aboutsummaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 08:48:52 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 08:48:52 +0000
commitadf915bf8b5c4ff1c07648f42cee8ab4d804dede (patch)
tree6c08fce45da9c21698b244140ba27cd582104170 /main
parentc3c243cd3795568ab5dd6fb7648f225ef2dbf593 (diff)
downloadaports-adf915bf8b5c4ff1c07648f42cee8ab4d804dede.tar.bz2
aports-adf915bf8b5c4ff1c07648f42cee8ab4d804dede.tar.xz
main/libxext: fix CVE-2013-1982
ref #1931
Diffstat (limited to 'main')
-rw-r--r--main/libxext/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch260
-rw-r--r--main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch60
-rw-r--r--main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch63
-rw-r--r--main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch84
-rw-r--r--main/libxext/0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch70
-rw-r--r--main/libxext/0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch74
-rw-r--r--main/libxext/0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch87
-rw-r--r--main/libxext/APKBUILD55
8 files changed, 748 insertions, 5 deletions
diff --git a/main/libxext/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch b/main/libxext/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
new file mode 100644
index 0000000000..58f29757e0
--- /dev/null
+++ b/main/libxext/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
@@ -0,0 +1,260 @@
+From ca84a813716f9de691dc3f60390d83af4b5ae534 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 09:32:12 -0700
+Subject: [PATCH 1/7] Use _XEatDataWords to avoid overflow of rep.length bit
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ COPYING | 3 ++-
+ configure.ac | 6 ++++++
+ src/Makefile.am | 1 +
+ src/XEVI.c | 4 +++-
+ src/XMultibuf.c | 3 ++-
+ src/XSecurity.c | 3 ++-
+ src/XShape.c | 3 ++-
+ src/XSync.c | 3 ++-
+ src/Xcup.c | 7 ++++---
+ src/eat.h | 40 ++++++++++++++++++++++++++++++++++++++++
+ 10 files changed, 64 insertions(+), 9 deletions(-)
+ create mode 100644 src/eat.h
+
+diff --git a/COPYING b/COPYING
+index 80622a0..e3a63ef 100644
+--- a/COPYING
++++ b/COPYING
+@@ -160,7 +160,8 @@ makes no representations about the suitability for any purpose
+ of the information in this document. This documentation is
+ provided ``as is'' without express or implied warranty.
+
+-Copyright (c) 1999, 2005, 2006, Oracle and/or its affiliates. All rights reserved.
++Copyright (c) 1999, 2005, 2006, 2013, Oracle and/or its affiliates.
++All rights reserved.
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+diff --git a/configure.ac b/configure.ac
+index 63775de..fb9888d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -38,6 +38,12 @@ AC_SUBST(XEXT_SOREV)
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XEXT, [xproto >= 7.0.13] [x11 >= 1.1.99.1] [xextproto >= 7.1.99])
+
++# Check for _XEatDataWords function that may be patched into older Xlib releases
++SAVE_LIBS="$LIBS"
++LIBS="$XEXT_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Allow checking code with lint, sparse, etc.
+ XORG_WITH_LINT
+ XORG_LINT_LIBRARY([Xext])
+diff --git a/src/Makefile.am b/src/Makefile.am
+index e236c33..b828547 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -12,6 +12,7 @@ libXext_la_LDFLAGS = -version-number $(XEXT_SOREV) -no-undefined
+ libXext_la_LIBADD = $(XEXT_LIBS)
+
+ libXext_la_SOURCES = \
++ eat.h \
+ DPMS.c \
+ MITMisc.c \
+ XAppgroup.c \
+diff --git a/src/XEVI.c b/src/XEVI.c
+index eb09daa..0125c51 100644
+--- a/src/XEVI.c
++++ b/src/XEVI.c
+@@ -30,6 +30,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
+ #include <X11/Xutil.h>
++#include "eat.h"
++
+ static XExtensionInfo *xevi_info;/* needs to move to globals.c */
+ static const char *xevi_extension_name = EVINAME;
+ #define XeviCheckExtension(dpy,i,val) \
+@@ -171,7 +173,7 @@ Status XeviGetVisualInfo(
