aboutsummaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
Diffstat (limited to 'main')
-rw-r--r--main/libxt/0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch175
-rw-r--r--main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch78
-rw-r--r--main/libxt/APKBUILD18
3 files changed, 5 insertions, 266 deletions
diff --git a/main/libxt/0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch b/main/libxt/0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch
deleted file mode 100644
index f611802250..0000000000
--- a/main/libxt/0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch
+++ /dev/null
@@ -1,175 +0,0 @@
-From eae57493feec958bcf733ad0d334715107029f8b Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 9 Mar 2013 11:29:21 -0800
-Subject: [PATCH 1/2] Unchecked return values of XGetWindowProperty
- [CVE-2013-2005]
-
-Multiple functions in Selection.c assumed that XGetWindowProperty() would
-always set the pointer to the property, but before libX11 1.6, it could
-fail to do so in some cases, leading to libXt freeing or operating on an
-uninitialized pointer value, so libXt should always initialize the pointers
-and check for failure itself.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/Selection.c | 84 ++++++++++++++++++++++++++++++++-------------------------
- 1 file changed, 47 insertions(+), 37 deletions(-)
-
-diff --git a/src/Selection.c b/src/Selection.c
-index f35cb44..4f59d70 100644
---- a/src/Selection.c
-+++ b/src/Selection.c
-@@ -839,14 +839,16 @@ static void HandleSelectionEvents(
- IndirectPair *p;
- int format;
- unsigned long bytesafter, length;
-- unsigned char *value;
-+ unsigned char *value = NULL;
- ev.property = event->xselectionrequest.property;
- StartProtectedSection(ev.display, ev.requestor);
-- (void) XGetWindowProperty(ev.display, ev.requestor,
-+ if (XGetWindowProperty(ev.display, ev.requestor,
- event->xselectionrequest.property, 0L, 1000000,
- False,(Atom)AnyPropertyType, &target, &format, &length,
-- &bytesafter, &value);
-- count = BYTELENGTH(length, format) / sizeof(IndirectPair);
-+ &bytesafter, &value) == Success)
-+ count = BYTELENGTH(length, format) / sizeof(IndirectPair);
-+ else
-+ count = 0;
- for (p = (IndirectPair *)value; count; p++, count--) {
- EndProtectedSection(ctx->dpy);
- if (!GetConversion(ctx, (XSelectionRequestEvent*)event,
-@@ -1053,9 +1055,10 @@ static Boolean IsINCRtype(
-
- if (prop == None) return False;
-
-- (void)XGetWindowProperty(XtDisplay(info->widget), window, prop, 0L, 0L,
-- False, info->ctx->prop_list->incr_atom,
-- &type, &format, &length, &bytesafter, &value);
-+ if (XGetWindowProperty(XtDisplay(info->widget), window, prop, 0L, 0L,
-+ False, info->ctx->prop_list->incr_atom, &type,
-+ &format, &length, &bytesafter, &value) != Success)
-+ return False;
-
- return (type == info->ctx->prop_list->incr_atom);
- }
-@@ -1069,7 +1072,6 @@ static void ReqCleanup(
- {
- CallBackInfo info = (CallBackInfo)closure;
- unsigned long bytesafter, length;
-- char *value;
- int format;
- Atom target;
-
-@@ -1093,17 +1095,19 @@ static void ReqCleanup(
- (ev->xproperty.state == PropertyNewValue) &&
- (ev->xproperty.atom == info->property)) {
- XPropertyEvent *event = (XPropertyEvent *) ev;
-- (void) XGetWindowProperty(event->display, XtWindow(widget),
-- event->atom, 0L, 1000000, True, AnyPropertyType,
-- &target, &format, &length, &bytesafter,
-- (unsigned char **) &value);
-- XFree(value);
-- if (length == 0) {
-- XtRemoveEventHandler(widget, (EventMask) PropertyChangeMask, FALSE,
-- ReqCleanup, (XtPointer) info );
-- FreeSelectionProperty(XtDisplay(widget), info->property);
-- XtFree(info->value); /* requestor never got this, so free now */
-- FreeInfo(info);
-+ char *value = NULL;
-+ if (XGetWindowProperty(event->display, XtWindow(widget),
-+ event->atom, 0L, 1000000, True, AnyPropertyType,
-+ &target, &format, &length, &bytesafter,
-+ (unsigned char **) &value) == Success) {
-+ XFree(value);
-+ if (length == 0) {
-+ XtRemoveEventHandler(widget, (EventMask) PropertyChangeMask,
-+ FALSE, ReqCleanup, (XtPointer) info );
-+ FreeSelectionProperty(XtDisplay(widget), info->property);
