aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:09:51 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:10:15 +0000
commit596f76568714ab83fed8fef00c69f6493e6996e3 (patch)
treecec9045a63630cc3896cdb37bbced58801504407
parent3e5921fae9eef23dbc7c56b7905ccbf9de168cea (diff)
downloadaports-596f76568714ab83fed8fef00c69f6493e6996e3.tar.bz2
aports-596f76568714ab83fed8fef00c69f6493e6996e3.tar.xz
main/libxp: fix CVE-2013-2062
ref #1931
-rw-r--r--main/libxp/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch36
-rw-r--r--main/libxp/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch59
-rw-r--r--main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch86
-rw-r--r--main/libxp/0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch118
-rw-r--r--main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch64
-rw-r--r--main/libxp/APKBUILD35
6 files changed, 393 insertions, 5 deletions
diff --git a/main/libxp/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch b/main/libxp/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
new file mode 100644
index 0000000000..410a7da033
--- /dev/null
+++ b/main/libxp/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
@@ -0,0 +1,36 @@
+From 41aab7d289aba2aaf3839e96d0c9e2f15ede4bd1 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 18 Jan 2013 23:03:57 -0800
+Subject: [PATCH 1/5] Replace deprecated Automake INCLUDES variable with
+ AM_CPPFLAGS
+
+Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
+
+ - Support for the long-deprecated INCLUDES variable will be removed
+ altogether in Automake 1.14. The AM_CPPFLAGS variable should be
+ used instead.
+
+This variable was deprecated in Automake releases prior to 1.10, which is
+the current minimum level required to build X.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 3ca2659..f42b633 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -24,7 +24,7 @@ libXp_la_LIBADD = $(XPRINT_LIBS)
+
+ AM_CFLAGS = $(CWARNFLAGS) $(XPRINT_CFLAGS) $(MALLOC_ZERO_CFLAGS)
+
+-INCLUDES = -I$(top_srcdir)/include/X11/extensions
++AM_CPPFLAGS = -I$(top_srcdir)/include/X11/extensions
+
+ #
+ # Library version number. This must match old versions on
+--
+1.8.2.3
+
diff --git a/main/libxp/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch b/main/libxp/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
new file mode 100644
index 0000000000..fa61ef587f
--- /dev/null
+++ b/main/libxp/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
@@ -0,0 +1,59 @@
+From 15ec6d1d0bb8c4cb24a190ed34e63312a0623670 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 3 May 2013 22:30:36 -0700
+Subject: [PATCH 2/5] Use _XEatDataWords to avoid overflow of rep.length bit
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/XpExtUtil.h | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 50b029c..16b966c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -45,6 +45,12 @@ AC_PROG_LIBTOOL
+ # Check for X and print proto
+ PKG_CHECK_MODULES(XPRINT, x11 xext xextproto xau printproto)
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XPRINT_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ src/Makefile
+ man/Makefile
+diff --git a/src/XpExtUtil.h b/src/XpExtUtil.h
+index d479a95..1889825 100644
+--- a/src/XpExtUtil.h
++++ b/src/XpExtUtil.h
+@@ -48,6 +48,20 @@ extern char *_xpstrdup(
+ const char * /* str */
+ );
+
++#ifndef HAVE__XEATDATAWORDS
++#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
++#include <limits.h>
++
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
++
+ _XFUNCPROTOEND
+
+ #endif /* _XPEXTUTIL_H */
+--
+1.8.2.3
+
diff --git a/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch b/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
new file mode 100644
index 0000000000..e510b705e0
--- /dev/null
+++ b/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
@@ -0,0 +1,86 @@
+From babb1fc823ab3be192c48fe115feeb0d57f74d05 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 26 Apr 2013 23:59:25 -0700
+Subject: [PATCH 3/5] integer overflow in XpGetAttributes & XpGetOneAttribute
+ [CVE-2013-2062 1/3]
+
+stringLen & valueLen are CARD32s and need to be bounds checked before adding
+one to them to come up with the total size to allocate, to avoid integer
+overflow leading to underallocation and writing data from the network past
+the end of the allocated buffer.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XpAttr.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/src/XpAttr.c b/src/XpAttr.c
+index 6818daf..665e2e8 100644
+--- a/src/XpAttr.c
++++ b/src/XpAttr.c
+@@ -48,6 +48,7 @@
+
+ #include <stdio.h>
+ #include <sys/stat.h>
++#include <limits.h>
+
+ char *
+ XpGetAttributes (
+@@ -83,17 +84,18 @@ XpGetAttributes (
+ /*
+ * Read pool and return to caller.
