From cb0cd770ba3f64b0c0804962bc03dda167a4c207 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Fri, 24 May 2013 08:32:13 +0000 Subject: main/libxcursor: fix CVE-2013-2003 ref #1931 fixes #1999 (cherry picked from commit 99d3e572056d735f20db0b6a80e86398462ee97b) Conflicts: main/libxcursor/APKBUILD --- main/libxcursor/APKBUILD | 26 +++++++++++++++++++------- main/libxcursor/CVE-2013-2003.patch | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+), 7 deletions(-) create mode 100644 main/libxcursor/CVE-2013-2003.patch diff --git a/main/libxcursor/APKBUILD b/main/libxcursor/APKBUILD index 44cf51f2c2..500d94dde0 100644 --- a/main/libxcursor/APKBUILD +++ b/main/libxcursor/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa pkgname=libxcursor -pkgver=1.1.12 +pkgver=1.1.13 pkgrel=0 pkgdesc="X cursor management library" url="http://xorg.freedesktop.org/" @@ -8,12 +8,23 @@ arch="all" license="custom" subpackages="$pkgname-dev $pkgname-doc" depends= -makedepends="pkgconfig libxfixes-dev libx11-dev libxrender-dev" -source="http://xorg.freedesktop.org/releases/individual/lib/libXcursor-$pkgver.tar.bz2" - depends_dev="xproto libx11-dev libxrender-dev libxfixes-dev" +makedepends="$depends_dev" +source="http://xorg.freedesktop.org/releases/individual/lib/libXcursor-$pkgver.tar.bz2 + CVE-2013-2003.patch" + +_builddir="$srcdir"/libXcursor-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} + build() { - cd "$srcdir"/libXcursor-$pkgver + cd "$_builddir" ./configure --prefix=/usr \ --sysconfdir=/etc \ || return 1 @@ -21,8 +32,9 @@ build() { } package() { - cd "$srcdir"/libXcursor-$pkgver + cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="a93b5a6f5b05976d2c0d3f8a07f6ac6a libXcursor-1.1.12.tar.bz2" +md5sums="52efa81b7f26c8eda13510a2fba98eea libXcursor-1.1.13.tar.bz2 +e604d93c5dfcc22078129959acc9a6d5 CVE-2013-2003.patch" diff --git a/main/libxcursor/CVE-2013-2003.patch b/main/libxcursor/CVE-2013-2003.patch new file mode 100644 index 0000000000..a4f41e1453 --- /dev/null +++ b/main/libxcursor/CVE-2013-2003.patch @@ -0,0 +1,34 @@ +From 8f677eaea05290531d007d1fec2768119926088d Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 13 Apr 2013 04:17:28 +0000 +Subject: signedness bug & integer overflow in _XcursorFileHeaderCreate() [CVE-2013-2003] + +When parsing cursor files, a user defined (e.g. through environment +variables) cursor file is opened and parsed. + +The header is read in _XcursorReadFileHeader(), which reads an unsigned +int for the number of toc structures in the header, but it was being +passed to _XcursorFileHeaderCreate() as a signed int to allocate those +structures. If the number was negative, it would pass the bounds check +and could overflow the calculation for how much memory to allocate to +store the data being read, leading to overflowing the buffer with the +data read from the user controlled file. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +--- +diff --git a/src/file.c b/src/file.c +index efe6d4b..ce9de78 100644 +--- a/src/file.c ++++ b/src/file.c +@@ -205,7 +205,7 @@ _XcursorFileHeaderDestroy (XcursorFileHeader *fileHeader) + } + + static XcursorFileHeader * +-_XcursorFileHeaderCreate (int ntoc) ++_XcursorFileHeaderCreate (XcursorUInt ntoc) + { + XcursorFileHeader *fileHeader; + +-- +cgit v0.9.0.2-2-gbebe -- cgit v1.2.3