+ xInfoPtr = temp_xInfo = (xExtendedVisualInfo *)Xmalloc(sz_xInfo);
+ xConflictPtr = temp_conflict = (VisualID32 *)Xmalloc(sz_xConflict);
+ if (!*evi_return || !temp_xInfo || !temp_conflict) {
+- _XEatData(dpy, (sz_xInfo + sz_xConflict + 3) & ~3);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ if (evi_return)
+diff --git a/src/XMultibuf.c b/src/XMultibuf.c
+index 7a746ba..43d56d3 100644
+--- a/src/XMultibuf.c
++++ b/src/XMultibuf.c
+@@ -34,6 +34,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/multibufproto.h>
+ #include <X11/extensions/multibuf.h>
++#include "eat.h"
+
+ static XExtensionInfo _multibuf_info_data;
+ static XExtensionInfo *multibuf_info = &_multibuf_info_data;
+@@ -408,7 +409,7 @@ Status XmbufGetWindowAttributes (
+ attr->buffers = (Multibuffer *) Xmalloc((unsigned) nbytes);
+ nbytes = rep.length << 2;
+ if (! attr->buffers) {
+- _XEatData(dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return (0);
+diff --git a/src/XSecurity.c b/src/XSecurity.c
+index f8c7da1..ab17755 100644
+--- a/src/XSecurity.c
++++ b/src/XSecurity.c
+@@ -33,6 +33,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/securproto.h>
+ #include <X11/extensions/security.h>
++#include "eat.h"
+
+ static XExtensionInfo _Security_info_data;
+ static XExtensionInfo *Security_info = &_Security_info_data;
+@@ -282,7 +283,7 @@ XSecurityGenerateAuthorization(
+ }
+ else
+ {
+- _XEatData(dpy, (unsigned long) (rep.dataLength + 3) & ~3);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay (dpy);
+diff --git a/src/XShape.c b/src/XShape.c
+index 6e8fbae..3987876 100644
+--- a/src/XShape.c
++++ b/src/XShape.c
+@@ -35,6 +35,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/shape.h>
+ #include <X11/extensions/shapeproto.h>
++#include "eat.h"
+
+ static XExtensionInfo _shape_info_data;
+ static XExtensionInfo *shape_info = &_shape_info_data;
+@@ -468,7 +469,7 @@ XRectangle *XShapeGetRectangles (
+ Xfree (xrects);
+ if (rects)
+ Xfree (rects);
+- _XEatData (dpy, *count * sizeof (xRectangle));
++ _XEatDataWords (dpy, rep.length);
+ rects = NULL;
+ *count = 0;
+ } else {
+diff --git a/src/XSync.c b/src/XSync.c
+index 5775293..3ca1308 100644
+--- a/src/XSync.c
++++ b/src/XSync.c
+@@ -59,6 +59,7 @@ PERFORMANCE OF THIS SOFTWARE.
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/sync.h>
+ #include <X11/extensions/syncproto.h>
++#include "eat.h"
+
+ static XExtensionInfo _sync_info_data;
+ static XExtensionInfo *sync_info = &_sync_info_data;
+@@ -364,7 +365,7 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
+ {
+ if (list) Xfree((char *) list);
+ if (pWireSysCounter) Xfree((char *) pWireSysCounter);
+- _XEatData(dpy, (unsigned long) replylen);
++ _XEatDataWords(dpy, rep.length);
+ list = NULL;
+ goto bail;
+ }
+diff --git a/src/Xcup.c b/src/Xcup.c
+index bb9e90f..1f1d625 100644
+--- a/src/Xcup.c
++++ b/src/Xcup.c
+@@ -36,6 +36,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <X11/extensions/cupproto.h>
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
++#include "eat.h"
+
+ static XExtensionInfo _xcup_info_data;
+ static XExtensionInfo *xcup_info = &_xcup_info_data;
+@@ -144,7 +145,7 @@ XcupGetReservedColormapEntries(
+ rbufp = rbuf;
+
+ if (rbufp == NULL) {
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return False;
+@@ -221,7 +222,7 @@ XcupStoreColors(
+ nbytes = nentries * SIZEOF (xColorItem);
+
+ if (nentries != ncolors) {
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return False;
+@@ -233,7 +234,7 @@ XcupStoreColors(
+ rbufp = rbuf;
+
+ if (rbufp == NULL) {
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return False;
+diff --git a/src/eat.h b/src/eat.h
+new file mode 100644
+index 0000000..239532b
+--- /dev/null
++++ b/src/eat.h
+@@ -0,0 +1,40 @@
++/*
++ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
++ * DEALINGS IN THE SOFTWARE.
++ */
++
++#ifdef HAVE_CONFIG_H
++# include "config.h"
++#endif
++
++#ifndef HAVE__XEATDATAWORDS
++#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
++#include <limits.h>
++
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+--
+1.8.2.3
+
diff --git a/main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch b/main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
new file mode 100644
index 0000000000..d974de57af
--- /dev/null
+++ b/main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
@@ -0,0 +1,60 @@
+From d05f27a6f74cb419ad5a437f2e4690b17e7faee5 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 14:40:33 -0800
+Subject: [PATCH 2/7] integer overflow in XcupGetReservedColormapEntries()
+ [CVE-2013-1982 1/6]
+
+If the computed number of entries is large enough that it overflows when
+multiplied by the size of a xColorItem struct, or is treated as negative
+when compared to the size of the stack allocated buffer, then memory
+corruption can occur when more bytes are read from the X server than the
+size of the buffer we allocated to hold them.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xcup.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/Xcup.c b/src/Xcup.c
+index 1f1d625..670f356 100644
+--- a/src/Xcup.c
++++ b/src/Xcup.c
+@@ -36,6 +36,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <X11/extensions/cupproto.h>
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
++#include <limits.h>
+ #include "eat.h"
+
+ static XExtensionInfo _xcup_info_data;
+@@ -134,15 +135,19 @@ XcupGetReservedColormapEntries(
+ req->xcupReqType = X_XcupGetReservedColormapEntries;
+ req->screen = screen;
+ if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
+- long nbytes;
++ unsigned long nbytes;
+ xColorItem* rbufp;
+- int nentries = rep.length / 3;
++ unsigned int nentries = rep.length / 3;
+
+- nbytes = nentries * SIZEOF (xColorItem);
+- if (nentries > TYP_RESERVED_ENTRIES)
+- rbufp = (xColorItem*) Xmalloc (nbytes);
+- else
+- rbufp = rbuf;
++ if (nentries < (INT_MAX / SIZEOF (xColorItem))) {
++ nbytes = nentries * SIZEOF (xColorItem);
++
++ if (nentries > TYP_RESERVED_ENTRIES)
++ rbufp = Xmalloc (nbytes);
++ else
++ rbufp = rbuf;
++ } else
++ rbufp = NULL;
+
+ if (rbufp == NULL) {
+ _XEatDataWords(dpy, rep.length);
+--
+1.8.2.3
+
diff --git a/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch b/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
new file mode 100644
index 0000000000..0be477d23d
--- /dev/null
+++ b/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
@@ -0,0 +1,63 @@
+From 082d70b19848059ba78c9d1c315114fb07e8c0ef Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 14:40:33 -0800
+Subject: [PATCH 3/7] integer overflow in XcupStoreColors() [CVE-2013-1982 2/6]
+
+If the computed number of entries is large enough that it overflows when
+multiplied by the size of a xColorItem struct, or is treated as negative
+when compared to the size of the stack allocated buffer, then memory
+corruption can occur when more bytes are read from the X server than the
+size of the buffer we allocated to hold them.
+
+The requirement to match the number of colors specified by the caller makes
+this much harder to hit than the one in XcupGetReservedColormapEntries()
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xcup.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+diff --git a/src/Xcup.c b/src/Xcup.c
+index 670f356..cdc64c2 100644
+--- a/src/Xcup.c
++++ b/src/Xcup.c
+@@ -219,24 +219,21 @@ XcupStoreColors(
+ }
+
+ if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
+- long nbytes;
++ unsigned long nbytes;
+ xColorItem* rbufp;
+ xColorItem* cs;
+- int nentries = rep.length / 3;
+-
+- nbytes = nentries * SIZEOF (xColorItem);
++ unsigned int nentries = rep.length / 3;
+
+- if (nentries != ncolors) {
+- _XEatDataWords(dpy, rep.length);
+- UnlockDisplay (dpy);
+- SyncHandle ();
+- return False;
+- }
++ if ((nentries == ncolors) &&
++ (nentries < (INT_MAX / SIZEOF (xColorItem)))) {
++ nbytes = nentries * SIZEOF (xColorItem);
+
+- if (ncolors > 256)
+- rbufp = (xColorItem*) Xmalloc (nbytes);
+- else
+- rbufp = rbuf;
++ if (ncolors > 256)
++ rbufp = Xmalloc (nbytes);
++ else
++ rbufp = rbuf;
++ } else
++ rbufp = NULL;
+
+ if (rbufp == NULL) {
+ _XEatDataWords(dpy, rep.length);
+--
+1.8.2.3
+
diff --git a/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch b/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
new file mode 100644
index 0000000000..75c50e0025
--- /dev/null
+++ b/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
@@ -0,0 +1,84 @@
+From 96d1da55a08c4cd52b763cb07bdce5cdcbec4da8 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 14:40:33 -0800
+Subject: [PATCH 4/7] several integer overflows in XdbeGetVisualInfo()
+ [CVE-2013-1982 3/6]
+
+If the number of screens or visuals reported by the server is large enough
+that it overflows when multiplied by the size of the appropriate struct,
+then memory corruption can occur when more bytes are read from the X server
+than the size of the buffer we allocated to hold them.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xdbe.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/src/Xdbe.c b/src/Xdbe.c
+index 4b5fa18..016886c 100644
+--- a/src/Xdbe.c
++++ b/src/Xdbe.c
+@@ -39,6 +39,8 @@
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/Xdbe.h>
+ #include <X11/extensions/dbeproto.h>
++#include <limits.h>
++#include "eat.h"
+
+ static XExtensionInfo _dbe_info_data;
+ static XExtensionInfo *dbe_info = &_dbe_info_data;
+@@ -352,9 +354,12 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
+ *num_screens = rep.m;
+
+ /* allocate list of visual information to be returned */
+- if (!(scrVisInfo =
+- (XdbeScreenVisualInfo *)Xmalloc(
+- (unsigned)(*num_screens * sizeof(XdbeScreenVisualInfo))))) {
++ if ((*num_screens > 0) && (*num_screens < 65536))
++ scrVisInfo = Xmalloc(*num_screens * sizeof(XdbeScreenVisualInfo));
++ else
++ scrVisInfo = NULL;
++ if (scrVisInfo == NULL) {
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+@@ -362,25 +367,27 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
+
+ for (i = 0; i < *num_screens; i++)
+ {
+- int nbytes;
+ int j;
+- long c;
++ unsigned long c;
+
+- _XRead32 (dpy, &c, sizeof(CARD32));
+- scrVisInfo[i].count = c;
++ _XRead32 (dpy, (long *) &c, sizeof(CARD32));
+
+- nbytes = scrVisInfo[i].count * sizeof(XdbeVisualInfo);
++ if (c < 65536) {
++ scrVisInfo[i].count = c;
++ scrVisInfo[i].visinfo = Xmalloc(c * sizeof(XdbeVisualInfo));
++ } else
++ scrVisInfo[i].visinfo = NULL;
+
+ /* if we can not allocate the list of visual/depth info
+ * then free the lists that we already allocate as well
+ * as the visual info list itself
+ */
+- if (!(scrVisInfo[i].visinfo = (XdbeVisualInfo *)Xmalloc(
+- (unsigned)nbytes))) {
++ if (scrVisInfo[i].visinfo == NULL) {
+ for (j = 0; j < i; j++) {
+ Xfree ((char *)scrVisInfo[j].visinfo);
+ }
+ Xfree ((char *)scrVisInfo);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+--
+1.8.2.3
+
diff --git a/main/libxext/0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch b/main/libxext/0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
new file mode 100644
index 0000000000..e1aa4cc383
--- /dev/null
+++ b/main/libxext/0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
@@ -0,0 +1,70 @@
+From 67ecdcf7e29de9fa78b421122620525ed2c7db88 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 14:40:33 -0800
+Subject: [PATCH 5/7] integer overflow in XeviGetVisualInfo() [CVE-2013-1982
+ 4/6]
+
+If the number of visuals or conflicts reported by the server is large
+enough that it overflows when multiplied by the size of the appropriate
+struct, then memory corruption can occur when more bytes are read from
+the X server than the size of the buffer we allocated to hold them.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XEVI.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/src/XEVI.c b/src/XEVI.c
+index 0125c51..5a95583 100644
+--- a/src/XEVI.c
++++ b/src/XEVI.c
+@@ -30,6 +30,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
+ #include <X11/Xutil.h>
++#include <limits.h>
+ #include "eat.h"
+
+ static XExtensionInfo *xevi_info;/* needs to move to globals.c */
+@@ -165,13 +166,20 @@ Status XeviGetVisualInfo(
+ return BadAccess;
+ }
+ Xfree(temp_visual);
+- sz_info = rep.n_info * sizeof(ExtendedVisualInfo);
+- sz_xInfo = rep.n_info * sz_xExtendedVisualInfo;
+- sz_conflict = rep.n_conflicts * sizeof(VisualID);
+- sz_xConflict = rep.n_conflicts * sz_VisualID32;
+- infoPtr = *evi_return = (ExtendedVisualInfo *)Xmalloc(sz_info + sz_conflict);
+- xInfoPtr = temp_xInfo = (xExtendedVisualInfo *)Xmalloc(sz_xInfo);
+- xConflictPtr = temp_conflict = (VisualID32 *)Xmalloc(sz_xConflict);
++ if ((rep.n_info < 65536) && (rep.n_conflicts < 65536)) {
++ sz_info = rep.n_info * sizeof(ExtendedVisualInfo);
++ sz_xInfo = rep.n_info * sz_xExtendedVisualInfo;
++ sz_conflict = rep.n_conflicts * sizeof(VisualID);
++ sz_xConflict = rep.n_conflicts * sz_VisualID32;
++ *evi_return = Xmalloc(sz_info + sz_conflict);
++ temp_xInfo = Xmalloc(sz_xInfo);
++ temp_conflict = Xmalloc(sz_xConflict);
++ } else {
++ sz_xInfo = sz_xConflict = 0;
++ *evi_return = NULL;
++ temp_xInfo = NULL;
++ temp_conflict = NULL;
++ }
+ if (!*evi_return || !temp_xInfo || !temp_conflict) {
+ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+@@ -188,6 +196,9 @@ Status XeviGetVisualInfo(
+ _XRead(dpy, (char *)temp_conflict, sz_xConflict);
+ UnlockDisplay(dpy);
+ SyncHandle();
++ infoPtr = *evi_return;
++ xInfoPtr = temp_xInfo;
++ xConflictPtr = temp_conflict;
+ n_data = rep.n_info;
+ conflict = (VisualID *)(infoPtr + n_data);
+ while (n_data-- > 0) {
+--
+1.8.2.3
+
diff --git a/main/libxext/0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch b/main/libxext/0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
new file mode 100644
index 0000000000..01f40d7b56
--- /dev/null
+++ b/main/libxext/0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
@@ -0,0 +1,74 @@
+From 6ecd96e8be3c33e2ffad6631cea4aa0a030d93c2 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 14:40:33 -0800
+Subject: [PATCH 6/7] integer overflow in XShapeGetRectangles() [CVE-2013-1982
+ 5/6]
+
+If the number of rectangles reported by the server is large enough that
+it overflows when multiplied by the size of the appropriate struct, then
+memory corruption can occur when more bytes are read from the X server
+than the size of the buffer we allocated to hold them.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XShape.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/src/XShape.c b/src/XShape.c
+index 3987876..d025020 100644
+--- a/src/XShape.c
++++ b/src/XShape.c
+@@ -35,6 +35,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/shape.h>
+ #include <X11/extensions/shapeproto.h>
++#include <limits.h>
+ #include "eat.h"
+
+ static XExtensionInfo _shape_info_data;
+@@ -443,7 +444,7 @@ XRectangle *XShapeGetRectangles (
+ xShapeGetRectanglesReply rep;
+ XRectangle *rects;
+ xRectangle *xrects;
+- int i;
++ unsigned int i;
+
+ ShapeCheckExtension (dpy, info, (XRectangle *)NULL);
+
+@@ -461,20 +462,23 @@ XRectangle *XShapeGetRectangles (
+ *count = rep.nrects;
+ *ordering = rep.ordering;
+ rects = NULL;
+- if (*count) {
+- xrects = (xRectangle *) Xmalloc (*count * sizeof (xRectangle));
+- rects = (XRectangle *) Xmalloc (*count * sizeof (XRectangle));
++ if (rep.nrects) {
++ if (rep.nrects < (INT_MAX / sizeof (XRectangle))) {
++ xrects = Xmalloc (rep.nrects * sizeof (xRectangle));
++ rects = Xmalloc (rep.nrects * sizeof (XRectangle));
++ } else {
++ xrects = NULL;
++ rects = NULL;
++ }
+ if (!xrects || !rects) {
+- if (xrects)
+- Xfree (xrects);
+- if (rects)
+- Xfree (rects);
++ Xfree (xrects);
++ Xfree (rects);
+ _XEatDataWords (dpy, rep.length);
+ rects = NULL;
+ *count = 0;
+ } else {
+- _XRead (dpy, (char *) xrects, *count * sizeof (xRectangle));
+- for (i = 0; i < *count; i++) {
++ _XRead (dpy, (char *) xrects, rep.nrects * sizeof (xRectangle));
++ for (i = 0; i < rep.nrects; i++) {
+ rects[i].x = (short) cvtINT16toInt (xrects[i].x);
+ rects[i].y = (short) cvtINT16toInt (xrects[i].y);
+ rects[i].width = xrects[i].width;
+--
+1.8.2.3
+
diff --git a/main/libxext/0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch b/main/libxext/0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch
new file mode 100644
index 0000000000..95382256d1
--- /dev/null
+++ b/main/libxext/0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch
@@ -0,0 +1,87 @@
+From dfe6e1f3b8ede3d0bab7a5fa57f73513a09ec649 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 14:40:33 -0800
+Subject: [PATCH 7/7] integer overflow in XSyncListSystemCounters()
+ [CVE-2013-1982 6/6]
+
+If the number of counters or amount of data reported by the server is
+large enough that it overflows when multiplied by the size of the
+appropriate struct, then memory corruption can occur when more bytes
+are read from the X server than the size of the buffers we allocated
+to hold them.
+
+V2: Make sure we don't walk past the end of the reply when converting
+data from wire format to the structures returned to the caller.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XSync.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/src/XSync.c b/src/XSync.c
+index 3ca1308..ce4ab44 100644
+--- a/src/XSync.c
++++ b/src/XSync.c
+@@ -59,6 +59,7 @@ PERFORMANCE OF THIS SOFTWARE.
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/sync.h>
+ #include <X11/extensions/syncproto.h>
++#include <limits.h>
+ #include "eat.h"
+
+ static XExtensionInfo _sync_info_data;
+@@ -352,19 +353,28 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
+ if (rep.nCounters > 0)
+ {
+ xSyncSystemCounter *pWireSysCounter, *pNextWireSysCounter;
++ xSyncSystemCounter *pLastWireSysCounter;
+ XSyncCounter counter;
+- int replylen;
++ unsigned int replylen;
+ int i;
+
+- list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter));
+- replylen = rep.length << 2;
+- pWireSysCounter = Xmalloc ((unsigned) replylen + sizeof(XSyncCounter));
+- /* +1 to leave room for last counter read-ahead */
++ if (rep.nCounters < (INT_MAX / sizeof(XSyncSystemCounter)))
++ list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter));
++ if (rep.length < (INT_MAX >> 2)) {
++ replylen = rep.length << 2;
++ pWireSysCounter = Xmalloc (replylen + sizeof(XSyncCounter));
++ /* +1 to leave room for last counter read-ahead */
++ pLastWireSysCounter = (xSyncSystemCounter *)
++ ((char *)pWireSysCounter) + replylen;
++ } else {
++ replylen = 0;
++ pWireSysCounter = NULL;
++ }
+
+ if ((!list) || (!pWireSysCounter))
+ {
+- if (list) Xfree((char *) list);
+- if (pWireSysCounter) Xfree((char *) pWireSysCounter);
++ Xfree(list);
++ Xfree(pWireSysCounter);
+ _XEatDataWords(dpy, rep.length);
+ list = NULL;
+ goto bail;
+@@ -388,6 +398,14 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
+ pNextWireSysCounter = (xSyncSystemCounter *)
+ (((char *)pWireSysCounter) + ((SIZEOF(xSyncSystemCounter) +
+ pWireSysCounter->name_length + 3) & ~3));
++ /* Make sure we haven't gone too far */
++ if (pNextWireSysCounter > pLastWireSysCounter) {
++ Xfree(list);
++ Xfree(pWireSysCounter);
++ list = NULL;
++ goto bail;
++ }
++
+ counter = pNextWireSysCounter->counter;
+
+ list[i].name = ((char *)pWireSysCounter) +
+--
+1.8.2.3
+
diff --git a/main/libxext/APKBUILD b/main/libxext/APKBUILD
index 1561fa3735..b5cbc1d92a 100644
--- a/main/libxext/APKBUILD
+++ b/main/libxext/APKBUILD
@@ -1,17 +1,39 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxext
pkgver=1.3.1
-pkgrel=0
+pkgrel=1
pkgdesc="X11 miscellaneous extensions library"
url="http://xorg.freedesktop.org/"
arch="all"
license="custom"
depends=
-makedepends="pkgconfig xproto xextproto libx11-dev libxau-dev"
+depends_dev="xextproto libx11-dev libxau-dev"
+makedepends="$depends_dev xproto
+ libtool autoconf automake util-macros"
subpackages="$pkgname-dev $pkgname-doc"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXext-$pkgver.tar.bz2"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXext-$pkgver.tar.bz2
+ 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+ 0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
+ 0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
+ 0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
+ 0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
+ 0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
+ 0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch
+ "
+
+
+_builddir="$srcdir"/libXext-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+ libtoolize --force && aclocal && autoheader && autoconf \
+ && automake --add-missing
+}
-depends_dev="xextproto libx11-dev libxau-dev"
build() {
cd "$srcdir"/libXext-$pkgver
./configure --prefix=/usr --sysconfdir=/etc
@@ -23,4 +45,27 @@ package() {
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
}
-md5sums="71251a22bc47068d60a95f50ed2ec3cf libXext-1.3.1.tar.bz2"
+md5sums="71251a22bc47068d60a95f50ed2ec3cf libXext-1.3.1.tar.bz2
+e8571e1188293644413df6beb332c209 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+3ae33cae5c48fa8cfaa2669a2f474377 0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
+be5437299e95d870d0c2555e994f9e99 0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
+f10d0d95cd02a31b42ebd9c71b098e00 0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
+30d0d1e0d7e47444d767101c789129c6 0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
+0684b2e3ac5875c1642a77ba6194ec81 0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
+1c60dbeb9032d3823616e7fcf1162c15 0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch"
+sha256sums="56229c617eb7bfd6dec40d2805bc4dfb883dfe80f130d99b9a2beb632165e859 libXext-1.3.1.tar.bz2
+a403c890692475a9e1a99c50bae893c150695a75f8ba7f415da2a165a54b1a14 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+46b3466a51fa040f39ae7e3fbf7d4d590dd6f3c246990cb5fb91eb40a547e156 0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
+b1c4b9308e140458a1e010b874d68fdc646ebf9c16b8adf573bbe05ab3e266a1 0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
+1ddc2cd6d47b77247fc67831d81b33df287b9042bffec4fceeb1014ea08462be 0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
+f25b13702696eb15bbcc903e6900a08f61ab39a9e79972ff1666dc32671082cb 0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
+438dec8cc7e02d70318631b8c094a238a88a049eea8187a83f1b34cf859de333 0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
+660c78e986fc227845dea5aeef00d91e328a52e3268a852160fe4056d4c13c1f 0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch"
+sha512sums="e8536d5a93ae6718c459c013abef0660085b4014fa5db7614f847e75dc4ea87a6235593201c144c424c9f809c8f1275eeadd858fd8915ca34ea1713cf367110a libXext-1.3.1.tar.bz2
+3944b42305c7686e815bf11f996a48ed605f6f6cbac525e44dd42f0a6e1f9d7ed03b53bf0cc540fd0e1528128a1895ab8683f659d04670cf4c98fe784763ec50 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+10f5c15281aa9d5e6e18511243e020f3d943bd7421defc2c0e5c68cca36d2e0fdd55f1cc58955ba8f2e2ba5983c18ff6610d5b2b2e6a0877f23f446bf2a6c4ed 0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
+dfc93f726ae0298c2b3ff43be24509904882de8d87e450e0292b32358211e961be72bca0d7af50afb955fa5ac4679598eb72526c9436d6f3fb0973b3ab6c2f08 0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
+26699071127642cf32763be2823fcf57e4bfa7766f60c432154e569f5fb91cf7bb8fb9bd9033190fec0c74cc62aad75f73418d48a7218fe37792ca0584a990e3 0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
+6019357b85646c1c97426d03be5146a0af7a05e90af5fcee713cd2f5cd228b3634f896c76d66e174d55ea095f083b5afbb53ae4ea266979c9cdbb2813a4e5013 0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
+4701c06782c7fb69b4eae19a7e6e1d88f8243fc3353f8be72d820bfa36761ad98ee0e5359e55c4e45a1fbf440cfd63e6d2732dd6d68564da3c707e85184e5a41 0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
+741a7716aa955c618b526f063919b7268e467f65d125a13dc72f4fd237550e2085e176f08375e8f01829341f9e967963d6d82f95bbc1cda80831c5c0691dbc91 0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch"