diff options
3 files changed, 6 insertions, 170 deletions
diff --git a/main/libxinerama/0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch b/main/libxinerama/0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch deleted file mode 100644 index eb7009594..000000000 --- a/main/libxinerama/0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 7ce3ce4be46087f9cc57cb415875abaaa961f734 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 4 May 2013 09:21:14 -0700 -Subject: [PATCH 1/2] Use _XEatDataWords to avoid overflow of _XEatData - calculations - -rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds - -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - configure.ac | 6 ++++++ - src/Xinerama.c | 19 ++++++++++++++++++- - 2 files changed, 24 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index e335508..046a1aa 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO - # Obtain compiler/linker options for depedencies - PKG_CHECK_MODULES(XINERAMA, x11 xext xextproto [xineramaproto >= 1.1.99.1]) - -+# Check for _XEatDataWords function that may be patched into older Xlib releases -+SAVE_LIBS="$LIBS" -+LIBS="$XINERAMA_LIBS" -+AC_CHECK_FUNCS([_XEatDataWords]) -+LIBS="$SAVE_LIBS" -+ - # Allow checking code with lint, sparse, etc. - XORG_WITH_LINT - LINT_FLAGS="${LINT_FLAGS} ${XINERAMA_CFLAGS}" -diff --git a/src/Xinerama.c b/src/Xinerama.c -index 7d7e4d8..04189b6 100644 ---- a/src/Xinerama.c -+++ b/src/Xinerama.c -@@ -23,6 +23,10 @@ dealings in this Software without prior written authorization from Digital - Equipment Corporation. - ******************************************************************/ - -+#ifdef HAVE_CONFIG_H -+# include "config.h" -+#endif -+ - #include <X11/Xlibint.h> - #include <X11/Xutil.h> - #include <X11/extensions/Xext.h> -@@ -31,6 +35,19 @@ Equipment Corporation. - #include <X11/extensions/panoramiXproto.h> - #include <X11/extensions/Xinerama.h> - -+#ifndef HAVE__XEATDATAWORDS -+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */ -+#include <limits.h> -+ -+static inline void _XEatDataWords(Display *dpy, unsigned long n) -+{ -+# ifndef LONG64 -+ if (n >= (ULONG_MAX >> 2)) -+ _XIOError(dpy); -+# endif -+ _XEatData (dpy, n << 2); -+} -+#endif - - static XExtensionInfo _panoramiX_ext_info_data; - static XExtensionInfo *panoramiX_ext_info = &_panoramiX_ext_info_data; -@@ -302,7 +319,7 @@ XineramaQueryScreens( - - *number = rep.number; - } else -- _XEatData(dpy, rep.length << 2); -+ _XEatDataWords(dpy, rep.length); - } else { - *number = 0; - } --- -1.8.2.3 - diff --git a/main/libxinerama/0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch b/main/libxinerama/0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch deleted file mode 100644 index a0ce966b9..000000000 --- a/main/libxinerama/0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 99c644fc8488657bdd106717df7446d606f9ef22 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 8 Mar 2013 19:55:55 -0800 -Subject: [PATCH 2/2] integer overflow in XineramaQueryScreens() - [CVE-2013-1985] - -If the reported number of screens is too large, the calculations to -allocate memory for them may overflow, leaving us writing beyond the -bounds of the allocation. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - src/Xinerama.c | 44 ++++++++++++++++++++++++++++---------------- - 1 file changed, 28 insertions(+), 16 deletions(-) - -diff --git a/src/Xinerama.c b/src/Xinerama.c -index 04189b6..67a35b5 100644 ---- a/src/Xinerama.c -+++ b/src/Xinerama.c -@@ -303,24 +303,36 @@ XineramaQueryScreens( - return NULL; - } - -- if(rep.number) { -- if((scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number))) { -+ /* -+ * rep.number is a CARD32 so could be as large as 2^32 -+ * The X11 protocol limits the total screen size to 64k x 64k, -+ * and no screen can be smaller than a pixel. While technically -+ * that means we could theoretically reach 