diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 08:26:58 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 08:26:58 +0000 |
commit | de43558cd1904b59c2358a05514aea1d20fab1c2 (patch) | |
tree | ff02029193d79538fdafd6467fec97b92b42110e /main/libxrender | |
parent | b26655eaa38290e14b41bf0dd3645030445f42d7 (diff) | |
download | aports-de43558cd1904b59c2358a05514aea1d20fab1c2.tar.bz2 aports-de43558cd1904b59c2358a05514aea1d20fab1c2.tar.xz |
main/libxrender: fix CVE-2013-1987
Diffstat (limited to 'main/libxrender')
-rw-r--r-- | main/libxrender/APKBUILD | 40 | ||||
-rw-r--r-- | main/libxrender/CVE-2013-1987-1.patch | 83 | ||||
-rw-r--r-- | main/libxrender/CVE-2013-1987-2.patch | 81 | ||||
-rw-r--r-- | main/libxrender/CVE-2013-1987-3.patch | 59 |
4 files changed, 256 insertions, 7 deletions
diff --git a/main/libxrender/APKBUILD b/main/libxrender/APKBUILD index 6e9a8cd598..e1349f439d 100644 --- a/main/libxrender/APKBUILD +++ b/main/libxrender/APKBUILD @@ -1,26 +1,52 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libxrender pkgver=0.9.7 -pkgrel=0 +pkgrel=1 pkgdesc="X Rendering Extension client library" url="http://xorg.freedesktop.org/" arch="all" license="custom" subpackages="$pkgname-dev" depends= -makedepends="pkgconfig libx11-dev renderproto" -source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2" - depends_dev="xproto renderproto libx11-dev" +makedepends="$depends_dev" +source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2 + CVE-2013-1987-1.patch + CVE-2013-1987-2.patch + CVE-2013-1987-3.patch + " + + +_builddir="$srcdir"/libXrender-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} + build() { - cd "$srcdir"/libXrender-$pkgver + cd "$_builddir" ./configure --prefix=/usr make || return 1 } package() { - cd "$srcdir"/libXrender-$pkgver + cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="ee62f4c7f0f16ced4da63308963ccad2 libXrender-0.9.7.tar.bz2" +md5sums="ee62f4c7f0f16ced4da63308963ccad2 libXrender-0.9.7.tar.bz2 +5d82b028bed7456b38f1d001a222b1d8 CVE-2013-1987-1.patch +8e0adc5dcbf89ea1d0c7fe0e0dd5e8d7 CVE-2013-1987-2.patch +b3bac65a7f41bcacbf5fd8278ac709b6 CVE-2013-1987-3.patch" +sha256sums="f9b46b93c9bc15d5745d193835ac9ba2a2b411878fad60c504bbb8f98492bbe6 libXrender-0.9.7.tar.bz2 +4a0b2e6d693c86eab43aa6e6720de149298ea67b1ccc10a723bfb9db3787703a CVE-2013-1987-1.patch +7ee9c01f3f20f817c37210147afc50038541bea53b270ce2c3eacf9969821a39 CVE-2013-1987-2.patch +141096ee1b739e2ca4b270215dbf1ad9ed57ad9d0b405256241f0fb8e19a61ce CVE-2013-1987-3.patch" +sha512sums="b52cebf6ebcdfc1e321b4ec7a18ba781cd05ddab9bb191532ea4174848fb7bb7f5bc7e609944e6e193f7b808e5b50316ba74b5bf1024e61b11358ac1887b44dc libXrender-0.9.7.tar.bz2 +5ec8fa4531271e9c6904b00fa828a82e3b2904d8ea7f8803da4175b516f9a4b268e44fd90607244850affd9899f12f107bb038b02529983c04c5968a10d74a0d CVE-2013-1987-1.patch +45778c206f35b3ccc814bf68713582e1aeda45f182678ca88e194b0eb45f8f930732d465b3d10ee475892c5b7e0a9a67354b0036e0ffe2989c929c27f828d52b CVE-2013-1987-2.patch +8bee48d9d23ce10aa8076a1c93edd2f2f2b221421ef4d706cacf2f4b23ccb7aea64cfca9fe7766820c8473208fc25d573d72f6a717aa5a0bad9da4297c15af05 CVE-2013-1987-3.patch" diff --git a/main/libxrender/CVE-2013-1987-1.patch b/main/libxrender/CVE-2013-1987-1.patch new file mode 100644 index 0000000000..706356a748 --- /dev/null +++ b/main/libxrender/CVE-2013-1987-1.patch @@ -0,0 +1,83 @@ +From e52853974664289fe42a92909667ed77cfa1cec5 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 05:45:20 +0000 +Subject: integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3] + +The length, numFilters & numAliases members of the reply are all CARD32 +and need to be bounds checked before multiplying & adding them together +to come up with the total size to allocate, to avoid integer overflow +leading to underallocation and writing data from the network past the +end of the allocated buffer. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- +diff --git a/src/Filter.c b/src/Filter.c +index 924b2a3..edfa572 100644 +--- a/src/Filter.c ++++ b/src/Filter.c +@@ -25,6 +25,7 @@ + #include <config.h> + #endif + #include "Xrenderint.h" ++#include <limits.h> + + XFilters * + XRenderQueryFilters (Display *dpy, Drawable drawable) +@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) + char *name; + char len; + int i; +- long nbytes, nbytesAlias, nbytesName; ++ unsigned long nbytes, nbytesAlias, nbytesName; + + if (!RenderHasExtension (info)) + return NULL; +@@ -60,22 +61,32 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) + SyncHandle (); + return NULL; + } +- /* +- * Compute total number of bytes for filter names +- */ +- nbytes = (long)rep.length << 2; +- nbytesAlias = rep.numAliases * 2; +- if (rep.numAliases & 1) +- nbytesAlias += 2; +- nbytesName = nbytes - nbytesAlias; + + /* +- * Allocate one giant block for the whole data structure ++ * Limit each component of combined size to 1/4 the max, which is far ++ * more than they should ever possibly need. + */ +- filters = Xmalloc (sizeof (XFilters) + +- rep.numFilters * sizeof (char *) + +- rep.numAliases * sizeof (short) + +- nbytesName); ++ if ((rep.length < (INT_MAX >> 2)) && ++ (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) && ++ (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) { ++ /* ++ * Compute total number of bytes for filter names ++ */ ++ nbytes = (unsigned long)rep.length << 2; ++ nbytesAlias = rep.numAliases * 2; ++ if (rep.numAliases & 1) ++ nbytesAlias += 2; ++ nbytesName = nbytes - nbytesAlias; ++ ++ /* ++ * Allocate one giant block for the whole data structure ++ */ ++ filters = Xmalloc (sizeof (XFilters) + ++ (rep.numFilters * sizeof (char *)) + ++ (rep.numAliases * sizeof (short)) + ++ nbytesName); ++ } else ++ filters = NULL; + + if (!filters) + { +-- +cgit v0.9.0.2-2-gbebe diff --git a/main/libxrender/CVE-2013-1987-2.patch b/main/libxrender/CVE-2013-1987-2.patch new file mode 100644 index 0000000000..4a0980dd73 --- /dev/null +++ b/main/libxrender/CVE-2013-1987-2.patch @@ -0,0 +1,81 @@ +From 9e577d40322b9e3d8bdefec0eefa44d8ead451a4 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 06:02:11 +0000 +Subject: integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3] + +The length, numFormats, numScreens, numDepths, and numVisuals members of +the reply are all CARD32 and need to be bounds checked before multiplying +and adding them together to come up with the total size to allocate, to +avoid integer overflow leading to underallocation and writing data from +the network past the end of the allocated buffer. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- +diff --git a/src/Xrender.c b/src/Xrender.c +index 5c8e5f5..a62c753 100644 +--- a/src/Xrender.c ++++ b/src/Xrender.c +@@ -26,6 +26,7 @@ + #include <config.h> + #endif + #include "Xrenderint.h" ++#include <limits.h> + + XRenderExtInfo XRenderExtensionInfo; + char XRenderExtensionName[] = RENDER_NAME; +@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy) + CARD32 *xSubpixel; + void *xData; + int nf, ns, nd, nv; +- int rlength; +- int nbytes; ++ unsigned long rlength; ++ unsigned long nbytes; + + RenderCheckExtension (dpy, info, 0); + LockDisplay (dpy); +@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy) + if (async_state.major_version == 0 && async_state.minor_version < 6) + rep.numSubpixel = 0; + +- xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) + +- rep.numFormats * sizeof (XRenderPictFormat) + +- rep.numScreens * sizeof (XRenderScreen) + +- rep.numDepths * sizeof (XRenderDepth) + +- rep.numVisuals * sizeof (XRenderVisual)); +- rlength = (rep.numFormats * sizeof (xPictFormInfo) + +- rep.numScreens * sizeof (xPictScreen) + +- rep.numDepths * sizeof (xPictDepth) + +- rep.numVisuals * sizeof (xPictVisual) + +- rep.numSubpixel * 4); +- xData = (void *) Xmalloc (rlength); +- nbytes = (int) rep.length << 2; ++ if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) && ++ (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) && ++ (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) && ++ (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) && ++ (rep.numSubpixel < ((INT_MAX / 4) / 4)) && ++ (rep.length < (INT_MAX >> 2)) ) { ++ xri = Xmalloc (sizeof (XRenderInfo) + ++ (rep.numFormats * sizeof (XRenderPictFormat)) + ++ (rep.numScreens * sizeof (XRenderScreen)) + ++ (rep.numDepths * sizeof (XRenderDepth)) + ++ (rep.numVisuals * sizeof (XRenderVisual))); ++ rlength = ((rep.numFormats * sizeof (xPictFormInfo)) + ++ (rep.numScreens * sizeof (xPictScreen)) + ++ (rep.numDepths * sizeof (xPictDepth)) + ++ (rep.numVisuals * sizeof (xPictVisual)) + ++ (rep.numSubpixel * 4)); ++ xData = Xmalloc (rlength); ++ nbytes = (unsigned long) rep.length << 2; ++ } else { ++ xri = NULL; ++ xData = NULL; ++ rlength = nbytes = 0; ++ } + + if (!xri || !xData || nbytes < rlength) + { +-- +cgit v0.9.0.2-2-gbebe diff --git a/main/libxrender/CVE-2013-1987-3.patch b/main/libxrender/CVE-2013-1987-3.patch new file mode 100644 index 0000000000..92e35d773e --- /dev/null +++ b/main/libxrender/CVE-2013-1987-3.patch @@ -0,0 +1,59 @@ +From 786f78fd8df6d165ccbc81f306fd9f22b5c1551c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 06:02:11 +0000 +Subject: integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3] + +The length and numIndexValues members of the reply are both CARD32 and +need to be bounds checked before multiplying by sizeof (XIndexValue) to +avoid integer overflow leading to underallocation and writing data from +the network past the end of the allocated buffer. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- +diff --git a/src/Xrender.c b/src/Xrender.c +index a62c753..3102eb2 100644 +--- a/src/Xrender.c ++++ b/src/Xrender.c +@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display *dpy, + xRenderQueryPictIndexValuesReq *req; + xRenderQueryPictIndexValuesReply rep; + XIndexValue *values; +- int nbytes, nread, rlength, i; ++ unsigned int nbytes, nread, rlength, i; + + RenderCheckExtension (dpy, info, NULL); + +@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display *dpy, + return NULL; + } + +- /* request data length */ +- nbytes = (long)rep.length << 2; +- /* bytes of actual data in the request */ +- nread = rep.numIndexValues * SIZEOF (xIndexValue); +- /* size of array returned to application */ +- rlength = rep.numIndexValues * sizeof (XIndexValue); ++ if ((rep.length < (INT_MAX >> 2)) && ++ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) { ++ /* request data length */ ++ nbytes = rep.length << 2; ++ /* bytes of actual data in the request */ ++ nread = rep.numIndexValues * SIZEOF (xIndexValue); ++ /* size of array returned to application */ ++ rlength = rep.numIndexValues * sizeof (XIndexValue); ++ ++ /* allocate returned data */ ++ values = Xmalloc (rlength); ++ } else { ++ nbytes = nread = rlength = 0; ++ values = NULL; ++ } + +- /* allocate returned data */ +- values = (XIndexValue *)Xmalloc (rlength); + if (!values) + { + _XEatDataWords (dpy, rep.length); +-- +cgit v0.9.0.2-2-gbebe |