Diffstat (limited to 'main')
-rw-r--r-- | main/libxfixes/APKBUILD | 16 | ||||
-rw-r--r-- | main/libxfixes/CVE-2013-1983.patch | 70 |
2 files changed, 6 insertions, 80 deletions
diff --git a/main/libxfixes/APKBUILD b/main/libxfixes/APKBUILD
index b41372041..89decdb0e 100644
--- a/main/libxfixes/APKBUILD
+++ b/main/libxfixes/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libxfixes
-pkgver=5.0
-pkgrel=2
+pkgver=5.0.1
+pkgrel=0
 pkgdesc="X11 miscellaneous 'fixes' extension library"
 url="http://xorg.freedesktop.org/"
 arch="all"
@@ -10,8 +10,7 @@ depends=
 depends_dev="xproto fixesproto libx11-dev"
 makedepends="$depends_dev xextproto"
 subpackages="$pkgname-dev $pkgname-doc"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2
- CVE-2013-1983.patch"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2"
 _builddir="$srcdir"/libXfixes-$pkgver
 prepare() {
@@ -34,9 +33,6 @@ package() {
 make DESTDIR="$pkgdir" install || return 1
 rm "$pkgdir"/usr/lib/*.la || return 1
 }
-md5sums="678071bd7f9f7467e2fc712d81022318 libXfixes-5.0.tar.bz2
-cfd62d3f71592118ca0a6862cfe221b3 CVE-2013-1983.patch"
-sha256sums="537a2446129242737a35db40081be4bbcc126e56c03bf5f2b142b10a79cda2e3 libXfixes-5.0.tar.bz2
-b1e261feb83e064ac1123cb3004f0ed9284b23abef34f4f5bb6a5d452aff1192 CVE-2013-1983.patch"
-sha512sums="fd3071b52c657975b4321e6c7ebe433c43ea6944d04d2228da075aad394e962eec705e41a6c3a6bbc12f704765189116d1328c3111e457f23395ff6f57ae63d5 libXfixes-5.0.tar.bz2
-6c1e9d1261ece81d97af947a1543f313aebfeb8cc18c121bc51e8cc1142e49c4c5c21fb304d2d37af318c530551e02c029bfbce928d9caefb9432b1c5a4da66c CVE-2013-1983.patch"
+md5sums="b985b85f8b9386c85ddcfe1073906b4d libXfixes-5.0.1.tar.bz2"
+sha256sums="63bec085084fa3caaee5180490dd871f1eb2020ba9e9b39a30f93693ffc34767 libXfixes-5.0.1.tar.bz2"
+sha512sums="b47c841db169d1b329eec9deb555799cd087a466326840f1f5349303ba79cff5850b1bb69c1ff38b3f522f24d61db58a0c01021e1ffea2896527167262fc7150 libXfixes-5.0.1.tar.bz2"
diff --git a/main/libxfixes/CVE-2013-1983.patch b/main/libxfixes/CVE-2013-1983.patch
deleted file mode 100644
index d0089d4f6..000000000
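Review bot: Dropping `CVE-2013-1983.patch` from `source=` in the second APKBUILD hunk leaves nothing in the package that records the XFixesGetCursorImage() integer-overflow fix is still applied. The commit presumably relies on libXfixes 5.0.1 already containing upstream commit c480fe3271873ec7471b0cbd680f4dac18ca8904, but nothing visible here confirms that. I would check the 5.0.1 tarball's src/Cursor.c for the `INT_MAX` bounds on `rep.length` and `npixels`, then add a comment above `source=` such as `# CVE-2013-1983 fixed upstream in 5.0.1 (c480fe32); local patch dropped`. The same `source=` line still fetches the tarball over plain `http://`, so the `sha256sums`/`sha512sums` entries in the last hunk are the only integrity check on the download and should be compared against the upstream release announcement rather than a locally computed value.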
--- a/main/libxfixes/CVE-2013-1983.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From c480fe3271873ec7471b0cbd680f4dac18ca8904 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 17:24:08 +0000
-Subject: integer overflow in XFixesGetCursorImage() [CVE-2013-1983]
-
-If the reported cursor dimensions or name length are too large, the
-calculations to allocate memory for them may overflow, leaving us
-writing beyond the bounds of the allocation.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
-diff --git a/src/Cursor.c b/src/Cursor.c
-index 641b747..33590b7 100644
----- a/src/Cursor.c
-+++ b/src/Cursor.c
-@@ -47,6 +47,7 @@
- #include <config.h>
- #endif
- #include "Xfixesint.h"
-+#include <limits.h>
-
- void
- XFixesSelectCursorInput (Display *dpy,
-@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy)
- XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
- xXFixesGetCursorImageAndNameReq *req;
- xXFixesGetCursorImageAndNameReply rep;
-- int npixels;
-- int nbytes_name;
-- int nbytes, nread, rlength;
-+ size_t npixels;
-+ size_t nbytes_name;
-+ size_t nbytes, nread, rlength;
- XFixesCursorImage *image;
- char *name;
-
-@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy)
- }
- npixels = rep.width * rep.height;
- nbytes_name = rep.nbytes;
-- /* reply data length */
-- nbytes = (long) rep.length << 2;
-- /* bytes of actual data in the reply */
-- nread = (npixels << 2) + nbytes_name;
-- /* size of data returned to application */
-- rlength = (sizeof (XFixesCursorImage) +
-- npixels * sizeof (unsigned long) +
-- nbytes_name + 1);
-+ if ((rep.length < (INT_MAX >> 2)) &&
-+ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1)
-+ - nbytes_name)) {
-+ /* reply data length */
-+ nbytes = (size_t) rep.length << 2;
-+ /* bytes of actual data in the reply */
-+ nread = (npixels << 2) + nbytes_name;
-+ /* size of data returned to application */
-+ rlength = (sizeof (XFixesCursorImage) +
-+ npixels * sizeof (unsigned long) +
-+ nbytes_name + 1);
-
-- image = (XFixesCursorImage *) Xmalloc (rlength);
-+ image = Xmalloc (rlength);
-+ } else
-+ image = NULL;
- if (!image)
- {
- _XEatDataWords(dpy, rep.length);
---
-cgit v0.9.0.2-2-gbebe |