+ */
+- buf = Xmalloc( (unsigned) rep.stringLen + 1 );
++ if (rep.stringLen < INT_MAX)
++ buf = Xmalloc(rep.stringLen + 1);
++ else
++ buf = NULL;
+
+ if (!buf) {
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return( (char *) NULL ); /* malloc error */
++ _XEatDataWords(dpy, rep.length);
++ }
++ else {
++ _XReadPad (dpy, (char *) buf, rep.stringLen );
++ buf[rep.stringLen] = 0;
+ }
+-
+- _XReadPad (dpy, (char *) buf, (long) rep.stringLen );
+-
+- buf[rep.stringLen] = 0;
+
+ UnlockDisplay(dpy);
+ SyncHandle();
+@@ -144,18 +146,18 @@ XpGetOneAttribute (
+ /*
+ * Read variable answer.
+ */
+- buf = Xmalloc( (unsigned) rep.valueLen + 1 );
++ if (rep.valueLen < INT_MAX)
++ buf = Xmalloc(rep.valueLen + 1);
++ else
++ buf = NULL;
+
+ if (!buf) {
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return( (char *) NULL ); /* malloc error */
++ _XEatDataWords(dpy, rep.length);
++ }
++ else {
++ _XReadPad (dpy, (char *) buf, rep.valueLen);
++ buf[rep.valueLen] = 0;
+ }
+-
+- buf[rep.valueLen] = 0;
+-
+- _XReadPad (dpy, (char *) buf, (long) rep.valueLen );
+- buf[rep.valueLen] = 0;
+
+ UnlockDisplay(dpy);
+ SyncHandle();
+--
+1.8.2.3
+
diff --git a/main/libxp/0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch b/main/libxp/0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
new file mode 100644
index 0000000000..a528c59f53
--- /dev/null
+++ b/main/libxp/0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
@@ -0,0 +1,118 @@
+From cc90f6be64bfd6973ae270b9bff494f577e1bda7 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 26 Apr 2013 23:59:25 -0700
+Subject: [PATCH 4/5] integer overflows in XpGetPrinterList() [CVE-2013-2062
+ 2/3]
+
+listCount is a CARD32 that needs to be bounds checked before it is
+multiplied by the size of the structs to allocate, and the string
+lengths are CARD32s and need to be bounds checked before adding one
+to them to come up with the total size to allocate, to avoid integer
+overflow leading to underallocation and writing data from the network
+past the end of the allocated buffer.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XpPrinter.c | 43 +++++++++++++++++++++++--------------------
+ 1 file changed, 23 insertions(+), 20 deletions(-)
+
+diff --git a/src/XpPrinter.c b/src/XpPrinter.c
+index bdc96e6..03b18c4 100644
+--- a/src/XpPrinter.c
++++ b/src/XpPrinter.c
+@@ -42,6 +42,7 @@
+ #include <X11/extensions/Printstr.h>
+ #include <X11/Xlibint.h>
+ #include "XpExtUtil.h"
++#include <limits.h>
+
+ #define _XpPadOut(len) (((len) + 3) & ~3)
+
+@@ -62,7 +63,7 @@ XpGetPrinterList (
+ long dataLenVR;
+ CARD8 *dataVR; /* aka STRING8 */
+
+- XPPrinterList ptr_list;
++ XPPrinterList ptr_list = NULL;
+
+ XExtDisplayInfo *info = (XExtDisplayInfo *) xp_find_display (dpy);
+
+@@ -128,13 +129,12 @@ XpGetPrinterList (
+ *list_count = rep.listCount;
+
+ if (*list_count) {
+- ptr_list = (XPPrinterList)
+- Xmalloc( (unsigned) (sizeof(XPPrinterRec) * (*list_count + 1)));
++ if (rep.listCount < (INT_MAX / sizeof(XPPrinterRec)))
++ ptr_list = Xmalloc(sizeof(XPPrinterRec) * (*list_count + 1));
+
+ if (!ptr_list) {
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return ( (XPPrinterList) NULL ); /* malloc error */