2^32 screens, and that's -+ * not even taking overlap into account, Xorg is currently limited -+ * to 16 screens, and few known servers have a much higher limit, -+ * so 1024 seems more than enough to prevent both integer overflow -+ * and insane X server responses causing massive memory allocation. -+ */ -+ if ((rep.number > 0) && (rep.number <= 1024)) -+ scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number); -+ if (scrnInfo != NULL) { -+ int i; -+ -+ for (i = 0; i < rep.number; i++) { - xXineramaScreenInfo scratch; -- int i; -- -- for(i = 0; i < rep.number; i++) { -- _XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo); -- scrnInfo[i].screen_number = i; -- scrnInfo[i].x_org = scratch.x_org; -- scrnInfo[i].y_org = scratch.y_org; -- scrnInfo[i].width = scratch.width; -- scrnInfo[i].height = scratch.height; -- } -- -- *number = rep.number; -- } else -- _XEatDataWords(dpy, rep.length); -+ -+ _XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo); -+ -+ scrnInfo[i].screen_number = i; -+ scrnInfo[i].x_org = scratch.x_org; -+ scrnInfo[i].y_org = scratch.y_org; -+ scrnInfo[i].width = scratch.width; -+ scrnInfo[i].height = scratch.height; -+ } -+ -+ *number = rep.number; - } else { -+ _XEatDataWords(dpy, rep.length); - *number = 0; - } - --- -1.8.2.3 - diff --git a/main/libxinerama/APKBUILD b/main/libxinerama/APKBUILD index 36c75c940..2d5465f24 100644 --- a/main/libxinerama/APKBUILD +++ b/main/libxinerama/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libxinerama -pkgver=1.1.2 -pkgrel=1 +pkgver=1.1.3 +pkgrel=0 pkgdesc="X11 Xinerama extension library" url="http://xorg.freedesktop.org/" arch="all" @@ -9,10 +9,8 @@ license="custom" subpackages="$pkgname-dev $pkgname-doc" depends= depends_dev="xineramaproto libx11-dev libxext-dev" -makedepends="$depends_dev libtool automake autoconf util-macros" +makedepends="$depends_dev" source="http://xorg.freedesktop.org/releases/individual/lib/libXinerama-$pkgver.tar.bz2 - 0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch - 0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch " _builddir="$srcdir"/libXinerama-$pkgver @@ -23,8 +21,6 @@ prepare() { *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; esac done - libtoolize --force && aclocal && autoheader && autoconf \ - && automake --add-missing } build() { @@ -38,12 +34,6 @@ package() { make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="cb45d6672c93a608f003b6404f1dd462 libXinerama-1.1.2.tar.bz2 -a315f9665077ca4b845a7176a6a761e6 0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch -0fccb7f32a31711cadf04d1f68326ea7 0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch" -sha256sums="a4e77c2fd88372e4ae365f3ca0434a23613da96c5b359b1a64bf43614ec06aac libXinerama-1.1.2.tar.bz2 -78201bfc1c9cafb0180373c0dc65edb0051f8ca541024effbfe1e146c71fb830 0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch -21a7aeecf921b7cd237410458947c3fdcec45b9e4af4c94c603b1d22ee31bd0c 0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch" -sha512sums="3bddf3daec22476e02bedaf3a995943c45810033dea022472130b05500985fc402e3d766c4d86acefc0237fc1b5d06ddb28377093097eeef0f9bfcbd7e2e84dc libXinerama-1.1.2.tar.bz2 -270ac2ffef12bec7629041f3a89ea3dae11f186772a8abbdbee4d2331528f670d2920a7510fa957fc8596bd66ee93f6bb3df030be6de7fdbd71de3cba486fe9f 0001-Use-_XEatDataWords-to-avoid-overflow-of-_XEatData-ca.patch -336e07a24379af596bb6ee7efa8adfe93109aa84fa5a3013edeebc2a6ecc4b88433ef60d3ffb4c71c02103b693bb5391bac7a45e177188e41139f5f4ae2c2f6b 0002-integer-overflow-in-XineramaQueryScreens-CVE-2013-19.patch" +md5sums="9336dc46ae3bf5f81c247f7131461efd libXinerama-1.1.3.tar.bz2" +sha256sums="7a45699f1773095a3f821e491cbd5e10c887c5a5fce5d8d3fced15c2ff7698e2 libXinerama-1.1.3.tar.bz2" +sha512sums="c9f059697c04fdc600d9e63873e924032d6cff456674ee28a885270c54722d96df0ef7a78432c2bdc0844241f115e00ad730c29d84681efc1c45a2e1acb3288c libXinerama-1.1.3.tar.bz2" |