diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 08:32:13 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-27 14:06:56 +0000 |
| commit | cb0cd770ba3f64b0c0804962bc03dda167a4c207 (patch) | |
| tree | 4baaef9361720ed4d3d51f011b82b0910933de13 /main | |
| parent | b2f170f145ce7d7a5a7125aca8e4aacd05594596 (diff) | |
| download | aports-cb0cd770ba3f64b0c0804962bc03dda167a4c207.tar.bz2 aports-cb0cd770ba3f64b0c0804962bc03dda167a4c207.tar.xz | |
main/libxcursor: fix CVE-2013-2003
ref #1931
fixes #1999
(cherry picked from commit 99d3e572056d735f20db0b6a80e86398462ee97b)
Conflicts:
main/libxcursor/APKBUILD
Diffstat (limited to 'main')
| -rw-r--r-- | main/libxcursor/APKBUILD | 26 | ||||
| -rw-r--r-- | main/libxcursor/CVE-2013-2003.patch | 34 |
2 files changed, 53 insertions, 7 deletions
diff --git a/main/libxcursor/APKBUILD b/main/libxcursor/APKBUILD index 44cf51f2c2..500d94dde0 100644 --- a/main/libxcursor/APKBUILD +++ b/main/libxcursor/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libxcursor -pkgver=1.1.12 +pkgver=1.1.13 pkgrel=0 pkgdesc="X cursor management library" url="http://xorg.freedesktop.org/" @@ -8,12 +8,23 @@ arch="all" license="custom" subpackages="$pkgname-dev $pkgname-doc" depends= -makedepends="pkgconfig libxfixes-dev libx11-dev libxrender-dev" -source="http://xorg.freedesktop.org/releases/individual/lib/libXcursor-$pkgver.tar.bz2" - depends_dev="xproto libx11-dev libxrender-dev libxfixes-dev" +makedepends="$depends_dev" +source="http://xorg.freedesktop.org/releases/individual/lib/libXcursor-$pkgver.tar.bz2 + CVE-2013-2003.patch" + +_builddir="$srcdir"/libXcursor-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} + build() { - cd "$srcdir"/libXcursor-$pkgver + cd "$_builddir" ./configure --prefix=/usr \ --sysconfdir=/etc \ || return 1 @@ -21,8 +32,9 @@ build() { } package() { - cd "$srcdir"/libXcursor-$pkgver + cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="a93b5a6f5b05976d2c0d3f8a07f6ac6a libXcursor-1.1.12.tar.bz2" +md5sums="52efa81b7f26c8eda13510a2fba98eea libXcursor-1.1.13.tar.bz2 +e604d93c5dfcc22078129959acc9a6d5 CVE-2013-2003.patch" diff --git a/main/libxcursor/CVE-2013-2003.patch b/main/libxcursor/CVE-2013-2003.patch new file mode 100644 index 0000000000..a4f41e1453 --- /dev/null +++ b/main/libxcursor/CVE-2013-2003.patch @@ -0,0 +1,34 @@ +From 8f677eaea05290531d007d1fec2768119926088d Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 04:17:28 +0000 +Subject: signedness bug & integer overflow in _XcursorFileHeaderCreate() [CVE-2013-2003] + +When parsing cursor files, a user defined (e.g. through environment +variables) cursor file is opened and parsed. + +The header is read in _XcursorReadFileHeader(), which reads an unsigned +int for the number of toc structures in the header, but it was being +passed to _XcursorFileHeaderCreate() as a signed int to allocate those +structures. If the number was negative, it would pass the bounds check +and could overflow the calculation for how much memory to allocate to +store the data being read, leading to overflowing the buffer with the +data read from the user controlled file. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- +diff --git a/src/file.c b/src/file.c +index efe6d4b..ce9de78 100644 +--- a/src/file.c ++++ b/src/file.c +@@ -205,7 +205,7 @@ _XcursorFileHeaderDestroy (XcursorFileHeader *fileHeader) + } + + static XcursorFileHeader * +-_XcursorFileHeaderCreate (int ntoc) ++_XcursorFileHeaderCreate (XcursorUInt ntoc) + { + XcursorFileHeader *fileHeader; + +-- +cgit v0.9.0.2-2-gbebe |