aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:48:42 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:48:42 +0000
commitdecef4fe3c4a8fac3afe45c8beebfa95550484f7 (patch)
tree8eabee6c69c09e0120221e1c580e7f3a974ad91a
parenta632a13327ab882c590bbae004b3be338edc14cf (diff)
downloadaports-decef4fe3c4a8fac3afe45c8beebfa95550484f7.tar.bz2
aports-decef4fe3c4a8fac3afe45c8beebfa95550484f7.tar.xz
main/libxxf86dga: fix CVE-2013-1991,CVE-2013-2000
ref #1931
-rw-r--r--main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch76
-rw-r--r--main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch52
-rw-r--r--main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch43
-rw-r--r--main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch53
-rw-r--r--main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch40
-rw-r--r--main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch40
-rw-r--r--main/libxxf86dga/APKBUILD24
7 files changed, 323 insertions, 5 deletions
diff --git a/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
new file mode 100644
index 0000000000..5a77d4cc40
--- /dev/null
+++ b/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
@@ -0,0 +1,76 @@
+From 6fa471be7a005bde97bcb5ca5a17662ea8d32587 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:05:25 -0700
+Subject: [PATCH 1/6] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/XF86DGA2.c | 17 ++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 0558326..955fa3c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XXF86DGA, xproto x11 xextproto xext [xf86dgaproto >= 2.0.99.2])
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XXF86DGA_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ src/Makefile
+ man/Makefile
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index 964de18..c17c7f1 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -6,6 +6,9 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc
+ */
+
+ /* THIS IS NOT AN X CONSORTIUM STANDARD */
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
+
+ #ifdef __UNIXOS2__ /* needed here to override certain constants in X headers */
+ #define INCL_DOS
+@@ -22,6 +25,18 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc
+ #include <stdio.h>
+
+ #include <stdint.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ /* If you change this, change the Bases[] array below as well */
+ #define MAX_HEADS 16
+@@ -342,7 +357,7 @@ XDGAMode* XDGAQueryModes(
+ }
+ *num = rep.number;
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+ }
+
+--
+1.8.2.3
+
diff --git a/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch b/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch
new file mode 100644
index 0000000000..c3d190b546
--- /dev/null
+++ b/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch
@@ -0,0 +1,52 @@
+From f4a8dd63af518640468d82948f450aad4b2b1e6a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:18:57 -0700
+Subject: [PATCH 2/6] integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
+
+number is a CARD32 and needs to be bounds checked before multiplying by
+sizeof(XDGAmode) to come up with the total size to allocate, to avoid
+integer overflow leading to underallocation and writing data from the
+network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index c17c7f1..8830266 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes(
+ if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
+ if(rep.length) {
+ xXDGAModeInfo info;
+- int i, size;
++ unsigned long size = 0;
+ char *offset;
+
+- size = rep.length << 2;
+- size -= rep.number * sz_xXDGAModeInfo; /* find text size */
+- modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size);
+- offset = (char*)(&modes[rep.number]); /* start of text */
+-
++ if ((rep.length < (INT_MAX >> 2)) &&
++ (rep.number < (INT_MAX / sizeof(XDGAMode)))) {
++ size = rep.length << 2;
++ if (size > (rep.number * sz_xXDGAModeInfo)) {
++ size -= rep.number * sz_xXDGAModeInfo; /* find text size */
++ modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size);
++ offset = (char*)(&modes[rep.number]); /* start of text */
++ }
++ }
+
+- if(modes) {
++ if (modes != NULL) {
++ unsigned int i;
+ for(i = 0; i < rep.number; i++) {
+ _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
+
+--
+1.8.2.3
+
diff --git a/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch b/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch
new file mode 100644
index 0000000000..9123d7f3ba
--- /dev/null
+++ b/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch
@@ -0,0 +1,43 @@
+From 5dcfa6a8cf2df39828da733e5945e730518c27b3 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:27:10 -0700
+Subject: [PATCH 3/6] buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
+
+When reading the name strings for the modes off the network, we never
+checked to make sure the length of the individual name strings didn't
+overflow the size of the buffer we'd allocated based on the reported
+rep.length for the total reply size.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index 8830266..b5145ee 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes(
+ modes[i].reserved1 = info.reserved1;
+ modes[i].reserved2 = info.reserved2;
+
+- _XRead(dpy, offset, info.name_size);
+- modes[i].name = offset;
+- offset += info.name_size;
++ if (info.name_size > 0 && info.name_size <= size) {
++ _XRead(dpy, offset, info.name_size);
++ modes[i].name = offset;
++ modes[i].name[info.name_size - 1] = '\0';
++ offset += info.name_size;
++ size -= info.name_size;
++ } else {
++ _XEatData(dpy, info.name_size);
++ modes[i].name = NULL;
++ }
+ }
+ *num = rep.number;
+ } else
+--
+1.8.2.3
+
diff --git a/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch b/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
new file mode 100644
index 0000000000..7a44a074ba
--- /dev/null
+++ b/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
@@ -0,0 +1,53 @@
+From f89cf306a60facdf102696840bc05acebd7d1772 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:38:25 -0700
+Subject: [PATCH 4/6] integer overflow & underflow in XDGASetMode()
+ [CVE-2013-1991 2/2]
+
+rep.length is a CARD32 and needs to be bounds checked before bit shifting
+and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
+to avoid integer overflow or underflow leading to underallocation and
+writing data from the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index b5145ee..90ca918 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -405,12 +405,15 @@ XDGASetMode(
+ if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
+ if(rep.length) {
+ xXDGAModeInfo info;
+- int size;
++ unsigned long size;
+
+- size = rep.length << 2;
+- size -= sz_xXDGAModeInfo; /* get text size */
++ if ((rep.length < (INT_MAX >> 2)) &&
++ (rep.length > (sz_xXDGAModeInfo >> 2))) {
++ size = rep.length << 2;
++ size -= sz_xXDGAModeInfo; /* get text size */
+
+- dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
++ dev = Xmalloc(sizeof(XDGADevice) + size);
++ }
+
+ if(dev) {
+ _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
+@@ -451,6 +454,8 @@ XDGASetMode(
+ dev->data += rep.offset;
+ }
+ /* not sure what to do if the allocation fails */
++ else
++ _XEatDataWords(dpy, rep.length);
+ }
+ }
+
+--
+1.8.2.3
+
diff --git a/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch b/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch
new file mode 100644
index 0000000000..70ed6aef78
--- /dev/null
+++ b/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch
@@ -0,0 +1,40 @@
+From b69d6d51a82b1d1e8c68a233360acb742c879375 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:45:41 -0700
+Subject: [PATCH 5/6] buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
+
+When reading the name strings for the mode off the network, we never
+checked to make sure the length of the name strings didn't overflow
+the size of the buffer we'd allocated based on the reported rep.length
+for the total reply size.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index 90ca918..4d13677 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -444,8 +444,14 @@ XDGASetMode(
+ dev->mode.reserved1 = info.reserved1;
+ dev->mode.reserved2 = info.reserved2;
+
+- dev->mode.name = (char*)(&dev[1]);
+- _XRead(dpy, dev->mode.name, info.name_size);
++ if (info.name_size > 0 && info.name_size <= size) {
++ dev->mode.name = (char*)(&dev[1]);
++ _XRead(dpy, dev->mode.name, info.name_size);
++ dev->mode.name[info.name_size - 1] = '\0';
++ } else {
++ dev->mode.name = NULL;
++ _XEatDataWords(dpy, rep.length);
++ }
+
+ dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
+ dev->data = XDGAGetMappedMemory(screen);
+--
+1.8.2.3
+
diff --git a/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch b/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch
new file mode 100644
index 0000000000..c21b1261fd
--- /dev/null
+++ b/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch
@@ -0,0 +1,40 @@
+From a8dc6be3213bc91dec5e25535ef4bad5a9456af0 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:53:49 -0700
+Subject: [PATCH 6/6] integer overflow in XDGAOpenFramebuffer()
+
+rep.length is a CARD32 and should be bounds checked before left shifting
+to come up with the size to allocate and read from the network, though
+since both functions take the same size, there should be no way for the
+buffer to be overflowed in this case.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index 4d13677..9c656e6 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer(
+ return False;
+ }
+
+- if(rep.length) {
+- deviceName = Xmalloc(rep.length << 2);
+- _XRead(dpy, deviceName, rep.length << 2);
++ if (rep.length) {
++ if (rep.length < (INT_MAX >> 2)) {
++ unsigned long size = rep.length << 2;
++ deviceName = Xmalloc(size);
++ _XRead(dpy, deviceName, size);
++ deviceName[size - 1] = '\0';
++ } else
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ ret = XDGAMapFramebuffer(screen, deviceName,
+--
+1.8.2.3
+
diff --git a/main/libxxf86dga/APKBUILD b/main/libxxf86dga/APKBUILD
index 9a8396ef46..ecb2143441 100644
--- a/main/libxxf86dga/APKBUILD
+++ b/main/libxxf86dga/APKBUILD
@@ -1,26 +1,40 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxxf86dga
pkgver=1.1.3
-pkgrel=0
+pkgrel=1
pkgdesc="X11 Direct Graphics Access extension library"
url="http://xorg.freedesktop.org/"
arch="all"
license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
-makedepends="pkgconfig xf86dgaproto libxext-dev libx11-dev"
+depends_dev="xf86dgaproto libxext-dev libx11-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86dga-$pkgver.tar.bz2"
-depends_dev="xf86dgaproto libxext-dev libx11-dev"
+_builddir="$srcdir"/libXxf86dga-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+ libtoolize --force && aclocal && autoheader && autoconf \
+ && automake --add-missing
+}
+
build() {
- cd "$srcdir"/libXxf86dga-$pkgver
+ cd "$_builddir"
./configure --prefix=/usr
make || return 1
}
package() {
- cd "$srcdir"/libXxf86dga-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la
}
md5sums="b7f38465c46e7145782d37dbb9da8c09 libXxf86dga-1.1.3.tar.bz2"
+sha256sums="551fa374dbef0f977de1f35d005fa9ffe92b7a87e82dbe62d6a4640f5b0b4994 libXxf86dga-1.1.3.tar.bz2"
+sha512sums="84129573f7491dff92c7072312bbadac7e7b9698b937e65c7bbf94d9b2e17a5448743e557c92c196738ddaa6d70917300f73c943e0c2507402df7bc31d5dd6d0 libXxf86dga-1.1.3.tar.bz2"