aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:23:39 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:23:39 +0000
commitb262cf6c02f0e15dc88618b6a9e1298ace184057 (patch)
tree874e073def3c2d40af28279fdc19026ff24ebfab
parentf4a1e4bfe936b7b1c1364a8ebc769145f060ce25 (diff)
downloadaports-b262cf6c02f0e15dc88618b6a9e1298ace184057.tar.bz2
aports-b262cf6c02f0e15dc88618b6a9e1298ace184057.tar.xz
main/libxres: fix CVE-2013-1988
ref #1931
-rw-r--r--main/libxres/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch36
-rw-r--r--main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch75
-rw-r--r--main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch37
-rw-r--r--main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch37
-rw-r--r--main/libxres/APKBUILD48
5 files changed, 224 insertions, 9 deletions
diff --git a/main/libxres/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch b/main/libxres/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
new file mode 100644
index 0000000000..b8ef330d8d
--- /dev/null
+++ b/main/libxres/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
@@ -0,0 +1,36 @@
+From 83e7693515369d57dcd11c2bb1f03563f51bc500 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 18 Jan 2013 23:06:20 -0800
+Subject: [PATCH 1/4] Replace deprecated Automake INCLUDES variable with
+ AM_CPPFLAGS
+
+Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
+
+ - Support for the long-deprecated INCLUDES variable will be removed
+ altogether in Automake 1.14. The AM_CPPFLAGS variable should be
+ used instead.
+
+This variable was deprecated in Automake releases prior to 1.10, which is
+the current minimum level required to build X.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index fd508da..bf66d68 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -10,7 +10,7 @@ AM_CFLAGS = \
+ $(XRES_CFLAGS) \
+ $(MALLOC_ZERO_CFLAGS)
+
+-INCLUDES = -I$(top_srcdir)/include
++AM_CPPFLAGS = -I$(top_srcdir)/include
+
+ libXRes_la_LDFLAGS = -version-number 1:0:0 -no-undefined
+
+--
+1.8.2.3
+
diff --git a/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
new file mode 100644
index 0000000000..9f22c4fa5b
--- /dev/null
+++ b/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
@@ -0,0 +1,75 @@
+From 69457711050ac3a53859ef11790a7ac815cd7d94 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 10:34:22 -0700
+Subject: [PATCH 2/4] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/XRes.c | 16 ++++++++++++++--
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 90205cc..f68b689 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -50,6 +50,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XRES, x11 xext xextproto [resourceproto >= 1.2.0])
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XRES_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ src/Makefile
+ man/Makefile
+diff --git a/src/XRes.c b/src/XRes.c
+index 1744196..1ab1db8 100644
+--- a/src/XRes.c
++++ b/src/XRes.c
+@@ -13,6 +13,18 @@
+ #include <X11/extensions/XResproto.h>
+ #include <X11/extensions/XRes.h>
+
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ static XExtensionInfo _xres_ext_info_data;
+ static XExtensionInfo *xres_ext_info = &_xres_ext_info_data;
+@@ -131,7 +143,7 @@ Status XResQueryClients (
+ *num_clients = rep.num_clients;
+ result = 1;
+ } else {
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+ }
+
+@@ -183,7 +195,7 @@ Status XResQueryClientResources (
+ *num_types = rep.num_types;
+ result = 1;
+ } else {
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+ }
+
+--
+1.8.2.3
+
diff --git a/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch b/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
new file mode 100644
index 0000000000..e851c092f1
--- /dev/null
+++ b/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
@@ -0,0 +1,37 @@
+From b053d215b80e721f9afdc5794e4f3f4f2aee0141 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 12 Apr 2013 23:36:13 -0700
+Subject: [PATCH 3/4] integer overflow in XResQueryClients() [CVE-2013-1988
+ 1/2]
+
+The CARD32 rep.num_clients needs to be bounds checked before multiplying
+by sizeof(XResClient) to avoid integer overflow leading to underallocation
+and writing data from the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XRes.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/XRes.c b/src/XRes.c
+index 1ab1db8..c989985 100644
+--- a/src/XRes.c
++++ b/src/XRes.c
+@@ -130,7 +130,12 @@ Status XResQueryClients (
+ }
+
+ if(rep.num_clients) {
+- if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) {
++ if (rep.num_clients < (INT_MAX / sizeof(XResClient)))
++ clnts = Xmalloc(sizeof(XResClient) * rep.num_clients);
