From 406661591c02dd83efcb2a8885ed58349e2864cd Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Mon, 27 May 2013 14:31:43 +0000 Subject: main/libxtst: fix CVE-2013-2063 ref #1931 fixes #1970 (cherry picked from commit ca33affea49de655ea0a1aa27accea11f84df7c1) --- ..._XEatDataWords-to-eat-data-in-error-cases.patch | 88 ++++++++++++++++++++++ ...erflow-in-XRecordGetContext-CVE-2013-2063.patch | 81 ++++++++++++++++++++ main/libxtst/APKBUILD | 38 ++++++++-- 3 files changed, 199 insertions(+), 8 deletions(-) create mode 100644 main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch create mode 100644 main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch diff --git a/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch b/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch new file mode 100644 index 0000000000..43fa1e0d76 --- /dev/null +++ b/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch 
@@ -0,0 +1,88 @@
+From 46ed6283034b5b7d14584009453f5d974cfacf1e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 13 Apr 2013 11:05:27 -0700
+Subject: [PATCH 1/2] Use _XEatDataWords to eat data in error cases
+
+Avoids having to do calculcations based on response contents
+
+Signed-off-by: Alan Coopersmith
+---
+ configure.ac | 6 ++++++
+ src/XRecord.c | 23 +++++++++++++++++------
+ 2 files changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7ef0153..d83d4d8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -47,6 +47,12 @@ XORG_CHECK_SGML_DOCTOOLS(1.8)
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XTST, x11 [xext >= 1.0.99.4] xi [recordproto >= 1.13.99.1] [xextproto >= 7.0.99.3] inputproto)
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XTST_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Determine if the source for man pages is available
+ # It may already be present (tarball) or can be generated using xmlto
+ AM_CONDITIONAL([INSTALL_MANPAGES],
+diff --git a/src/XRecord.c b/src/XRecord.c
+index b65451c..ba628b6 100644
+--- a/src/XRecord.c
++++ b/src/XRecord.c
+@@ -49,6 +49,9 @@ from The Open Group.
+ * By Stephen Gildea, X Consortium, and Martha Zimet, NCD.
+ */
+
++#ifdef HAVE_CONFIG_H
++#include
++#endif
+ #include
+ #include
+ #include
+@@ -56,6 +59,18 @@ from The Open Group.
+ #include
+ #include
+ #include
++#include
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ static XExtensionInfo _xrecord_info_data;
+ static XExtensionInfo *xrecord_info = &_xrecord_info_data;
+@@ -427,7 +442,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+
+ ret = (XRecordState*)Xmalloc(sizeof(XRecordState));
+ if (!ret) {
+- /* XXX - eat data */
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return 0;
+@@ -446,11 +461,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+ }
+ if (!client_inf || !client_inf_str)
+ {
+- for(i = 0; i < count; i++)
+- {
+- _XEatData (dpy, sizeof(xRecordClientInfo));
+- _XEatData (dpy, SIZEOF(xRecordRange)); /* XXX - don't know how many */
+- }
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay(dpy);
+ XRecordFreeState(ret);
+ SyncHandle();
+--
+1.8.2.3
+
diff --git a/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch b/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
new file mode 100644
index 0000000000..661a464fd0
--- /dev/null
+++ b/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
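Review bot: The fallback `_XEatDataWords` added to src/XRecord.c carries no comment, and its contract is not obvious: `n` is a count of 4-byte words (both callers pass `rep.length`), and the range check is compiled out when `LONG64` is defined. I would add a header comment such as `/* Fallback for Xlib builds without _XEatDataWords: discard n 32-bit words of pending reply data. */` and, on the check, `/* n << 2 would wrap a 32-bit unsigned long */`. The check only protects the shift because control is not expected to come back from `_XIOError`; saying so in the comment keeps a later edit from treating it as an ordinary error return.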
@@ -0,0 +1,81 @@
+From e7e04b7be3f018ad636aba3a36bfc1cd80b9906d Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 13 Apr 2013 11:27:26 -0700
+Subject: [PATCH 2/2] integer overflow in XRecordGetContext() [CVE-2013-2063]
+
+The nclients and nranges members of the reply are both CARD32 and need
+to be bounds checked before multiplying by the size of the structs to
+avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Signed-off-by: Alan Coopersmith
+---
+ src/XRecord.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/src/XRecord.c b/src/XRecord.c
+index ba628b6..5bbd5ac 100644
+--- a/src/XRecord.c
++++ b/src/XRecord.c
+@@ -420,11 +420,9 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+ XExtDisplayInfo *info = find_display (dpy);
+ register xRecordGetContextReq *req;
+ xRecordGetContextReply rep;
+- int count, i, rn;
++ unsigned int count, i, rn;
+ xRecordRange xrange;
+- XRecordRange *ranges = NULL;
+ xRecordClientInfo xclient_inf;
+- XRecordClientInfo **client_inf, *client_inf_str = NULL;
+ XRecordState *ret;
+
+ XRecordCheckExtension (dpy, info, 0);
+@@ -454,13 +452,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+
+ if (count)
+ {
+- client_inf = (XRecordClientInfo **) Xcalloc(count, sizeof(XRecordClientInfo*));
+- ret->client_info = client_inf;
+- if (client_inf != NULL) {
+- client_inf_str = (XRecordClientInfo *) Xmalloc(count*sizeof(XRecordClientInfo));
++ XRecordClientInfo **client_inf = NULL;
++ XRecordClientInfo *client_inf_str = NULL;
++
++ if (count < (INT_MAX / sizeof(XRecordClientInfo))) {
++ client_inf = Xcalloc(count, sizeof(XRecordClientInfo *));
++ if (client_inf != NULL)
++ client_inf_str = Xmalloc(count * sizeof(XRecordClientInfo));
+ }
++ ret->client_info = client_inf;
+ if (!client_inf || !client_inf_str)
+ {
++ free(client_inf);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay(dpy);
+ XRecordFreeState(ret);
+@@ -476,11 +479,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+
+ if (xclient_inf.nRanges)
+ {
+- client_inf_str[i].ranges = (XRecordRange**) Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange*));
+- if (client_inf_str[i].ranges != NULL) {
+- ranges = (XRecordRange*)
+- Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
++ XRecordRange *ranges = NULL;
++
++ if (xclient_inf.nRanges < (INT_MAX / sizeof(XRecordRange))) {
++ client_inf_str[i].ranges =
++ Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange *));
++ if (client_inf_str[i].ranges != NULL)
++ ranges =
++ Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
+ }
++ else
++ client_inf_str[i].ranges = NULL;
++
+ if (!client_inf_str[i].ranges || !ranges) {
+ /* XXX eat data */
+ UnlockDisplay(dpy);
+--
+1.8.2.3
+
diff --git a/main/libxtst/APKBUILD b/main/libxtst/APKBUILD
index c4eb84bf9a..c87af4a041 100644
--- a/main/libxtst/APKBUILD
+++ b/main/libxtst/APKBUILD
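Review bot: In the `if (!client_inf || !client_inf_str)` error branch of the second inner hunk, the new `free(client_inf);` runs after `ret->client_info = client_inf;`, so `ret` still holds the freed pointer when `XRecordFreeState(ret)` is called a few lines later. XRecordFreeState is not part of this patch, but if it reads or frees `client_info` this becomes a use-after-free or double free on the allocation-failure and over-limit paths, which the reply's `nClients` value can steer into. Adding `ret->client_info = NULL;` directly after the `free`, or moving the assignment below the error branch, avoids handing over a dangling pointer, provided XRecordFreeState tolerates a NULL `client_info`; that needs checking against the full function. Separately, the range-allocation failure branch in the last inner hunk still carries `/* XXX eat data */`, so the unread remainder of the reply appears to be left on the connection there.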
@@ -1,30 +1,52 @@ # Maintainer: Natanael Copa pkgname=libxtst pkgver=1.2.1 -pkgrel=0 +pkgrel=1 pkgdesc="X11 Testing -- Resource extension library" url="http://xorg.freedesktop.org/" arch="all" license="custom" subpackages="$pkgname-dev $pkgname-doc" depends= -makedepends="pkgconfig libxext-dev libxi-dev recordproto inputproto" -source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2" depends_dev="recordproto libx11-dev libxext-dev inputproto libxi-dev" +makedepends="$depends_dev libtool autoconf automake util-macros" +source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2 + 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch + 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch + " -build () -{ - cd "$srcdir"/libXtst-$pkgver +_builddir="$srcdir"/libXtst-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done + libtoolize --force && aclocal && autoheader && autoconf \ + && automake --add-missing +} + +build() { + cd "$_builddir" ./configure --prefix=/usr \ --build=${CHOST} --host=${CHOST} make || return 1 } package() { - cd "$srcdir"/libXtst-$pkgver + cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE } -md5sums="e8abc5c00c666f551cf26aa53819d592 libXtst-1.2.1.tar.bz2" +md5sums="e8abc5c00c666f551cf26aa53819d592 libXtst-1.2.1.tar.bz2 +ef5006c916511e087973d797a60aaee1 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch +641e6194973b4d324f8278faa821b87a 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch" +sha256sums="7eea3e66e392aca3f9dad6238198753c28e1c32fa4903cbb7739607a2504e5e0 libXtst-1.2.1.tar.bz2 +bba7db9220b8a91b5ca71133af55414851d350e81c6142e74e7c44a3fc57c052 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch 
+d67b95b9bf1587e48bc4009d1d100ed1ee3a611ed07869bb157290064986db6f 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch" +sha512sums="287c10a761d30acc988399e23de1ecb7c90d8bd4d363cd03cd0a02eb232e37b0943f359fae76a8e68504ccadc2b7c0117bfebee75e00a0b6f58397658f8ebe0d libXtst-1.2.1.tar.bz2 +0144a420f78f5377acd2548355089596439437d1d19945532428a1cc5f263155f03ebfbba668f9c468525c579aa091d4ddf27006ec4d55246bd045a7e6ff9739 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch +730a9ad7c8aafd8f161bf7cbbd4bbd2c62d4fc6cf50a69f5575a4c52e9a2d712e36bb4e3b9325f628a2f71115ce8797ac93aa7bf023d0abe7ba3603f33f47e81 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch" -- cgit v1.2.3