summaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:04:59 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:04:59 +0000
commit3e5921fae9eef23dbc7c56b7905ccbf9de168cea (patch)
tree71188cec981e5c2873b33ccb2250b3ae4f6f7ebf /main
parent04adcbb8d0e9999441ed2b2167b3dda47a0372c4 (diff)
downloadaports-3e5921fae9eef23dbc7c56b7905ccbf9de168cea.tar.bz2
aports-3e5921fae9eef23dbc7c56b7905ccbf9de168cea.tar.xz
main/libxinerama: fix CVE-2013-1985
ref #1931
Diffstat (limited to 'main')
-rw-r--r--main/libxinerama/0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch78
-rw-r--r--main/libxinerama/0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch76
-rw-r--r--main/libxinerama/APKBUILD35
3 files changed, 183 insertions, 6 deletions
diff --git a/main/libxinerama/0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch b/main/libxinerama/0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch
new file mode 100644
index 000000000..eb7009594
--- /dev/null
+++ b/main/libxinerama/0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch
@@ -0,0 +1,78 @@
+From 7ce3ce4be46087f9cc57cb415875abaaa961f734 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 4 May 2013 09:21:14 -0700
+Subject: [PATCH 1/2] Use _XEatDataWords to avoid overflow of _XEatData
+ calculations
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/Xinerama.c | 19 ++++++++++++++++++-
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index e335508..046a1aa 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XINERAMA, x11 xext xextproto [xineramaproto >= 1.1.99.1])
+
++# Check for _XEatDataWords function that may be patched into older Xlib releases
++SAVE_LIBS="$LIBS"
++LIBS="$XINERAMA_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Allow checking code with lint, sparse, etc.
+ XORG_WITH_LINT
+ LINT_FLAGS="${LINT_FLAGS} ${XINERAMA_CFLAGS}"
+diff --git a/src/Xinerama.c b/src/Xinerama.c
+index 7d7e4d8..04189b6 100644
+--- a/src/Xinerama.c
++++ b/src/Xinerama.c
+@@ -23,6 +23,10 @@ dealings in this Software without prior written authorization from Digital
+ Equipment Corporation.
+ ******************************************************************/
+
++#ifdef HAVE_CONFIG_H
++# include "config.h"
++#endif
++
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include <X11/extensions/Xext.h>
+@@ -31,6 +35,19 @@ Equipment Corporation.
+ #include <X11/extensions/panoramiXproto.h>
+ #include <X11/extensions/Xinerama.h>
+
++#ifndef HAVE__XEATDATAWORDS
++#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
++#include <limits.h>
++
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ static XExtensionInfo _panoramiX_ext_info_data;
+ static XExtensionInfo *panoramiX_ext_info = &_panoramiX_ext_info_data;
+@@ -302,7 +319,7 @@ XineramaQueryScreens(
+
+ *number = rep.number;
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ } else {
+ *number = 0;
+ }
+--
+1.8.2.3
+
diff --git a/main/libxinerama/0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch b/main/libxinerama/0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch
new file mode 100644
index 000000000..a0ce966b9
--- /dev/null
+++ b/main/libxinerama/0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch
@@ -0,0 +1,76 @@
+From 99c644fc8488657bdd106717df7446d606f9ef22 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 8 Mar 2013 19:55:55 -0800
+Subject: [PATCH 2/2] integer overflow in XineramaQueryScreens()
+ [CVE-2013-1985]
+
+If the reported number of screens is too large, the calculations to
+allocate memory for them may overflow, leaving us writing beyond the
+bounds of the allocation.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xinerama.c | 44 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 28 insertions(+), 16 deletions(-)
+
+diff --git a/src/Xinerama.c b/src/Xinerama.c
+index 04189b6..67a35b5 100644
+--- a/src/Xinerama.c
++++ b/src/Xinerama.c
+@@ -303,24 +303,36 @@ XineramaQueryScreens(
+ return NULL;
+ }
+
+- if(rep.number) {
+- if((scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number))) {
++ /*
++ * rep.number is a CARD32 so could be as large as 2^32
++ * The X11 protocol limits the total screen size to 64k x 64k,
++ * and no screen can be smaller than a pixel. While technically
++ * that means we could theoretically reach 2^32 screens, and that's
++ * not even taking overlap into account, Xorg is currently limited
++ * to 16 screens, and few known servers have a much higher limit,
++ * so 1024 seems more than enough to prevent both integer overflow
++ * and insane X server responses causing massive memory allocation.
++ */
++ if ((rep.number > 0) && (rep.number <= 1024))
++ scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number);
++ if (scrnInfo != NULL) {
++ int i;
++
++ for (i = 0; i < rep.number; i++) {
+ xXineramaScreenInfo scratch;
+- int i;
+-
+- for(i = 0; i < rep.number; i++) {
+- _XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo);
+- scrnInfo[i].screen_number = i;
+- scrnInfo[i].x_org = scratch.x_org;
+- scrnInfo[i].y_org = scratch.y_org;
+- scrnInfo[i].width = scratch.width;
+- scrnInfo[i].height = scratch.height;
+- }
+-
+- *number = rep.number;
+- } else
+- _XEatDataWords(dpy, rep.length);
++
++ _XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo);
++
++ scrnInfo[i].screen_number = i;
++ scrnInfo[i].x_org = scratch.x_org;
++ scrnInfo[i].y_org = scratch.y_org;
++ scrnInfo[i].width = scratch.width;
++ scrnInfo[i].height = scratch.height;
++ }
++
++ *number = rep.number;
+ } else {
++ _XEatDataWords(dpy, rep.length);
+ *number = 0;
+ }
+
+--
+1.8.2.3
+
diff --git a/main/libxinerama/APKBUILD b/main/libxinerama/APKBUILD
index 0b5f65605..36c75c940 100644
--- a/main/libxinerama/APKBUILD
+++ b/main/libxinerama/APKBUILD
@@ -1,26 +1,49 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxinerama
pkgver=1.1.2
-pkgrel=0
+pkgrel=1
pkgdesc="X11 Xinerama extension library"
url="http://xorg.freedesktop.org/"
arch="all"
license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
-makedepends="pkgconfig libxext-dev libx11-dev xineramaproto"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXinerama-$pkgver.tar.bz2"
depends_dev="xineramaproto libx11-dev libxext-dev"
+makedepends="$depends_dev libtool automake autoconf util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXinerama-$pkgver.tar.bz2
+ 0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch
+ 0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch
+ "
+
+_builddir="$srcdir"/libXinerama-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+ libtoolize --force && aclocal && autoheader && autoconf \
+ && automake --add-missing
+}
build() {
- cd "$srcdir"/libXinerama-$pkgver
+ cd "$_builddir"
./configure --prefix=/usr
make || return 1
}
package() {
- cd "$srcdir"/libXinerama-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
}
-md5sums="cb45d6672c93a608f003b6404f1dd462 libXinerama-1.1.2.tar.bz2"
+md5sums="cb45d6672c93a608f003b6404f1dd462 libXinerama-1.1.2.tar.bz2
+a315f9665077ca4b845a7176a6a761e6 0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch
+0fccb7f32a31711cadf04d1f68326ea7 0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch"
+sha256sums="a4e77c2fd88372e4ae365f3ca0434a23613da96c5b359b1a64bf43614ec06aac libXinerama-1.1.2.tar.bz2
+78201bfc1c9cafb0180373c0dc65edb0051f8ca541024effbfe1e146c71fb830 0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch
+21a7aeecf921b7cd237410458947c3fdcec45b9e4af4c94c603b1d22ee31bd0c 0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch"
+sha512sums="3bddf3daec22476e02bedaf3a995943c45810033dea022472130b05500985fc402e3d766c4d86acefc0237fc1b5d06ddb28377093097eeef0f9bfcbd7e2e84dc libXinerama-1.1.2.tar.bz2
+270ac2ffef12bec7629041f3a89ea3dae11f186772a8abbdbee4d2331528f670d2920a7510fa957fc8596bd66ee93f6bb3df030be6de7fdbd71de3cba486fe9f 0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch
+336e07a24379af596bb6ee7efa8adfe93109aa84fa5a3013edeebc2a6ecc4b88433ef60d3ffb4c71c02103b693bb5391bac7a45e177188e41139f5f4ae2c2f6b 0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch"