aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-27 14:31:43 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-27 14:41:01 +0000
commit406661591c02dd83efcb2a8885ed58349e2864cd (patch)
treefd401ea72700e51c6523149f5ecd9e7d2ea3038e
parentaac3ab664faee25685e9a6fa912f8ec49d1aadab (diff)
downloadaports-406661591c02dd83efcb2a8885ed58349e2864cd.tar.bz2
aports-406661591c02dd83efcb2a8885ed58349e2864cd.tar.xz
main/libxtst: fix CVE-2013-2063
ref #1931 fixes #1970 (cherry picked from commit ca33affea49de655ea0a1aa27accea11f84df7c1)
-rw-r--r--main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch88
-rw-r--r--main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch81
-rw-r--r--main/libxtst/APKBUILD38
3 files changed, 199 insertions, 8 deletions
diff --git a/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch b/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
new file mode 100644
index 0000000000..43fa1e0d76
--- /dev/null
+++ b/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
@@ -0,0 +1,88 @@
+From 46ed6283034b5b7d14584009453f5d974cfacf1e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 11:05:27 -0700
+Subject: [PATCH 1/2] Use _XEatDataWords to eat data in error cases
+
+Avoids having to do calculcations based on response contents
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/XRecord.c | 23 +++++++++++++++++------
+ 2 files changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7ef0153..d83d4d8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -47,6 +47,12 @@ XORG_CHECK_SGML_DOCTOOLS(1.8)
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XTST, x11 [xext >= 1.0.99.4] xi [recordproto >= 1.13.99.1] [xextproto >= 7.0.99.3] inputproto)
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XTST_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Determine if the source for man pages is available
+ # It may already be present (tarball) or can be generated using xmlto
+ AM_CONDITIONAL([INSTALL_MANPAGES],
+diff --git a/src/XRecord.c b/src/XRecord.c
+index b65451c..ba628b6 100644
+--- a/src/XRecord.c
++++ b/src/XRecord.c
+@@ -49,6 +49,9 @@ from The Open Group.
+ * By Stephen Gildea, X Consortium, and Martha Zimet, NCD.
+ */
+
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
+ #include <stdio.h>
+ #include <assert.h>
+ #include <X11/Xlibint.h>
+@@ -56,6 +59,18 @@ from The Open Group.
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/recordproto.h>
+ #include <X11/extensions/record.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ static XExtensionInfo _xrecord_info_data;
+ static XExtensionInfo *xrecord_info = &_xrecord_info_data;
+@@ -427,7 +442,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+
+ ret = (XRecordState*)Xmalloc(sizeof(XRecordState));
+ if (!ret) {
+- /* XXX - eat data */
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return 0;
+@@ -446,11 +461,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+ }
+ if (!client_inf || !client_inf_str)
+ {
+- for(i = 0; i < count; i++)
+- {
+- _XEatData (dpy, sizeof(xRecordClientInfo));
+- _XEatData (dpy, SIZEOF(xRecordRange)); /* XXX - don't know how many */
+- }
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay(dpy);
+ XRecordFreeState(ret);
+ SyncHandle();
+--
+1.8.2.3
+
diff --git a/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch b/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
new file mode 100644
index 0000000000..661a464fd0
--- /dev/null
+++ b/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
@@ -0,0 +1,81 @@
+From e7e04b7be3f018ad636aba3a36bfc1cd80b9906d Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 11:27:26 -0700
+Subject: [PATCH 2/2] integer overflow in XRecordGetContext() [CVE-2013-2063]
+
+The nclients and nranges members of the reply are both CARD32 and need
+to be bounds checked before multiplying by the size of the structs to
+avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XRecord.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/src/XRecord.c b/src/XRecord.c
+index ba628b6..5bbd5ac 100644
+--- a/src/XRecord.c
++++ b/src/XRecord.c
+@@ -420,11 +420,9 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+ XExtDisplayInfo *info = find_display (dpy);
+ register xRecordGetContextReq *req;
+ xRecordGetContextReply rep;
+- int count, i, rn;
++ unsigned int count, i, rn;
+ xRecordRange xrange;
+- XRecordRange *ranges = NULL;
+ xRecordClientInfo xclient_inf;
+- XRecordClientInfo **client_inf, *client_inf_str = NULL;
+ XRecordState *ret;
+
+ XRecordCheckExtension (dpy, info, 0);
+@@ -454,13 +452,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+
+ if (count)
+ {
+- client_inf = (XRecordClientInfo **) Xcalloc(count, sizeof(XRecordClientInfo*));
+- ret->client_info = client_inf;
+- if (client_inf != NULL) {
+- client_inf_str = (XRecordClientInfo *) Xmalloc(count*sizeof(XRecordClientInfo));
++ XRecordClientInfo **client_inf = NULL;
++ XRecordClientInfo *client_inf_str = NULL;
++
++ if (count < (INT_MAX / sizeof(XRecordClientInfo))) {
++ client_inf = Xcalloc(count, sizeof(XRecordClientInfo *));
++ if (client_inf != NULL)
++ client_inf_str = Xmalloc(count * sizeof(XRecordClientInfo));
+ }
++ ret->client_info = client_inf;
+ if (!client_inf || !client_inf_str)
+ {
++ free(client_inf);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay(dpy);
+ XRecordFreeState(ret);
+@@ -476,11 +479,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+
+ if (xclient_inf.nRanges)
+ {
+- client_inf_str[i].ranges = (XRecordRange**) Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange*));
+- if (client_inf_str[i].ranges != NULL) {
+- ranges = (XRecordRange*)
+- Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
++ XRecordRange *ranges = NULL;
++
++ if (xclient_inf.nRanges < (INT_MAX / sizeof(XRecordRange))) {
++ client_inf_str[i].ranges =
++ Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange *));
++ if (client_inf_str[i].ranges != NULL)
++ ranges =
++ Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
+ }
++ else
++ client_inf_str[i].ranges = NULL;
++
+ if (!client_inf_str[i].ranges || !ranges) {
+ /* XXX eat data */
+ UnlockDisplay(dpy);
+--
+1.8.2.3
+
diff --git a/main/libxtst/APKBUILD b/main/libxtst/APKBUILD
index c4eb84bf9a..c87af4a041 100644
--- a/main/libxtst/APKBUILD
+++ b/main/libxtst/APKBUILD
@@ -1,30 +1,52 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxtst
pkgver=1.2.1
-pkgrel=0
+pkgrel=1
pkgdesc="X11 Testing -- Resource extension library"
url="http://xorg.freedesktop.org/"
arch="all"
license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
-makedepends="pkgconfig libxext-dev libxi-dev recordproto inputproto"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2"
depends_dev="recordproto libx11-dev libxext-dev inputproto libxi-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2
+ 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
+ 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
+ "
-build ()
-{
- cd "$srcdir"/libXtst-$pkgver
+_builddir="$srcdir"/libXtst-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+ libtoolize --force && aclocal && autoheader && autoconf \
+ && automake --add-missing
+}
+
+build() {
+ cd "$_builddir"
./configure --prefix=/usr \
--build=${CHOST} --host=${CHOST}
make || return 1
}
package() {
- cd "$srcdir"/libXtst-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
}
-md5sums="e8abc5c00c666f551cf26aa53819d592 libXtst-1.2.1.tar.bz2"
+md5sums="e8abc5c00c666f551cf26aa53819d592 libXtst-1.2.1.tar.bz2
+ef5006c916511e087973d797a60aaee1 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
+641e6194973b4d324f8278faa821b87a 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
+sha256sums="7eea3e66e392aca3f9dad6238198753c28e1c32fa4903cbb7739607a2504e5e0 libXtst-1.2.1.tar.bz2
+bba7db9220b8a91b5ca71133af55414851d350e81c6142e74e7c44a3fc57c052 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
+d67b95b9bf1587e48bc4009d1d100ed1ee3a611ed07869bb157290064986db6f 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
+sha512sums="287c10a761d30acc988399e23de1ecb7c90d8bd4d363cd03cd0a02eb232e37b0943f359fae76a8e68504ccadc2b7c0117bfebee75e00a0b6f58397658f8ebe0d libXtst-1.2.1.tar.bz2
+0144a420f78f5377acd2548355089596439437d1d19945532428a1cc5f263155f03ebfbba668f9c468525c579aa091d4ddf27006ec4d55246bd045a7e6ff9739 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
+730a9ad7c8aafd8f161bf7cbbd4bbd2c62d4fc6cf50a69f5575a4c52e9a2d712e36bb4e3b9325f628a2f71115ce8797ac93aa7bf023d0abe7ba3603f33f47e81 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"