aboutsummaryrefslogtreecommitdiffstats
path: root/main/libxrender
diff options
context:
space:
mode:
Diffstat (limited to 'main/libxrender')
-rw-r--r--main/libxrender/APKBUILD33
-rw-r--r--main/libxrender/CVE-2013-1987-1.patch83
-rw-r--r--main/libxrender/CVE-2013-1987-2.patch81
-rw-r--r--main/libxrender/CVE-2013-1987-3.patch59
4 files changed, 6 insertions, 250 deletions
diff --git a/main/libxrender/APKBUILD b/main/libxrender/APKBUILD
index e1349f439d..0a4e6a80d7 100644
--- a/main/libxrender/APKBUILD
+++ b/main/libxrender/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxrender
-pkgver=0.9.7
-pkgrel=1
+pkgver=0.9.8
+pkgrel=0
pkgdesc="X Rendering Extension client library"
url="http://xorg.freedesktop.org/"
arch="all"
@@ -10,22 +10,10 @@ subpackages="$pkgname-dev"
depends=
depends_dev="xproto renderproto libx11-dev"
makedepends="$depends_dev"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2
- CVE-2013-1987-1.patch
- CVE-2013-1987-2.patch
- CVE-2013-1987-3.patch
- "
+source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2"
_builddir="$srcdir"/libXrender-$pkgver
-prepare() {
- cd "$_builddir"
- for i in $source; do
- case $i in
- *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
- esac
- done
-}
build() {
cd "$_builddir"
@@ -38,15 +26,6 @@ package() {
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
}
-md5sums="ee62f4c7f0f16ced4da63308963ccad2 libXrender-0.9.7.tar.bz2
-5d82b028bed7456b38f1d001a222b1d8 CVE-2013-1987-1.patch
-8e0adc5dcbf89ea1d0c7fe0e0dd5e8d7 CVE-2013-1987-2.patch
-b3bac65a7f41bcacbf5fd8278ac709b6 CVE-2013-1987-3.patch"
-sha256sums="f9b46b93c9bc15d5745d193835ac9ba2a2b411878fad60c504bbb8f98492bbe6 libXrender-0.9.7.tar.bz2
-4a0b2e6d693c86eab43aa6e6720de149298ea67b1ccc10a723bfb9db3787703a CVE-2013-1987-1.patch
-7ee9c01f3f20f817c37210147afc50038541bea53b270ce2c3eacf9969821a39 CVE-2013-1987-2.patch
-141096ee1b739e2ca4b270215dbf1ad9ed57ad9d0b405256241f0fb8e19a61ce CVE-2013-1987-3.patch"
-sha512sums="b52cebf6ebcdfc1e321b4ec7a18ba781cd05ddab9bb191532ea4174848fb7bb7f5bc7e609944e6e193f7b808e5b50316ba74b5bf1024e61b11358ac1887b44dc libXrender-0.9.7.tar.bz2
-5ec8fa4531271e9c6904b00fa828a82e3b2904d8ea7f8803da4175b516f9a4b268e44fd90607244850affd9899f12f107bb038b02529983c04c5968a10d74a0d CVE-2013-1987-1.patch
-45778c206f35b3ccc814bf68713582e1aeda45f182678ca88e194b0eb45f8f930732d465b3d10ee475892c5b7e0a9a67354b0036e0ffe2989c929c27f828d52b CVE-2013-1987-2.patch
-8bee48d9d23ce10aa8076a1c93edd2f2f2b221421ef4d706cacf2f4b23ccb7aea64cfca9fe7766820c8473208fc25d573d72f6a717aa5a0bad9da4297c15af05 CVE-2013-1987-3.patch"
+md5sums="2bd9a15fcf64d216e63b8d129e4f1f1c libXrender-0.9.8.tar.bz2"
+sha256sums="1d14b02f0060aec5d90dfdcf16a996f17002e515292906ed26e3dcbba0f4fc62 libXrender-0.9.8.tar.bz2"
+sha512sums="111a0ec4e19932a50da4914d9112b0a16c1d9c800e2b8398ddaf9ed70dae1a4eb75860282ca62d023e78957bbc3f015cb80d91ba76a24595df9f8a2b7e055b58 libXrender-0.9.8.tar.bz2"
diff --git a/main/libxrender/CVE-2013-1987-1.patch b/main/libxrender/CVE-2013-1987-1.patch
deleted file mode 100644
index 706356a748..0000000000
--- a/main/libxrender/CVE-2013-1987-1.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From e52853974664289fe42a92909667ed77cfa1cec5 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 05:45:20 +0000
-Subject: integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3]
-
-The length, numFilters & numAliases members of the reply are all CARD32
-and need to be bounds checked before multiplying & adding them together
-to come up with the total size to allocate, to avoid integer overflow
-leading to underallocation and writing data from the network past the
