From 365d1deeccc7e6bfa143e09ef9d8a7de01f2c21f Mon Sep 17 00:00:00 2001
From: Leonardo Arena
Date: Wed, 19 Oct 2016 09:48:58 +0000
Subject: main/libxvmc: security fix (CVE-2016-7953). Fixes #6274
(cherry picked from commit 64829de6223eea876af4dfff594135fb79b114ae)
---
 main/libxvmc/APKBUILD | 27 ++++++++++++++++++++++-----
 main/libxvmc/CVE-2016-7953.patch | 31 +++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 5 deletions(-)
 create mode 100644 main/libxvmc/CVE-2016-7953.patch
(limited to 'main/libxvmc')
diff --git a/main/libxvmc/APKBUILD b/main/libxvmc/APKBUILD
index b63902b08b..87407fadd3 100644
--- a/main/libxvmc/APKBUILD
+++ b/main/libxvmc/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa
 pkgname=libxvmc
 pkgver=1.0.9
-pkgrel=0
+pkgrel=1
 pkgdesc="X11 Video Motion Compensation extension library"
 url="http://xorg.freedesktop.org/"
 arch="all"
@@ -10,9 +10,23 @@ subpackages="$pkgname-dev"
 depends=
 depends_dev="xproto videoproto libxv-dev libx11-dev libxext-dev"
 makedepends="$depends_dev libtool autoconf automake util-macros"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXvMC-$pkgver.tar.bz2"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXvMC-$pkgver.tar.bz2
+ CVE-2016-7953.patch
+ "
+
+# secfixes:
+# 1.0.9-r1:
+# - CVE-2016-7953
 _builddir="$srcdir"/libXvMC-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
 build() {
 cd "$_builddir"
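Review bot: In the added prepare(), `cd "$_builddir"` is not checked, while the patch call just below it is guarded with `|| return 1`; if the directory is missing, the loop would try to apply CVE-2016-7953.patch relative to whatever directory the build was started in. I would write `cd "$_builddir" || return 1` and quote the loop variable in the patch call, `patch -p1 -i "$srcdir"/"$i" || return 1;;`. Whether abuild already aborts on a failed cd is not visible on this page, so this is a robustness point rather than a confirmed defect.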
@@ -30,6 +44,9 @@ package() {
 make DESTDIR="$pkgdir" install || return 1
 rm "$pkgdir"/usr/lib/*.la
 }
-md5sums="eba6b738ed5fdcd8f4203d7c8a470c79 libXvMC-1.0.9.tar.bz2"
-sha256sums="0703d7dff6ffc184f1735ca5d4eb9dbb402b522e08e008f2f96aee16c40a5756 libXvMC-1.0.9.tar.bz2"
-sha512sums="658db91ae37cbad468a85301d77b6237674f91fad82679348c26a297bb8c1da81f6b7b13c4ff47a3d6c7f4f8fefdf270d0fde316ec14666fa4e2d1e2c4b337ca libXvMC-1.0.9.tar.bz2"
+md5sums="eba6b738ed5fdcd8f4203d7c8a470c79 libXvMC-1.0.9.tar.bz2
+214b3716fc0efe08f9c29165e4419cc0 CVE-2016-7953.patch"
+sha256sums="0703d7dff6ffc184f1735ca5d4eb9dbb402b522e08e008f2f96aee16c40a5756 libXvMC-1.0.9.tar.bz2
+1a26c55e6c454fc64877c55b8e4650a04ad7b74d10d248c36247e1543550d5a5 CVE-2016-7953.patch"
+sha512sums="658db91ae37cbad468a85301d77b6237674f91fad82679348c26a297bb8c1da81f6b7b13c4ff47a3d6c7f4f8fefdf270d0fde316ec14666fa4e2d1e2c4b337ca libXvMC-1.0.9.tar.bz2
+c5a6eef61ccffe6167b968e11b1b45d50007b9e2942f1374ff5a406064e08123f7994572a434c007c37dbd2dd47f9b8c9f611290aca7dd855d9bc678183cabc3 CVE-2016-7953.patch"
diff --git a/main/libxvmc/CVE-2016-7953.patch b/main/libxvmc/CVE-2016-7953.patch
new file mode 100644
index 0000000000..c57ab61b12
--- /dev/null
+++ b/main/libxvmc/CVE-2016-7953.patch
@@ -0,0 +1,31 @@
+From 2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Sun, 25 Sep 2016 22:34:27 +0200
+Subject: Avoid buffer underflow on empty strings.
+
+If an empty string is received from an x-server, do not underrun the
+buffer by accessing "rep.nameLen - 1" unconditionally, which could end
+up being -1.
+
+Signed-off-by: Tobias Stoeckmann
+Reviewed-by: Matthieu Herrb
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index 7336760..3ee4212 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -576,9 +576,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+ if (*name && *busID && tmpBuf) {
+ _XRead(dpy, tmpBuf, realSize);
+ strncpy(*name,tmpBuf,rep.nameLen);
+- (*name)[rep.nameLen - 1] = '\0';
++ (*name)[rep.nameLen == 0 ? 0 : rep.nameLen - 1] = '\0';
+ strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
+- (*busID)[rep.busIDLen - 1] = '\0';
++ (*busID)[rep.busIDLen == 0 ? 0 : rep.busIDLen - 1] = '\0';
+ XFree(tmpBuf);
+ } else {
+ XFree(*name);
+--
+cgit v0.10.2
+
--
cgit v1.2.3
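Review bot: With a zero length, the rewritten line `(*name)[rep.nameLen == 0 ? 0 : rep.nameLen - 1] = '\0';` and its `*busID` counterpart still store one byte at offset 0, so the fix is only in bounds if the buffers behind `*name` and `*busID` hold at least one byte when the server reports length 0. Those allocations sit above the hunk (XvMCGetDRInfo starts and ends outside it), so this should be confirmed against the full src/XvMC.c before relying on the backport. A short comment beside the two lines would record the assumption, e.g. `/* lengths come from the server reply; offset 0 must be valid even when the length is 0 */`. Separately, in the non-zero case the terminator overwrites the last copied byte, which looks intentional only if the reported lengths include the trailing NUL.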