrrProperty.c | 9 ++++----- + src/XrrProvider.c | 4 ++-- + src/XrrProviderProperty.c | 9 ++++----- + src/XrrScreen.c | 2 +- + 8 files changed, 34 insertions(+), 17 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 3f28bef..8466999 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -55,6 +55,12 @@ AC_SUBST(RANDR_VERSION) + # Obtain compiler/linker options for depedencies + PKG_CHECK_MODULES(RANDR, x11 randrproto >= $RANDR_VERSION xext xextproto xrender renderproto) + ++# Check for _XEatDataWords function that may be patched into older Xlib release ++SAVE_LIBS="$LIBS" ++LIBS="$RANDR_LIBS" ++AC_CHECK_FUNCS([_XEatDataWords]) ++LIBS="$SAVE_LIBS" ++ + AC_CONFIG_FILES([Makefile + src/Makefile + man/Makefile +diff --git a/src/Xrandrint.h b/src/Xrandrint.h +index aed10e4..1687c29 100644 +--- a/src/Xrandrint.h ++++ b/src/Xrandrint.h +@@ -42,6 +42,19 @@ extern char XRRExtensionName[]; + + XExtDisplayInfo *XRRFindDisplay (Display *dpy); + ++#ifndef HAVE__XEATDATAWORDS ++#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */ ++#include <limits.h> ++ ++static inline void _XEatDataWords(Display *dpy, unsigned long n) ++{ ++# ifndef LONG64 ++ if (n >= (ULONG_MAX >> 2)) ++ _XIOError(dpy); ++# endif ++ _XEatData (dpy, n << 2); ++} ++#endif + + /* deliberately opaque internal data structure; can be extended, + but not reordered */ +diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c +index 04087c5..a704a52 100644 +--- a/src/XrrCrtc.c ++++ 
b/src/XrrCrtc.c +@@ -74,7 +74,7 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc) + + xci = (XRRCrtcInfo *) Xmalloc(rbytes); + if (xci == NULL) { +- _XEatData (dpy, (unsigned long) nbytes); ++ _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; +@@ -203,7 +203,7 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc) + + if (!crtc_gamma) + { +- _XEatData (dpy, (unsigned long) nbytes); ++ _XEatDataWords (dpy, rep.length); + goto out; + } + _XRead16 (dpy, crtc_gamma->red, rep.size * 2); +@@ -397,7 +397,7 @@ XRRGetCrtcTransform (Display *dpy, + int extraBytes = rep.length * 4 - CrtcTransformExtra; + extra = Xmalloc (extraBytes); + if (!extra) { +- _XEatData (dpy, extraBytes); ++ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2)); + UnlockDisplay (dpy); + SyncHandle (); + return False; +diff --git a/src/XrrOutput.c b/src/XrrOutput.c +index f13a932..4df894e 100644 +--- a/src/XrrOutput.c ++++ b/src/XrrOutput.c +@@ -81,7 +81,7 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output) + + xoi = (XRROutputInfo *) Xmalloc(rbytes); + if (xoi == NULL) { +- _XEatData (dpy, (unsigned long) nbytes); ++ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2)); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; +diff --git a/src/XrrProperty.c b/src/XrrProperty.c +index 4c3fdb0..2b065b2 100644 +--- a/src/XrrProperty.c ++++ b/src/XrrProperty.c +@@ -62,7 +62,7 @@ XRRListOutputProperties (Display *dpy, RROutput output, int *nprop) + + props = (Atom *) Xmalloc (rbytes); + if (props == NULL) { +- _XEatData (dpy, nbytes); ++ _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + *nprop = 0; +@@ -107,7 +107,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property) + + prop_info = (XRRPropertyInfo *) Xmalloc (rbytes); + if (prop_info == NULL) { +- _XEatData (dpy, nbytes); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return 
NULL; +@@ -313,14 +313,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output, + * This part of the code should never be reached. If it is, + * the server sent back a property with an invalid format. + */ +- nbytes = rep.length << 2; +- _XEatData(dpy, (unsigned long) nbytes); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return(BadImplementation); + } + if (! *prop) { +- _XEatData(dpy, (unsigned long) nbytes); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return(BadAlloc); +diff --git a/src/XrrProvider.c b/src/XrrProvider.c +index fcd06ff..309e321 100644 +--- a/src/XrrProvider.c ++++ b/src/XrrProvider.c +@@ -67,7 +67,7 @@ XRRGetProviderResources(Display *dpy, Window window) + xrpr = (XRRProviderResources *) Xmalloc(rbytes); + + if (xrpr == NULL) { +- _XEatData (dpy, (unsigned long) nbytes); ++ _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; +@@ -136,7 +136,7 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi + + xpi = (XRRProviderInfo *)Xmalloc(rbytes); + if (xpi == NULL) { +- _XEatData (dpy, (unsigned long) nbytes); ++ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2)); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; +diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c +index c8c08e9..2d90a0a 100644 +--- a/src/XrrProviderProperty.c ++++ b/src/XrrProviderProperty.c +@@ -62,7 +62,7 @@ XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop) + + props = (Atom *) Xmalloc (rbytes); + if (props == NULL) { +- _XEatData (dpy, nbytes); ++ _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + *nprop = 0; +@@ -107,7 +107,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property) + + prop_info = (XRRPropertyInfo *) Xmalloc (rbytes); + if (prop_info == NULL) { +- _XEatData (dpy, nbytes); ++ _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + 
SyncHandle (); + return NULL; +@@ -313,14 +313,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, + * This part of the code should never be reached. If it is, + * the server sent back a property with an invalid format. + */ +- nbytes = rep.length << 2; +- _XEatData(dpy, (unsigned long) nbytes); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return(BadImplementation); + } + if (! *prop) { +- _XEatData(dpy, (unsigned long) nbytes); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return(BadAlloc); +diff --git a/src/XrrScreen.c b/src/XrrScreen.c +index f830913..08710b6 100644 +--- a/src/XrrScreen.c ++++ b/src/XrrScreen.c +@@ -129,7 +129,7 @@ doGetScreenResources (Display *dpy, Window window, int poll) + if (xrsr == NULL || wire_names == NULL) { + if (xrsr) Xfree (xrsr); + if (wire_names) Xfree (wire_names); +- _XEatData (dpy, (unsigned long) nbytes); ++ _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; +-- +1.8.2.3 + diff --git a/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch b/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch new file mode 100644 index 0000000000..0d07f5459d --- /dev/null +++ b/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch 
@@ -0,0 +1,60 @@ +From 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 12 Apr 2013 21:44:59 -0700 +Subject: [PATCH 3/7] integer overflow in XRRQueryOutputProperty() + [CVE-2013-1986 1/4] + +rep.length is a CARD32, while rbytes was a signed int, so + rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long); +could result in integer overflow, leading to an undersized malloc +and reading data off the connection and writing it past the end of +the allocated buffer. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XrrProperty.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/XrrProperty.c b/src/XrrProperty.c +index 2b065b2..50382bf 100644 +--- a/src/XrrProperty.c ++++ b/src/XrrProperty.c +@@ -31,6 +31,7 @@ + #include <X11/extensions/render.h> + #include <X11/extensions/Xrender.h> + #include "Xrandrint.h" ++#include <limits.h> + + Atom * + XRRListOutputProperties (Display *dpy, RROutput output, int *nprop) +@@ -84,7 +85,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property) + XExtDisplayInfo *info = XRRFindDisplay(dpy); + xRRQueryOutputPropertyReply rep; + xRRQueryOutputPropertyReq *req; +- int rbytes, nbytes; ++ unsigned int rbytes, nbytes; + XRRPropertyInfo *prop_info; + + RRCheckExtension (dpy, info, NULL); +@@ -102,10 +103,14 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property) + return NULL; + } + +- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long); +- nbytes = rep.length << 2; ++ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) { ++ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long)); ++ nbytes = rep.length << 2; ++ ++ prop_info = Xmalloc (rbytes); ++ } else ++ prop_info = NULL; + +- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes); + if (prop_info == NULL) { + 
_XEatDataWords(dpy, rep.length); + UnlockDisplay (dpy); +-- +1.8.2.3 + diff --git a/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch b/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch new file mode 100644 index 0000000000..d55f91def0 --- /dev/null +++ b/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch 
@@ -0,0 +1,55 @@ +From 1da5b838c2a8565d4d95a4e948f951ce6b466345 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 12 Apr 2013 21:44:59 -0700 +Subject: [PATCH 4/7] integer overflow in XRRQueryProviderProperty() + [CVE-2013-1986 2/4] + +Same problem as XRRQueryOutputProperty() that it was cloned from + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XrrProviderProperty.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c +index 2d90a0a..dc699f6 100644 +--- a/src/XrrProviderProperty.c ++++ b/src/XrrProviderProperty.c +@@ -31,6 +31,7 @@ + #include <X11/extensions/render.h> + #include <X11/extensions/Xrender.h> + #include "Xrandrint.h" ++#include <limits.h> + + Atom * + XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop) +@@ -84,7 +85,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property) + XExtDisplayInfo *info = XRRFindDisplay(dpy); + xRRQueryProviderPropertyReply rep; + xRRQueryProviderPropertyReq *req; +- int rbytes, nbytes; ++ unsigned int rbytes, nbytes; + XRRPropertyInfo *prop_info; + + RRCheckExtension (dpy, info, NULL); +@@ -102,10 +103,14 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property) + return NULL; + } + +- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long); +- nbytes = rep.length << 2; ++ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) { ++ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long)); ++ nbytes = rep.length << 2; ++ ++ prop_info = Xmalloc (rbytes); ++ } else ++ prop_info = NULL; + +- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes); + if (prop_info == NULL) { + _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); +-- +1.8.2.3 + 
diff --git a/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch b/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch new file mode 100644 index 0000000000..225924c639 --- /dev/null +++ b/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch 
@@ -0,0 +1,81 @@ +From 289a1927949e6f278c18d115772e454837702e35 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 4 May 2013 21:37:49 -0700 +Subject: [PATCH 5/7] integer overflow in XRRGetOutputProperty() [CVE-2013-1986 + 3/4] + +If the reported number of properties is too large, the calculations +to allocate memory for them may overflow, leaving us returning less +memory to the caller than implied by the value written to *nitems. + +(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel) + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XrrProperty.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/src/XrrProperty.c b/src/XrrProperty.c +index 50382bf..707a28d 100644 +--- a/src/XrrProperty.c ++++ b/src/XrrProperty.c +@@ -257,7 +257,7 @@ XRRGetOutputProperty (Display *dpy, RROutput output, + XExtDisplayInfo *info = XRRFindDisplay(dpy); + xRRGetOutputPropertyReply rep; + xRRGetOutputPropertyReq *req; +- long nbytes, rbytes; ++ unsigned long nbytes, rbytes; + + RRCheckExtension (dpy, info, 1); + +@@ -282,34 +282,40 @@ XRRGetOutputProperty (Display *dpy, RROutput output, + + *prop = (unsigned char *) NULL; + if (rep.propertyType != None) { ++ int format = rep.format; ++ ++ /* ++ * Protect against both integer overflow and just plain oversized ++ * memory allocation - no server should ever return this many props. ++ */ ++ if (rep.nItems >= (INT_MAX >> 4)) ++ format = -1; /* fall through to default error case */ ++ + /* + * One extra byte is malloced than is needed to contain the property + * data, but this last byte is null terminated and convenient for + * returning string properties, so the client doesn't then have to + * recopy the string to make it null terminated. 
+ */ +- switch (rep.format) { ++ switch (format) { + case 8: + nbytes = rep.nItems; + rbytes = rep.nItems + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) ++ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) + _XReadPad (dpy, (char *) *prop, nbytes); + break; + + case 16: + nbytes = rep.nItems << 1; + rbytes = rep.nItems * sizeof (short) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) ++ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) + _XRead16Pad (dpy, (short *) *prop, nbytes); + break; + + case 32: + nbytes = rep.nItems << 2; + rbytes = rep.nItems * sizeof (long) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) ++ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) + _XRead32 (dpy, (long *) *prop, nbytes); + break; + +-- +1.8.2.3 + diff --git a/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch b/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch new file mode 100644 index 0000000000..cdc616a319 --- /dev/null +++ b/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch 
@@ -0,0 +1,81 @@ +From 4254bf0ee4c7a8f9d03841cf0d8e16cbb201dfbd Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 4 May 2013 21:37:49 -0700 +Subject: [PATCH 6/7] integer overflow in XRRGetProviderProperty() + [CVE-2013-1986 4/4] + +If the reported number of properties is too large, the calculations +to allocate memory for them may overflow, leaving us returning less +memory to the caller than implied by the value written to *nitems. + +(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel) + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XrrProviderProperty.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c +index dc699f6..6989580 100644 +--- a/src/XrrProviderProperty.c ++++ b/src/XrrProviderProperty.c +@@ -257,7 +257,7 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, + XExtDisplayInfo *info = XRRFindDisplay(dpy); + xRRGetProviderPropertyReply rep; + xRRGetProviderPropertyReq *req; +- long nbytes, rbytes; ++ unsigned long nbytes, rbytes; + + RRCheckExtension (dpy, info, 1); + +@@ -282,34 +282,40 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, + + *prop = (unsigned char *) NULL; + if (rep.propertyType != None) { ++ int format = rep.format; ++ ++ /* ++ * Protect against both integer overflow and just plain oversized ++ * memory allocation - no server should ever return this many props. ++ */ ++ if (rep.nItems >= (INT_MAX >> 4)) ++ format = -1; /* fall through to default error case */ ++ + /* + * One extra byte is malloced than is needed to contain the property + * data, but this last byte is null terminated and convenient for + * returning string properties, so the client doesn't then have to + * recopy the string to make it null terminated. 
+ */ +- switch (rep.format) { ++ switch (format) { + case 8: + nbytes = rep.nItems; + rbytes = rep.nItems + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) ++ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) + _XReadPad (dpy, (char *) *prop, nbytes); + break; + + case 16: + nbytes = rep.nItems << 1; + rbytes = rep.nItems * sizeof (short) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) ++ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) + _XRead16Pad (dpy, (short *) *prop, nbytes); + break; + + case 32: + nbytes = rep.nItems << 2; + rbytes = rep.nItems * sizeof (long) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) ++ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) + _XRead32 (dpy, (long *) *prop, nbytes); + break; + +-- +1.8.2.3 + diff --git a/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch b/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch new file mode 100644 index 0000000000..659b9c1752 --- /dev/null +++ b/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch 
@@ -0,0 +1,74 @@ +From c90f74497dbcb96854346435349c6e2207b530c5 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 4 May 2013 21:47:50 -0700 +Subject: [PATCH 7/7] Make XRRGet*Property() always initialize returned values + +Avoids memory corruption and other errors when callers access them +without checking to see if the calls returned an error value. + +Callers are still required to check for errors, this just reduces the +damage when they don't. + +(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel) + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XrrProperty.c | 8 +++++++- + src/XrrProviderProperty.c | 8 +++++++- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/XrrProperty.c b/src/XrrProperty.c +index 707a28d..2096c56 100644 +--- a/src/XrrProperty.c ++++ b/src/XrrProperty.c +@@ -259,6 +259,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output, + xRRGetOutputPropertyReq *req; + unsigned long nbytes, rbytes; + ++ /* Always initialize return values, in case callers fail to initialize ++ them and fail to check the return code for an error. 
*/ ++ *actual_type = None; ++ *actual_format = 0; ++ *nitems = *bytes_after = 0L; ++ *prop = (unsigned char *) NULL; ++ + RRCheckExtension (dpy, info, 1); + + LockDisplay (dpy); +@@ -280,7 +287,6 @@ XRRGetOutputProperty (Display *dpy, RROutput output, + return ((xError *)&rep)->errorCode; + } + +- *prop = (unsigned char *) NULL; + if (rep.propertyType != None) { + int format = rep.format; + +diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c +index 6989580..34cc082 100644 +--- a/src/XrrProviderProperty.c ++++ b/src/XrrProviderProperty.c +@@ -259,6 +259,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, + xRRGetProviderPropertyReq *req; + unsigned long nbytes, rbytes; + ++ /* Always initialize return values, in case callers fail to initialize ++ them and fail to check the return code for an error. */ ++ *actual_type = None; ++ *actual_format = 0; ++ *nitems = *bytes_after = 0L; ++ *prop = (unsigned char *) NULL; ++ + RRCheckExtension (dpy, info, 1); + + LockDisplay (dpy); +@@ -280,7 +287,6 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, + return ((xError *)&rep)->errorCode; + } + +- *prop = (unsigned char *) NULL; + if (rep.propertyType != None) { + int format = rep.format; + +-- +1.8.2.3 + diff --git a/main/libxrandr/APKBUILD b/main/libxrandr/APKBUILD index 94499cb9b8..e4228018d5 100644 --- a/main/libxrandr/APKBUILD +++ b/main/libxrandr/APKBUILD 
@@ -1,20 +1,40 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libxrandr
 pkgver=1.4.0
-pkgrel=0
+pkgrel=1
 pkgdesc="X11 RandR extension library"
 url="http://xorg.freedesktop.org/"
 arch="all"
 license="custom"
 subpackages="$pkgname-dev $pkgname-doc"
 depends=
-makedepends="pkgconfig libxext-dev libxrender-dev randrproto libx11-dev"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXrandr-$pkgver.tar.bz2"
-
 depends_dev="xproto randrproto libx11-dev libxext-dev libxrender-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXrandr-$pkgver.tar.bz2
+	0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+	0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+	0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
+	0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
+	0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
+	0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
+	0007-Make-XRRGet-Property-always-initialize-returned-valu.patch
+	"
+
+
+_builddir="$srcdir"/libXrandr-$pkgver
+prepare() {
+	cd "$_builddir"
+	for i in $source; do
+		case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
+	libtoolize --force && aclocal && autoheader && autoconf \
+		&& automake --add-missing
+}
 
 build() {
-	cd "$srcdir"/libXrandr-$pkgver
+	cd "$_builddir"
 	./configure --prefix=/usr \
 		--sysconfdir=/etc \
 		|| return 1
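Review bot: The `cd "$_builddir"` at the top of the new prepare() is unchecked, so if the extracted source directory is missing the patch loop and the autoreconf chain run in whatever directory abuild happens to be in; `cd "$_builddir" || return 1` makes that failure explicit and points at the real cause. The same unchecked cd is in build() here and in package() in the next hunk. Each patch application is checked with `|| return 1`, so a wrong directory would most likely surface as a failed `patch` rather than a silently unpatched build, but the error message would be misleading. The final `libtoolize ... && automake --add-missing` only propagates its status because it is the last command in the function, which is worth a one-line comment such as `# status of the autoreconf chain is prepare()'s return value`.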
@@ -22,9 +42,32 @@ build() {
 }
 
 package() {
-	cd "$srcdir"/libXrandr-$pkgver
+	cd "$_builddir"
 	make DESTDIR="$pkgdir" install || return 1
 	rm "$pkgdir"/usr/lib/*.la || return 1
 	install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
 }
-md5sums="0c843636124cc1494e3d87df16957672 libXrandr-1.4.0.tar.bz2"
+md5sums="0c843636124cc1494e3d87df16957672 libXrandr-1.4.0.tar.bz2
+d40ab63148e3a7c31f3548097c48d507 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+f79a519bdf980c7ef92e18aa3a2c16ca 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+41e672b46e9e3d25c8eb2e86cea29ed1 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
+e2bb9968f01fc41f53e6457f60bdfae0 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
+7d65549f48058f8f9bf9e527d03bbb08 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
+486e84c4089b4f5120cbbc605e732f5b 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
+0883bd4a4e0360e54968f9e4887c03c8 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch"
+sha256sums="033ad0ac2f012afb05268660f6d78705c85f84689f92fa7b47ce12959b15f5c3 libXrandr-1.4.0.tar.bz2
+fc55395c3a275b9c2bce1cd17caf3963b57afb424e95504cf84ed3ab3bf58e19 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+7ca77f1f0e5f7a1febc76e2957c3705d6378c1af6944616735bacc194bc81097 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+847f2b8da4e9d9346d273fd541830a0d6d457857cea576394c2117c5dcbcf356 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
+a537b5ca75a88c5b1ccc862775e4512fb57c4665eb6245c59b3160250ac02ba8 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
+2b84742ed038b96625cc0486e47e3b85e6bd9700a8095b7b65d9dc8a93087dfc 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
+8daabc77bfbcef87d7e52478306fd2774b0c3b59afc7d002d413c7fd6598b93c 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
+03b9c156b04cbe934978983e6a4fff427fd9230b39408b20bbdb4768a7a06bb4 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch"
+sha512sums="a97f2442c7f73786e5d3fae9a98b172ac1cb17b1584a7bad243128fc755b25a41cc7e32ceed10eb8eac733ff137b95504485967716f0122edf6682db6065a289 libXrandr-1.4.0.tar.bz2
+11584e52674a6d1216d5586f578962464f8e6942653a3bce7ddf3af27ea28d604e9ce989635b1db051147f5046ed0593601d74277a86c2776e84ff1c5350a9df 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+ce19127f19d5b932b68de1f336335587bdda4db791b20d26488dcba00a9e303832c679033e59d1f2602f24c8519fe909c24199226ab2b651863b60a7a1e2a5c6 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+228c64d64c839682cb7523cd6dd9153d0acf76e7d9e88a7e73c24bc4536b9dcbf5a500d7fd33ba373f605a0e9d0a770899c1b44a25f9d7468db6de46d0702152 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
+1784174229c46575431eb6a0e05ccac631c3d843ed2742cd89ec8f28866c0e10881ab1c1e30fab5831ba0cb066ece0debbbeb98c7bb4a528768dd8342f42f7b2 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
+14d508d519ca972ee6e521597b16663e78b3f44bcbada97d6ba797cec2b09392daeaf673e02670af0d0f6f71ac5c8e8cb8aa75546ec46cb92ecb6f9190990bca 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
+ec6996991010498de70ad69d55d8a7b2bb5f5f751af567d6be385166d485e145920356a9a3b87603be924121e0202251f6dca96c1af2bd6328961c5fa286d8d1 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
+0d7804c66749090a72bd52297948b7b27c51d77773e57d62e905a7b45d349a77c9857933d85a9e22ce9a2d249ed6ed492fc80040193652ddebe47bd7c558562e 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch" |