From ba5259e879b12c3266333e072624037d67f37be4 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Thu, 6 Jun 2013 16:16:02 +0000
Subject: main/libxxf86dga: upgrade to 1.1.4
---
 ...taWords-to-avoid-overflow-of-rep.length-s.patch | 76 ----------------------
 ...rflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch | 52 ---------------
 ...rflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch | 43 ------------
 ...rflow-underflow-in-XDGASetMode-CVE-2013-1.patch | 53 ---------------
 ...overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch | 40 ------------
 ...6-integer-overflow-in-XDGAOpenFramebuffer.patch | 40 ------------
 main/libxxf86dga/APKBUILD | 14 ++--
 7 files changed, 6 insertions(+), 312 deletions(-)
 delete mode 100644 main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
 delete mode 100644 main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch
 delete mode 100644 main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch
 delete mode 100644 main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
 delete mode 100644 main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch
 delete mode 100644 main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch
(limited to 'main')
diff --git a/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
deleted file mode 100644
index 5a77d4cc40..0000000000
--- a/main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 6fa471be7a005bde97bcb5ca5a17662ea8d32587 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith
-Date: Sat, 13 Apr 2013 12:05:25 -0700
-Subject: [PATCH 1/6] Use _XEatDataWords to avoid overflow of rep.length
- shifting
-
-rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
-
-Signed-off-by: Alan Coopersmith
----
- configure.ac | 6 ++++++
- src/XF86DGA2.c | 17 ++++++++++++++++-
- 2 files changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 0558326..955fa3c 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
- # Obtain compiler/linker options for depedencies
- PKG_CHECK_MODULES(XXF86DGA, xproto x11 xextproto xext [xf86dgaproto >= 2.0.99.2])
-
-+# Check for _XEatDataWords function that may be patched into older Xlib release
-+SAVE_LIBS="$LIBS"
-+LIBS="$XXF86DGA_LIBS"
-+AC_CHECK_FUNCS([_XEatDataWords])
-+LIBS="$SAVE_LIBS"
-+
- AC_CONFIG_FILES([Makefile
- src/Makefile
- man/Makefile
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index 964de18..c17c7f1 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -6,6 +6,9 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc
- */
-
- /* THIS IS NOT AN X CONSORTIUM STANDARD */
-+#ifdef HAVE_CONFIG_H
-+#include
-+#endif
-
- #ifdef __UNIXOS2__ /* needed here to override certain constants in X headers */
- #define INCL_DOS
-@@ -22,6 +25,18 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc
- #include
-
- #include
-+#include
-+
-+#ifndef HAVE__XEATDATAWORDS
-+static inline void _XEatDataWords(Display *dpy, unsigned long n)
-+{
-+# ifndef LONG64
-+ if (n >= (ULONG_MAX >> 2))
-+ _XIOError(dpy);
-+# endif
-+ _XEatData (dpy, n << 2);
-+}
-+#endif
-
- /* If you change this, change the Bases[] array below as well */
- #define MAX_HEADS 16
-@@ -342,7 +357,7 @@ XDGAMode* XDGAQueryModes(
- }
- *num = rep.number;
- } else
-- _XEatData(dpy, rep.length << 2);
-+ _XEatDataWords(dpy, rep.length);
- }
- }
-
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch b/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch
deleted file mode 100644
index c3d190b546..0000000000
--- a/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From f4a8dd63af518640468d82948f450aad4b2b1e6a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith
-Date: Sat, 13 Apr 2013 12:18:57 -0700
-Subject: [PATCH 2/6] integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
-
-number is a CARD32 and needs to be bounds checked before multiplying by
-sizeof(XDGAmode) to come up with the total size to allocate, to avoid
-integer overflow leading to underallocation and writing data from the
-network past the end of the allocated buffer.
-
-Reported-by: Ilja Van Sprundel
-Signed-off-by: Alan Coopersmith
----
- src/XF86DGA2.c | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index c17c7f1..8830266 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes(
- if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
- if(rep.length) {
- xXDGAModeInfo info;
-- int i, size;
-+ unsigned long size = 0;
- char *offset;
-
-- size = rep.length << 2;
-- size -= rep.number * sz_xXDGAModeInfo; /* find text size */
-- modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size);
-- offset = (char*)(&modes[rep.number]); /* start of text */
--
-+ if ((rep.length < (INT_MAX >> 2)) &&
-+ (rep.number < (INT_MAX / sizeof(XDGAMode)))) {
-+ size = rep.length << 2;
-+ if (size > (rep.number * sz_xXDGAModeInfo)) {
-+ size -= rep.number * sz_xXDGAModeInfo; /* find text size */
-+ modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size);
-+ offset = (char*)(&modes[rep.number]); /* start of text */
-+ }
-+ }
-
-- if(modes) {
-+ if (modes != NULL) {
-+ unsigned int i;
- for(i = 0; i < rep.number; i++) {
- _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
-
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch b/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch
deleted file mode 100644
index 9123d7f3ba..0000000000
--- a/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 5dcfa6a8cf2df39828da733e5945e730518c27b3 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith
-Date: Sat, 13 Apr 2013 12:27:10 -0700
-Subject: [PATCH 3/6] buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
-
-When reading the name strings for the modes off the network, we never
-checked to make sure the length of the individual name strings didn't
-overflow the size of the buffer we'd allocated based on the reported
-rep.length for the total reply size.
-
-Reported-by: Ilja Van Sprundel
-Signed-off-by: Alan Coopersmith
----
- src/XF86DGA2.c | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index 8830266..b5145ee 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes(
- modes[i].reserved1 = info.reserved1;
- modes[i].reserved2 = info.reserved2;
-
-- _XRead(dpy, offset, info.name_size);
-- modes[i].name = offset;
-- offset += info.name_size;
-+ if (info.name_size > 0 && info.name_size <= size) {
-+ _XRead(dpy, offset, info.name_size);
-+ modes[i].name = offset;
-+ modes[i].name[info.name_size - 1] = '\0';
-+ offset += info.name_size;
-+ size -= info.name_size;
-+ } else {
-+ _XEatData(dpy, info.name_size);
-+ modes[i].name = NULL;
-+ }
- }
- *num = rep.number;
- } else
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch b/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
deleted file mode 100644
index 7a44a074ba..0000000000
--- a/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From f89cf306a60facdf102696840bc05acebd7d1772 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith
-Date: Sat, 13 Apr 2013 12:38:25 -0700
-Subject: [PATCH 4/6] integer overflow & underflow in XDGASetMode()
- [CVE-2013-1991 2/2]
-
-rep.length is a CARD32 and needs to be bounds checked before bit shifting
-and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
-to avoid integer overflow or underflow leading to underallocation and
-writing data from the network past the end of the allocated buffer.
-
-Reported-by: Ilja Van Sprundel
-Signed-off-by: Alan Coopersmith
----
- src/XF86DGA2.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index b5145ee..90ca918 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -405,12 +405,15 @@ XDGASetMode(
- if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
- if(rep.length) {
- xXDGAModeInfo info;
-- int size;
-+ unsigned long size;
-
-- size = rep.length << 2;
-- size -= sz_xXDGAModeInfo; /* get text size */
-+ if ((rep.length < (INT_MAX >> 2)) &&
-+ (rep.length > (sz_xXDGAModeInfo >> 2))) {
-+ size = rep.length << 2;
-+ size -= sz_xXDGAModeInfo; /* get text size */
-
-- dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
-+ dev = Xmalloc(sizeof(XDGADevice) + size);
-+ }
-
- if(dev) {
- _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
-@@ -451,6 +454,8 @@ XDGASetMode(
- dev->data += rep.offset;
- }
- /* not sure what to do if the allocation fails */
-+ else
-+ _XEatDataWords(dpy, rep.length);
- }
- }
-
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch b/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch
deleted file mode 100644
index 70ed6aef78..0000000000
--- a/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From b69d6d51a82b1d1e8c68a233360acb742c879375 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith
-Date: Sat, 13 Apr 2013 12:45:41 -0700
-Subject: [PATCH 5/6] buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
-
-When reading the name strings for the mode off the network, we never
-checked to make sure the length of the name strings didn't overflow
-the size of the buffer we'd allocated based on the reported rep.length
-for the total reply size.
-
-Reported-by: Ilja Van Sprundel
-Signed-off-by: Alan Coopersmith
----
- src/XF86DGA2.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index 90ca918..4d13677 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -444,8 +444,14 @@ XDGASetMode(
- dev->mode.reserved1 = info.reserved1;
- dev->mode.reserved2 = info.reserved2;
-
-- dev->mode.name = (char*)(&dev[1]);
-- _XRead(dpy, dev->mode.name, info.name_size);
-+ if (info.name_size > 0 && info.name_size <= size) {
-+ dev->mode.name = (char*)(&dev[1]);
-+ _XRead(dpy, dev->mode.name, info.name_size);
-+ dev->mode.name[info.name_size - 1] = '\0';
-+ } else {
-+ dev->mode.name = NULL;
-+ _XEatDataWords(dpy, rep.length);
-+ }
-
- dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
- dev->data = XDGAGetMappedMemory(screen);
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch b/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch
deleted file mode 100644
index c21b1261fd..0000000000
--- a/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a8dc6be3213bc91dec5e25535ef4bad5a9456af0 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith
-Date: Sat, 13 Apr 2013 12:53:49 -0700
-Subject: [PATCH 6/6] integer overflow in XDGAOpenFramebuffer()
-
-rep.length is a CARD32 and should be bounds checked before left shifting
-to come up with the size to allocate and read from the network, though
-since both functions take the same size, there should be no way for the
-buffer to be overflowed in this case.
-
-Signed-off-by: Alan Coopersmith
----
- src/XF86DGA2.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index 4d13677..9c656e6 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer(
- return False;
- }
-
-- if(rep.length) {
-- deviceName = Xmalloc(rep.length << 2);
-- _XRead(dpy, deviceName, rep.length << 2);
-+ if (rep.length) {
-+ if (rep.length < (INT_MAX >> 2)) {
-+ unsigned long size = rep.length << 2;
-+ deviceName = Xmalloc(size);
-+ _XRead(dpy, deviceName, size);
-+ deviceName[size - 1] = '\0';
-+ } else
-+ _XEatDataWords(dpy, rep.length);
- }
-
- ret = XDGAMapFramebuffer(screen, deviceName,
---
-1.8.2.3
-
diff --git a/main/libxxf86dga/APKBUILD b/main/libxxf86dga/APKBUILD
index ecb2143441..464301d61c 100644
--- a/main/libxxf86dga/APKBUILD
+++ b/main/libxxf86dga/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa
 pkgname=libxxf86dga
-pkgver=1.1.3
-pkgrel=1
+pkgver=1.1.4
+pkgrel=0
 pkgdesc="X11 Direct Graphics Access extension library"
 url="http://xorg.freedesktop.org/"
 arch="all"
@@ -9,7 +9,7 @@ license="custom"
 subpackages="$pkgname-dev $pkgname-doc"
 depends=
 depends_dev="xf86dgaproto libxext-dev libx11-dev"
-makedepends="$depends_dev libtool autoconf automake util-macros"
+makedepends="$depends_dev"
 source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86dga-$pkgver.tar.bz2"
 _builddir="$srcdir"/libXxf86dga-$pkgver
 
@@ -20,8 +20,6 @@ prepare() {
 *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
 esac
 done
- libtoolize --force && aclocal && autoheader && autoconf \
- && automake --add-missing
 }
 
 build() {
@@ -35,6 +33,6 @@ package() {
 make DESTDIR="$pkgdir" install || return 1
 rm "$pkgdir"/usr/lib/*.la
 }
-md5sums="b7f38465c46e7145782d37dbb9da8c09 libXxf86dga-1.1.3.tar.bz2"
-sha256sums="551fa374dbef0f977de1f35d005fa9ffe92b7a87e82dbe62d6a4640f5b0b4994 libXxf86dga-1.1.3.tar.bz2"
-sha512sums="84129573f7491dff92c7072312bbadac7e7b9698b937e65c7bbf94d9b2e17a5448743e557c92c196738ddaa6d70917300f73c943e0c2507402df7bc31d5dd6d0 libXxf86dga-1.1.3.tar.bz2"
+md5sums="d7dd9b9df336b7dd4028b6b56542ff2c libXxf86dga-1.1.4.tar.bz2"
+sha256sums="8eecd4b6c1df9a3704c04733c2f4fa93ef469b55028af5510b25818e2456c77e libXxf86dga-1.1.4.tar.bz2"
+sha512sums="58d81a7850275fc8382018bcc56dbc65b4200828b1f1379dcee3da1878f12a83ee681a9d474bcd564d99bf93bedfeb7b243370e0ebb89177652b37cee158a3f2 libXxf86dga-1.1.4.tar.bz2"
--
cgit v1.2.3
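Review bot: The `*.patch)` arm kept as context in prepare() has nothing left to apply: `source=` in the previous hunk lists only the release tarball and this commit deletes all six patch files, so the loop (whose `for`/`case` header lies outside this hunk) could be removed along with the autotools regeneration dropped here. Because the deleted files carried the fixes for CVE-2013-1991 and CVE-2013-2000, the package now relies entirely on 1.1.4 shipping them, which neither the commit message nor the APKBUILD states. I would record that next to the version, for example `# 1.1.4 carries the upstream fixes for CVE-2013-1991 and CVE-2013-2000; local patches dropped`, after confirming it against the upstream release notes.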