-+ XtFree(info->value); /* requestor never got this, so free now */
-+ FreeInfo(info);
-+ }
- }
- }
- }
-@@ -1121,20 +1125,23 @@ static void ReqTimedOut(
- unsigned long bytesafter;
- unsigned long proplength;
- Atom type;
-- IndirectPair *pairs;
- XtPointer *c;
- int i;
-
- if (*info->target == info->ctx->prop_list->indirect_atom) {
-- (void) XGetWindowProperty(XtDisplay(info->widget),
-- XtWindow(info->widget), info->property, 0L,
-- 10000000, True, AnyPropertyType, &type, &format,
-- &proplength, &bytesafter, (unsigned char **) &pairs);
-- XFree((char*)pairs);
-- for (proplength = proplength / IndirectPairWordSize, i = 0, c = info->req_closure;
-- proplength; proplength--, c++, i++)
-- (*info->callbacks[i])(info->widget, *c,
-- &info->ctx->selection, &resulttype, value, &length, &format);
-+ IndirectPair *pairs = NULL;
-+ if (XGetWindowProperty(XtDisplay(info->widget), XtWindow(info->widget),
-+ info->property, 0L, 10000000, True,
-+ AnyPropertyType, &type, &format, &proplength,
-+ &bytesafter, (unsigned char **) &pairs)
-+ == Success) {
-+ XFree(pairs);
-+ for (proplength = proplength / IndirectPairWordSize, i = 0,
-+ c = info->req_closure;
-+ proplength; proplength--, c++, i++)
-+ (*info->callbacks[i])(info->widget, *c, &info->ctx->selection,
-+ &resulttype, value, &length, &format);
-+ }
- } else {
- (*info->callbacks[0])(info->widget, *info->req_closure,
- &info->ctx->selection, &resulttype, value, &length, &format);
-@@ -1280,12 +1287,13 @@ Boolean HandleNormal(
- unsigned long length;
- int format;
- Atom type;
-- unsigned char *value;
-+ unsigned char *value = NULL;
- int number = info->current;
-
-- (void) XGetWindowProperty(dpy, XtWindow(widget), property, 0L,
-- 10000000, False, AnyPropertyType,
-- &type, &format, &length, &bytesafter, &value);
-+ if (XGetWindowProperty(dpy, XtWindow(widget), property, 0L, 10000000,
-+ False, AnyPropertyType, &type, &format, &length,
-+ &bytesafter, &value) != Success)
-+ return FALSE;
-
- if (type == info->ctx->prop_list->incr_atom) {
- unsigned long size = IncrPropSize(widget, value, format, length);
-@@ -1370,7 +1378,6 @@ static void HandleSelectionReplies(
- Display *dpy = event->display;
- CallBackInfo info = (CallBackInfo) closure;
- Select ctx = info->ctx;
-- IndirectPair *pairs, *p;
- unsigned long bytesafter;
- unsigned long length;
- int format;
-@@ -1385,9 +1392,12 @@ static void HandleSelectionReplies(
- XtRemoveEventHandler(widget, (EventMask)0, TRUE,
- HandleSelectionReplies, (XtPointer) info );
- if (event->target == ctx->prop_list->indirect_atom) {
-- (void) XGetWindowProperty(dpy, XtWindow(widget), info->property, 0L,
-- 10000000, True, AnyPropertyType, &type, &format,
-- &length, &bytesafter, (unsigned char **) &pairs);
-+ IndirectPair *pairs = NULL, *p;
-+ if (XGetWindowProperty(dpy, XtWindow(widget), info->property, 0L,
-+ 10000000, True, AnyPropertyType, &type, &format,
-+ &length, &bytesafter, (unsigned char **) &pairs)
-+ != Success)
-+ length = 0;
- for (length = length / IndirectPairWordSize, p = pairs,
- c = info->req_closure;
- length; length--, p++, c++, info->current++) {
---
-1.8.2.3
-
diff --git a/main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch b/main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch
deleted file mode 100644
index 05c77504e1..0000000000
--- a/main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 9264a21b688891dbdcee630ff72cf39aa75fc4e1 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 9 Mar 2013 11:44:14 -0800
-Subject: [PATCH 2/2] unvalidated length in _XtResourceConfigurationEH
- [CVE-2013-2002]
-
-The RCM_DATA property is expected to be in the format:
- resource_length, resource, value
-
-If the property contains a resource_length thats results in a pointer
-outside the property string, memory corruption can occur.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/ResConfig.c | 41 ++++++++++++++++++++++++++---------------
- 1 file changed, 26 insertions(+), 15 deletions(-)
-
-diff --git a/src/ResConfig.c b/src/ResConfig.c
-index 68da536..1f3edbe 100644
---- a/src/ResConfig.c
-+++ b/src/ResConfig.c
-@@ -971,26 +971,37 @@ _XtResourceConfigurationEH (
- * resource and value fields.