++ else
++ clnts = NULL;
++
++ if (clnts != NULL) {
+ xXResClient scratch;
+ int i;
+
+--
+1.8.2.3
+
diff --git a/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch b/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch
new file mode 100644
index 0000000000..bca2bb0260
--- /dev/null
+++ b/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch
@@ -0,0 +1,37 @@
+From f468184963e53feda848853c4aefd0197b2cc116 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 12 Apr 2013 23:36:13 -0700
+Subject: [PATCH 4/4] integer overflow in XResQueryClientResources()
+ [CVE-2013-1988 2/2]
+
+The CARD32 rep.num_types needs to be bounds checked before multiplying
+by sizeof(XResType) to avoid integer overflow leading to underallocation
+and writing data from the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XRes.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/XRes.c b/src/XRes.c
+index c989985..51e905f 100644
+--- a/src/XRes.c
++++ b/src/XRes.c
+@@ -187,7 +187,12 @@ Status XResQueryClientResources (
+ }
+
+ if(rep.num_types) {
+- if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) {
++ if (rep.num_types < (INT_MAX / sizeof(XResType)))
++ typs = Xmalloc(sizeof(XResType) * rep.num_types);
++ else
++ typs = NULL;
++
++ if (typs != NULL) {
+ xXResType scratch;
+ int i;
+
+--
+1.8.2.3
+
diff --git a/main/libxres/APKBUILD b/main/libxres/APKBUILD
index fc23b9d49e..705ca3e2dc 100644
--- a/main/libxres/APKBUILD
+++ b/main/libxres/APKBUILD
@@ -1,30 +1,60 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxres
pkgver=1.0.6
-pkgrel=0
+pkgrel=1
pkgdesc="X11 Resource extension library"
url="http://xorg.freedesktop.org"
arch="all"
license="custom"
subpackages="$pkgname-dev $pkgname-doc"
-makedepends="pkgconfig libxext-dev resourceproto"
depends=
-source="http://xorg.freedesktop.org/releases/individual/lib/libXres-$pkgver.tar.bz2"
+depends_dev="xproto resourceproto libx11-dev libxext-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXres-$pkgver.tar.bz2
+ 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+ 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+ 0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
+ 0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch
+ "
-depends_dev="xproto libx11-dev libxext-dev"
-build ()
-{
- cd "$srcdir"/libXres-$pkgver
+_builddir="$srcdir"/libXres-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+ libtoolize --force && aclocal && autoheader && autoconf \
+ && automake --add-missing
+}
+
+build() {
+ cd "$_builddir"
./configure --prefix=/usr \
--sysconfdir=/etc
make || return 1
}
package() {
- cd "$srcdir"/libXres-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
}
-md5sums="80d0c6d8522fa7a645e4f522e9a9cd20 libXres-1.0.6.tar.bz2"
+md5sums="80d0c6d8522fa7a645e4f522e9a9cd20 libXres-1.0.6.tar.bz2
+1c9e87b0d44dd1e3630c2dace1885f5c 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+b846d11e2aded99e05b17f582704a2b8 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+d30b38ef42f65a9409ff53df81257ca2 0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
+791bd7a8effc52ed2e5ae266729b317a 0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch"
+sha256sums="ff8661c925e8b182f98ae98f02bbd93c55259ef7f34a92c1a126b6074ebde890 libXres-1.0.6.tar.bz2
+6069a7690f226a98e5ca898e0213f96672ad47a3ce2fbd4079cce185bf7842e2 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+5ae734771ea853177771b7ef566c1ebc8a365c301353fc1883007d2c560df26e 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+c40579e8ce20316710339fe1c497b3b75e641a1de66321892f40b71ca0e316db 0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
+4ce80a734022df47f5c6b6bbb984446c67ca2dff7231dee5c1686f496bf6ab30 0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch"
+sha512sums="ba884e32446946520d1ba81764fac64f5350fb109cff1846e839c2a9ef11708ebd39d4434525a373af0c10250fc5f508a34f965f9e2312d5bc50ccbefbafa65c libXres-1.0.6.tar.bz2
+ffa4def53bd8e99120526e55d5eb025e135517e8d6d43fb6abd64ec9c3c4234d026bdb5d35477292aecb3a56f44041a2b1338909997bc671adca43f175d9f774 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+6a9d2e50b5bf128c5a9366b227b4d0649388aea5907e180346ac53ddb0685afad05d22d24b7953e7c323292153aa5867582adf9940420da69eef2b67ff0597d3 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+ea313a26f8ffffcaa8de2a813e8df775b534895b0d8400640292e94465a80b20daf3ee45db25695e6ca867f298b6490beeb5b5bf67065b001e4a9f971534c474 0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
+d8b4be3b9a69f33c32254f23dfa51fd4154ea1afae498aea2ab841a7d98e526af666b4a3b9df8f011f04d440e6f20ea0e9c58627eb7030992a2e0897b8f02ad7 0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch"