From b262cf6c02f0e15dc88618b6a9e1298ace184057 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Fri, 24 May 2013 09:23:39 +0000
Subject: main/libxres: fix CVE-2013-1988 ref #1931
---
...recated-Automake-INCLUDES-variable-with-A.patch | 36 +++++++++++
...taWords-to-avoid-overflow-of-rep.length-s.patch | 75 ++++++++++++++++++++++
...rflow-in-XResQueryClients-CVE-2013-1988-1.patch | 37 +++++++++++
...rflow-in-XResQueryClientResources-CVE-201.patch | 37 +++++++++++
main/libxres/APKBUILD | 48 +++++++++++---
5 files changed, 224 insertions(+), 9 deletions(-)
create mode 100644 main/libxres/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
create mode 100644 main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
create mode 100644 main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
create mode 100644 main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch
(limited to 'main')
diff --git a/main/libxres/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch b/main/libxres/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
new file mode 100644
index 0000000000..b8ef330d8d
--- /dev/null
+++ b/main/libxres/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
@@ -0,0 +1,36 @@
+From 83e7693515369d57dcd11c2bb1f03563f51bc500 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 18 Jan 2013 23:06:20 -0800
+Subject: [PATCH 1/4] Replace deprecated Automake INCLUDES variable with
+ AM_CPPFLAGS
+
+Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
+
+ - Support for the long-deprecated INCLUDES variable will be removed
+ altogether in Automake 1.14. The AM_CPPFLAGS variable should be
+ used instead.
+
+This variable was deprecated in Automake releases prior to 1.10, which is
+the current minimum level required to build X.
+
+Signed-off-by: Alan Coopersmith
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index fd508da..bf66d68 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -10,7 +10,7 @@ AM_CFLAGS = \
+ $(XRES_CFLAGS) \
+ $(MALLOC_ZERO_CFLAGS)
+
+-INCLUDES = -I$(top_srcdir)/include
++AM_CPPFLAGS = -I$(top_srcdir)/include
+
+ libXRes_la_LDFLAGS = -version-number 1:0:0 -no-undefined
+
+--
+1.8.2.3
+
diff --git a/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
new file mode 100644
index 0000000000..9f22c4fa5b
--- /dev/null
+++ b/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
@@ -0,0 +1,75 @@
+From 69457711050ac3a53859ef11790a7ac815cd7d94 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 13 Apr 2013 10:34:22 -0700
+Subject: [PATCH 2/4] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith
+---
+ configure.ac | 6 ++++++
+ src/XRes.c | 16 ++++++++++++++--
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 90205cc..f68b689 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -50,6 +50,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XRES, x11 xext xextproto [resourceproto >= 1.2.0])
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XRES_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ src/Makefile
+ man/Makefile
+diff --git a/src/XRes.c b/src/XRes.c
+index 1744196..1ab1db8 100644
+--- a/src/XRes.c
++++ b/src/XRes.c
+@@ -13,6 +13,18 @@
+ #include
+ #include
+
++#include
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ static XExtensionInfo _xres_ext_info_data;
+ static XExtensionInfo *xres_ext_info = &_xres_ext_info_data;
+@@ -131,7 +143,7 @@ Status XResQueryClients (
+ *num_clients = rep.num_clients;
+ result = 1;
+ } else {
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+ }
+
+@@ -183,7 +195,7 @@ Status XResQueryClientResources (
+ *num_types = rep.num_types;
+ result = 1;
+ } else {
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+ }
+
+--
+1.8.2.3
+
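Review bot: In the fallback `_XEatDataWords` that patch 0002 adds to src/XRes.c, the overflow guard is only effective if `_XIOError(dpy)` never returns; if it did, control would fall through to `_XEatData (dpy, n << 2)` with exactly the value the guard was meant to reject. The declaration of `_XIOError` is not visible in the hunk, so I would state the assumption in a comment above the check, for example `/* _XIOError() does not return, so n << 2 below cannot wrap */`. The fallback is selected by `HAVE__XEATDATAWORDS` from the new `AC_CHECK_FUNCS` test, which presumably requires the generated config header to be included before this point; the include lines in the hunk have lost their file names, so that cannot be confirmed here.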
diff --git a/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch b/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
new file mode 100644
index 0000000000..e851c092f1
--- /dev/null
+++ b/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
@@ -0,0 +1,37 @@
+From b053d215b80e721f9afdc5794e4f3f4f2aee0141 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 12 Apr 2013 23:36:13 -0700
+Subject: [PATCH 3/4] integer overflow in XResQueryClients() [CVE-2013-1988
+ 1/2]
+
+The CARD32 rep.num_clients needs to be bounds checked before multiplying
+by sizeof(XResClient) to avoid integer overflow leading to underallocation
+and writing data from the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Alan Coopersmith
+---
+ src/XRes.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/XRes.c b/src/XRes.c
+index 1ab1db8..c989985 100644
+--- a/src/XRes.c
++++ b/src/XRes.c
+@@ -130,7 +130,12 @@ Status XResQueryClients (
+ }
+
+ if(rep.num_clients) {
+- if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) {
++ if (rep.num_clients < (INT_MAX / sizeof(XResClient)))
++ clnts = Xmalloc(sizeof(XResClient) * rep.num_clients);
++ else
++ clnts = NULL;
++
++ if (clnts != NULL) {
+ xXResClient scratch;
+ int i;
+
+--
+1.8.2.3
+
diff --git a/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch b/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch
new file mode 100644
index 0000000000..bca2bb0260
--- /dev/null
+++ b/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch
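Review bot: The guard `rep.num_clients < (INT_MAX / sizeof(XResClient))` that patch 0003 adds to XResQueryClients() bounds the allocation size, but nothing visible in the hunk checks that the element count is consistent with `rep.length`. The read loop lies outside the hunk, so this is inferred: if it reads `rep.num_clients` fixed-size records, a reply whose count and length disagree would still leave the connection's input out of step with what the server sent, and the count should be rejected when it exceeds what `rep.length` words can hold. The same applies to the `rep.num_types` guard in XResQueryClientResources() in patch 0004. A short comment on both checks would also help, since the bound is `INT_MAX` rather than `SIZE_MAX`, presumably because the loop index `i` is an `int`.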
@@ -0,0 +1,37 @@
+From f468184963e53feda848853c4aefd0197b2cc116 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 12 Apr 2013 23:36:13 -0700
+Subject: [PATCH 4/4] integer overflow in XResQueryClientResources()
+ [CVE-2013-1988 2/2]
+
+The CARD32 rep.num_types needs to be bounds checked before multiplying
+by sizeof(XResType) to avoid integer overflow leading to underallocation
+and writing data from the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Alan Coopersmith
+---
+ src/XRes.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/XRes.c b/src/XRes.c
+index c989985..51e905f 100644
+--- a/src/XRes.c
++++ b/src/XRes.c
+@@ -187,7 +187,12 @@ Status XResQueryClientResources (
+ }
+
+ if(rep.num_types) {
+- if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) {
++ if (rep.num_types < (INT_MAX / sizeof(XResType)))
++ typs = Xmalloc(sizeof(XResType) * rep.num_types);
++ else
++ typs = NULL;
++
++ if (typs != NULL) {
+ xXResType scratch;
+ int i;
+
+--
+1.8.2.3
+
diff --git a/main/libxres/APKBUILD b/main/libxres/APKBUILD
index fc23b9d49e..705ca3e2dc 100644
--- a/main/libxres/APKBUILD
+++ b/main/libxres/APKBUILD
@@ -1,30 +1,60 @@ # Maintainer: Natanael Copa pkgname=libxres pkgver=1.0.6 -pkgrel=0 +pkgrel=1 pkgdesc="X11 Resource extension library" url="http://xorg.freedesktop.org" arch="all" license="custom" subpackages="$pkgname-dev $pkgname-doc" -makedepends="pkgconfig libxext-dev resourceproto" depends= -source="http://xorg.freedesktop.org/releases/individual/lib/libXres-$pkgver.tar.bz2" +depends_dev="xproto resourceproto libx11-dev libxext-dev" +makedepends="$depends_dev libtool autoconf automake util-macros" +source="http://xorg.freedesktop.org/releases/individual/lib/libXres-$pkgver.tar.bz2 + 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch + 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch + 0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch + 0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch + " -depends_dev="xproto libx11-dev libxext-dev" -build () -{ - cd "$srcdir"/libXres-$pkgver +_builddir="$srcdir"/libXres-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done + libtoolize --force && aclocal && autoheader && autoconf \ + && automake --add-missing +} + +build() { + cd "$_builddir" ./configure --prefix=/usr \ --sysconfdir=/etc make || return 1 } package() { - cd "$srcdir"/libXres-$pkgver + cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE } -md5sums="80d0c6d8522fa7a645e4f522e9a9cd20 libXres-1.0.6.tar.bz2" +md5sums="80d0c6d8522fa7a645e4f522e9a9cd20 libXres-1.0.6.tar.bz2 +1c9e87b0d44dd1e3630c2dace1885f5c 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch +b846d11e2aded99e05b17f582704a2b8 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch +d30b38ef42f65a9409ff53df81257ca2 0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch +791bd7a8effc52ed2e5ae266729b317a 
0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch" +sha256sums="ff8661c925e8b182f98ae98f02bbd93c55259ef7f34a92c1a126b6074ebde890 libXres-1.0.6.tar.bz2 +6069a7690f226a98e5ca898e0213f96672ad47a3ce2fbd4079cce185bf7842e2 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch +5ae734771ea853177771b7ef566c1ebc8a365c301353fc1883007d2c560df26e 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch +c40579e8ce20316710339fe1c497b3b75e641a1de66321892f40b71ca0e316db 0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch +4ce80a734022df47f5c6b6bbb984446c67ca2dff7231dee5c1686f496bf6ab30 0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch" +sha512sums="ba884e32446946520d1ba81764fac64f5350fb109cff1846e839c2a9ef11708ebd39d4434525a373af0c10250fc5f508a34f965f9e2312d5bc50ccbefbafa65c libXres-1.0.6.tar.bz2 +ffa4def53bd8e99120526e55d5eb025e135517e8d6d43fb6abd64ec9c3c4234d026bdb5d35477292aecb3a56f44041a2b1338909997bc671adca43f175d9f774 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch +6a9d2e50b5bf128c5a9366b227b4d0649388aea5907e180346ac53ddb0685afad05d22d24b7953e7c323292153aa5867582adf9940420da69eef2b67ff0597d3 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch +ea313a26f8ffffcaa8de2a813e8df775b534895b0d8400640292e94465a80b20daf3ee45db25695e6ca867f298b6490beeb5b5bf67065b001e4a9f971534c474 0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch +d8b4be3b9a69f33c32254f23dfa51fd4154ea1afae498aea2ab841a7d98e526af666b4a3b9df8f011f04d440e6f20ea0e9c58627eb7030992a2e0897b8f02ad7 0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch" -- cgit v1.2.3
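Review bot: In the new prepare() in main/libxres/APKBUILD, `cd "$_builddir"` is unchecked although the other steps in the function use `|| return 1`. Unless the build tool aborts on errors by itself, a missing directory would let the loop run `patch -p1` in whatever directory the shell is in, so the security patches could fail to apply to the intended tree. I would write `cd "$_builddir" || return 1` here, and the same in build() and package(). The loop also expands `$i` unquoted in `"$srcdir"/$i`; that is harmless for the file names listed in `source`, but `"$srcdir/$i"` is the safer form.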