Commit 35abd83d authored by Natanael Copa's avatar Natanael Copa

main/libxp: upgrade to 1.0.2

parent 61e1807d
From 41aab7d289aba2aaf3839e96d0c9e2f15ede4bd1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 18 Jan 2013 23:03:57 -0800
Subject: [PATCH 1/5] Replace deprecated Automake INCLUDES variable with
AM_CPPFLAGS
Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
- Support for the long-deprecated INCLUDES variable will be removed
altogether in Automake 1.14. The AM_CPPFLAGS variable should be
used instead.
This variable was deprecated in Automake releases prior to 1.10, which is
the current minimum level required to build X.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index 3ca2659..f42b633 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -24,7 +24,7 @@ libXp_la_LIBADD = $(XPRINT_LIBS)
AM_CFLAGS = $(CWARNFLAGS) $(XPRINT_CFLAGS) $(MALLOC_ZERO_CFLAGS)
-INCLUDES = -I$(top_srcdir)/include/X11/extensions
+AM_CPPFLAGS = -I$(top_srcdir)/include/X11/extensions
#
# Library version number. This must match old versions on
--
1.8.2.3
From 776e739b1690c7de11e50e2ae2a77d98bd69a3d6 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed, 23 May 2012 21:48:59 -0700
Subject: [PATCH] Stop trying to use NULL for Status values
Fixes gcc errors in 64-bit builds:
XpNotifyPdm.c: In function 'XpGetPdmStartParams':
XpNotifyPdm.c:234:10: error: cast from pointer to integer of different size
XpNotifyPdm.c:271:10: error: cast from pointer to integer of different size
XpNotifyPdm.c:286:10: error: cast from pointer to integer of different size
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XpNotifyPdm.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/XpNotifyPdm.c b/src/XpNotifyPdm.c
index c1ceb8e..579923c 100644
--- a/src/XpNotifyPdm.c
+++ b/src/XpNotifyPdm.c
@@ -231,7 +231,7 @@ XpGetPdmStartParams (
/*
* Error - cannot determine or establish a selection_display.
*/
- return( (Status) NULL );
+ return( (Status) 0 );
}
/*
@@ -268,7 +268,7 @@ XpGetPdmStartParams (
XCloseDisplay( *selection_display );
*selection_display = (Display *) NULL;
}
- return( (Status) NULL );
+ return( (Status) 0 );
}
status = XmbTextListToTextProperty( *selection_display, list, 6,
@@ -283,7 +283,7 @@ XpGetPdmStartParams (
XCloseDisplay( *selection_display );
*selection_display = (Display *) NULL;
}
- return( (Status) NULL );
+ return( (Status) 0 );
}
*type = text_prop.encoding;
--
1.8.2.3
From 15ec6d1d0bb8c4cb24a190ed34e63312a0623670 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 3 May 2013 22:30:36 -0700
Subject: [PATCH 2/5] Use _XEatDataWords to avoid overflow of rep.length bit
shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
configure.ac | 6 ++++++
src/XpExtUtil.h | 14 ++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/configure.ac b/configure.ac
index 50b029c..16b966c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -45,6 +45,12 @@ AC_PROG_LIBTOOL
# Check for X and print proto
PKG_CHECK_MODULES(XPRINT, x11 xext xextproto xau printproto)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XPRINT_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile
diff --git a/src/XpExtUtil.h b/src/XpExtUtil.h
index d479a95..1889825 100644
--- a/src/XpExtUtil.h
+++ b/src/XpExtUtil.h
@@ -48,6 +48,20 @@ extern char *_xpstrdup(
const char * /* str */
);
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
+
_XFUNCPROTOEND
#endif /* _XPEXTUTIL_H */
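Review bot: The fallback `_XEatDataWords` inside `#ifndef HAVE__XEATDATAWORDS` is only safe because of two facts the code does not state: `_XIOError` does not return, so `n << 2` is never evaluated with a value that would overflow, and with `LONG64` defined `unsigned long` is wide enough that a 32-bit word count cannot overflow the shift. A comment above the function would record both, e.g. `/* _XIOError() does not return; with LONG64 a CARD32 count cannot overflow n << 2 */`. The guard also presumably depends on the configure-generated header that defines `HAVE__XEATDATAWORDS` being included before this one, which is not visible in the hunk and is worth a note next to the `#ifndef`.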
--
1.8.2.3
From babb1fc823ab3be192c48fe115feeb0d57f74d05 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 26 Apr 2013 23:59:25 -0700
Subject: [PATCH 3/5] integer overflow in XpGetAttributes & XpGetOneAttribute
[CVE-2013-2062 1/3]
stringLen & valueLen are CARD32s and need to be bounds checked before adding
one to them to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network past
the end of the allocated buffer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XpAttr.c | 36 +++++++++++++++++++-----------------
1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/src/XpAttr.c b/src/XpAttr.c
index 6818daf..665e2e8 100644
--- a/src/XpAttr.c
+++ b/src/XpAttr.c
@@ -48,6 +48,7 @@
#include <stdio.h>
#include <sys/stat.h>
+#include <limits.h>
char *
XpGetAttributes (
@@ -83,17 +84,18 @@ XpGetAttributes (
/*
* Read pool and return to caller.
*/
- buf = Xmalloc( (unsigned) rep.stringLen + 1 );
+ if (rep.stringLen < INT_MAX)
+ buf = Xmalloc(rep.stringLen + 1);
+ else
+ buf = NULL;
if (!buf) {
- UnlockDisplay(dpy);
- SyncHandle();
- return( (char *) NULL ); /* malloc error */
+ _XEatDataWords(dpy, rep.length);
+ }
+ else {
+ _XReadPad (dpy, (char *) buf, rep.stringLen );
+ buf[rep.stringLen] = 0;
}
-
- _XReadPad (dpy, (char *) buf, (long) rep.stringLen );
-
- buf[rep.stringLen] = 0;
UnlockDisplay(dpy);
SyncHandle();
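Review bot: The new bound in XpGetAttributes compares `rep.stringLen` only with `INT_MAX`, never with `rep.length`, so a reply whose string length is larger than the data its header announces still makes `_XReadPad` consume bytes that belong to whatever follows on the connection. If the reply body holds only this string (not visible here), the condition could additionally require `((rep.stringLen + 3) >> 2) <= rep.length` after the `INT_MAX` test, sending mismatched replies down the existing `_XEatDataWords` path. The same applies to `rep.valueLen` in the XpGetOneAttribute hunk that follows. Both function bodies start and end outside their hunks.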
@@ -144,18 +146,18 @@ XpGetOneAttribute (
/*
* Read variable answer.
*/
- buf = Xmalloc( (unsigned) rep.valueLen + 1 );
+ if (rep.valueLen < INT_MAX)
+ buf = Xmalloc(rep.valueLen + 1);
+ else
+ buf = NULL;
if (!buf) {
- UnlockDisplay(dpy);
- SyncHandle();
- return( (char *) NULL ); /* malloc error */
+ _XEatDataWords(dpy, rep.length);
+ }
+ else {
+ _XReadPad (dpy, (char *) buf, rep.valueLen);
+ buf[rep.valueLen] = 0;
}
-
- buf[rep.valueLen] = 0;
-
- _XReadPad (dpy, (char *) buf, (long) rep.valueLen );
- buf[rep.valueLen] = 0;
UnlockDisplay(dpy);
SyncHandle();
--
1.8.2.3
From cc90f6be64bfd6973ae270b9bff494f577e1bda7 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 26 Apr 2013 23:59:25 -0700
Subject: [PATCH 4/5] integer overflows in XpGetPrinterList() [CVE-2013-2062
2/3]
listCount is a CARD32 that needs to be bounds checked before it is
multiplied by the size of the structs to allocate, and the string
lengths are CARD32s and need to be bounds checked before adding one
to them to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network
past the end of the allocated buffer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XpPrinter.c | 43 +++++++++++++++++++++++--------------------
1 file changed, 23 insertions(+), 20 deletions(-)
diff --git a/src/XpPrinter.c b/src/XpPrinter.c
index bdc96e6..03b18c4 100644
--- a/src/XpPrinter.c
+++ b/src/XpPrinter.c
@@ -42,6 +42,7 @@
#include <X11/extensions/Printstr.h>
#include <X11/Xlibint.h>
#include "XpExtUtil.h"
+#include <limits.h>
#define _XpPadOut(len) (((len) + 3) & ~3)
@@ -62,7 +63,7 @@ XpGetPrinterList (
long dataLenVR;
CARD8 *dataVR; /* aka STRING8 */
- XPPrinterList ptr_list;
+ XPPrinterList ptr_list = NULL;
XExtDisplayInfo *info = (XExtDisplayInfo *) xp_find_display (dpy);
@@ -128,13 +129,12 @@ XpGetPrinterList (
*list_count = rep.listCount;
if (*list_count) {
- ptr_list = (XPPrinterList)
- Xmalloc( (unsigned) (sizeof(XPPrinterRec) * (*list_count + 1)));
+ if (rep.listCount < (INT_MAX / sizeof(XPPrinterRec)))
+ ptr_list = Xmalloc(sizeof(XPPrinterRec) * (*list_count + 1));
if (!ptr_list) {
- UnlockDisplay(dpy);
- SyncHandle();
- return ( (XPPrinterList) NULL ); /* malloc error */
+ _XEatDataWords(dpy, rep.length);
+ goto out;
}
/*
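Review bot: On the new failure path `*list_count` keeps the value copied from `rep.listCount` while `ptr_list` stays NULL, so a caller that trusts the count would walk a list that was never allocated. Setting `*list_count = 0;` before `goto out;` keeps the count and the pointer consistent; the XpQueryScreens hunk in patch 5/5 has the same pattern with `scr_list`. What the function returns after the `out:` label lies outside this hunk, so this assumes it returns `ptr_list`.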
@@ -150,16 +150,17 @@ XpGetPrinterList (
_XRead32 (dpy, &dataLenVR, (long) sizeof(CARD32) );
if (dataLenVR) {
- dataVR = (CARD8 *) Xmalloc( (unsigned) dataLenVR + 1 );
+ if (dataLenVR < INT_MAX)
+ dataVR = Xmalloc(dataLenVR + 1);
+ else
+ dataVR = NULL;
if (!dataVR) {
- UnlockDisplay(dpy);
- SyncHandle();
- return ( (XPPrinterList) NULL ); /* malloc error */
+ _XEatData(dpy, dataLenVR);
+ } else {
+ _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
+ dataVR[dataLenVR] = 0;
}
-
- _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
- dataVR[dataLenVR] = 0;
ptr_list[i].name = (char *) dataVR;
}
else {
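Review bot: `dataLenVR` is a signed `long`, so `dataLenVR < INT_MAX` also accepts negative values, which `_XRead32` can presumably produce when the 32-bit wire value has its top bit set; such a value then reaches `Xmalloc(dataLenVR + 1)` and, if that allocation succeeds, `dataVR[dataLenVR] = 0`. The check needs a lower bound as well, `if (dataLenVR > 0 && dataLenVR < INT_MAX)`. On the skip path `_XEatData(dpy, dataLenVR)` discards the unpadded length while `_XReadPad` consumes the padded one, so for in-range lengths `_XEatData(dpy, _XpPadOut(dataLenVR))` would keep the reply stream aligned. The description-string hunk that follows repeats both lines, and the enclosing loop starts outside the hunk.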
@@ -172,16 +173,17 @@ XpGetPrinterList (
_XRead32 (dpy, &dataLenVR, (long) sizeof(CARD32) );
if (dataLenVR) {
- dataVR = (CARD8 *) Xmalloc( (unsigned) dataLenVR + 1 );
+ if (dataLenVR < INT_MAX)
+ dataVR = Xmalloc(dataLenVR + 1);
+ else
+ dataVR = NULL;
if (!dataVR) {
- UnlockDisplay(dpy);
- SyncHandle();
- return ( (XPPrinterList) NULL ); /* malloc error */
+ _XEatData(dpy, dataLenVR);
+ } else {
+ _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
+ dataVR[dataLenVR] = 0;
}
-
- _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
- dataVR[dataLenVR] = 0;
ptr_list[i].desc = (char *) dataVR;
}
else {
@@ -193,6 +195,7 @@ XpGetPrinterList (
ptr_list = (XPPrinterList) NULL;
}
+ out:
UnlockDisplay(dpy);
SyncHandle();
--
1.8.2.3
From e111065f6dd790c820fa67ea31055b18c68481e3 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 26 Apr 2013 23:59:25 -0700
Subject: [PATCH 5/5] integer overflows in XpQueryScreens() [CVE-2013-2062 3/3]
listCount is a CARD32 that needs to be bounds checked before it is
multiplied by the size of the pointers to allocate, to avoid integer
overflow leading to underallocation and writing data from the network
past the end of the allocated buffer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XpScreens.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/XpScreens.c b/src/XpScreens.c
index 815dfbf..b31e554 100644
--- a/src/XpScreens.c
+++ b/src/XpScreens.c
@@ -42,6 +42,7 @@
#include <X11/extensions/Printstr.h>
#include <X11/Xlibint.h>
#include "XpExtUtil.h"
+#include <limits.h>
Screen **
@@ -82,19 +83,17 @@ XpQueryScreens (
*list_count = rep.listCount;
if (*list_count) {
- scr_list = (Screen **)
- Xmalloc( (unsigned) (sizeof(Screen *) * *list_count) );
+ if (rep.listCount < (INT_MAX / sizeof(Screen *)))
+ scr_list = Xmalloc(sizeof(Screen *) * *list_count);
+ else
+ scr_list = NULL;
if (!scr_list) {
- UnlockDisplay(dpy);
- SyncHandle();
- return ( (Screen **) NULL ); /* malloc error */
+ _XEatDataWords(dpy, rep.length);
+ goto out;
}
i = 0;
while(i < *list_count){
- /*
- * Pull printer length and then name.
- */
_XRead32 (dpy, &rootWindow, (long) sizeof(CARD32) );
scr_list[i] = NULL;
for ( j = 0; j < XScreenCount(dpy); j++ ) {
@@ -118,6 +117,7 @@ XpQueryScreens (
scr_list = (Screen **) NULL;
}
+ out:
UnlockDisplay(dpy);
SyncHandle();
--
1.8.2.3
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxp
pkgver=1.0.1
pkgrel=3
pkgver=1.0.2
pkgrel=0
pkgdesc="X.Org X11 libXp runtime library"
url="http://www.x.org"
arch="all"
license="MIT"
depends=
depends_dev="libx11-dev libxext-dev libxau-dev printproto"
makedepends="$depends_dev libtool autoconf automake util-macros"
makedepends="$depends_dev"
install=""
subpackages="$pkgname-dev $pkgname-doc"
source="http://xorg.freedesktop.org/releases/individual/lib/libXp-$pkgver.tar.bz2
0001-Stop-trying-to-use-NULL-for-Status-values.patch
0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch
"
_builddir="$srcdir"/libXp-$pkgver
......@@ -30,8 +24,6 @@ prepare() {
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
libtoolize --force && aclocal && autoheader && autoconf \
&& automake --add-missing
}
build() {
......@@ -51,24 +43,6 @@ package() {
rm "$pkgdir"/usr/lib/*.la || return 1
}
md5sums="7ae1d63748e79086bd51a633da1ff1a9 libXp-1.0.1.tar.bz2
b52d9e1211abece91ce91b96cbeec7da 0001-Stop-trying-to-use-NULL-for-Status-values.patch
dfc36d7aa39348115edbed43e7b3bacd 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
8d99d975ee248d292c57f0539a74f444 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
0affd2550812541d7c6e03b10a882a39 0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
74e9e315a2b7b714c2ebbc69e4478723 0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
59085b08c7ae142238ee20af93836926 0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch"
sha256sums="71d1f260005616d646b8c8788365f2b7d93911dac57bb53b65753d9f9e6443d2 libXp-1.0.1.tar.bz2
6cd5d7b70861a35434f87c8494755ee125945b9bfb6189314c94edcf806aa104 0001-Stop-trying-to-use-NULL-for-Status-values.patch
666273216e13b759e85cf84c345e9253771e729f605987e580ad55b0ad7651a3 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
f128151ebd1206d85c6ee55d1558fb1e3f446a7334466571818850096fec7a87 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
ad96f0031978dd8befa29bde872a8a9b40e4fbfccf42cd22e201f975564db3b6 0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
cbadbece5e73d568826b19b2f743860c8dfe47f4077accffa939cc51a79ead0c 0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
0a597afeab8bd76dcd72fec97efd0a8db12c1dd1d9f431085e061aa1b6ca1f3d 0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch"
sha512sums="0707256ae344b847f1a5bbf85f9e6e6f926be3bee10858e3c92932ee02007fdb908cb64a6f2ce0de501f99117e4582c1bcf9bc6f921490d42cabbfb997d731bd libXp-1.0.1.tar.bz2
ac9c215a03b6408c72bcd017d4059f09bc7e0345a90ee79a29476534316c57057a9ada717af4f3ec511cf19c57f4e98bee05856b8cbb6c14b83e1bf9349797f9 0001-Stop-trying-to-use-NULL-for-Status-values.patch
5a55658cedbf6ac8d410f19ceed0ef38d65a81ef54e9ffde86ac285c477669d760a1b5c2d9791aff50d48698298bcfdd3290e1b95321c62230809a8a65222127 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
9a94b99f96d03e436450daa40e54d3d091d362e76428a4bc0fdacb38b3582c1a18ad5b1824621282892bc3f9e0964bae2d8e15ccdfc5c27a426f118c7a7336c8 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
48d47a8878f2f3663c1e00091c6190ae9d4b0e08594cfb87d4810e726caf5a138100ef59d0fdb352cb5805ab3268bedde86f20d4637533f81d71451fc0989f20 0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
5b6e0c05209546c6ef29bc6ed9a24b4117d8a4983fc49abf554920d189fd73d97198c4428951177f7b21dcd968d786c98fa5b53d457946e9b79504fc6ed7c9f6 0004-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
8242840592974a57e98e9c6dfed73031f632dc26b88ba2bf40016c9778955476490eb14766de6a02429ad56066f228d23b3cd9c0772585c020be3b6dec32b522 0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch"
md5sums="bb038577c7f4e42a1b675fa6451bc4aa libXp-1.0.2.tar.bz2"
sha256sums="952fe5b5e90abd2cf04739aef3a9b63a253cd9309ed066a82bab7ca9112fd0b5 libXp-1.0.2.tar.bz2"
sha512sums="39670864e29db469060bdd66c7f4a64aadfd07506367617b8c2c91b91553b4e632ff70ebe59fc0198cdb7f12874e380a8bffcae7c192b0028bc5c52faf2bdc52 libXp-1.0.2.tar.bz2"
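Review bot: The `source=` list and the checksum blocks appear to drop all six patches, three of which carry the CVE-2013-2062 fixes, but neither the commit title nor the APKBUILD says that libXp 1.0.2 already contains them. A one-line comment or a sentence in the commit message would let a later reader confirm the fixes were not lost, e.g. `# CVE-2013-2062 patches dropped: included upstream in 1.0.2` (to be verified against the release tarball). The tarball is still fetched over plain `http://`, so the `sha256sums` and `sha512sums` entries are the only integrity check on the download.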