authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 08:26:58 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 12:54:52 +0000
commit65b25569aa1c907727bb6c89c7c402769d85faff (patch)
treef0ccdcd48173dad1eec6da447c479b49bb2140f2
parenteabb0f3cb4212d491cfbf155d6160c2127d2d1f5 (diff)
downloadaports-65b25569aa1c907727bb6c89c7c402769d85faff.tar.bz2
aports-65b25569aa1c907727bb6c89c7c402769d85faff.tar.xz
main/libxrender: fix CVE-2013-1987
ref #1931 fixes #1960 (cherry picked from commit de43558cd1904b59c2358a05514aea1d20fab1c2)
-rw-r--r--main/libxrender/APKBUILD40
-rw-r--r--main/libxrender/CVE-2013-1987-1.patch83
-rw-r--r--main/libxrender/CVE-2013-1987-2.patch81
-rw-r--r--main/libxrender/CVE-2013-1987-3.patch59
4 files changed, 256 insertions, 7 deletions
diff --git a/main/libxrender/APKBUILD b/main/libxrender/APKBUILD
index 6e9a8cd598..e1349f439d 100644
--- a/main/libxrender/APKBUILD
+++ b/main/libxrender/APKBUILD
@@ -1,26 +1,52 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxrender
pkgver=0.9.7
-pkgrel=0
+pkgrel=1
pkgdesc="X Rendering Extension client library"
url="http://xorg.freedesktop.org/"
arch="all"
license="custom"
subpackages="$pkgname-dev"
depends=
-makedepends="pkgconfig libx11-dev renderproto"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2"
-
depends_dev="xproto renderproto libx11-dev"
+makedepends="$depends_dev"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2
+ CVE-2013-1987-1.patch
+ CVE-2013-1987-2.patch
+ CVE-2013-1987-3.patch
+ "
+
+
+_builddir="$srcdir"/libXrender-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
build() {
- cd "$srcdir"/libXrender-$pkgver
+ cd "$_builddir"
./configure --prefix=/usr
make || return 1
}
package() {
- cd "$srcdir"/libXrender-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
}
-md5sums="ee62f4c7f0f16ced4da63308963ccad2 libXrender-0.9.7.tar.bz2"
+md5sums="ee62f4c7f0f16ced4da63308963ccad2 libXrender-0.9.7.tar.bz2
+5d82b028bed7456b38f1d001a222b1d8 CVE-2013-1987-1.patch
+8e0adc5dcbf89ea1d0c7fe0e0dd5e8d7 CVE-2013-1987-2.patch
+b3bac65a7f41bcacbf5fd8278ac709b6 CVE-2013-1987-3.patch"
+sha256sums="f9b46b93c9bc15d5745d193835ac9ba2a2b411878fad60c504bbb8f98492bbe6 libXrender-0.9.7.tar.bz2
+4a0b2e6d693c86eab43aa6e6720de149298ea67b1ccc10a723bfb9db3787703a CVE-2013-1987-1.patch
+7ee9c01f3f20f817c37210147afc50038541bea53b270ce2c3eacf9969821a39 CVE-2013-1987-2.patch
+141096ee1b739e2ca4b270215dbf1ad9ed57ad9d0b405256241f0fb8e19a61ce CVE-2013-1987-3.patch"
+sha512sums="b52cebf6ebcdfc1e321b4ec7a18ba781cd05ddab9bb191532ea4174848fb7bb7f5bc7e609944e6e193f7b808e5b50316ba74b5bf1024e61b11358ac1887b44dc libXrender-0.9.7.tar.bz2
+5ec8fa4531271e9c6904b00fa828a82e3b2904d8ea7f8803da4175b516f9a4b268e44fd90607244850affd9899f12f107bb038b02529983c04c5968a10d74a0d CVE-2013-1987-1.patch
+45778c206f35b3ccc814bf68713582e1aeda45f182678ca88e194b0eb45f8f930732d465b3d10ee475892c5b7e0a9a67354b0036e0ffe2989c929c27f828d52b CVE-2013-1987-2.patch
+8bee48d9d23ce10aa8076a1c93edd2f2f2b221421ef4d706cacf2f4b23ccb7aea64cfca9fe7766820c8473208fc25d573d72f6a717aa5a0bad9da4297c15af05 CVE-2013-1987-3.patch"
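Review bot: In the new `prepare()`, `cd "$_builddir"` is unchecked, so if that directory is missing the `patch -p1` loop runs in whatever directory the function started in; `cd "$_builddir" || return 1` would match the `|| return 1` convention used on the other commands. `$i` is also left unquoted in `msg $i` and `"$srcdir"/$i`, where `"$srcdir/$i"` is the safer form. The three patches carry upstream git headers while the tarball is the 0.9.7 release, so it is worth confirming that each one applies without fuzz or offsets, since `patch` accepts inexact context by default. `build()` and `package()` have the same unchecked `cd`.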
diff --git a/main/libxrender/CVE-2013-1987-1.patch b/main/libxrender/CVE-2013-1987-1.patch
new file mode 100644
index 0000000000..706356a748
--- /dev/null
+++ b/main/libxrender/CVE-2013-1987-1.patch
@@ -0,0 +1,83 @@
+From e52853974664289fe42a92909667ed77cfa1cec5 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 05:45:20 +0000
+Subject: integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3]
+
+The length, numFilters & numAliases members of the reply are all CARD32
+and need to be bounds checked before multiplying & adding them together
+to come up with the total size to allocate, to avoid integer overflow
+leading to underallocation and writing data from the network past the
+end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+diff --git a/src/Filter.c b/src/Filter.c
+index 924b2a3..edfa572 100644
+--- a/src/Filter.c
++++ b/src/Filter.c
+@@ -25,6 +25,7 @@
+ #include <config.h>
+ #endif
+ #include "Xrenderint.h"
++#include <limits.h>
+
+ XFilters *
+ XRenderQueryFilters (Display *dpy, Drawable drawable)
+@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
+ char *name;
+ char len;
+ int i;
+- long nbytes, nbytesAlias, nbytesName;
++ unsigned long nbytes, nbytesAlias, nbytesName;
+
+ if (!RenderHasExtension (info))
+ return NULL;
+@@ -60,22 +61,32 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
+ SyncHandle ();
+ return NULL;
+ }
+- /*
+- * Compute total number of bytes for filter names
+- */
+- nbytes = (long)rep.length << 2;
+- nbytesAlias = rep.numAliases * 2;
+- if (rep.numAliases & 1)
+- nbytesAlias += 2;
+- nbytesName = nbytes - nbytesAlias;
+
+ /*
+- * Allocate one giant block for the whole data structure
++ * Limit each component of combined size to 1/4 the max, which is far
++ * more than they should ever possibly need.
+ */
+- filters = Xmalloc (sizeof (XFilters) +
+- rep.numFilters * sizeof (char *) +
+- rep.numAliases * sizeof (short) +
+- nbytesName);
++ if ((rep.length < (INT_MAX >> 2)) &&
++ (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) &&
++ (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) {
++ /*
++ * Compute total number of bytes for filter names
++ */
++ nbytes = (unsigned long)rep.length << 2;
++ nbytesAlias = rep.numAliases * 2;
++ if (rep.numAliases & 1)
++ nbytesAlias += 2;
++ nbytesName = nbytes - nbytesAlias;
++
++ /*
++ * Allocate one giant block for the whole data structure
++ */
++ filters = Xmalloc (sizeof (XFilters) +
++ (rep.numFilters * sizeof (char *)) +
++ (rep.numAliases * sizeof (short)) +
++ nbytesName);
++ } else
++ filters = NULL;
+
+ if (!filters)
+ {
+--
+cgit v0.9.0.2-2-gbebe
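Review bot: `nbytesName = nbytes - nbytesAlias;` is now an unsigned subtraction with no check that `nbytesAlias <= nbytes`. The three INT_MAX-based limits bound `rep.length`, `rep.numFilters` and `rep.numAliases` separately but do not relate them to each other. If a reply declares more alias bytes than its length covers, `nbytesName` wraps, and the size passed to `Xmalloc` comes out smaller than the pointer table and alias array need on their own. Rejecting that case right after computing `nbytesAlias`, e.g. `if (nbytesAlias > nbytes) filters = NULL; else filters = Xmalloc (...);`, keeps the allocation consistent with the fields. The code that fills the buffer lies outside this hunk, so whether it guards against this elsewhere is not visible here.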
diff --git a/main/libxrender/CVE-2013-1987-2.patch b/main/libxrender/CVE-2013-1987-2.patch
new file mode 100644
index 0000000000..4a0980dd73
--- /dev/null
+++ b/main/libxrender/CVE-2013-1987-2.patch
@@ -0,0 +1,81 @@
+From 9e577d40322b9e3d8bdefec0eefa44d8ead451a4 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 06:02:11 +0000
+Subject: integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]
+
+The length, numFormats, numScreens, numDepths, and numVisuals members of
+the reply are all CARD32 and need to be bounds checked before multiplying
+and adding them together to come up with the total size to allocate, to
+avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+diff --git a/src/Xrender.c b/src/Xrender.c
+index 5c8e5f5..a62c753 100644
+--- a/src/Xrender.c
++++ b/src/Xrender.c
+@@ -26,6 +26,7 @@
+ #include <config.h>
+ #endif
+ #include "Xrenderint.h"
++#include <limits.h>
+
+ XRenderExtInfo XRenderExtensionInfo;
+ char XRenderExtensionName[] = RENDER_NAME;
+@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy)
+ CARD32 *xSubpixel;
+ void *xData;
+ int nf, ns, nd, nv;
+- int rlength;
+- int nbytes;
++ unsigned long rlength;
++ unsigned long nbytes;
+
+ RenderCheckExtension (dpy, info, 0);
+ LockDisplay (dpy);
+@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy)
+ if (async_state.major_version == 0 && async_state.minor_version < 6)
+ rep.numSubpixel = 0;
+
+- xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) +
+- rep.numFormats * sizeof (XRenderPictFormat) +
+- rep.numScreens * sizeof (XRenderScreen) +
+- rep.numDepths * sizeof (XRenderDepth) +
+- rep.numVisuals * sizeof (XRenderVisual));
+- rlength = (rep.numFormats * sizeof (xPictFormInfo) +
+- rep.numScreens * sizeof (xPictScreen) +
+- rep.numDepths * sizeof (xPictDepth) +
+- rep.numVisuals * sizeof (xPictVisual) +
+- rep.numSubpixel * 4);
+- xData = (void *) Xmalloc (rlength);
+- nbytes = (int) rep.length << 2;
++ if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) &&
++ (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) &&
++ (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) &&
++ (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) &&
++ (rep.numSubpixel < ((INT_MAX / 4) / 4)) &&
++ (rep.length < (INT_MAX >> 2)) ) {
++ xri = Xmalloc (sizeof (XRenderInfo) +
++ (rep.numFormats * sizeof (XRenderPictFormat)) +
++ (rep.numScreens * sizeof (XRenderScreen)) +
++ (rep.numDepths * sizeof (XRenderDepth)) +
++ (rep.numVisuals * sizeof (XRenderVisual)));
++ rlength = ((rep.numFormats * sizeof (xPictFormInfo)) +
++ (rep.numScreens * sizeof (xPictScreen)) +
++ (rep.numDepths * sizeof (xPictDepth)) +
++ (rep.numVisuals * sizeof (xPictVisual)) +
++ (rep.numSubpixel * 4));
++ xData = Xmalloc (rlength);
++ nbytes = (unsigned long) rep.length << 2;
++ } else {
++ xri = NULL;
++ xData = NULL;
++ rlength = nbytes = 0;
++ }
+
+ if (!xri || !xData || nbytes < rlength)
+ {
+--
+cgit v0.9.0.2-2-gbebe
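Review bot: The new guard in XRenderQueryFormats has no comment explaining its limits, unlike the matching check in CVE-2013-1987-1.patch. The caps are expressed in client struct sizes (`sizeof (XRenderPictFormat)` and so on) but also have to protect `rlength`, which multiplies the same counts by the wire struct sizes (`sizeof (xPictFormInfo)` and so on). That presumably holds only while no wire struct is larger than its client counterpart, which should be confirmed and stated. `rlength` also sums five capped terms rather than four, so it depends on now being `unsigned long` rather than `int`. A suitable comment above the `if` would be `/* Cap each count at 1/4 of INT_MAX in client-struct units; rlength uses the smaller wire sizes and is unsigned, so neither sum can wrap. */`. The function body continues outside the hunk.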
diff --git a/main/libxrender/CVE-2013-1987-3.patch b/main/libxrender/CVE-2013-1987-3.patch
new file mode 100644
index 0000000000..92e35d773e
--- /dev/null
+++ b/main/libxrender/CVE-2013-1987-3.patch
@@ -0,0 +1,59 @@
+From 786f78fd8df6d165ccbc81f306fd9f22b5c1551c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 06:02:11 +0000
+Subject: integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
+
+The length and numIndexValues members of the reply are both CARD32 and
+need to be bounds checked before multiplying by sizeof (XIndexValue) to
+avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+diff --git a/src/Xrender.c b/src/Xrender.c
+index a62c753..3102eb2 100644
+--- a/src/Xrender.c
++++ b/src/Xrender.c
+@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display *dpy,
+ xRenderQueryPictIndexValuesReq *req;
+ xRenderQueryPictIndexValuesReply rep;
+ XIndexValue *values;
+- int nbytes, nread, rlength, i;
++ unsigned int nbytes, nread, rlength, i;
+
+ RenderCheckExtension (dpy, info, NULL);
+
+@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display *dpy,
+ return NULL;
+ }
+
+- /* request data length */
+- nbytes = (long)rep.length << 2;
+- /* bytes of actual data in the request */
+- nread = rep.numIndexValues * SIZEOF (xIndexValue);
+- /* size of array returned to application */
+- rlength = rep.numIndexValues * sizeof (XIndexValue);
++ if ((rep.length < (INT_MAX >> 2)) &&
++ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) {
++ /* request data length */
++ nbytes = rep.length << 2;
++ /* bytes of actual data in the request */
++ nread = rep.numIndexValues * SIZEOF (xIndexValue);
++ /* size of array returned to application */
++ rlength = rep.numIndexValues * sizeof (XIndexValue);
++
++ /* allocate returned data */
++ values = Xmalloc (rlength);
++ } else {
++ nbytes = nread = rlength = 0;
++ values = NULL;
++ }
+
+- /* allocate returned data */
+- values = (XIndexValue *)Xmalloc (rlength);
+ if (!values)
+ {
+ _XEatDataWords (dpy, rep.length);
+--
+cgit v0.9.0.2-2-gbebe
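Review bot: Nothing in this hunk checks that `nread` fits within `nbytes`, i.e. that `rep.numIndexValues * SIZEOF (xIndexValue)` does not exceed the reply length the server declared; the guard only bounds each field against INT_MAX. If the code after the hunk reads `numIndexValues` entries from the connection, a reply with inconsistent fields would leave the client consuming data beyond its own reply and desynchronising the protocol stream. Treating `nread > nbytes` like the existing `else` branch would reject such replies before allocation, e.g. `if (nread > nbytes) values = NULL; else values = Xmalloc (rlength);`. The rest of XRenderQueryPictIndexValues is outside the hunk, so any later check is not visible here.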