From 292a8a8c7ac4aa1d7ef36c99880b46318b408aa5 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Thu, 6 Jun 2013 16:13:40 +0000 Subject: main/libxt: upgrade to 1.1.4 --- ...eturn-values-of-XGetWindowProperty-CVE-20.patch | 175 --------------------- ...-length-in-_XtResourceConfigurationEH-CVE.patch | 78 --------- main/libxt/APKBUILD | 18 +-- 3 files changed, 5 insertions(+), 266 deletions(-) delete mode 100644 main/libxt/0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch delete mode 100644 main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch diff --git a/main/libxt/0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch b/main/libxt/0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch deleted file mode 100644 index f611802250..0000000000 --- a/main/libxt/0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch +++ /dev/null @@ -1,175 +0,0 @@ -From eae57493feec958bcf733ad0d334715107029f8b Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 9 Mar 2013 11:29:21 -0800 -Subject: [PATCH 1/2] Unchecked return values of XGetWindowProperty - [CVE-2013-2005] - -Multiple functions in Selection.c assumed that XGetWindowProperty() would -always set the pointer to the property, but before libX11 1.6, it could -fail to do so in some cases, leading to libXt freeing or operating on an -uninitialized pointer value, so libXt should always initialize the pointers -and check for failure itself. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith ---- - src/Selection.c | 84 ++++++++++++++++++++++++++++++++------------------------- - 1 file changed, 47 insertions(+), 37 deletions(-) - -diff --git a/src/Selection.c b/src/Selection.c -index f35cb44..4f59d70 100644 ---- a/src/Selection.c -+++ b/src/Selection.c -@@ -839,14 +839,16 @@ static void HandleSelectionEvents( - IndirectPair *p; - int format; - unsigned long bytesafter, length; -- unsigned char *value; -+ unsigned char *value = NULL; - ev.property = event->xselectionrequest.property; - StartProtectedSection(ev.display, ev.requestor); -- (void) XGetWindowProperty(ev.display, ev.requestor, -+ if (XGetWindowProperty(ev.display, ev.requestor, - event->xselectionrequest.property, 0L, 1000000, - False,(Atom)AnyPropertyType, &target, &format, &length, -- &bytesafter, &value); -- count = BYTELENGTH(length, format) / sizeof(IndirectPair); -+ &bytesafter, &value) == Success) -+ count = BYTELENGTH(length, format) / sizeof(IndirectPair); -+ else -+ count = 0; - for (p = (IndirectPair *)value; count; p++, count--) { - EndProtectedSection(ctx->dpy); - if (!GetConversion(ctx, (XSelectionRequestEvent*)event, -@@ -1053,9 +1055,10 @@ static Boolean IsINCRtype( - - if (prop == None) return False; - -- (void)XGetWindowProperty(XtDisplay(info->widget), window, prop, 0L, 0L, -- False, info->ctx->prop_list->incr_atom, -- &type, &format, &length, &bytesafter, &value); -+ if (XGetWindowProperty(XtDisplay(info->widget), window, prop, 0L, 0L, -+ False, info->ctx->prop_list->incr_atom, &type, -+ &format, &length, &bytesafter, &value) != Success) -+ return False; - - return (type == info->ctx->prop_list->incr_atom); - } -@@ -1069,7 +1072,6 @@ static void ReqCleanup( - { - CallBackInfo info = (CallBackInfo)closure; - unsigned long bytesafter, length; -- char *value; - int format; - Atom target; - -@@ -1093,17 +1095,19 @@ static void ReqCleanup( - (ev->xproperty.state == PropertyNewValue) && - (ev->xproperty.atom == info->property)) { - XPropertyEvent *event = (XPropertyEvent *) ev; -- (void) XGetWindowProperty(event->display, XtWindow(widget), -- event->atom, 0L, 1000000, True, AnyPropertyType, -- &target, &format, &length, &bytesafter, -- (unsigned char **) &value); -- XFree(value); -- if (length == 0) { -- XtRemoveEventHandler(widget, (EventMask) PropertyChangeMask, FALSE, -- ReqCleanup, (XtPointer) info ); -- FreeSelectionProperty(XtDisplay(widget), info->property); -- XtFree(info->value); /* requestor never got this, so free now */ -- FreeInfo(info); -+ char *value = NULL; -+ if (XGetWindowProperty(event->display, XtWindow(widget), -+ event->atom, 0L, 1000000, True, AnyPropertyType, -+ &target, &format, &length, &bytesafter, -+ (unsigned char **) &value) == Success) { -+ XFree(value); -+ if (length == 0) { -+ XtRemoveEventHandler(widget, (EventMask) PropertyChangeMask, -+ FALSE, ReqCleanup, (XtPointer) info ); -+ FreeSelectionProperty(XtDisplay(widget), info->property); -+ XtFree(info->value); /* requestor never got this, so free now */ -+ FreeInfo(info); -+ } - } - } - } -@@ -1121,20 +1125,23 @@ static void ReqTimedOut( - unsigned long bytesafter; - unsigned long proplength; - Atom type; -- IndirectPair *pairs; - XtPointer *c; - int i; - - if (*info->target == info->ctx->prop_list->indirect_atom) { -- (void) XGetWindowProperty(XtDisplay(info->widget), -- XtWindow(info->widget), info->property, 0L, -- 10000000, True, AnyPropertyType, &type, &format, -- &proplength, &bytesafter, (unsigned char **) &pairs); -- XFree((char*)pairs); -- for (proplength = proplength / IndirectPairWordSize, i = 0, c = info->req_closure; -- proplength; proplength--, c++, i++) -- (*info->callbacks[i])(info->widget, *c, -- &info->ctx->selection, &resulttype, value, &length, &format); -+ IndirectPair *pairs = NULL; -+ if (XGetWindowProperty(XtDisplay(info->widget), XtWindow(info->widget), -+ info->property, 0L, 10000000, True, -+ AnyPropertyType, &type, &format, &proplength, -+ &bytesafter, (unsigned char **) &pairs) -+ == Success) { -+ XFree(pairs); -+ for (proplength = proplength / IndirectPairWordSize, i = 0, -+ c = info->req_closure; -+ proplength; proplength--, c++, i++) -+ (*info->callbacks[i])(info->widget, *c, &info->ctx->selection, -+ &resulttype, value, &length, &format); -+ } - } else { - (*info->callbacks[0])(info->widget, *info->req_closure, - &info->ctx->selection, &resulttype, value, &length, &format); -@@ -1280,12 +1287,13 @@ Boolean HandleNormal( - unsigned long length; - int format; - Atom type; -- unsigned char *value; -+ unsigned char *value = NULL; - int number = info->current; - -- (void) XGetWindowProperty(dpy, XtWindow(widget), property, 0L, -- 10000000, False, AnyPropertyType, -- &type, &format, &length, &bytesafter, &value); -+ if (XGetWindowProperty(dpy, XtWindow(widget), property, 0L, 10000000, -+ False, AnyPropertyType, &type, &format, &length, -+ &bytesafter, &value) != Success) -+ return FALSE; - - if (type == info->ctx->prop_list->incr_atom) { - unsigned long size = IncrPropSize(widget, value, format, length); -@@ -1370,7 +1378,6 @@ static void HandleSelectionReplies( - Display *dpy = event->display; - CallBackInfo info = (CallBackInfo) closure; - Select ctx = info->ctx; -- IndirectPair *pairs, *p; - unsigned long bytesafter; - unsigned long length; - int format; -@@ -1385,9 +1392,12 @@ static void HandleSelectionReplies( - XtRemoveEventHandler(widget, (EventMask)0, TRUE, - HandleSelectionReplies, (XtPointer) info ); - if (event->target == ctx->prop_list->indirect_atom) { -- (void) XGetWindowProperty(dpy, XtWindow(widget), info->property, 0L, -- 10000000, True, AnyPropertyType, &type, &format, -- &length, &bytesafter, (unsigned char **) &pairs); -+ IndirectPair *pairs = NULL, *p; -+ if (XGetWindowProperty(dpy, XtWindow(widget), info->property, 0L, -+ 10000000, True, AnyPropertyType, &type, &format, -+ &length, &bytesafter, (unsigned char **) &pairs) -+ != Success) -+ length = 0; - for (length = length / IndirectPairWordSize, p = pairs, - c = info->req_closure; - length; length--, p++, c++, info->current++) { --- -1.8.2.3 - diff --git a/main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch b/main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch deleted file mode 100644 index 05c77504e1..0000000000 --- a/main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 9264a21b688891dbdcee630ff72cf39aa75fc4e1 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 9 Mar 2013 11:44:14 -0800 -Subject: [PATCH 2/2] unvalidated length in _XtResourceConfigurationEH - [CVE-2013-2002] - -The RCM_DATA property is expected to be in the format: - resource_length, resource, value - -If the property contains a resource_length thats results in a pointer -outside the property string, memory corruption can occur. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith ---- - src/ResConfig.c | 41 ++++++++++++++++++++++++++--------------- - 1 file changed, 26 insertions(+), 15 deletions(-) - -diff --git a/src/ResConfig.c b/src/ResConfig.c -index 68da536..1f3edbe 100644 ---- a/src/ResConfig.c -+++ b/src/ResConfig.c -@@ -971,26 +971,37 @@ _XtResourceConfigurationEH ( - * resource and value fields. - */ - if (data) { -+ char *data_end = data + nitems; -+ char *data_value; -+ - resource_len = Strtoul ((void *)data, &data_ptr, 10); -- data_ptr++; - -- data_ptr[resource_len] = '\0'; -+ if (data_ptr != (char *) data) { -+ data_ptr++; -+ data_value = data_ptr + resource_len; -+ } else /* strtoul failed to convert a number */ -+ data_ptr = data_value = NULL; -+ -+ if (data_value > data_ptr && data_value < data_end) { -+ *data_value++ = '\0'; - -- resource = XtNewString (data_ptr); -- value = XtNewString (&data_ptr[resource_len + 1]); -+ resource = XtNewString (data_ptr); -+ value = XtNewString (data_value); - #ifdef DEBUG -- fprintf (stderr, "resource_len=%d\n",resource_len); -- fprintf (stderr, "resource = %s\t value = %s\n", -- resource, value); -+ fprintf (stderr, "resource_len=%d\n" -+ resource_len); -+ fprintf (stderr, "resource = %s\t value = %s\n", -+ resource, value); - #endif -- /* -- * descend the application widget tree and -- * apply the value to the appropriate widgets -- */ -- _search_widget_tree (w, resource, value); -- -- XtFree (resource); -- XtFree (value); -+ /* -+ * descend the application widget tree and -+ * apply the value to the appropriate widgets -+ */ -+ _search_widget_tree (w, resource, value); -+ -+ XtFree (resource); -+ XtFree (value); -+ } - } - } - --- -1.8.2.3 - diff --git a/main/libxt/APKBUILD b/main/libxt/APKBUILD index c2b318a963..613958d2a5 100644 --- a/main/libxt/APKBUILD +++ b/main/libxt/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=libxt -pkgver=1.1.3 -pkgrel=1 +pkgver=1.1.4 +pkgrel=0 pkgdesc="X11 toolkit intrinsics library" url="http://xorg.freedesktop.org/" arch="all" @@ -11,8 +11,6 @@ depends= depends_dev="xproto libx11-dev libsm-dev" makedepends="$depends_dev libice-dev e2fsprogs-dev" source="http://xorg.freedesktop.org/releases/individual/lib/libXt-$pkgver.tar.bz2 - 0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch - 0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch " _builddir="$srcdir"/libXt-$pkgver @@ -39,12 +37,6 @@ package() { make -j1 DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="a6f137ae100e74ebe3b71eb4a38c40b3 libXt-1.1.3.tar.bz2 -ddbc29bbc588eaeb01c01a94ddf8cdb8 0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch -4ffbba851dcb9031ec620e48d0acffe9 0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch" -sha256sums="8db593c3fc5ffc4e9cd854ba50af1eac9b90d66521ba17802b8f1e0d2d7f05bd libXt-1.1.3.tar.bz2 -84d0bc18fb74b4bbde40ec19e7745db1fc8cdc131a2578361005b289fa6dcb09 0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch -758c710f423e22d17b8938574bebf8dc5c8193ef8296f8c8fb974229f886420c 0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch" -sha512sums="26d81ddb00f2d231afe37f0d55be9aaf95f0926086751d1816d02d15244e8ac7dc61e4e96e6ac33b2d22455aa7992c7b86e5bc9eada4ebcecaf6909dc0939416 libXt-1.1.3.tar.bz2 -b1e7040636ff0ab4d67c522c46aa72d134ca47bfb8553288a28e6e69e1aafcb9bce41e4a55b2356d7145fdacef72c5018ff96923bf46d7c21e15bf30d23d40e3 0001-Unchecked-return-values-of-XGetWindowProperty-CVE-20.patch -e43430f8b904bce0a6e171a6e24f7dc85bcfa9741d742c00d7f616744ae629b7ea3bdb32dd2b4c8f006880657f6ffc809966b69ce24bdf2343ecedf4fe579b1c 0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch" +md5sums="03149823ae57bb02d0cec90d5b97d56c libXt-1.1.4.tar.bz2" +sha256sums="843a97a988f5654872682a4120486d987d853a71651515472f55519ffae2dd57 libXt-1.1.4.tar.bz2" +sha512sums="57721def16bf29e05deb746566400d71cf0cd5bf9b8b7ebed19abb7c6804e14073060b6cf94409903aa464d27acca2e91f55654b2d4770677b2b4b4dc78fd423 libXt-1.1.4.tar.bz2" -- cgit v1.2.3