From a9923133bcabf62806552e5661d63f0347e205b6 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Thu, 6 Jun 2013 16:14:33 +0000
Subject: main/libxtst: upgrade to 1.2.2
---
 ..._XEatDataWords-to-eat-data-in-error-cases.patch | 88 ----------------------
 ...erflow-in-XRecordGetContext-CVE-2013-2063.patch | 81 --------------------
 main/libxtst/APKBUILD | 22 ++----
 3 files changed, 6 insertions(+), 185 deletions(-)
 delete mode 100644 main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
 delete mode 100644 main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
diff --git a/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch b/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
deleted file mode 100644
index 43fa1e0d7..000000000
--- a/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 46ed6283034b5b7d14584009453f5d974cfacf1e Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith
-Date: Sat, 13 Apr 2013 11:05:27 -0700
-Subject: [PATCH 1/2] Use _XEatDataWords to eat data in error cases
-
-Avoids having to do calculcations based on response contents
-
-Signed-off-by: Alan Coopersmith
----
- configure.ac | 6 ++++++
- src/XRecord.c | 23 +++++++++++++++++------
- 2 files changed, 23 insertions(+), 6 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 7ef0153..d83d4d8 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -47,6 +47,12 @@ XORG_CHECK_SGML_DOCTOOLS(1.8)
- # Obtain compiler/linker options for depedencies
- PKG_CHECK_MODULES(XTST, x11 [xext >= 1.0.99.4] xi [recordproto >= 1.13.99.1] [xextproto >= 7.0.99.3] inputproto)
-
-+# Check for _XEatDataWords function that may be patched into older Xlib release
-+SAVE_LIBS="$LIBS"
-+LIBS="$XTST_LIBS"
-+AC_CHECK_FUNCS([_XEatDataWords])
-+LIBS="$SAVE_LIBS"
-+
- # Determine if the source for man pages is available
- # It may already be present (tarball) or can be generated using xmlto
- AM_CONDITIONAL([INSTALL_MANPAGES],
-diff --git a/src/XRecord.c b/src/XRecord.c
-index b65451c..ba628b6 100644
---- a/src/XRecord.c
-+++ b/src/XRecord.c
-@@ -49,6 +49,9 @@ from The Open Group.
- * By Stephen Gildea, X Consortium, and Martha Zimet, NCD.
- */
-
-+#ifdef HAVE_CONFIG_H
-+#include
-+#endif
- #include
- #include
- #include
-@@ -56,6 +59,18 @@ from The Open Group.
- #include
- #include
- #include
-+#include
-+
-+#ifndef HAVE__XEATDATAWORDS
-+static inline void _XEatDataWords(Display *dpy, unsigned long n)
-+{
-+# ifndef LONG64
-+ if (n >= (ULONG_MAX >> 2))
-+ _XIOError(dpy);
-+# endif
-+ _XEatData (dpy, n << 2);
-+}
-+#endif
-
- static XExtensionInfo _xrecord_info_data;
- static XExtensionInfo *xrecord_info = &_xrecord_info_data;
-@@ -427,7 +442,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
-
- ret = (XRecordState*)Xmalloc(sizeof(XRecordState));
- if (!ret) {
-- /* XXX - eat data */
-+ _XEatDataWords (dpy, rep.length);
- UnlockDisplay(dpy);
- SyncHandle();
- return 0;
-@@ -446,11 +461,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
- }
- if (!client_inf || !client_inf_str)
- {
-- for(i = 0; i < count; i++)
-- {
-- _XEatData (dpy, sizeof(xRecordClientInfo));
-- _XEatData (dpy, SIZEOF(xRecordRange)); /* XXX - don't know how many */
-- }
-+ _XEatDataWords (dpy, rep.length);
- UnlockDisplay(dpy);
- XRecordFreeState(ret);
- SyncHandle();
---
-1.8.2.3
-
diff --git a/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch b/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
deleted file mode 100644
index 661a464fd..000000000
--- a/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From e7e04b7be3f018ad636aba3a36bfc1cd80b9906d Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith
-Date: Sat, 13 Apr 2013 11:27:26 -0700
-Subject: [PATCH 2/2] integer overflow in XRecordGetContext() [CVE-2013-2063]
-
-The nclients and nranges members of the reply are both CARD32 and need
-to be bounds checked before multiplying by the size of the structs to
-avoid integer overflow leading to underallocation and writing data from
-the network past the end of the allocated buffer.
-
-Signed-off-by: Alan Coopersmith
----
- src/XRecord.c | 32 +++++++++++++++++++++-----------
- 1 file changed, 21 insertions(+), 11 deletions(-)
-
-diff --git a/src/XRecord.c b/src/XRecord.c
-index ba628b6..5bbd5ac 100644
---- a/src/XRecord.c
-+++ b/src/XRecord.c
-@@ -420,11 +420,9 @@ XRecordGetContext(Display *dpy, XRecordContext context,
- XExtDisplayInfo *info = find_display (dpy);
- register xRecordGetContextReq *req;
- xRecordGetContextReply rep;
-- int count, i, rn;
-+ unsigned int count, i, rn;
- xRecordRange xrange;
-- XRecordRange *ranges = NULL;
- xRecordClientInfo xclient_inf;
-- XRecordClientInfo **client_inf, *client_inf_str = NULL;
- XRecordState *ret;
-
- XRecordCheckExtension (dpy, info, 0);
-@@ -454,13 +452,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
-
- if (count)
- {
-- client_inf = (XRecordClientInfo **) Xcalloc(count, sizeof(XRecordClientInfo*));
-- ret->client_info = client_inf;
-- if (client_inf != NULL) {
-- client_inf_str = (XRecordClientInfo *) Xmalloc(count*sizeof(XRecordClientInfo));
-+ XRecordClientInfo **client_inf = NULL;
-+ XRecordClientInfo *client_inf_str = NULL;
-+
-+ if (count < (INT_MAX / sizeof(XRecordClientInfo))) {
-+ client_inf = Xcalloc(count, sizeof(XRecordClientInfo *));
-+ if (client_inf != NULL)
-+ client_inf_str = Xmalloc(count * sizeof(XRecordClientInfo));
- }
-+ ret->client_info = client_inf;
- if (!client_inf || !client_inf_str)
- {
-+ free(client_inf);
- _XEatDataWords (dpy, rep.length);
- UnlockDisplay(dpy);
- XRecordFreeState(ret);
-@@ -476,11 +479,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
-
- if (xclient_inf.nRanges)
- {
-- client_inf_str[i].ranges = (XRecordRange**) Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange*));
-- if (client_inf_str[i].ranges != NULL) {
-- ranges = (XRecordRange*)
-- Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
-+ XRecordRange *ranges = NULL;
-+
-+ if (xclient_inf.nRanges < (INT_MAX / sizeof(XRecordRange))) {
-+ client_inf_str[i].ranges =
-+ Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange *));
-+ if (client_inf_str[i].ranges != NULL)
-+ ranges =
-+ Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
- }
-+ else
-+ client_inf_str[i].ranges = NULL;
-+
- if (!client_inf_str[i].ranges || !ranges) {
- /* XXX eat data */
- UnlockDisplay(dpy);
---
-1.8.2.3
-
diff --git a/main/libxtst/APKBUILD b/main/libxtst/APKBUILD
index c87af4a04..30da3627f 100644
--- a/main/libxtst/APKBUILD
+++ b/main/libxtst/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa
 pkgname=libxtst
-pkgver=1.2.1
-pkgrel=1
+pkgver=1.2.2
+pkgrel=0
 pkgdesc="X11 Testing -- Resource extension library"
 url="http://xorg.freedesktop.org/"
 arch="all"
@@ -9,10 +9,8 @@ license="custom"
 subpackages="$pkgname-dev $pkgname-doc"
 depends=
 depends_dev="recordproto libx11-dev libxext-dev inputproto libxi-dev"
-makedepends="$depends_dev libtool autoconf automake util-macros"
+makedepends="$depends_dev"
 source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2
- 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
- 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
 "
 _builddir="$srcdir"/libXtst-$pkgver
@@ -23,8 +21,6 @@ prepare() {
 *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
 esac
 done
- libtoolize --force && aclocal && autoheader && autoconf \
- && automake --add-missing
 }
 build() {
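Review bot: Removing `0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch` from `source=` (second APKBUILD hunk) leaves nothing in the package or the commit message stating that the CVE-2013-2063 fix is still present after the upgrade. Presumably the 1.2.2 tarball already contains both dropped patches, but that should be confirmed against the unpacked source (the bounds checks on `count` and `xclient_inf.nRanges` in `XRecordGetContext`) and recorded, for example with a comment above `pkgver` such as `# 1.2.2 includes the upstream fix for CVE-2013-2063`. The `*.patch` loop kept in `prepare()` (third hunk, body starts outside it) now has nothing to apply and could be removed together with the `libtoolize` line.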
@@ -41,12 +37,6 @@ package() {
 install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
 }
-md5sums="e8abc5c00c666f551cf26aa53819d592 libXtst-1.2.1.tar.bz2
-ef5006c916511e087973d797a60aaee1 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
-641e6194973b4d324f8278faa821b87a 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
-sha256sums="7eea3e66e392aca3f9dad6238198753c28e1c32fa4903cbb7739607a2504e5e0 libXtst-1.2.1.tar.bz2
-bba7db9220b8a91b5ca71133af55414851d350e81c6142e74e7c44a3fc57c052 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
-d67b95b9bf1587e48bc4009d1d100ed1ee3a611ed07869bb157290064986db6f 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
-sha512sums="287c10a761d30acc988399e23de1ecb7c90d8bd4d363cd03cd0a02eb232e37b0943f359fae76a8e68504ccadc2b7c0117bfebee75e00a0b6f58397658f8ebe0d libXtst-1.2.1.tar.bz2
-0144a420f78f5377acd2548355089596439437d1d19945532428a1cc5f263155f03ebfbba668f9c468525c579aa091d4ddf27006ec4d55246bd045a7e6ff9739 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
-730a9ad7c8aafd8f161bf7cbbd4bbd2c62d4fc6cf50a69f5575a4c52e9a2d712e36bb4e3b9325f628a2f71115ce8797ac93aa7bf023d0abe7ba3603f33f47e81 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
+md5sums="25c6b366ac3dc7a12c5d79816ce96a59 libXtst-1.2.2.tar.bz2"
+sha256sums="ef0a7ffd577e5f1a25b1663b375679529663a1880151beaa73e9186c8309f6d9 libXtst-1.2.2.tar.bz2"
+sha512sums="1cf040f16d426e6a6d1cf8c0f966c171418c082165ae6e9bed6285cd45f144e4ef58bf74c6d34fd81e6894534d21df55efe5d0bc0b2a28f9bb9d74e168dd7369 libXtst-1.2.2.tar.bz2"
--
cgit v1.2.3