diff options
Diffstat (limited to 'main/libxrender')
-rw-r--r-- | main/libxrender/APKBUILD | 33 | ||||
-rw-r--r-- | main/libxrender/CVE-2013-1987-1.patch | 83 | ||||
-rw-r--r-- | main/libxrender/CVE-2013-1987-2.patch | 81 | ||||
-rw-r--r-- | main/libxrender/CVE-2013-1987-3.patch | 59 |
4 files changed, 6 insertions, 250 deletions
diff --git a/main/libxrender/APKBUILD b/main/libxrender/APKBUILD index e1349f439d..0a4e6a80d7 100644 --- a/main/libxrender/APKBUILD +++ b/main/libxrender/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libxrender -pkgver=0.9.7 -pkgrel=1 +pkgver=0.9.8 +pkgrel=0 pkgdesc="X Rendering Extension client library" url="http://xorg.freedesktop.org/" arch="all" @@ -10,22 +10,10 @@ subpackages="$pkgname-dev" depends= depends_dev="xproto renderproto libx11-dev" makedepends="$depends_dev" -source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2 - CVE-2013-1987-1.patch - CVE-2013-1987-2.patch - CVE-2013-1987-3.patch - " +source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2" _builddir="$srcdir"/libXrender-$pkgver -prepare() { - cd "$_builddir" - for i in $source; do - case $i in - *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; - esac - done -} build() { cd "$_builddir" @@ -38,15 +26,6 @@ package() { make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="ee62f4c7f0f16ced4da63308963ccad2 libXrender-0.9.7.tar.bz2 -5d82b028bed7456b38f1d001a222b1d8 CVE-2013-1987-1.patch -8e0adc5dcbf89ea1d0c7fe0e0dd5e8d7 CVE-2013-1987-2.patch -b3bac65a7f41bcacbf5fd8278ac709b6 CVE-2013-1987-3.patch" -sha256sums="f9b46b93c9bc15d5745d193835ac9ba2a2b411878fad60c504bbb8f98492bbe6 libXrender-0.9.7.tar.bz2 -4a0b2e6d693c86eab43aa6e6720de149298ea67b1ccc10a723bfb9db3787703a CVE-2013-1987-1.patch -7ee9c01f3f20f817c37210147afc50038541bea53b270ce2c3eacf9969821a39 CVE-2013-1987-2.patch -141096ee1b739e2ca4b270215dbf1ad9ed57ad9d0b405256241f0fb8e19a61ce CVE-2013-1987-3.patch" -sha512sums="b52cebf6ebcdfc1e321b4ec7a18ba781cd05ddab9bb191532ea4174848fb7bb7f5bc7e609944e6e193f7b808e5b50316ba74b5bf1024e61b11358ac1887b44dc libXrender-0.9.7.tar.bz2 -5ec8fa4531271e9c6904b00fa828a82e3b2904d8ea7f8803da4175b516f9a4b268e44fd90607244850affd9899f12f107bb038b02529983c04c5968a10d74a0d CVE-2013-1987-1.patch -45778c206f35b3ccc814bf68713582e1aeda45f182678ca88e194b0eb45f8f930732d465b3d10ee475892c5b7e0a9a67354b0036e0ffe2989c929c27f828d52b CVE-2013-1987-2.patch -8bee48d9d23ce10aa8076a1c93edd2f2f2b221421ef4d706cacf2f4b23ccb7aea64cfca9fe7766820c8473208fc25d573d72f6a717aa5a0bad9da4297c15af05 CVE-2013-1987-3.patch" +md5sums="2bd9a15fcf64d216e63b8d129e4f1f1c libXrender-0.9.8.tar.bz2" +sha256sums="1d14b02f0060aec5d90dfdcf16a996f17002e515292906ed26e3dcbba0f4fc62 libXrender-0.9.8.tar.bz2" +sha512sums="111a0ec4e19932a50da4914d9112b0a16c1d9c800e2b8398ddaf9ed70dae1a4eb75860282ca62d023e78957bbc3f015cb80d91ba76a24595df9f8a2b7e055b58 libXrender-0.9.8.tar.bz2" diff --git a/main/libxrender/CVE-2013-1987-1.patch b/main/libxrender/CVE-2013-1987-1.patch deleted file mode 100644 index 706356a748..0000000000 --- a/main/libxrender/CVE-2013-1987-1.patch +++ /dev/null @@ -1,83 +0,0 @@ -From e52853974664289fe42a92909667ed77cfa1cec5 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 13 Apr 2013 05:45:20 +0000 -Subject: integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3] - -The length, numFilters & numAliases members of the reply are all CARD32 -and need to be bounds checked before multiplying & adding them together -to come up with the total size to allocate, to avoid integer overflow -leading to underallocation and writing data from the network past the -end of the allocated buffer. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- -diff --git a/src/Filter.c b/src/Filter.c -index 924b2a3..edfa572 100644 ---- a/src/Filter.c -+++ b/src/Filter.c -@@ -25,6 +25,7 @@ - #include <config.h> - #endif - #include "Xrenderint.h" -+#include <limits.h> - - XFilters * - XRenderQueryFilters (Display *dpy, Drawable drawable) -@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) - char *name; - char len; - int i; -- long nbytes, nbytesAlias, nbytesName; -+ unsigned long nbytes, nbytesAlias, nbytesName; - - if (!RenderHasExtension (info)) - return NULL; -@@ -60,22 +61,32 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) - SyncHandle (); - return NULL; - } -- /* -- * Compute total number of bytes for filter names -- */ -- nbytes = (long)rep.length << 2; -- nbytesAlias = rep.numAliases * 2; -- if (rep.numAliases & 1) -- nbytesAlias += 2; -- nbytesName = nbytes - nbytesAlias; - - /* -- * Allocate one giant block for the whole data structure -+ * Limit each component of combined size to 1/4 the max, which is far -+ * more than they should ever possibly need. - */ -- filters = Xmalloc (sizeof (XFilters) + -- rep.numFilters * sizeof (char *) + -- rep.numAliases * sizeof (short) + -- nbytesName); -+ if ((rep.length < (INT_MAX >> 2)) && -+ (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) && -+ (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) { -+ /* -+ * Compute total number of bytes for filter names -+ */ -+ nbytes = (unsigned long)rep.length << 2; -+ nbytesAlias = rep.numAliases * 2; -+ if (rep.numAliases & 1) -+ nbytesAlias += 2; -+ nbytesName = nbytes - nbytesAlias; -+ -+ /* -+ * Allocate one giant block for the whole data structure -+ */ -+ filters = Xmalloc (sizeof (XFilters) + -+ (rep.numFilters * sizeof (char *)) + -+ (rep.numAliases * sizeof (short)) + -+ nbytesName); -+ } else -+ filters = NULL; - - if (!filters) - { --- -cgit v0.9.0.2-2-gbebe diff --git a/main/libxrender/CVE-2013-1987-2.patch b/main/libxrender/CVE-2013-1987-2.patch deleted file mode 100644 index 4a0980dd73..0000000000 --- a/main/libxrender/CVE-2013-1987-2.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 9e577d40322b9e3d8bdefec0eefa44d8ead451a4 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 13 Apr 2013 06:02:11 +0000 -Subject: integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3] - -The length, numFormats, numScreens, numDepths, and numVisuals members of -the reply are all CARD32 and need to be bounds checked before multiplying -and adding them together to come up with the total size to allocate, to -avoid integer overflow leading to underallocation and writing data from -the network past the end of the allocated buffer. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- -diff --git a/src/Xrender.c b/src/Xrender.c -index 5c8e5f5..a62c753 100644 ---- a/src/Xrender.c -+++ b/src/Xrender.c -@@ -26,6 +26,7 @@ - #include <config.h> - #endif - #include "Xrenderint.h" -+#include <limits.h> - - XRenderExtInfo XRenderExtensionInfo; - char XRenderExtensionName[] = RENDER_NAME; -@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy) - CARD32 *xSubpixel; - void *xData; - int nf, ns, nd, nv; -- int rlength; -- int nbytes; -+ unsigned long rlength; -+ unsigned long nbytes; - - RenderCheckExtension (dpy, info, 0); - LockDisplay (dpy); -@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy) - if (async_state.major_version == 0 && async_state.minor_version < 6) - rep.numSubpixel = 0; - -- xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) + -- rep.numFormats * sizeof (XRenderPictFormat) + -- rep.numScreens * sizeof (XRenderScreen) + -- rep.numDepths * sizeof (XRenderDepth) + -- rep.numVisuals * sizeof (XRenderVisual)); -- rlength = (rep.numFormats * sizeof (xPictFormInfo) + -- rep.numScreens * sizeof (xPictScreen) + -- rep.numDepths * sizeof (xPictDepth) + -- rep.numVisuals * sizeof (xPictVisual) + -- rep.numSubpixel * 4); -- xData = (void *) Xmalloc (rlength); -- nbytes = (int) rep.length << 2; -+ if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) && -+ (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) && -+ (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) && -+ (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) && -+ (rep.numSubpixel < ((INT_MAX / 4) / 4)) && -+ (rep.length < (INT_MAX >> 2)) ) { -+ xri = Xmalloc (sizeof (XRenderInfo) + -+ (rep.numFormats * sizeof (XRenderPictFormat)) + -+ (rep.numScreens * sizeof (XRenderScreen)) + -+ (rep.numDepths * sizeof (XRenderDepth)) + -+ (rep.numVisuals * sizeof (XRenderVisual))); -+ rlength = ((rep.numFormats * sizeof (xPictFormInfo)) + -+ (rep.numScreens * sizeof (xPictScreen)) + -+ (rep.numDepths * sizeof (xPictDepth)) + -+ (rep.numVisuals * sizeof (xPictVisual)) + -+ (rep.numSubpixel * 4)); -+ xData = Xmalloc (rlength); -+ nbytes = (unsigned long) rep.length << 2; -+ } else { -+ xri = NULL; -+ xData = NULL; -+ rlength = nbytes = 0; -+ } - - if (!xri || !xData || nbytes < rlength) - { --- -cgit v0.9.0.2-2-gbebe diff --git a/main/libxrender/CVE-2013-1987-3.patch b/main/libxrender/CVE-2013-1987-3.patch deleted file mode 100644 index 92e35d773e..0000000000 --- a/main/libxrender/CVE-2013-1987-3.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 786f78fd8df6d165ccbc81f306fd9f22b5c1551c Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 13 Apr 2013 06:02:11 +0000 -Subject: integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3] - -The length and numIndexValues members of the reply are both CARD32 and -need to be bounds checked before multiplying by sizeof (XIndexValue) to -avoid integer overflow leading to underallocation and writing data from -the network past the end of the allocated buffer. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- -diff --git a/src/Xrender.c b/src/Xrender.c -index a62c753..3102eb2 100644 ---- a/src/Xrender.c -+++ b/src/Xrender.c -@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display *dpy, - xRenderQueryPictIndexValuesReq *req; - xRenderQueryPictIndexValuesReply rep; - XIndexValue *values; -- int nbytes, nread, rlength, i; -+ unsigned int nbytes, nread, rlength, i; - - RenderCheckExtension (dpy, info, NULL); - -@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display *dpy, - return NULL; - } - -- /* request data length */ -- nbytes = (long)rep.length << 2; -- /* bytes of actual data in the request */ -- nread = rep.numIndexValues * SIZEOF (xIndexValue); -- /* size of array returned to application */ -- rlength = rep.numIndexValues * sizeof (XIndexValue); -+ if ((rep.length < (INT_MAX >> 2)) && -+ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) { -+ /* request data length */ -+ nbytes = rep.length << 2; -+ /* bytes of actual data in the request */ -+ nread = rep.numIndexValues * SIZEOF (xIndexValue); -+ /* size of array returned to application */ -+ rlength = rep.numIndexValues * sizeof (XIndexValue); -+ -+ /* allocate returned data */ -+ values = Xmalloc (rlength); -+ } else { -+ nbytes = nread = rlength = 0; -+ values = NULL; -+ } - -- /* allocate returned data */ -- values = (XIndexValue *)Xmalloc (rlength); - if (!values) - { - _XEatDataWords (dpy, rep.length); --- -cgit v0.9.0.2-2-gbebe |