aboutsummaryrefslogtreecommitdiffstats
path: root/main/libxfixes
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 08:11:41 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 08:11:41 +0000
commitb26655eaa38290e14b41bf0dd3645030445f42d7 (patch)
tree5b55747213a0470092f879479f769d4d84b75cd9 /main/libxfixes
parent29cd7b42af8cddcb339f1328bf8f7be3a115b396 (diff)
downloadaports-b26655eaa38290e14b41bf0dd3645030445f42d7.tar.bz2
aports-b26655eaa38290e14b41bf0dd3645030445f42d7.tar.xz
main/libxfixes: fix for CVE-2013-1983
ref #1931
Diffstat (limited to 'main/libxfixes')
-rw-r--r--main/libxfixes/APKBUILD25
-rw-r--r--main/libxfixes/CVE-2013-1983.patch70
2 files changed, 90 insertions, 5 deletions
diff --git a/main/libxfixes/APKBUILD b/main/libxfixes/APKBUILD
index df130f988e..b41372041f 100644
--- a/main/libxfixes/APKBUILD
+++ b/main/libxfixes/APKBUILD
@@ -1,18 +1,28 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxfixes
pkgver=5.0
-pkgrel=1
+pkgrel=2
pkgdesc="X11 miscellaneous 'fixes' extension library"
url="http://xorg.freedesktop.org/"
arch="all"
license="custom"
depends=
-makedepends="pkgconfig xproto libx11-dev fixesproto xextproto"
+depends_dev="xproto fixesproto libx11-dev"
+makedepends="$depends_dev xextproto"
subpackages="$pkgname-dev $pkgname-doc"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2
+ CVE-2013-1983.patch"
-depends_dev="xproto fixesproto libx11-dev"
_builddir="$srcdir"/libXfixes-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
build() {
cd "$_builddir"
./configure --prefix=/usr --sysconfdir=/etc --build=${CHOST} --host=${CHOST}
@@ -24,4 +34,9 @@ package() {
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
}
-md5sums="678071bd7f9f7467e2fc712d81022318 libXfixes-5.0.tar.bz2"
+md5sums="678071bd7f9f7467e2fc712d81022318 libXfixes-5.0.tar.bz2
+cfd62d3f71592118ca0a6862cfe221b3 CVE-2013-1983.patch"
+sha256sums="537a2446129242737a35db40081be4bbcc126e56c03bf5f2b142b10a79cda2e3 libXfixes-5.0.tar.bz2
+b1e261feb83e064ac1123cb3004f0ed9284b23abef34f4f5bb6a5d452aff1192 CVE-2013-1983.patch"
+sha512sums="fd3071b52c657975b4321e6c7ebe433c43ea6944d04d2228da075aad394e962eec705e41a6c3a6bbc12f704765189116d1328c3111e457f23395ff6f57ae63d5 libXfixes-5.0.tar.bz2
+6c1e9d1261ece81d97af947a1543f313aebfeb8cc18c121bc51e8cc1142e49c4c5c21fb304d2d37af318c530551e02c029bfbce928d9caefb9432b1c5a4da66c CVE-2013-1983.patch"
diff --git a/main/libxfixes/CVE-2013-1983.patch b/main/libxfixes/CVE-2013-1983.patch
new file mode 100644
index 0000000000..d0089d4f61
--- /dev/null
+++ b/main/libxfixes/CVE-2013-1983.patch
@@ -0,0 +1,70 @@
+From c480fe3271873ec7471b0cbd680f4dac18ca8904 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 17:24:08 +0000
+Subject: integer overflow in XFixesGetCursorImage() [CVE-2013-1983]
+
+If the reported cursor dimensions or name length are too large, the
+calculations to allocate memory for them may overflow, leaving us
+writing beyond the bounds of the allocation.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+diff --git a/src/Cursor.c b/src/Cursor.c
+index 641b747..33590b7 100644
+--- a/src/Cursor.c
++++ b/src/Cursor.c
+@@ -47,6 +47,7 @@
+ #include <config.h>
+ #endif
+ #include "Xfixesint.h"
++#include <limits.h>
+
+ void
+ XFixesSelectCursorInput (Display *dpy,
+@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy)
+ XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
+ xXFixesGetCursorImageAndNameReq *req;
+ xXFixesGetCursorImageAndNameReply rep;
+- int npixels;
+- int nbytes_name;
+- int nbytes, nread, rlength;
++ size_t npixels;
++ size_t nbytes_name;
++ size_t nbytes, nread, rlength;
+ XFixesCursorImage *image;
+ char *name;
+
+@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy)
+ }
+ npixels = rep.width * rep.height;
+ nbytes_name = rep.nbytes;
+- /* reply data length */
+- nbytes = (long) rep.length << 2;
+- /* bytes of actual data in the reply */
+- nread = (npixels << 2) + nbytes_name;
+- /* size of data returned to application */
+- rlength = (sizeof (XFixesCursorImage) +
+- npixels * sizeof (unsigned long) +
+- nbytes_name + 1);
++ if ((rep.length < (INT_MAX >> 2)) &&
++ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1)
++ - nbytes_name)) {
++ /* reply data length */
++ nbytes = (size_t) rep.length << 2;
++ /* bytes of actual data in the reply */
++ nread = (npixels << 2) + nbytes_name;
++ /* size of data returned to application */
++ rlength = (sizeof (XFixesCursorImage) +
++ npixels * sizeof (unsigned long) +
++ nbytes_name + 1);
+
+- image = (XFixesCursorImage *) Xmalloc (rlength);
++ image = Xmalloc (rlength);
++ } else
++ image = NULL;
+ if (!image)
+ {
+ _XEatDataWords(dpy, rep.length);
+--
+cgit v0.9.0.2-2-gbebe