main/libxres: fix CVE-2013-1988

ref #1931
author: Natanael Copa <ncopa@alpinelinux.org> 2013-05-24 09:23:39 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2013-05-24 09:23:39 +0000
commit: b262cf6c02f0e15dc88618b6a9e1298ace184057 (patch)
tree: 874e073def3c2d40af28279fdc19026ff24ebfab /main/libxres
parent: f4a1e4bfe936b7b1c1364a8ebc769145f060ce25 (diff)
download: aports-b262cf6c02f0e15dc88618b6a9e1298ace184057.tar.bz2
aports-b262cf6c02f0e15dc88618b6a9e1298ace184057.tar.xz
5 files changed, 224 insertions, 9 deletions
diff --git a/main/libxres/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch b/main/libxres/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
new file mode 100644
index 000000000..b8ef330d8
--- /dev/null
+++ b/main/libxres/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
@@ -0,0 +1,36 @@
+From 83e7693515369d57dcd11c2bb1f03563f51bc500 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 18 Jan 2013 23:06:20 -0800
+Subject: [PATCH 1/4] Replace deprecated Automake INCLUDES variable with
+ AM_CPPFLAGS
+
+Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
+
+  - Support for the long-deprecated INCLUDES variable will be removed
+    altogether in Automake 1.14.  The AM_CPPFLAGS variable should be
+    used instead.
+
+This variable was deprecated in Automake releases prior to 1.10, which is
+the current minimum level required to build X.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index fd508da..bf66d68 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -10,7 +10,7 @@ AM_CFLAGS = \
+ 	$(XRES_CFLAGS) \
+ 	$(MALLOC_ZERO_CFLAGS)
+ 
+-INCLUDES = -I$(top_srcdir)/include
++AM_CPPFLAGS = -I$(top_srcdir)/include
+ 
+ libXRes_la_LDFLAGS = -version-number 1:0:0 -no-undefined
+ 
+-- 
+1.8.2.3
+
diff --git a/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
new file mode 100644
index 000000000..9f22c4fa5
--- /dev/null
+++ b/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
@@ -0,0 +1,75 @@
+From 69457711050ac3a53859ef11790a7ac815cd7d94 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 10:34:22 -0700
+Subject: [PATCH 2/4] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac |  6 ++++++
+ src/XRes.c   | 16 ++++++++++++++--
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 90205cc..f68b689 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -50,6 +50,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XRES, x11 xext xextproto [resourceproto >= 1.2.0])
+ 
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XRES_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ 		src/Makefile
+ 		man/Makefile
+diff --git a/src/XRes.c b/src/XRes.c
+index 1744196..1ab1db8 100644
+--- a/src/XRes.c
++++ b/src/XRes.c
+@@ -13,6 +13,18 @@
+ #include <X11/extensions/XResproto.h>
+ #include <X11/extensions/XRes.h>
+ 
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++    if (n >= (ULONG_MAX >> 2))
++        _XIOError(dpy);
++# endif
++    _XEatData (dpy, n << 2);
++}
++#endif
+ 
+ static XExtensionInfo _xres_ext_info_data;
+ static XExtensionInfo *xres_ext_info = &_xres_ext_info_data;
+@@ -131,7 +143,7 @@ Status XResQueryClients (
+             *num_clients = rep.num_clients;
+             result = 1;
+         } else {
+-            _XEatData(dpy, rep.length << 2);
++            _XEatDataWords(dpy, rep.length);
+         }
+     }
+ 
+@@ -183,7 +195,7 @@ Status XResQueryClientResources (
+             *num_types = rep.num_types;
+             result = 1;
+         } else {
+-            _XEatData(dpy, rep.length << 2);
++            _XEatDataWords(dpy, rep.length);
+         }
+     }
+ 
+-- 
+1.8.2.3
+
diff --git a/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch b/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
new file mode 100644
index 000000000..e851c092f
--- /dev/null
+++ b/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
@@ -0,0 +1,37 @@
+From b053d215b80e721f9afdc5794e4f3f4f2aee0141 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 12 Apr 2013 23:36:13 -0700
+Subject: [PATCH 3/4] integer overflow in XResQueryClients() [CVE-2013-1988
+ 1/2]
+
+The CARD32 rep.num_clients needs to be bounds checked before multiplying
+by sizeof(XResClient) to avoid integer overflow leading to underallocation
+and writing data from the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XRes.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/XRes.c b/src/XRes.c
+index 1ab1db8..c989985 100644
+--- a/src/XRes.c
++++ b/src/XRes.c
+@@ -130,7 +130,12 @@ Status XResQueryClients (
+     }
+ 
+     if(rep.num_clients) {
+-        if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) {
++        if (rep.num_clients < (INT_MAX / sizeof(XResClient)))
++            clnts = Xmalloc(sizeof(XResClient) * rep.num_clients);
++        else
++            clnts = NULL;
++
++        if (clnts != NULL) {
+             xXResClient scratch;
+             int i;
+ 
+-- 
+1.8.2.3
+
diff --git a/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch b/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch
new file mode 100644
index 000000000..bca2bb026
--- /dev/null
+++ b/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch
@@ -0,0 +1,37 @@
+From f468184963e53feda848853c4aefd0197b2cc116 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 12 Apr 2013 23:36:13 -0700
+Subject: [PATCH 4/4] integer overflow in XResQueryClientResources()
+ [CVE-2013-1988 2/2]
+
+The CARD32 rep.num_types needs to be bounds checked before multiplying
+by sizeof(XResType) to avoid integer overflow leading to underallocation
+and writing data from the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XRes.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/XRes.c b/src/XRes.c
+index c989985..51e905f 100644
+--- a/src/XRes.c
++++ b/src/XRes.c
+@@ -187,7 +187,12 @@ Status XResQueryClientResources (
+     }
+ 
+     if(rep.num_types) {
+-        if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) {
++        if (rep.num_types < (INT_MAX / sizeof(XResType)))
++            typs = Xmalloc(sizeof(XResType) * rep.num_types);
++        else
++            typs = NULL;
++
++        if (typs != NULL) {
+             xXResType scratch;
+             int i;
+ 
+-- 
+1.8.2.3
+
diff --git a/main/libxres/APKBUILD b/main/libxres/APKBUILD
index fc23b9d49..705ca3e2d 100644
--- a/main/libxres/APKBUILD
+++ b/main/libxres/APKBUILD
@@ -1,30 +1,60 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libxres
 pkgver=1.0.6
-pkgrel=0
+pkgrel=1
 pkgdesc="X11 Resource extension library"
 url="http://xorg.freedesktop.org"
 arch="all"
 license="custom"
 subpackages="$pkgname-dev $pkgname-doc"
-makedepends="pkgconfig libxext-dev resourceproto"
 depends=
-source="http://xorg.freedesktop.org/releases/individual/lib/libXres-$pkgver.tar.bz2"
+depends_dev="xproto resourceproto libx11-dev libxext-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXres-$pkgver.tar.bz2
+	0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+	0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+	0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
+	0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch
+	"
 
-depends_dev="xproto libx11-dev libxext-dev"
-build ()
-{
-	cd "$srcdir"/libXres-$pkgver
+_builddir="$srcdir"/libXres-$pkgver
+prepare() {
+	cd "$_builddir"
+	for i in $source; do
+		case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
+	libtoolize --force && aclocal && autoheader && autoconf \
+		&& automake --add-missing
+}
+
+build() {
+	cd "$_builddir"
 	./configure --prefix=/usr \
 		--sysconfdir=/etc 
 	make || return 1
 }
 
 package() {
-	cd "$srcdir"/libXres-$pkgver
+	cd "$_builddir"
 	make DESTDIR="$pkgdir" install || return 1
 	rm "$pkgdir"/usr/lib/*.la
 	install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
 }
 
-md5sums="80d0c6d8522fa7a645e4f522e9a9cd20  libXres-1.0.6.tar.bz2"
+md5sums="80d0c6d8522fa7a645e4f522e9a9cd20  libXres-1.0.6.tar.bz2
+1c9e87b0d44dd1e3630c2dace1885f5c  0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+b846d11e2aded99e05b17f582704a2b8  0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+d30b38ef42f65a9409ff53df81257ca2  0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
+791bd7a8effc52ed2e5ae266729b317a  0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch"
+sha256sums="ff8661c925e8b182f98ae98f02bbd93c55259ef7f34a92c1a126b6074ebde890  libXres-1.0.6.tar.bz2
+6069a7690f226a98e5ca898e0213f96672ad47a3ce2fbd4079cce185bf7842e2  0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+5ae734771ea853177771b7ef566c1ebc8a365c301353fc1883007d2c560df26e  0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+c40579e8ce20316710339fe1c497b3b75e641a1de66321892f40b71ca0e316db  0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
+4ce80a734022df47f5c6b6bbb984446c67ca2dff7231dee5c1686f496bf6ab30  0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch"
+sha512sums="ba884e32446946520d1ba81764fac64f5350fb109cff1846e839c2a9ef11708ebd39d4434525a373af0c10250fc5f508a34f965f9e2312d5bc50ccbefbafa65c  libXres-1.0.6.tar.bz2
+ffa4def53bd8e99120526e55d5eb025e135517e8d6d43fb6abd64ec9c3c4234d026bdb5d35477292aecb3a56f44041a2b1338909997bc671adca43f175d9f774  0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+6a9d2e50b5bf128c5a9366b227b4d0649388aea5907e180346ac53ddb0685afad05d22d24b7953e7c323292153aa5867582adf9940420da69eef2b67ff0597d3  0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+ea313a26f8ffffcaa8de2a813e8df775b534895b0d8400640292e94465a80b20daf3ee45db25695e6ca867f298b6490beeb5b5bf67065b001e4a9f971534c474  0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
+d8b4be3b9a69f33c32254f23dfa51fd4154ea1afae498aea2ab841a7d98e526af666b4a3b9df8f011f04d440e6f20ea0e9c58627eb7030992a2e0897b8f02ad7  0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch"
author	Natanael Copa <ncopa@alpinelinux.org>	2013-05-24 09:23:39 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2013-05-24 09:23:39 +0000
commit	b262cf6c02f0e15dc88618b6a9e1298ace184057 (patch)
tree	874e073def3c2d40af28279fdc19026ff24ebfab /main/libxres
parent	f4a1e4bfe936b7b1c1364a8ebc769145f060ce25 (diff)
download	aports-b262cf6c02f0e15dc88618b6a9e1298ace184057.tar.bz2 aports-b262cf6c02f0e15dc88618b6a9e1298ace184057.tar.xz