- */
- if (data) {
-+ char *data_end = data + nitems;
-+ char *data_value;
-+
- resource_len = Strtoul ((void *)data, &data_ptr, 10);
-- data_ptr++;
-
-- data_ptr[resource_len] = '\0';
-+ if (data_ptr != (char *) data) {
-+ data_ptr++;
-+ data_value = data_ptr + resource_len;
-+ } else /* strtoul failed to convert a number */
-+ data_ptr = data_value = NULL;
-+
-+ if (data_value > data_ptr && data_value < data_end) {
-+ *data_value++ = '\0';
-
-- resource = XtNewString (data_ptr);
-- value = XtNewString (&data_ptr[resource_len + 1]);
-+ resource = XtNewString (data_ptr);
-+ value = XtNewString (data_value);
- #ifdef DEBUG
-- fprintf (stderr, "resource_len=%d\n",resource_len);
-- fprintf (stderr, "resource = %s\t value = %s\n",
-- resource, value);
-+ fprintf (stderr, "resource_len=%d\n"
-+ resource_len);
-+ fprintf (stderr, "resource = %s\t value = %s\n",
-+ resource, value);
- #endif
-- /*
-- * descend the application widget tree and
-- * apply the value to the appropriate widgets
-- */
-- _search_widget_tree (w, resource, value);
--
-- XtFree (resource);
-- XtFree (value);
-+ /*
-+ * descend the application widget tree and
-+ * apply the value to the appropriate widgets
-+ */
-+ _search_widget_tree (w, resource, value);
-+
-+ XtFree (resource);
-+ XtFree (value);
-+ }
- }
- }
-
---
-1.8.2.3
-
diff --git a/main/libxt/APKBUILD b/main/libxt/APKBUILD
index c2b318a963..613958d2a5 100644
--- a/main/libxt/APKBUILD
+++ b/main/libxt/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxt
-pkgver=1.1.3
-pkgrel=1
+pkgver=1.1.4
+pkgrel=0
pkgdesc="X11 toolkit intrinsics library"
url="http://xorg.freedesktop.org/"
arch="all"
@@ -11,8 +11,6 @@ depends=
depends_dev="xproto libx11-dev libsm-dev"
makedepends="$depends_dev libice-dev e2fsprogs-dev"
source="http://xorg.freedesktop.org/releases/individual/lib/libXt-$pkgver.tar.bz2
- 0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch
- 0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch
"
_builddir="$srcdir"/libXt-$pkgver
@@ -39,12 +37,6 @@ package() {
make -j1 DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
}
-md5sums="a6f137ae100e74ebe3b71eb4a38c40b3 libXt-1.1.3.tar.bz2
-ddbc29bbc588eaeb01c01a94ddf8cdb8 0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch
-4ffbba851dcb9031ec620e48d0acffe9 0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch"
-sha256sums="8db593c3fc5ffc4e9cd854ba50af1eac9b90d66521ba17802b8f1e0d2d7f05bd libXt-1.1.3.tar.bz2
-84d0bc18fb74b4bbde40ec19e7745db1fc8cdc131a2578361005b289fa6dcb09 0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch
-758c710f423e22d17b8938574bebf8dc5c8193ef8296f8c8fb974229f886420c 0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch"
-sha512sums="26d81ddb00f2d231afe37f0d55be9aaf95f0926086751d1816d02d15244e8ac7dc61e4e96e6ac33b2d22455aa7992c7b86e5bc9eada4ebcecaf6909dc0939416 libXt-1.1.3.tar.bz2
-b1e7040636ff0ab4d67c522c46aa72d134ca47bfb8553288a28e6e69e1aafcb9bce41e4a55b2356d7145fdacef72c5018ff96923bf46d7c21e15bf30d23d40e3 0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch
-e43430f8b904bce0a6e171a6e24f7dc85bcfa9741d742c00d7f616744ae629b7ea3bdb32dd2b4c8f006880657f6ffc809966b69ce24bdf2343ecedf4fe579b1c 0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch"
+md5sums="03149823ae57bb02d0cec90d5b97d56c libXt-1.1.4.tar.bz2"
+sha256sums="843a97a988f5654872682a4120486d987d853a71651515472f55519ffae2dd57 libXt-1.1.4.tar.bz2"
+sha512sums="57721def16bf29e05deb746566400d71cf0cd5bf9b8b7ebed19abb7c6804e14073060b6cf94409903aa464d27acca2e91f55654b2d4770677b2b4b4dc78fd423 libXt-1.1.4.tar.bz2"