diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 08:11:41 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 08:11:41 +0000 |
commit | b26655eaa38290e14b41bf0dd3645030445f42d7 (patch) | |
tree | 5b55747213a0470092f879479f769d4d84b75cd9 /main | |
parent | 29cd7b42af8cddcb339f1328bf8f7be3a115b396 (diff) | |
download | aports-b26655eaa38290e14b41bf0dd3645030445f42d7.tar.bz2 aports-b26655eaa38290e14b41bf0dd3645030445f42d7.tar.xz |
main/libxfixes: fix for CVE-2013-1983
ref #1931
Diffstat (limited to 'main')
-rw-r--r-- | main/libxfixes/APKBUILD | 25 | ||||
-rw-r--r-- | main/libxfixes/CVE-2013-1983.patch | 70 |
2 files changed, 90 insertions, 5 deletions
diff --git a/main/libxfixes/APKBUILD b/main/libxfixes/APKBUILD index df130f988e..b41372041f 100644 --- a/main/libxfixes/APKBUILD +++ b/main/libxfixes/APKBUILD @@ -1,18 +1,28 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libxfixes pkgver=5.0 -pkgrel=1 +pkgrel=2 pkgdesc="X11 miscellaneous 'fixes' extension library" url="http://xorg.freedesktop.org/" arch="all" license="custom" depends= -makedepends="pkgconfig xproto libx11-dev fixesproto xextproto" +depends_dev="xproto fixesproto libx11-dev" +makedepends="$depends_dev xextproto" subpackages="$pkgname-dev $pkgname-doc" -source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2" +source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2 + CVE-2013-1983.patch" -depends_dev="xproto fixesproto libx11-dev" _builddir="$srcdir"/libXfixes-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} + build() { cd "$_builddir" ./configure --prefix=/usr --sysconfdir=/etc --build=${CHOST} --host=${CHOST} @@ -24,4 +34,9 @@ package() { make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="678071bd7f9f7467e2fc712d81022318 libXfixes-5.0.tar.bz2" +md5sums="678071bd7f9f7467e2fc712d81022318 libXfixes-5.0.tar.bz2 +cfd62d3f71592118ca0a6862cfe221b3 CVE-2013-1983.patch" +sha256sums="537a2446129242737a35db40081be4bbcc126e56c03bf5f2b142b10a79cda2e3 libXfixes-5.0.tar.bz2 +b1e261feb83e064ac1123cb3004f0ed9284b23abef34f4f5bb6a5d452aff1192 CVE-2013-1983.patch" +sha512sums="fd3071b52c657975b4321e6c7ebe433c43ea6944d04d2228da075aad394e962eec705e41a6c3a6bbc12f704765189116d1328c3111e457f23395ff6f57ae63d5 libXfixes-5.0.tar.bz2 +6c1e9d1261ece81d97af947a1543f313aebfeb8cc18c121bc51e8cc1142e49c4c5c21fb304d2d37af318c530551e02c029bfbce928d9caefb9432b1c5a4da66c CVE-2013-1983.patch" diff --git a/main/libxfixes/CVE-2013-1983.patch b/main/libxfixes/CVE-2013-1983.patch new file mode 100644 index 0000000000..d0089d4f61 --- /dev/null +++ b/main/libxfixes/CVE-2013-1983.patch @@ -0,0 +1,70 @@ +From c480fe3271873ec7471b0cbd680f4dac18ca8904 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 17:24:08 +0000 +Subject: integer overflow in XFixesGetCursorImage() [CVE-2013-1983] + +If the reported cursor dimensions or name length are too large, the +calculations to allocate memory for them may overflow, leaving us +writing beyond the bounds of the allocation. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- +diff --git a/src/Cursor.c b/src/Cursor.c +index 641b747..33590b7 100644 +--- a/src/Cursor.c ++++ b/src/Cursor.c +@@ -47,6 +47,7 @@ + #include <config.h> + #endif + #include "Xfixesint.h" ++#include <limits.h> + + void + XFixesSelectCursorInput (Display *dpy, +@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy) + XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy); + xXFixesGetCursorImageAndNameReq *req; + xXFixesGetCursorImageAndNameReply rep; +- int npixels; +- int nbytes_name; +- int nbytes, nread, rlength; ++ size_t npixels; ++ size_t nbytes_name; ++ size_t nbytes, nread, rlength; + XFixesCursorImage *image; + char *name; + +@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy) + } + npixels = rep.width * rep.height; + nbytes_name = rep.nbytes; +- /* reply data length */ +- nbytes = (long) rep.length << 2; +- /* bytes of actual data in the reply */ +- nread = (npixels << 2) + nbytes_name; +- /* size of data returned to application */ +- rlength = (sizeof (XFixesCursorImage) + +- npixels * sizeof (unsigned long) + +- nbytes_name + 1); ++ if ((rep.length < (INT_MAX >> 2)) && ++ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1) ++ - nbytes_name)) { ++ /* reply data length */ ++ nbytes = (size_t) rep.length << 2; ++ /* bytes of actual data in the reply */ ++ nread = (npixels << 2) + nbytes_name; ++ /* size of data returned to application */ ++ rlength = (sizeof (XFixesCursorImage) + ++ npixels * sizeof (unsigned long) + ++ nbytes_name + 1); + +- image = (XFixesCursorImage *) Xmalloc (rlength); ++ image = Xmalloc (rlength); ++ } else ++ image = NULL; + if (!image) + { + _XEatDataWords(dpy, rep.length); +-- +cgit v0.9.0.2-2-gbebe |