author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:48:42 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:48:42 +0000 |
commit | decef4fe3c4a8fac3afe45c8beebfa95550484f7 (patch) | |
tree | 8eabee6c69c09e0120221e1c580e7f3a974ad91a | |
parent | a632a13327ab882c590bbae004b3be338edc14cf (diff) | |
main/libxxf86dga: fix CVE-2013-1991,CVE-2013-2000
ref #1931
7 files changed, 323 insertions, 5 deletions
diff --git a/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch new file mode 100644 index 0000000000..5a77d4cc40 --- /dev/null +++ b/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch 
@@ -0,0 +1,76 @@ +From 6fa471be7a005bde97bcb5ca5a17662ea8d32587 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 12:05:25 -0700 +Subject: [PATCH 1/6] Use _XEatDataWords to avoid overflow of rep.length + shifting + +rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + configure.ac | 6 ++++++ + src/XF86DGA2.c | 17 ++++++++++++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 0558326..955fa3c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO + # Obtain compiler/linker options for depedencies + PKG_CHECK_MODULES(XXF86DGA, xproto x11 xextproto xext [xf86dgaproto >= 2.0.99.2]) + ++# Check for _XEatDataWords function that may be patched into older Xlib release ++SAVE_LIBS="$LIBS" ++LIBS="$XXF86DGA_LIBS" ++AC_CHECK_FUNCS([_XEatDataWords]) ++LIBS="$SAVE_LIBS" ++ + AC_CONFIG_FILES([Makefile + src/Makefile + man/Makefile +diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c +index 964de18..c17c7f1 100644 +--- a/src/XF86DGA2.c ++++ b/src/XF86DGA2.c +@@ -6,6 +6,9 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc + */ + + /* THIS IS NOT AN X CONSORTIUM STANDARD */ ++#ifdef HAVE_CONFIG_H ++#include <config.h> ++#endif + + #ifdef __UNIXOS2__ /* needed here to override certain constants in X headers */ + #define INCL_DOS +@@ -22,6 +25,18 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc + #include <stdio.h> + + #include <stdint.h> ++#include <limits.h> ++ ++#ifndef HAVE__XEATDATAWORDS ++static inline void _XEatDataWords(Display *dpy, unsigned long n) ++{ ++# ifndef LONG64 ++ if (n >= (ULONG_MAX >> 2)) ++ _XIOError(dpy); ++# endif ++ _XEatData (dpy, n << 2); ++} ++#endif + + /* If you change this, change the Bases[] array below as well */ + #define MAX_HEADS 16 +@@ -342,7 +357,7 @@ XDGAMode* XDGAQueryModes( + } + *num = rep.number; + } else +- 
_XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + } + +-- +1.8.2.3 + diff --git a/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch b/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch new file mode 100644 index 0000000000..c3d190b546 --- /dev/null +++ b/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch 
@@ -0,0 +1,52 @@ +From f4a8dd63af518640468d82948f450aad4b2b1e6a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 12:18:57 -0700 +Subject: [PATCH 2/6] integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2] + +number is a CARD32 and needs to be bounds checked before multiplying by +sizeof(XDGAmode) to come up with the total size to allocate, to avoid +integer overflow leading to underallocation and writing data from the +network past the end of the allocated buffer. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XF86DGA2.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c +index c17c7f1..8830266 100644 +--- a/src/XF86DGA2.c ++++ b/src/XF86DGA2.c +@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes( + if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { + if(rep.length) { + xXDGAModeInfo info; +- int i, size; ++ unsigned long size = 0; + char *offset; + +- size = rep.length << 2; +- size -= rep.number * sz_xXDGAModeInfo; /* find text size */ +- modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size); +- offset = (char*)(&modes[rep.number]); /* start of text */ +- ++ if ((rep.length < (INT_MAX >> 2)) && ++ (rep.number < (INT_MAX / sizeof(XDGAMode)))) { ++ size = rep.length << 2; ++ if (size > (rep.number * sz_xXDGAModeInfo)) { ++ size -= rep.number * sz_xXDGAModeInfo; /* find text size */ ++ modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size); ++ offset = (char*)(&modes[rep.number]); /* start of text */ ++ } ++ } + +- if(modes) { ++ if (modes != NULL) { ++ unsigned int i; + for(i = 0; i < rep.number; i++) { + _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo); + +-- +1.8.2.3 + 
diff --git a/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch b/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch new file mode 100644 index 0000000000..9123d7f3ba --- /dev/null +++ b/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch @@ -0,0 +1,43 @@ +From 5dcfa6a8cf2df39828da733e5945e730518c27b3 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 12:27:10 -0700 +Subject: [PATCH 3/6] buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2] + +When reading the name strings for the modes off the network, we never +checked to make sure the length of the individual name strings didn't +overflow the size of the buffer we'd allocated based on the reported +rep.length for the total reply size. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XF86DGA2.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c +index 8830266..b5145ee 100644 +--- a/src/XF86DGA2.c ++++ b/src/XF86DGA2.c +@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes( + modes[i].reserved1 = info.reserved1; + modes[i].reserved2 = info.reserved2; + +- _XRead(dpy, offset, info.name_size); +- modes[i].name = offset; +- offset += info.name_size; ++ if (info.name_size > 0 && info.name_size <= size) { ++ _XRead(dpy, offset, info.name_size); ++ modes[i].name = offset; ++ modes[i].name[info.name_size - 1] = '\0'; ++ offset += info.name_size; ++ size -= info.name_size; ++ } else { ++ _XEatData(dpy, info.name_size); ++ modes[i].name = NULL; ++ } + } + *num = rep.number; + } else +-- +1.8.2.3 + diff --git a/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch b/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch new file mode 100644 index 0000000000..7a44a074ba --- /dev/null 
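Review bot: In the new else branch of the name loop, `_XEatData(dpy, info.name_size);` discards name_size bytes even in the case the guard just rejected, where name_size is larger than `size`, the number of text bytes this reply still holds (per patch 0002 on this page, `size` is `rep.length << 2` minus the mode-info bytes). A reply that declares an oversized name therefore makes the client consume bytes belonging to the next reply and lose stream synchronisation, which turns a bounds fix into a desync. Since `size` is derived from the authoritative rep.length, the branch can only safely discard what is left: `_XEatData(dpy, size);` followed by `size = 0;`, keeping the total consumed at exactly rep.length words while later iterations fall through to the same branch with nothing left to eat. The body of XDGAQueryModes continues outside this hunk, so the handling of a zero-length reply is not visible here.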
+++ b/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch @@ -0,0 +1,53 @@ +From f89cf306a60facdf102696840bc05acebd7d1772 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 12:38:25 -0700 +Subject: [PATCH 4/6] integer overflow & underflow in XDGASetMode() + [CVE-2013-1991 2/2] + +rep.length is a CARD32 and needs to be bounds checked before bit shifting +and subtracting sz_xXDGAModeInfo to come up with the total size to allocate, +to avoid integer overflow or underflow leading to underallocation and +writing data from the network past the end of the allocated buffer. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XF86DGA2.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c +index b5145ee..90ca918 100644 +--- a/src/XF86DGA2.c ++++ b/src/XF86DGA2.c +@@ -405,12 +405,15 @@ XDGASetMode( + if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { + if(rep.length) { + xXDGAModeInfo info; +- int size; ++ unsigned long size; + +- size = rep.length << 2; +- size -= sz_xXDGAModeInfo; /* get text size */ ++ if ((rep.length < (INT_MAX >> 2)) && ++ (rep.length > (sz_xXDGAModeInfo >> 2))) { ++ size = rep.length << 2; ++ size -= sz_xXDGAModeInfo; /* get text size */ + +- dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size); ++ dev = Xmalloc(sizeof(XDGADevice) + size); ++ } + + if(dev) { + _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo); +@@ -451,6 +454,8 @@ XDGASetMode( + dev->data += rep.offset; + } + /* not sure what to do if the allocation fails */ ++ else ++ _XEatDataWords(dpy, rep.length); + } + } + +-- +1.8.2.3 + diff --git a/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch b/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch new file mode 100644 index 0000000000..70ed6aef78 --- /dev/null 
+++ b/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch @@ -0,0 +1,40 @@ +From b69d6d51a82b1d1e8c68a233360acb742c879375 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 12:45:41 -0700 +Subject: [PATCH 5/6] buffer overflow in XDGASetMode() [CVE-2013-2000 2/2] + +When reading the name strings for the mode off the network, we never +checked to make sure the length of the name strings didn't overflow +the size of the buffer we'd allocated based on the reported rep.length +for the total reply size. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XF86DGA2.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c +index 90ca918..4d13677 100644 +--- a/src/XF86DGA2.c ++++ b/src/XF86DGA2.c +@@ -444,8 +444,14 @@ XDGASetMode( + dev->mode.reserved1 = info.reserved1; + dev->mode.reserved2 = info.reserved2; + +- dev->mode.name = (char*)(&dev[1]); +- _XRead(dpy, dev->mode.name, info.name_size); ++ if (info.name_size > 0 && info.name_size <= size) { ++ dev->mode.name = (char*)(&dev[1]); ++ _XRead(dpy, dev->mode.name, info.name_size); ++ dev->mode.name[info.name_size - 1] = '\0'; ++ } else { ++ dev->mode.name = NULL; ++ _XEatDataWords(dpy, rep.length); ++ } + + dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0; + dev->data = XDGAGetMappedMemory(screen); +-- +1.8.2.3 + diff --git a/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch b/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch new file mode 100644 index 0000000000..c21b1261fd --- /dev/null +++ b/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch 
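Review bot: The else branch added here calls `_XEatDataWords(dpy, rep.length);` after the mode info has already been read from the reply (the `_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo)` shown in patch 0004 on this page runs before this point), so it discards sz_xXDGAModeInfo more bytes than the reply has left and reads into the following reply. Judging from patch 0004, `size` already holds exactly the remaining byte count (`rep.length << 2` minus sz_xXDGAModeInfo), so the discard should be `_XEatData(dpy, size);`. Note that the allocation-failure else in patch 0004 is correct as written, because there nothing has been read yet; only this later branch over-consumes. XDGASetMode's body extends beyond this hunk.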
@@ -0,0 +1,40 @@ +From a8dc6be3213bc91dec5e25535ef4bad5a9456af0 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 12:53:49 -0700 +Subject: [PATCH 6/6] integer overflow in XDGAOpenFramebuffer() + +rep.length is a CARD32 and should be bounds checked before left shifting +to come up with the size to allocate and read from the network, though +since both functions take the same size, there should be no way for the +buffer to be overflowed in this case. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XF86DGA2.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c +index 4d13677..9c656e6 100644 +--- a/src/XF86DGA2.c ++++ b/src/XF86DGA2.c +@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer( + return False; + } + +- if(rep.length) { +- deviceName = Xmalloc(rep.length << 2); +- _XRead(dpy, deviceName, rep.length << 2); ++ if (rep.length) { ++ if (rep.length < (INT_MAX >> 2)) { ++ unsigned long size = rep.length << 2; ++ deviceName = Xmalloc(size); ++ _XRead(dpy, deviceName, size); ++ deviceName[size - 1] = '\0'; ++ } else ++ _XEatDataWords(dpy, rep.length); + } + + ret = XDGAMapFramebuffer(screen, deviceName, +-- +1.8.2.3 + diff --git a/main/libxxf86dga/APKBUILD b/main/libxxf86dga/APKBUILD index 9a8396ef46..ecb2143441 100644 --- a/main/libxxf86dga/APKBUILD +++ b/main/libxxf86dga/APKBUILD 
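Review bot: The new block writes `deviceName[size - 1] = '\0';` straight after `deviceName = Xmalloc(size);` without checking the result, so an allocation failure now turns into a NULL dereference in both `_XRead` and the terminator store (the original code had the same unchecked `_XRead`, but the added store makes the path strictly worse). Guarding the read and the terminator on a non-NULL result, and otherwise discarding the reply data the same way the oversized-length branch does, keeps the stream in sync on OOM as well. Whether XDGAMapFramebuffer, called with deviceName a few lines later, tolerates NULL is outside this hunk and should be confirmed.

```c
if (rep.length < (INT_MAX >> 2)) {
    unsigned long size = rep.length << 2;
    deviceName = Xmalloc(size);
    if (deviceName != NULL) {
        _XRead(dpy, deviceName, size);
        deviceName[size - 1] = '\0';
    } else
        _XEatDataWords(dpy, rep.length);
} else
    _XEatDataWords(dpy, rep.length);
/* … unchanged: XDGAMapFramebuffer call … */
```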
@@ -1,26 +1,40 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libxxf86dga pkgver=1.1.3 -pkgrel=0 +pkgrel=1 pkgdesc="X11 Direct Graphics Access extension library" url="http://xorg.freedesktop.org/" arch="all" license="custom" subpackages="$pkgname-dev $pkgname-doc" depends= -makedepends="pkgconfig xf86dgaproto libxext-dev libx11-dev" +depends_dev="xf86dgaproto libxext-dev libx11-dev" +makedepends="$depends_dev libtool autoconf automake util-macros" source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86dga-$pkgver.tar.bz2" -depends_dev="xf86dgaproto libxext-dev libx11-dev" +_builddir="$srcdir"/libXxf86dga-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done + libtoolize --force && aclocal && autoheader && autoconf \ + && automake --add-missing +} + build() { - cd "$srcdir"/libXxf86dga-$pkgver + cd "$_builddir" ./configure --prefix=/usr make || return 1 } package() { - cd "$srcdir"/libXxf86dga-$pkgver + cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la } md5sums="b7f38465c46e7145782d37dbb9da8c09 libXxf86dga-1.1.3.tar.bz2" +sha256sums="551fa374dbef0f977de1f35d005fa9ffe92b7a87e82dbe62d6a4640f5b0b4994 libXxf86dga-1.1.3.tar.bz2" +sha512sums="84129573f7491dff92c7072312bbadac7e7b9698b937e65c7bbf94d9b2e17a5448743e557c92c196738ddaa6d70917300f73c943e0c2507402df7bc31d5dd6d0 libXxf86dga-1.1.3.tar.bz2" |
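Review bot: The six patch files this commit adds are never applied: the new `prepare()` iterates `$source` and applies only `*.patch` entries, but the `source=` line is left as a context line listing only the tarball, and the md5sums/sha256sums/sha512sums arrays likewise cover only `libXxf86dga-1.1.3.tar.bz2`. As written, the pkgrel bump ships a rebuilt but unfixed library while the commit message claims the CVE fixes are in. Each patch must be added to `source=` and the three checksum arrays need a matching entry per file (regenerate them with `abuild checksum` rather than hand-typing digests). Consider also adding `|| return 1` to the autotools chain in `prepare()` so a failed `libtoolize` or `automake` step aborts the build instead of proceeding with stale generated files.

```sh
source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86dga-$pkgver.tar.bz2
	0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
	0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch
	0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch
	0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
	0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch
	0006-integer-overflow-in-XDGAOpenFramebuffer.patch"
# … unchanged: _builddir, prepare(), build(), package() …
# md5sums/sha256sums/sha512sums: one line per source entry above,
# values regenerated with `abuild checksum` (digests not shown here)
```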