-end of the allocated buffer.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
-diff --git a/src/Filter.c b/src/Filter.c
-index 924b2a3..edfa572 100644
---- a/src/Filter.c
-+++ b/src/Filter.c
-@@ -25,6 +25,7 @@
- #include <config.h>
- #endif
- #include "Xrenderint.h"
-+#include <limits.h>
-
- XFilters *
- XRenderQueryFilters (Display *dpy, Drawable drawable)
-@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
- char *name;
- char len;
- int i;
-- long nbytes, nbytesAlias, nbytesName;
-+ unsigned long nbytes, nbytesAlias, nbytesName;
-
- if (!RenderHasExtension (info))
- return NULL;
-@@ -60,22 +61,32 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
- SyncHandle ();
- return NULL;
- }
-- /*
-- * Compute total number of bytes for filter names
-- */
-- nbytes = (long)rep.length << 2;
-- nbytesAlias = rep.numAliases * 2;
-- if (rep.numAliases & 1)
-- nbytesAlias += 2;
-- nbytesName = nbytes - nbytesAlias;
-
- /*
-- * Allocate one giant block for the whole data structure
-+ * Limit each component of combined size to 1/4 the max, which is far
-+ * more than they should ever possibly need.
- */
-- filters = Xmalloc (sizeof (XFilters) +
-- rep.numFilters * sizeof (char *) +
-- rep.numAliases * sizeof (short) +
-- nbytesName);
-+ if ((rep.length < (INT_MAX >> 2)) &&
-+ (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) &&
-+ (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) {
-+ /*
-+ * Compute total number of bytes for filter names
-+ */
-+ nbytes = (unsigned long)rep.length << 2;
-+ nbytesAlias = rep.numAliases * 2;
-+ if (rep.numAliases & 1)
-+ nbytesAlias += 2;
-+ nbytesName = nbytes - nbytesAlias;
-+
-+ /*
-+ * Allocate one giant block for the whole data structure
-+ */
-+ filters = Xmalloc (sizeof (XFilters) +
-+ (rep.numFilters * sizeof (char *)) +
-+ (rep.numAliases * sizeof (short)) +
-+ nbytesName);
-+ } else
-+ filters = NULL;
-
- if (!filters)
- {
---
-cgit v0.9.0.2-2-gbebe
diff --git a/main/libxrender/CVE-2013-1987-2.patch b/main/libxrender/CVE-2013-1987-2.patch
deleted file mode 100644
index 4a0980dd73..0000000000
--- a/main/libxrender/CVE-2013-1987-2.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 9e577d40322b9e3d8bdefec0eefa44d8ead451a4 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 06:02:11 +0000
-Subject: integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]
-
-The length, numFormats, numScreens, numDepths, and numVisuals members of
-the reply are all CARD32 and need to be bounds checked before multiplying
-and adding them together to come up with the total size to allocate, to
-avoid integer overflow leading to underallocation and writing data from
-the network past the end of the allocated buffer.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
-diff --git a/src/Xrender.c b/src/Xrender.c
-index 5c8e5f5..a62c753 100644
---- a/src/Xrender.c
-+++ b/src/Xrender.c
-@@ -26,6 +26,7 @@
- #include <config.h>
- #endif
- #include "Xrenderint.h"
-+#include <limits.h>
-
- XRenderExtInfo XRenderExtensionInfo;
- char XRenderExtensionName[] = RENDER_NAME;
-@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy)
- CARD32 *xSubpixel;
- void *xData;
- int nf, ns, nd, nv;
-- int rlength;
-- int nbytes;
-+ unsigned long rlength;
-+ unsigned long nbytes;
-
- RenderCheckExtension (dpy, info, 0);
- LockDisplay (dpy);
-@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy)
- if (async_state.major_version == 0 && async_state.minor_version < 6)
- rep.numSubpixel = 0;
-
-- xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) +
-- rep.numFormats * sizeof (XRenderPictFormat) +
-- rep.numScreens * sizeof (XRenderScreen) +
-- rep.numDepths * sizeof (XRenderDepth) +
-- rep.numVisuals * sizeof (XRenderVisual));
-- rlength = (rep.numFormats * sizeof (xPictFormInfo) +
-- rep.numScreens * sizeof (xPictScreen) +
-- rep.numDepths * sizeof (xPictDepth) +
-- rep.numVisuals * sizeof (xPictVisual) +
-- rep.numSubpixel * 4);
-- xData = (void *) Xmalloc (rlength);
-- nbytes = (int) rep.length << 2;
-+ if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) &&
-+ (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) &&
-+ (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) &&
-+ (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) &&
-+ (rep.numSubpixel < ((INT_MAX / 4) / 4)) &&
-+ (rep.length < (INT_MAX >> 2)) ) {
-+ xri = Xmalloc (sizeof (XRenderInfo) +
-+ (rep.numFormats * sizeof (XRenderPictFormat)) +
-+ (rep.numScreens * sizeof (XRenderScreen)) +
-+ (rep.numDepths * sizeof (XRenderDepth)) +
-+ (rep.numVisuals * sizeof (XRenderVisual)));
-+ rlength = ((rep.numFormats * sizeof (xPictFormInfo)) +
-+ (rep.numScreens * sizeof (xPictScreen)) +
-+ (rep.numDepths * sizeof (xPictDepth)) +
-+ (rep.numVisuals * sizeof (xPictVisual)) +
-+ (rep.numSubpixel * 4));
-+ xData = Xmalloc (rlength);
-+ nbytes = (unsigned long) rep.length << 2;
-+ } else {
-+ xri = NULL;
-+ xData = NULL;
-+ rlength = nbytes = 0;
-+ }
-
- if (!xri || !xData || nbytes < rlength)
- {
---
-cgit v0.9.0.2-2-gbebe
diff --git a/main/libxrender/CVE-2013-1987-3.patch b/main/libxrender/CVE-2013-1987-3.patch
deleted file mode 100644
index 92e35d773e..0000000000
--- a/main/libxrender/CVE-2013-1987-3.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 786f78fd8df6d165ccbc81f306fd9f22b5c1551c Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 06:02:11 +0000
-Subject: integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
-
-The length and numIndexValues members of the reply are both CARD32 and
-need to be bounds checked before multiplying by sizeof (XIndexValue) to
-avoid integer overflow leading to underallocation and writing data from
-the network past the end of the allocated buffer.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
-diff --git a/src/Xrender.c b/src/Xrender.c
-index a62c753..3102eb2 100644
---- a/src/Xrender.c
-+++ b/src/Xrender.c
-@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display *dpy,
- xRenderQueryPictIndexValuesReq *req;
- xRenderQueryPictIndexValuesReply rep;
- XIndexValue *values;
-- int nbytes, nread, rlength, i;
-+ unsigned int nbytes, nread, rlength, i;
-
- RenderCheckExtension (dpy, info, NULL);
-
-@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display *dpy,
- return NULL;
- }
-
-- /* request data length */
-- nbytes = (long)rep.length << 2;
-- /* bytes of actual data in the request */
-- nread = rep.numIndexValues * SIZEOF (xIndexValue);
-- /* size of array returned to application */
-- rlength = rep.numIndexValues * sizeof (XIndexValue);
-+ if ((rep.length < (INT_MAX >> 2)) &&
-+ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) {
-+ /* request data length */
-+ nbytes = rep.length << 2;
-+ /* bytes of actual data in the request */
-+ nread = rep.numIndexValues * SIZEOF (xIndexValue);
-+ /* size of array returned to application */
-+ rlength = rep.numIndexValues * sizeof (XIndexValue);
-+
-+ /* allocate returned data */
-+ values = Xmalloc (rlength);
-+ } else {
-+ nbytes = nread = rlength = 0;
-+ values = NULL;
-+ }
-
-- /* allocate returned data */
-- values = (XIndexValue *)Xmalloc (rlength);
- if (!values)
- {
- _XEatDataWords (dpy, rep.length);
---
-cgit v0.9.0.2-2-gbebe