++ _XEatDataWords(dpy, rep.length);
++ goto out;
+ }
+
+ /*
+@@ -150,16 +150,17 @@ XpGetPrinterList (
+ _XRead32 (dpy, &dataLenVR, (long) sizeof(CARD32) );
+
+ if (dataLenVR) {
+- dataVR = (CARD8 *) Xmalloc( (unsigned) dataLenVR + 1 );
++ if (dataLenVR < INT_MAX)
++ dataVR = Xmalloc(dataLenVR + 1);
++ else
++ dataVR = NULL;
+
+ if (!dataVR) {
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return ( (XPPrinterList) NULL ); /* malloc error */
++ _XEatData(dpy, dataLenVR);
++ } else {
++ _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
++ dataVR[dataLenVR] = 0;
+ }
+-
+- _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
+- dataVR[dataLenVR] = 0;
+ ptr_list[i].name = (char *) dataVR;
+ }
+ else {
+@@ -172,16 +173,17 @@ XpGetPrinterList (
+ _XRead32 (dpy, &dataLenVR, (long) sizeof(CARD32) );
+
+ if (dataLenVR) {
+- dataVR = (CARD8 *) Xmalloc( (unsigned) dataLenVR + 1 );
++ if (dataLenVR < INT_MAX)
++ dataVR = Xmalloc(dataLenVR + 1);
++ else
++ dataVR = NULL;
+
+ if (!dataVR) {
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return ( (XPPrinterList) NULL ); /* malloc error */
++ _XEatData(dpy, dataLenVR);
++ } else {
++ _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
++ dataVR[dataLenVR] = 0;
+ }
+-
+- _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
+- dataVR[dataLenVR] = 0;
+ ptr_list[i].desc = (char *) dataVR;
+ }
+ else {
+@@ -193,6 +195,7 @@ XpGetPrinterList (
+ ptr_list = (XPPrinterList) NULL;
+ }
+
++ out:
+ UnlockDisplay(dpy);
+ SyncHandle();
+
+--
+1.8.2.3
+
diff --git a/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch b/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch
new file mode 100644
index 0000000000..c7e925e357
--- /dev/null
+++ b/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch
@@ -0,0 +1,64 @@
+From e111065f6dd790c820fa67ea31055b18c68481e3 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 26 Apr 2013 23:59:25 -0700
+Subject: [PATCH 5/5] integer overflows in XpQueryScreens() [CVE-2013-2062 3/3]
+
+listCount is a CARD32 that needs to be bounds checked before it is
+multiplied by the size of the pointers to allocate, to avoid integer
+overflow leading to underallocation and writing data from the network
+past the end of the allocated buffer.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XpScreens.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/XpScreens.c b/src/XpScreens.c
+index 815dfbf..b31e554 100644
+--- a/src/XpScreens.c
++++ b/src/XpScreens.c
+@@ -42,6 +42,7 @@
+ #include <X11/extensions/Printstr.h>
+ #include <X11/Xlibint.h>
+ #include "XpExtUtil.h"
++#include <limits.h>
+
+
+ Screen **
+@@ -82,19 +83,17 @@ XpQueryScreens (
+ *list_count = rep.listCount;
+
+ if (*list_count) {
+- scr_list = (Screen **)
+- Xmalloc( (unsigned) (sizeof(Screen *) * *list_count) );
++ if (rep.listCount < (INT_MAX / sizeof(Screen *)))
++ scr_list = Xmalloc(sizeof(Screen *) * *list_count);
++ else
++ scr_list = NULL;
+
+ if (!scr_list) {
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return ( (Screen **) NULL ); /* malloc error */
++ _XEatDataWords(dpy, rep.length);
++ goto out;
+ }
+ i = 0;
+ while(i < *list_count){
+- /*
+- * Pull printer length and then name.
+- */
+ _XRead32 (dpy, &rootWindow, (long) sizeof(CARD32) );
+ scr_list[i] = NULL;
+ for ( j = 0; j < XScreenCount(dpy); j++ ) {
+@@ -118,6 +117,7 @@ XpQueryScreens (
+ scr_list = (Screen **) NULL;
+ }
+
++ out:
+ UnlockDisplay(dpy);
+ SyncHandle();
+
+--
+1.8.2.3
+
diff --git a/main/libxp/APKBUILD b/main/libxp/APKBUILD
index 616e034f9e..4bd21ace04 100644
--- a/main/libxp/APKBUILD
+++ b/main/libxp/APKBUILD
@@ -2,17 +2,23 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxp
pkgver=1.0.1
-pkgrel=1
+pkgrel=2
pkgdesc="X.Org X11 libXp runtime library"
url="http://www.x.org"
arch="all"
license="MIT"
depends=
-depends_dev="util-macros libx11-dev libxext-dev libxau-dev printproto"
-makedepends="$depends_dev"
+depends_dev="libx11-dev libxext-dev libxau-dev printproto"
+makedepends="$depends_dev libtool autoconf automake util-macros"
install=""
subpackages="$pkgname-dev $pkgname-doc"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXp-$pkgver.tar.bz2"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXp-$pkgver.tar.bz2
+ 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+ 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+ 0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
+ 0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
+ 0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch
+ "
_builddir="$srcdir"/libXp-$pkgver
prepare() {
@@ -23,6 +29,8 @@ prepare() {
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
+ libtoolize --force && aclocal && autoheader && autoconf \
+ && automake --add-missing
}
build() {
@@ -42,4 +50,21 @@ package() {
rm "$pkgdir"/usr/lib/*.la || return 1
}
-md5sums="7ae1d63748e79086bd51a633da1ff1a9 libXp-1.0.1.tar.bz2"
+md5sums="7ae1d63748e79086bd51a633da1ff1a9 libXp-1.0.1.tar.bz2
+dfc36d7aa39348115edbed43e7b3bacd 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+8d99d975ee248d292c57f0539a74f444 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+0affd2550812541d7c6e03b10a882a39 0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
+74e9e315a2b7b714c2ebbc69e4478723 0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
+59085b08c7ae142238ee20af93836926 0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch"
+sha256sums="71d1f260005616d646b8c8788365f2b7d93911dac57bb53b65753d9f9e6443d2 libXp-1.0.1.tar.bz2
+666273216e13b759e85cf84c345e9253771e729f605987e580ad55b0ad7651a3 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+f128151ebd1206d85c6ee55d1558fb1e3f446a7334466571818850096fec7a87 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+ad96f0031978dd8befa29bde872a8a9b40e4fbfccf42cd22e201f975564db3b6 0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
+cbadbece5e73d568826b19b2f743860c8dfe47f4077accffa939cc51a79ead0c 0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
+0a597afeab8bd76dcd72fec97efd0a8db12c1dd1d9f431085e061aa1b6ca1f3d 0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch"
+sha512sums="0707256ae344b847f1a5bbf85f9e6e6f926be3bee10858e3c92932ee02007fdb908cb64a6f2ce0de501f99117e4582c1bcf9bc6f921490d42cabbfb997d731bd libXp-1.0.1.tar.bz2
+5a55658cedbf6ac8d410f19ceed0ef38d65a81ef54e9ffde86ac285c477669d760a1b5c2d9791aff50d48698298bcfdd3290e1b95321c62230809a8a65222127 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+9a94b99f96d03e436450daa40e54d3d091d362e76428a4bc0fdacb38b3582c1a18ad5b1824621282892bc3f9e0964bae2d8e15ccdfc5c27a426f118c7a7336c8 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+48d47a8878f2f3663c1e00091c6190ae9d4b0e08594cfb87d4810e726caf5a138100ef59d0fdb352cb5805ab3268bedde86f20d4637533f81d71451fc0989f20 0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
+5b6e0c05209546c6ef29bc6ed9a24b4117d8a4983fc49abf554920d189fd73d97198c4428951177f7b21dcd968d786c98fa5b53d457946e9b79504fc6ed7c9f6 0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
+8242840592974a57e98e9c6dfed73031f632dc26b88ba2bf40016c9778955476490eb14766de6a02429ad56066f228d23b3cd9c0772585c020be3b6dec32b522 0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch"