authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:35:12 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:35:12 +0000
commitdfac4cbecc1c27d53504a0d9a80019146c9c9bfb (patch)
tree945b47f0220d364a49d091c098baeeb874db2226
parenta04d1c8ff925273f3caf3a46393cf73ac2b96ab5 (diff)
main/libxvmc: fix CVE-2013-1990,CVE-2013-1999
ref #1931
-rw-r--r--main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch111
-rw-r--r--main/libxvmc/0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch35
-rw-r--r--main/libxvmc/0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch35
-rw-r--r--main/libxvmc/0004-integer-overflow-in-_xvmc_create_.patch54
-rw-r--r--main/libxvmc/0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch94
-rw-r--r--main/libxvmc/0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch39
-rw-r--r--main/libxvmc/APKBUILD52
7 files changed, 413 insertions, 7 deletions
diff --git a/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
new file mode 100644
index 0000000000..bba7803645
--- /dev/null
+++ b/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
@@ -0,0 +1,111 @@
+From cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:47:57 -0700
+Subject: [PATCH 1/6] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/XvMC.c | 24 ++++++++++++++++++------
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b44f80d..f9d59a1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XVMC, x11 xext xv xextproto videoproto)
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XVMC_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Checks for library functions.
+ AC_CHECK_FUNCS([shmat])
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index 5a4cf0d..b3e97ec 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -16,6 +16,18 @@
+ #include <sys/time.h>
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ static XExtensionInfo _xvmc_info_data;
+ static XExtensionInfo *xvmc_info = &_xvmc_info_data;
+@@ -134,7 +146,7 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
+ surface_info[i].flags = sinfo.flags;
+ }
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay (dpy);
+@@ -207,7 +219,7 @@ XvImageFormatValues * XvMCListSubpictureTypes (
+ ret[i].scanline_order = Info.scanline_order;
+ }
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay (dpy);
+@@ -278,7 +290,7 @@ Status _xvmc_create_context (
+ _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+ *priv_count = rep.length;
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay (dpy);
+@@ -359,7 +371,7 @@ Status _xvmc_create_surface (
+ _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+ *priv_count = rep.length;
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay (dpy);
+@@ -449,7 +461,7 @@ Status _xvmc_create_subpicture (
+ _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+ *priv_count = rep.length;
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay (dpy);
+@@ -579,7 +591,7 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+
+ } else {
+
+- _XEatData(dpy, realSize);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return -1;
+--
+1.8.2.3
+
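Review bot: The fallback `_XEatDataWords` added to src/XvMC.c is compiled out only when `HAVE__XEATDATAWORDS` is defined, and nothing in this hunk shows `config.h` being included ahead of the `#ifndef`. If it is not included, the configure check has no effect and the local copy is always used, so confirm the include at the top of the file, which is outside the hunk. The helper also needs a comment, since the `LONG64` guard is not self-explanatory: `/* n counts 4-byte words; with a 32-bit long, n << 2 can wrap, so an oversized reply length is treated as a fatal I/O error */`.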
diff --git a/main/libxvmc/0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch b/main/libxvmc/0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
new file mode 100644
index 0000000000..7cc7d0631e
--- /dev/null
+++ b/main/libxvmc/0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
@@ -0,0 +1,35 @@
+From 2712383813b26475dc6713888414d842be57f8ca Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:50:02 -0700
+Subject: [PATCH 2/6] integer overflow in XvMCListSurfaceTypes() [CVE-2013-1990
+ 1/2]
+
+rep.num is a CARD32 and needs to be bounds checked before multiplying
+by sizeof(XvMCSurfaceInfo) to come up with the total size to allocate,
+to avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XvMC.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index b3e97ec..5d8c2cf 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -123,8 +123,8 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
+ }
+
+ if(rep.num > 0) {
+- surface_info =
+- (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
++ if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo)))
++ surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
+
+ if(surface_info) {
+ xvmcSurfaceInfo sinfo;
+--
+1.8.2.3
+
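Review bot: When `rep.num` fails the new bound at `if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo)))`, `surface_info` is simply left unassigned, so the following `if(surface_info)` is correct only if the variable was initialised to NULL at its declaration, which is outside the hunk. The unbraced `if` followed by a blank line also reads as though the allocation were unconditional. Making the rejection explicit, e.g. `else surface_info = NULL;`, removes that dependency. The same shape appears with `ret` in patch 3/6 and with the caller-supplied `*priv_data` in the three `_xvmc_create_*` hunks of patch 4/6. There, unless `*priv_data` is cleared earlier in those functions (not visible), a non-NULL value left from before the call would be passed to `_XRead`.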
diff --git a/main/libxvmc/0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch b/main/libxvmc/0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
new file mode 100644
index 0000000000..e6ffa44ecb
--- /dev/null
+++ b/main/libxvmc/0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
@@ -0,0 +1,35 @@
+From 478d4e5873eeee2ebdce6673e4e3469816ab63b8 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:50:02 -0700
+Subject: [PATCH 3/6] integer overflow in XvMCListSubpictureTypes()
+ [CVE-2013-1990 2/2]
+
+rep.num is a CARD32 and needs to be bounds checked before multiplying by
+sizeof(XvImageFormatValues) to come up with the total size to allocate,
+to avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XvMC.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index 5d8c2cf..8d602ec 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -184,8 +184,8 @@ XvImageFormatValues * XvMCListSubpictureTypes (
+ }
+
+ if(rep.num > 0) {
+- ret =
+- (XvImageFormatValues*)Xmalloc(rep.num * sizeof(XvImageFormatValues));
++ if (rep.num < (INT_MAX / sizeof(XvImageFormatValues)))
++ ret = Xmalloc(rep.num * sizeof(XvImageFormatValues));
+
+ if(ret) {
+ xvImageFormatInfo Info;
+--
+1.8.2.3
+
diff --git a/main/libxvmc/0004-integer-overflow-in-_xvmc_create_.patch b/main/libxvmc/0004-integer-overflow-in-_xvmc_create_.patch
new file mode 100644
index 0000000000..70298e45a4
--- /dev/null
+++ b/main/libxvmc/0004-integer-overflow-in-_xvmc_create_.patch
@@ -0,0 +1,54 @@
+From 5fd871e5f878810f8f8837725d548e07e89577ab Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:50:02 -0700
+Subject: [PATCH 4/6] integer overflow in _xvmc_create_*()
+
+rep.length is a CARD32 and should be bounds checked before left-shifting
+by 2 bits to come up with the total size to allocate, though in these
+cases, no buffer overflow should occur here, since the XRead call is passed
+the same rep.length << 2 length argument, but the *priv_count returned to
+the caller could be interpreted or used to calculate a larger buffer size
+than was actually allocated, leading them to go out of bounds.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XvMC.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index 8d602ec..d8bc59d 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -285,7 +285,8 @@ Status _xvmc_create_context (
+ context->flags = rep.flags_return;
+
+ if(rep.length) {
+- *priv_data = Xmalloc(rep.length << 2);
++ if (rep.length < (INT_MAX >> 2))
++ *priv_data = Xmalloc(rep.length << 2);
+ if(*priv_data) {
+ _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+ *priv_count = rep.length;
+@@ -366,7 +367,8 @@ Status _xvmc_create_surface (
+ }
+
+ if(rep.length) {
+- *priv_data = Xmalloc(rep.length << 2);
++ if (rep.length < (INT_MAX >> 2))
++ *priv_data = Xmalloc(rep.length << 2);
+ if(*priv_data) {
+ _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+ *priv_count = rep.length;
+@@ -456,7 +458,8 @@ Status _xvmc_create_subpicture (
+ subpicture->component_order[3] = rep.component_order[3];
+
+ if(rep.length) {
+- *priv_data = Xmalloc(rep.length << 2);
++ if (rep.length < (INT_MAX >> 2))
++ *priv_data = Xmalloc(rep.length << 2);
+ if(*priv_data) {
+ _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+ *priv_count = rep.length;
+--
+1.8.2.3
+
diff --git a/main/libxvmc/0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch b/main/libxvmc/0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
new file mode 100644
index 0000000000..fcefc106ee
--- /dev/null
+++ b/main/libxvmc/0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
@@ -0,0 +1,94 @@
+From e9415ddef2ac81d4139bd32d5e9cda9394a60051 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 01:20:08 -0700
+Subject: [PATCH 5/6] Multiple unvalidated assumptions in XvMCGetDRInfo()
+ [CVE-2013-1999]
+
+The individual string sizes is assumed to not be more than the amount of
+data read from the network, and could cause buffer overflow if they are.
+
+The strings returned from the X server are assumed to be null terminated,
+and could cause callers to read past the end of the buffer if they are not.
+
+Also be sure to set the returned pointers to NULL, so callers don't try
+accessing bad pointers on failure cases.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XvMC.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index d8bc59d..cb42487 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -499,7 +499,6 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+ XExtDisplayInfo *info = xvmc_find_display(dpy);
+ xvmcGetDRInfoReply rep;
+ xvmcGetDRInfoReq *req;
+- char *tmpBuf = NULL;
+ CARD32 magic;
+
+ #ifdef HAVE_SHMAT
+@@ -510,6 +509,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+ here.tz_dsttime = 0;
+ #endif
+
++ *name = NULL;
++ *busID = NULL;
++
+ XvMCCheckExtension (dpy, info, BadImplementation);
+
+ LockDisplay (dpy);
+@@ -568,31 +570,31 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+ #endif
+
+ if (rep.length > 0) {
+-
+- int realSize = rep.length << 2;
+-
+- tmpBuf = (char *) Xmalloc(realSize);
+- if (tmpBuf) {
+- *name = (char *) Xmalloc(rep.nameLen);
+- if (*name) {
+- *busID = (char *) Xmalloc(rep.busIDLen);
+- if (! *busID) {
+- XFree(*name);
+- XFree(tmpBuf);
+- }
+- } else {
+- XFree(tmpBuf);
++ unsigned long realSize = 0;
++ char *tmpBuf = NULL;
++
++ if (rep.length < (INT_MAX >> 2)) {
++ realSize = rep.length << 2;
++ if (realSize >= (rep.nameLen + rep.busIDLen)) {
++ tmpBuf = Xmalloc(realSize);
++ *name = Xmalloc(rep.nameLen);
++ *busID = Xmalloc(rep.busIDLen);
+ }
+ }
+
+ if (*name && *busID && tmpBuf) {
+-
+ _XRead(dpy, tmpBuf, realSize);
+ strncpy(*name,tmpBuf,rep.nameLen);
++ name[rep.nameLen - 1] = '\0';
+ strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
++ busID[rep.busIDLen - 1] = '\0';
+ XFree(tmpBuf);
+-
+ } else {
++ XFree(*name);
++ *name = NULL;
++ XFree(*busID);
++ *name = NULL;
++ XFree(tmpBuf);
+
+ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+--
+1.8.2.3
+
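Review bot: The length check `realSize >= (rep.nameLen + rep.busIDLen)` adds two server-supplied lengths before comparing. If both fields are 32-bit like `rep.length` (their declarations are outside the hunk), the sum can wrap and pass the check while one of the lengths is larger than `realSize`. The `strncpy` calls that follow would then read beyond `tmpBuf`. Comparing without the addition avoids this: `if (rep.nameLen <= realSize && rep.busIDLen <= realSize - rep.nameLen) {`. XvMCGetDRInfo starts and ends outside the hunk.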
diff --git a/main/libxvmc/0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch b/main/libxvmc/0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch
new file mode 100644
index 0000000000..725c99339d
--- /dev/null
+++ b/main/libxvmc/0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch
@@ -0,0 +1,39 @@
+From 8c164524d229adb6141fdac8336b3823e7fe1a5d Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Fri, 24 May 2013 14:47:30 +1000
+Subject: [PATCH 6/6] Multiple unvalidated patches in CVE-2013-1999
+
+Al Viro pointed out that Debian started segfaulting in Xine for him,
+
+Reported-by: Al Viro
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+---
+ src/XvMC.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index cb42487..74c8b85 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -585,15 +585,15 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+ if (*name && *busID && tmpBuf) {
+ _XRead(dpy, tmpBuf, realSize);
+ strncpy(*name,tmpBuf,rep.nameLen);
+- name[rep.nameLen - 1] = '\0';
++ (*name)[rep.nameLen - 1] = '\0';
+ strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
+- busID[rep.busIDLen - 1] = '\0';
++ (*busID)[rep.busIDLen - 1] = '\0';
+ XFree(tmpBuf);
+ } else {
+ XFree(*name);
+ *name = NULL;
+ XFree(*busID);
+- *name = NULL;
++ *busID = NULL;
+ XFree(tmpBuf);
+
+ _XEatDataWords(dpy, rep.length);
+--
+1.8.2.3
+
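Review bot: `(*name)[rep.nameLen - 1] = '\0';` and `(*busID)[rep.busIDLen - 1] = '\0';` still index with `len - 1` without checking that the length is non-zero. A reply with `nameLen` or `busIDLen` of 0 makes the index wrap, so the terminator is written outside the allocation, assuming `Xmalloc(0)` returns a non-NULL pointer in this build. Rejecting empty strings next to the size check, e.g. adding `rep.nameLen > 0 && rep.busIDLen > 0` to that condition, closes this. The allocation and the size check are in lines of XvMCGetDRInfo outside this hunk.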
diff --git a/main/libxvmc/APKBUILD b/main/libxvmc/APKBUILD
index 22eb462ddf..61c9dc6b8e 100644
--- a/main/libxvmc/APKBUILD
+++ b/main/libxvmc/APKBUILD
@@ -1,27 +1,65 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxvmc
pkgver=1.0.7
-pkgrel=0
+pkgrel=1
pkgdesc="X11 Video Motion Compensation extension library"
url="http://xorg.freedesktop.org/"
arch="all"
license="custom"
subpackages="$pkgname-dev"
depends=
-makedepends="pkgconfig libxv-dev libxext-dev libx11-dev"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXvMC-$pkgver.tar.bz2"
-
depends_dev="xproto videoproto libxv-dev libx11-dev libxext-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXvMC-$pkgver.tar.bz2
+ 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+ 0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
+ 0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
+ 0004-integer-overflow-in-_xvmc_create_.patch
+ 0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
+ 0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch
+ "
+
+_builddir="$srcdir"/libXvMC-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+ libtoolize --force && aclocal && autoheader && autoconf \
+ && automake --add-missing
+}
build() {
- cd "$srcdir"/libXvMC-$pkgver
+ cd "$_builddir"
./configure --prefix=/usr --sysconfdir=/etc
make || return 1
}
package() {
- cd "$srcdir"/libXvMC-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la
}
-md5sums="3340c99ff556ea2457b4be47f5cb96fa libXvMC-1.0.7.tar.bz2"
+md5sums="3340c99ff556ea2457b4be47f5cb96fa libXvMC-1.0.7.tar.bz2
+839450035994be7232f049c3256967fd 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+c02e3cc2530cd053a2ce47b0627bfdff 0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
+6a87be93e8e173fb132eb2607abea6eb 0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
+4eb70517ff9e5d14ddd676de60a72fd4 0004-integer-overflow-in-_xvmc_create_.patch
+0aedb6b617afe07376c243e401b1f417 0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
+cbd25dbf846b42f2a5ba9a60f32005f3 0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch"
+sha256sums="28f085fc8518a3dadfe355360705d50153051f09898093e69af806c0b437cea3 libXvMC-1.0.7.tar.bz2
+87f764bdb3a36c370f8f5e16ca29b9ed8ee7f57dc1f5470d3c9c2a320ec3329d 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+475e39742256f1e09f0b84a640ab1a43c88ed6a05498978fdebb5d727a7ecab3 0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
+dc08b02502ca6620d7db4d60868bbf0bac7537a1e2ee3007b1107071b106f82e 0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
+98eb319ef77103b823af9ea0a33396797f2f63e0160c90efa1159d811b6496b7 0004-integer-overflow-in-_xvmc_create_.patch
+f40ac752770cf248b182c4074dde59a46b8cbab1cf48252ac4dac4d35f7a5309 0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
+e7d2d21f5ed2109f3d62e6509bb85c020ba988d32667158bb1c4a7a16e561780 0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch"
+sha512sums="c52175990062a2fb1636b7db589565e61d2e056e56a0954a8b98c1ccf8d72bf3182cd6f482762bf5ee4137fc24553a4d1b9c1e588671499b3b69b390f31c81e9 libXvMC-1.0.7.tar.bz2
+abd782276434449c2691eb4255e5b51625272191b38d7b3454c2dd3b958b24db1ac4fa1c93dfec060b9eacb3921542ee007b6848c94f299b6491f9a02dec23e8 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
+5cec81d9649a70eedd87ffb961030612271830cf9d45686614d54698a331a09c49fbb1a1d0d60266e5b649dcbe8d6ab766422655fe623e0d4db8b393c7912721 0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
+e9f9f7bbff45f34b53b11c50a130135a594e49c1e95e2e3b75a74c951cde374a6c74542ccb3a25ff17d0b1fdf97d6ea41d59e7c56fd9565aa38ecd0e1bf0ec8b 0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
+eda4d1a3710f6237c827485fdc93b302aa49a7293f509719f8f17a5250f20505c995323089d713ba5f9142d9deb3c158d54ed31515c416dd00b1fbbb4c77ac6a 0004-integer-overflow-in-_xvmc_create_.patch
+688efc3d0185af471e6829444f49f39204eb41c46a51cb861c78135b88b44b9a237d6e48c1524f13cc07615ada3945bf30f3374c582d496ed502bb61773c8eb1 0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
+3c390b9c804c1a2d4b3a5c38ecdaa35770bc78e4e2dcd7ce10c2bcf80db41fb9ecbe135c1136635b35062fadcb122857047f59f53529282e5379969554fe18a6 0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch"
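Review bot: In `prepare()` the `cd "$_builddir"` is unchecked, while the `patch` call right after it uses `|| return 1`; if the directory is missing, the loop runs `patch -p1` in whatever directory the function started in. `cd "$_builddir" || return 1` keeps the failure handling consistent, and the same applies to the `cd` lines in `build()` and `package()`. Separately, the upstream tarball is still fetched over `http://`, so the `sha256sums`/`sha512sums` entries added here are the integrity check that matters; the `md5sums` line should not be relied on for that.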