From 596f76568714ab83fed8fef00c69f6493e6996e3 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Fri, 24 May 2013 09:09:51 +0000 Subject: main/libxp: fix CVE-2013-2062 ref #1931 --- ...recated-Automake-INCLUDES-variable-with-A.patch | 36 +++++++ ...taWords-to-avoid-overflow-of-rep.length-b.patch | 59 +++++++++++ ...rflow-in-XpGetAttributes-XpGetOneAttribut.patch | 86 +++++++++++++++ ...rflows-in-XpGetPrinterList-CVE-2013-2062-.patch | 118 +++++++++++++++++++++ ...rflows-in-XpQueryScreens-CVE-2013-2062-3-.patch | 64 +++++++++++ main/libxp/APKBUILD | 35 +++++- 6 files changed, 393 insertions(+), 5 deletions(-) create mode 100644 main/libxp/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch create mode 100644 main/libxp/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch create mode 100644 main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch create mode 100644 main/libxp/0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch create mode 100644 main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch (limited to 'main/libxp') diff --git a/main/libxp/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch b/main/libxp/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch new file mode 100644 index 0000000000..410a7da033 --- /dev/null +++ b/main/libxp/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch 
@@ -0,0 +1,36 @@ +From 41aab7d289aba2aaf3839e96d0c9e2f15ede4bd1 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 18 Jan 2013 23:03:57 -0800 +Subject: [PATCH 1/5] Replace deprecated Automake INCLUDES variable with + AM_CPPFLAGS + +Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html + + - Support for the long-deprecated INCLUDES variable will be removed + altogether in Automake 1.14. The AM_CPPFLAGS variable should be + used instead. + +This variable was deprecated in Automake releases prior to 1.10, which is +the current minimum level required to build X. + +Signed-off-by: Alan Coopersmith +--- + src/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index 3ca2659..f42b633 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -24,7 +24,7 @@ libXp_la_LIBADD = $(XPRINT_LIBS) + + AM_CFLAGS = $(CWARNFLAGS) $(XPRINT_CFLAGS) $(MALLOC_ZERO_CFLAGS) + +-INCLUDES = -I$(top_srcdir)/include/X11/extensions ++AM_CPPFLAGS = -I$(top_srcdir)/include/X11/extensions + + # + # Library version number. This must match old versions on +-- +1.8.2.3 + diff --git a/main/libxp/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch b/main/libxp/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch new file mode 100644 index 0000000000..fa61ef587f --- /dev/null +++ b/main/libxp/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch 
@@ -0,0 +1,59 @@ +From 15ec6d1d0bb8c4cb24a190ed34e63312a0623670 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 3 May 2013 22:30:36 -0700 +Subject: [PATCH 2/5] Use _XEatDataWords to avoid overflow of rep.length bit + shifting + +rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds + +Signed-off-by: Alan Coopersmith +--- + configure.ac | 6 ++++++ + src/XpExtUtil.h | 14 ++++++++++++++ + 2 files changed, 20 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 50b029c..16b966c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -45,6 +45,12 @@ AC_PROG_LIBTOOL + # Check for X and print proto + PKG_CHECK_MODULES(XPRINT, x11 xext xextproto xau printproto) + ++# Check for _XEatDataWords function that may be patched into older Xlib release ++SAVE_LIBS="$LIBS" ++LIBS="$XPRINT_LIBS" ++AC_CHECK_FUNCS([_XEatDataWords]) ++LIBS="$SAVE_LIBS" ++ + AC_CONFIG_FILES([Makefile + src/Makefile + man/Makefile +diff --git a/src/XpExtUtil.h b/src/XpExtUtil.h +index d479a95..1889825 100644 +--- a/src/XpExtUtil.h ++++ b/src/XpExtUtil.h +@@ -48,6 +48,20 @@ extern char *_xpstrdup( + const char * /* str */ + ); + ++#ifndef HAVE__XEATDATAWORDS ++#include /* for LONG64 on 64-bit platforms */ ++#include ++ ++static inline void _XEatDataWords(Display *dpy, unsigned long n) ++{ ++# ifndef LONG64 ++ if (n >= (ULONG_MAX >> 2)) ++ _XIOError(dpy); ++# endif ++ _XEatData (dpy, n << 2); ++} ++#endif ++ + _XFUNCPROTOEND + + #endif /* _XPEXTUTIL_H */ +-- +1.8.2.3 + diff --git a/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch b/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch new file mode 100644 index 0000000000..e510b705e0 --- /dev/null +++ b/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch 
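Review bot: The fallback `_XEatDataWords` added to src/XpExtUtil.h only avoids the overflow if `_XIOError(dpy)` never returns, because the `_XEatData (dpy, n << 2)` call that follows is not in an `else` branch. I would state that next to the check, e.g. `/* _XIOError() does not return, so n << 2 below cannot wrap */`. The fallback is also selected purely by `HAVE__XEATDATAWORDS`, so every source file including this header has to pull in the configure-generated config header first. That is not visible in this hunk; if one does not, the static inline would be defined even when Xlib already provides the function.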
@@ -0,0 +1,86 @@ +From babb1fc823ab3be192c48fe115feeb0d57f74d05 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 26 Apr 2013 23:59:25 -0700 +Subject: [PATCH 3/5] integer overflow in XpGetAttributes & XpGetOneAttribute + [CVE-2013-2062 1/3] + +stringLen & valueLen are CARD32s and need to be bounds checked before adding +one to them to come up with the total size to allocate, to avoid integer +overflow leading to underallocation and writing data from the network past +the end of the allocated buffer. + +Signed-off-by: Alan Coopersmith +--- + src/XpAttr.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +diff --git a/src/XpAttr.c b/src/XpAttr.c +index 6818daf..665e2e8 100644 +--- a/src/XpAttr.c ++++ b/src/XpAttr.c +@@ -48,6 +48,7 @@ + + #include + #include ++#include + + char * + XpGetAttributes ( +@@ -83,17 +84,18 @@ XpGetAttributes ( + /* + * Read pool and return to caller. + */ +- buf = Xmalloc( (unsigned) rep.stringLen + 1 ); ++ if (rep.stringLen < INT_MAX) ++ buf = Xmalloc(rep.stringLen + 1); ++ else ++ buf = NULL; + + if (!buf) { +- UnlockDisplay(dpy); +- SyncHandle(); +- return( (char *) NULL ); /* malloc error */ ++ _XEatDataWords(dpy, rep.length); ++ } ++ else { ++ _XReadPad (dpy, (char *) buf, rep.stringLen ); ++ buf[rep.stringLen] = 0; + } +- +- _XReadPad (dpy, (char *) buf, (long) rep.stringLen ); +- +- buf[rep.stringLen] = 0; + + UnlockDisplay(dpy); + SyncHandle(); +@@ -144,18 +146,18 @@ XpGetOneAttribute ( + /* + * Read variable answer. 
+ */ +- buf = Xmalloc( (unsigned) rep.valueLen + 1 ); ++ if (rep.valueLen < INT_MAX) ++ buf = Xmalloc(rep.valueLen + 1); ++ else ++ buf = NULL; + + if (!buf) { +- UnlockDisplay(dpy); +- SyncHandle(); +- return( (char *) NULL ); /* malloc error */ ++ _XEatDataWords(dpy, rep.length); ++ } ++ else { ++ _XReadPad (dpy, (char *) buf, rep.valueLen); ++ buf[rep.valueLen] = 0; + } +- +- buf[rep.valueLen] = 0; +- +- _XReadPad (dpy, (char *) buf, (long) rep.valueLen ); +- buf[rep.valueLen] = 0; + + UnlockDisplay(dpy); + SyncHandle(); +-- +1.8.2.3 + diff --git a/main/libxp/0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch b/main/libxp/0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch new file mode 100644 index 0000000000..a528c59f53 --- /dev/null +++ b/main/libxp/0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch 
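Review bot: The new bound on `rep.stringLen` in XpGetAttributes, and on `rep.valueLen` in XpGetOneAttribute, is only `INT_MAX`; neither is compared with `rep.length`, the amount of data the reply announces. A malformed reply can therefore still drive an allocation of almost 2 GiB and make `_XReadPad` ask for more bytes than the reply carries, which would consume whatever follows on the connection. Consider tying the string length to the reply length in the same condition, e.g. `if (rep.stringLen < INT_MAX && (rep.stringLen >> 2) <= rep.length)`. The `listCount` checks in the 0004 and 0005 patches have the same gap. Both function bodies begin and end outside the hunks, so an earlier check may already cover this.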
@@ -0,0 +1,118 @@ +From cc90f6be64bfd6973ae270b9bff494f577e1bda7 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 26 Apr 2013 23:59:25 -0700 +Subject: [PATCH 4/5] integer overflows in XpGetPrinterList() [CVE-2013-2062 + 2/3] + +listCount is a CARD32 that needs to be bounds checked before it is +multiplied by the size of the structs to allocate, and the string +lengths are CARD32s and need to be bounds checked before adding one +to them to come up with the total size to allocate, to avoid integer +overflow leading to underallocation and writing data from the network +past the end of the allocated buffer. + +Signed-off-by: Alan Coopersmith +--- + src/XpPrinter.c | 43 +++++++++++++++++++++++-------------------- + 1 file changed, 23 insertions(+), 20 deletions(-) + +diff --git a/src/XpPrinter.c b/src/XpPrinter.c +index bdc96e6..03b18c4 100644 +--- a/src/XpPrinter.c ++++ b/src/XpPrinter.c +@@ -42,6 +42,7 @@ + #include + #include + #include "XpExtUtil.h" ++#include + + #define _XpPadOut(len) (((len) + 3) & ~3) + +@@ -62,7 +63,7 @@ XpGetPrinterList ( + long dataLenVR; + CARD8 *dataVR; /* aka STRING8 */ + +- XPPrinterList ptr_list; ++ XPPrinterList ptr_list = NULL; + + XExtDisplayInfo *info = (XExtDisplayInfo *) xp_find_display (dpy); + +@@ -128,13 +129,12 @@ XpGetPrinterList ( + *list_count = rep.listCount; + + if (*list_count) { +- ptr_list = (XPPrinterList) +- Xmalloc( (unsigned) (sizeof(XPPrinterRec) * (*list_count + 1))); ++ if (rep.listCount < (INT_MAX / sizeof(XPPrinterRec))) ++ ptr_list = Xmalloc(sizeof(XPPrinterRec) * (*list_count + 1)); + + if (!ptr_list) { +- UnlockDisplay(dpy); +- SyncHandle(); +- return ( (XPPrinterList) NULL ); /* malloc error */ ++ _XEatDataWords(dpy, rep.length); ++ goto out; + } + + /* +@@ -150,16 +150,17 @@ XpGetPrinterList ( + _XRead32 (dpy, &dataLenVR, (long) sizeof(CARD32) ); + + if (dataLenVR) { +- dataVR = (CARD8 *) Xmalloc( (unsigned) dataLenVR + 1 ); ++ if (dataLenVR < INT_MAX) ++ dataVR = Xmalloc(dataLenVR + 1); ++ 
else ++ dataVR = NULL; + + if (!dataVR) { +- UnlockDisplay(dpy); +- SyncHandle(); +- return ( (XPPrinterList) NULL ); /* malloc error */ ++ _XEatData(dpy, dataLenVR); ++ } else { ++ _XReadPad (dpy, (char *) dataVR, (long) dataLenVR); ++ dataVR[dataLenVR] = 0; + } +- +- _XReadPad (dpy, (char *) dataVR, (long) dataLenVR); +- dataVR[dataLenVR] = 0; + ptr_list[i].name = (char *) dataVR; + } + else { +@@ -172,16 +173,17 @@ XpGetPrinterList ( + _XRead32 (dpy, &dataLenVR, (long) sizeof(CARD32) ); + + if (dataLenVR) { +- dataVR = (CARD8 *) Xmalloc( (unsigned) dataLenVR + 1 ); ++ if (dataLenVR < INT_MAX) ++ dataVR = Xmalloc(dataLenVR + 1); ++ else ++ dataVR = NULL; + + if (!dataVR) { +- UnlockDisplay(dpy); +- SyncHandle(); +- return ( (XPPrinterList) NULL ); /* malloc error */ ++ _XEatData(dpy, dataLenVR); ++ } else { ++ _XReadPad (dpy, (char *) dataVR, (long) dataLenVR); ++ dataVR[dataLenVR] = 0; + } +- +- _XReadPad (dpy, (char *) dataVR, (long) dataLenVR); +- dataVR[dataLenVR] = 0; + ptr_list[i].desc = (char *) dataVR; + } + else { +@@ -193,6 +195,7 @@ XpGetPrinterList ( + ptr_list = (XPPrinterList) NULL; + } + ++ out: + UnlockDisplay(dpy); + SyncHandle(); + +-- +1.8.2.3 + diff --git a/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch b/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch new file mode 100644 index 0000000000..c7e925e357 --- /dev/null +++ b/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch 
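Review bot: On the allocation-failure path for the printer name and description, the patch calls `_XEatData(dpy, dataLenVR)`, while the success path uses `_XReadPad`, which, as I understand Xlib, also consumes the bytes that pad the string to a 4-byte boundary. Discarding only the unpadded length would leave up to three pad bytes in the stream, so the next `_XRead32` in the loop would pick up a misaligned length. The file already defines `_XpPadOut`, so `_XEatData(dpy, _XpPadOut(dataLenVR));` looks like the matching call in both places. XpGetPrinterList's body extends outside the hunks shown here.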
@@ -0,0 +1,64 @@ +From e111065f6dd790c820fa67ea31055b18c68481e3 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 26 Apr 2013 23:59:25 -0700 +Subject: [PATCH 5/5] integer overflows in XpQueryScreens() [CVE-2013-2062 3/3] + +listCount is a CARD32 that needs to be bounds checked before it is +multiplied by the size of the pointers to allocate, to avoid integer +overflow leading to underallocation and writing data from the network +past the end of the allocated buffer. + +Signed-off-by: Alan Coopersmith +--- + src/XpScreens.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/XpScreens.c b/src/XpScreens.c +index 815dfbf..b31e554 100644 +--- a/src/XpScreens.c ++++ b/src/XpScreens.c +@@ -42,6 +42,7 @@ + #include + #include + #include "XpExtUtil.h" ++#include + + + Screen ** +@@ -82,19 +83,17 @@ XpQueryScreens ( + *list_count = rep.listCount; + + if (*list_count) { +- scr_list = (Screen **) +- Xmalloc( (unsigned) (sizeof(Screen *) * *list_count) ); ++ if (rep.listCount < (INT_MAX / sizeof(Screen *))) ++ scr_list = Xmalloc(sizeof(Screen *) * *list_count); ++ else ++ scr_list = NULL; + + if (!scr_list) { +- UnlockDisplay(dpy); +- SyncHandle(); +- return ( (Screen **) NULL ); /* malloc error */ ++ _XEatDataWords(dpy, rep.length); ++ goto out; + } + i = 0; + while(i < *list_count){ +- /* +- * Pull printer length and then name. +- */ + _XRead32 (dpy, &rootWindow, (long) sizeof(CARD32) ); + scr_list[i] = NULL; + for ( j = 0; j < XScreenCount(dpy); j++ ) { +@@ -118,6 +117,7 @@ XpQueryScreens ( + scr_list = (Screen **) NULL; + } + ++ out: + UnlockDisplay(dpy); + SyncHandle(); + +-- +1.8.2.3 + diff --git a/main/libxp/APKBUILD b/main/libxp/APKBUILD index 616e034f9e..4bd21ace04 100644 --- a/main/libxp/APKBUILD +++ b/main/libxp/APKBUILD 
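Review bot: `*list_count = rep.listCount;` is stored before the new bound check, so when the check or `Xmalloc` fails and the code takes `goto out`, the caller appears to receive a NULL list together with a non-zero count. Adding `*list_count = 0;` just before `goto out;` would keep the two outputs consistent; the XpGetPrinterList change in the 0004 patch follows the same pattern. The code after the `out:` label is outside the hunk, so this is moot if the count is reset there.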
@@ -2,17 +2,23 @@ # Maintainer: Natanael Copa pkgname=libxp pkgver=1.0.1 -pkgrel=1 +pkgrel=2 pkgdesc="X.Org X11 libXp runtime library" url="http://www.x.org" arch="all" license="MIT" depends= -depends_dev="util-macros libx11-dev libxext-dev libxau-dev printproto" -makedepends="$depends_dev" +depends_dev="libx11-dev libxext-dev libxau-dev printproto" +makedepends="$depends_dev libtool autoconf automake util-macros" install="" subpackages="$pkgname-dev $pkgname-doc" -source="http://xorg.freedesktop.org/releases/individual/lib/libXp-$pkgver.tar.bz2" +source="http://xorg.freedesktop.org/releases/individual/lib/libXp-$pkgver.tar.bz2 + 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch + 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch + 0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch + 0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch + 0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch + " _builddir="$srcdir"/libXp-$pkgver prepare() { @@ -23,6 +29,8 @@ prepare() { *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; esac done + libtoolize --force && aclocal && autoheader && autoconf \ + && automake --add-missing } build() { 
@@ -42,4 +50,21 @@ package() { rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="7ae1d63748e79086bd51a633da1ff1a9 libXp-1.0.1.tar.bz2" +md5sums="7ae1d63748e79086bd51a633da1ff1a9 libXp-1.0.1.tar.bz2 +dfc36d7aa39348115edbed43e7b3bacd 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch +8d99d975ee248d292c57f0539a74f444 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch +0affd2550812541d7c6e03b10a882a39 0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch +74e9e315a2b7b714c2ebbc69e4478723 0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch +59085b08c7ae142238ee20af93836926 0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch" +sha256sums="71d1f260005616d646b8c8788365f2b7d93911dac57bb53b65753d9f9e6443d2 libXp-1.0.1.tar.bz2 +666273216e13b759e85cf84c345e9253771e729f605987e580ad55b0ad7651a3 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch +f128151ebd1206d85c6ee55d1558fb1e3f446a7334466571818850096fec7a87 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch +ad96f0031978dd8befa29bde872a8a9b40e4fbfccf42cd22e201f975564db3b6 0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch +cbadbece5e73d568826b19b2f743860c8dfe47f4077accffa939cc51a79ead0c 0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch +0a597afeab8bd76dcd72fec97efd0a8db12c1dd1d9f431085e061aa1b6ca1f3d 0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch" +sha512sums="0707256ae344b847f1a5bbf85f9e6e6f926be3bee10858e3c92932ee02007fdb908cb64a6f2ce0de501f99117e4582c1bcf9bc6f921490d42cabbfb997d731bd libXp-1.0.1.tar.bz2 +5a55658cedbf6ac8d410f19ceed0ef38d65a81ef54e9ffde86ac285c477669d760a1b5c2d9791aff50d48698298bcfdd3290e1b95321c62230809a8a65222127 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch +9a94b99f96d03e436450daa40e54d3d091d362e76428a4bc0fdacb38b3582c1a18ad5b1824621282892bc3f9e0964bae2d8e15ccdfc5c27a426f118c7a7336c8 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch 
+48d47a8878f2f3663c1e00091c6190ae9d4b0e08594cfb87d4810e726caf5a138100ef59d0fdb352cb5805ab3268bedde86f20d4637533f81d71451fc0989f20 0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch +5b6e0c05209546c6ef29bc6ed9a24b4117d8a4983fc49abf554920d189fd73d97198c4428951177f7b21dcd968d786c98fa5b53d457946e9b79504fc6ed7c9f6 0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch +8242840592974a57e98e9c6dfed73031f632dc26b88ba2bf40016c9778955476490eb14766de6a02429ad56066f228d23b3cd9c0772585c020be3b6dec32b522 0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch" -- cgit v1.2.3