From b26655eaa38290e14b41bf0dd3645030445f42d7 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Fri, 24 May 2013 08:11:41 +0000 Subject: main/libxfixes: fix for CVE-2013-1983 ref #1931 --- main/libxfixes/APKBUILD | 25 +++++++++++--- main/libxfixes/CVE-2013-1983.patch | 70 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+), 5 deletions(-) create mode 100644 main/libxfixes/CVE-2013-1983.patch (limited to 'main/libxfixes') diff --git a/main/libxfixes/APKBUILD b/main/libxfixes/APKBUILD index df130f988..b41372041 100644 --- a/main/libxfixes/APKBUILD +++ b/main/libxfixes/APKBUILD @@ -1,18 +1,28 @@ # Maintainer: Natanael Copa pkgname=libxfixes pkgver=5.0 -pkgrel=1 +pkgrel=2 pkgdesc="X11 miscellaneous 'fixes' extension library" url="http://xorg.freedesktop.org/" arch="all" license="custom" depends= -makedepends="pkgconfig xproto libx11-dev fixesproto xextproto" +depends_dev="xproto fixesproto libx11-dev" +makedepends="$depends_dev xextproto" subpackages="$pkgname-dev $pkgname-doc" -source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2" +source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2 + CVE-2013-1983.patch" -depends_dev="xproto fixesproto libx11-dev" _builddir="$srcdir"/libXfixes-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} + build() { cd "$_builddir" ./configure --prefix=/usr --sysconfdir=/etc --build=${CHOST} --host=${CHOST} 
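Review bot: In the added `prepare()`, `cd "$_builddir"` has no `|| return 1`, so if the directory is missing the loop runs `patch` from whatever directory the build was already in. `cd "$_builddir" || return 1` would match the error handling already used on the `patch` line. `$i` is also expanded unquoted in `msg $i` and `"$srcdir"/$i`, where `msg "$i"` and `"$srcdir/$i"` are the safer spellings. The `build()` function that follows continues outside the hunk.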
@@ -24,4 +34,9 @@ package() { make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="678071bd7f9f7467e2fc712d81022318 libXfixes-5.0.tar.bz2" +md5sums="678071bd7f9f7467e2fc712d81022318 libXfixes-5.0.tar.bz2 +cfd62d3f71592118ca0a6862cfe221b3 CVE-2013-1983.patch" +sha256sums="537a2446129242737a35db40081be4bbcc126e56c03bf5f2b142b10a79cda2e3 libXfixes-5.0.tar.bz2 +b1e261feb83e064ac1123cb3004f0ed9284b23abef34f4f5bb6a5d452aff1192 CVE-2013-1983.patch" +sha512sums="fd3071b52c657975b4321e6c7ebe433c43ea6944d04d2228da075aad394e962eec705e41a6c3a6bbc12f704765189116d1328c3111e457f23395ff6f57ae63d5 libXfixes-5.0.tar.bz2 +6c1e9d1261ece81d97af947a1543f313aebfeb8cc18c121bc51e8cc1142e49c4c5c21fb304d2d37af318c530551e02c029bfbce928d9caefb9432b1c5a4da66c CVE-2013-1983.patch" diff --git a/main/libxfixes/CVE-2013-1983.patch b/main/libxfixes/CVE-2013-1983.patch new file mode 100644 index 000000000..d0089d4f6 --- /dev/null +++ b/main/libxfixes/CVE-2013-1983.patch 
@@ -0,0 +1,70 @@ +From c480fe3271873ec7471b0cbd680f4dac18ca8904 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 13 Apr 2013 17:24:08 +0000 +Subject: integer overflow in XFixesGetCursorImage() [CVE-2013-1983] + +If the reported cursor dimensions or name length are too large, the +calculations to allocate memory for them may overflow, leaving us +writing beyond the bounds of the allocation. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +--- +diff --git a/src/Cursor.c b/src/Cursor.c +index 641b747..33590b7 100644 +--- a/src/Cursor.c ++++ b/src/Cursor.c +@@ -47,6 +47,7 @@ + #include + #endif + #include "Xfixesint.h" ++#include + + void + XFixesSelectCursorInput (Display *dpy, +@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy) + XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy); + xXFixesGetCursorImageAndNameReq *req; + xXFixesGetCursorImageAndNameReply rep; +- int npixels; +- int nbytes_name; +- int nbytes, nread, rlength; ++ size_t npixels; ++ size_t nbytes_name; ++ size_t nbytes, nread, rlength; + XFixesCursorImage *image; + char *name; + +@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy) + } + npixels = rep.width * rep.height; + nbytes_name = rep.nbytes; +- /* reply data length */ +- nbytes = (long) rep.length << 2; +- /* bytes of actual data in the reply */ +- nread = (npixels << 2) + nbytes_name; +- /* size of data returned to application */ +- rlength = (sizeof (XFixesCursorImage) + +- npixels * sizeof (unsigned long) + +- nbytes_name + 1); ++ if ((rep.length < (INT_MAX >> 2)) && ++ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1) ++ - nbytes_name)) { ++ /* reply data length */ ++ nbytes = (size_t) rep.length << 2; ++ /* bytes of actual data in the reply */ ++ nread = (npixels << 2) + nbytes_name; ++ /* size of data returned to application */ ++ rlength = (sizeof (XFixesCursorImage) + ++ npixels * sizeof (unsigned long) + ++ nbytes_name + 1); + +- image = (XFixesCursorImage *) Xmalloc (rlength); ++ 
image = Xmalloc (rlength); ++ } else ++ image = NULL; + if (!image) + { + _XEatDataWords(dpy, rep.length); +-- +cgit v0.9.0.2-2-gbebe -- cgit v1.2.3
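Review bot: The `else` branch of the new bounds check sets only `image = NULL` and leaves `nbytes`, `nread` and `rlength` unassigned, so the rejected-reply path is safe only if nothing after it reads them. The trailing context line `_XEatDataWords(dpy, rep.length);` satisfies that, but it is context from the upstream tree, while this package applies the patch to the libXfixes-5.0 tarball. If that tarball still drains the reply with a call that takes `nbytes` (not visible here), the hunk would apply only with fuzz and the failure path would read an uninitialised value, so confirm it applies without fuzz or carry the prerequisite upstream change too. Separately, `npixels = rep.width * rep.height;` multiplies before the conversion to `size_t`; if both fields are narrower than `int`, the product is computed in `int` and can overflow before the new check sees it, which `npixels = (size_t) rep.width * rep.height;` avoids. XFixesGetCursorImage continues outside the hunk.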