summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/libxfixes/APKBUILD16
-rw-r--r--main/libxfixes/CVE-2013-1983.patch70
2 files changed, 6 insertions, 80 deletions
diff --git a/main/libxfixes/APKBUILD b/main/libxfixes/APKBUILD
index b41372041..89decdb0e 100644
--- a/main/libxfixes/APKBUILD
+++ b/main/libxfixes/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxfixes
-pkgver=5.0
-pkgrel=2
+pkgver=5.0.1
+pkgrel=0
pkgdesc="X11 miscellaneous 'fixes' extension library"
url="http://xorg.freedesktop.org/"
arch="all"
@@ -10,8 +10,7 @@ depends=
depends_dev="xproto fixesproto libx11-dev"
makedepends="$depends_dev xextproto"
subpackages="$pkgname-dev $pkgname-doc"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2
- CVE-2013-1983.patch"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2"
_builddir="$srcdir"/libXfixes-$pkgver
prepare() {
@@ -34,9 +33,6 @@ package() {
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
}
-md5sums="678071bd7f9f7467e2fc712d81022318 libXfixes-5.0.tar.bz2
-cfd62d3f71592118ca0a6862cfe221b3 CVE-2013-1983.patch"
-sha256sums="537a2446129242737a35db40081be4bbcc126e56c03bf5f2b142b10a79cda2e3 libXfixes-5.0.tar.bz2
-b1e261feb83e064ac1123cb3004f0ed9284b23abef34f4f5bb6a5d452aff1192 CVE-2013-1983.patch"
-sha512sums="fd3071b52c657975b4321e6c7ebe433c43ea6944d04d2228da075aad394e962eec705e41a6c3a6bbc12f704765189116d1328c3111e457f23395ff6f57ae63d5 libXfixes-5.0.tar.bz2
-6c1e9d1261ece81d97af947a1543f313aebfeb8cc18c121bc51e8cc1142e49c4c5c21fb304d2d37af318c530551e02c029bfbce928d9caefb9432b1c5a4da66c CVE-2013-1983.patch"
+md5sums="b985b85f8b9386c85ddcfe1073906b4d libXfixes-5.0.1.tar.bz2"
+sha256sums="63bec085084fa3caaee5180490dd871f1eb2020ba9e9b39a30f93693ffc34767 libXfixes-5.0.1.tar.bz2"
+sha512sums="b47c841db169d1b329eec9deb555799cd087a466326840f1f5349303ba79cff5850b1bb69c1ff38b3f522f24d61db58a0c01021e1ffea2896527167262fc7150 libXfixes-5.0.1.tar.bz2"
diff --git a/main/libxfixes/CVE-2013-1983.patch b/main/libxfixes/CVE-2013-1983.patch
deleted file mode 100644
index d0089d4f6..000000000
--- a/main/libxfixes/CVE-2013-1983.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From c480fe3271873ec7471b0cbd680f4dac18ca8904 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 17:24:08 +0000
-Subject: integer overflow in XFixesGetCursorImage() [CVE-2013-1983]
-
-If the reported cursor dimensions or name length are too large, the
-calculations to allocate memory for them may overflow, leaving us
-writing beyond the bounds of the allocation.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
-diff --git a/src/Cursor.c b/src/Cursor.c
-index 641b747..33590b7 100644
---- a/src/Cursor.c
-+++ b/src/Cursor.c
-@@ -47,6 +47,7 @@
- #include <config.h>
- #endif
- #include "Xfixesint.h"
-+#include <limits.h>
-
- void
- XFixesSelectCursorInput (Display *dpy,
-@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy)
- XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
- xXFixesGetCursorImageAndNameReq *req;
- xXFixesGetCursorImageAndNameReply rep;
-- int npixels;
-- int nbytes_name;
-- int nbytes, nread, rlength;
-+ size_t npixels;
-+ size_t nbytes_name;
-+ size_t nbytes, nread, rlength;
- XFixesCursorImage *image;
- char *name;
-
-@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy)
- }
- npixels = rep.width * rep.height;
- nbytes_name = rep.nbytes;
-- /* reply data length */
-- nbytes = (long) rep.length << 2;
-- /* bytes of actual data in the reply */
-- nread = (npixels << 2) + nbytes_name;
-- /* size of data returned to application */
-- rlength = (sizeof (XFixesCursorImage) +
-- npixels * sizeof (unsigned long) +
-- nbytes_name + 1);
-+ if ((rep.length < (INT_MAX >> 2)) &&
-+ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1)
-+ - nbytes_name)) {
-+ /* reply data length */
-+ nbytes = (size_t) rep.length << 2;
-+ /* bytes of actual data in the reply */
-+ nread = (npixels << 2) + nbytes_name;
-+ /* size of data returned to application */
-+ rlength = (sizeof (XFixesCursorImage) +
-+ npixels * sizeof (unsigned long) +
-+ nbytes_name + 1);
-
-- image = (XFixesCursorImage *) Xmalloc (rlength);
-+ image = Xmalloc (rlength);
-+ } else
-+ image = NULL;
- if (!image)
- {
- _XEatDataWords(dpy, rep.length);
---
-cgit v0.9.0.2-2-gbebe