Commit 6dea6bb7 authored by Natanael Copa's avatar Natanael Copa

main/libxres: upgrade to 1.0.7

parent 1d7e3d39
From 83e7693515369d57dcd11c2bb1f03563f51bc500 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 18 Jan 2013 23:06:20 -0800
Subject: [PATCH 1/4] Replace deprecated Automake INCLUDES variable with
AM_CPPFLAGS
Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
- Support for the long-deprecated INCLUDES variable will be removed
altogether in Automake 1.14. The AM_CPPFLAGS variable should be
used instead.
This variable was deprecated in Automake releases prior to 1.10, which is
the current minimum level required to build X.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index fd508da..bf66d68 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -10,7 +10,7 @@ AM_CFLAGS = \
$(XRES_CFLAGS) \
$(MALLOC_ZERO_CFLAGS)
-INCLUDES = -I$(top_srcdir)/include
+AM_CPPFLAGS = -I$(top_srcdir)/include
libXRes_la_LDFLAGS = -version-number 1:0:0 -no-undefined
--
1.8.2.3
From 69457711050ac3a53859ef11790a7ac815cd7d94 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 10:34:22 -0700
Subject: [PATCH 2/4] Use _XEatDataWords to avoid overflow of rep.length
shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
configure.ac | 6 ++++++
src/XRes.c | 16 ++++++++++++++--
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 90205cc..f68b689 100644
--- a/configure.ac
+++ b/configure.ac
@@ -50,6 +50,12 @@ XORG_CHECK_MALLOC_ZERO
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(XRES, x11 xext xextproto [resourceproto >= 1.2.0])
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XRES_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile
diff --git a/src/XRes.c b/src/XRes.c
index 1744196..1ab1db8 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -13,6 +13,18 @@
#include <X11/extensions/XResproto.h>
#include <X11/extensions/XRes.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
static XExtensionInfo _xres_ext_info_data;
static XExtensionInfo *xres_ext_info = &_xres_ext_info_data;
@@ -131,7 +143,7 @@ Status XResQueryClients (
*num_clients = rep.num_clients;
result = 1;
} else {
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
}
@@ -183,7 +195,7 @@ Status XResQueryClientResources (
*num_types = rep.num_types;
result = 1;
} else {
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
}
--
1.8.2.3
From b053d215b80e721f9afdc5794e4f3f4f2aee0141 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 12 Apr 2013 23:36:13 -0700
Subject: [PATCH 3/4] integer overflow in XResQueryClients() [CVE-2013-1988
1/2]
The CARD32 rep.num_clients needs to be bounds checked before multiplying
by sizeof(XResClient) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XRes.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/XRes.c b/src/XRes.c
index 1ab1db8..c989985 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -130,7 +130,12 @@ Status XResQueryClients (
}
if(rep.num_clients) {
- if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) {
+ if (rep.num_clients < (INT_MAX / sizeof(XResClient)))
+ clnts = Xmalloc(sizeof(XResClient) * rep.num_clients);
+ else
+ clnts = NULL;
+
+ if (clnts != NULL) {
xXResClient scratch;
int i;
--
1.8.2.3
From f468184963e53feda848853c4aefd0197b2cc116 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 12 Apr 2013 23:36:13 -0700
Subject: [PATCH 4/4] integer overflow in XResQueryClientResources()
[CVE-2013-1988 2/2]
The CARD32 rep.num_types needs to be bounds checked before multiplying
by sizeof(XResType) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XRes.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/XRes.c b/src/XRes.c
index c989985..51e905f 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -187,7 +187,12 @@ Status XResQueryClientResources (
}
if(rep.num_types) {
- if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) {
+ if (rep.num_types < (INT_MAX / sizeof(XResType)))
+ typs = Xmalloc(sizeof(XResType) * rep.num_types);
+ else
+ typs = NULL;
+
+ if (typs != NULL) {
xXResType scratch;
int i;
--
1.8.2.3
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxres
pkgver=1.0.6
pkgrel=1
pkgver=1.0.7
pkgrel=0
pkgdesc="X11 Resource extension library"
url="http://xorg.freedesktop.org"
arch="all"
......@@ -9,12 +9,8 @@ license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
depends_dev="xproto resourceproto libx11-dev libxext-dev"
makedepends="$depends_dev libtool autoconf automake util-macros"
makedepends="$depends_dev"
source="http://xorg.freedesktop.org/releases/individual/lib/libXres-$pkgver.tar.bz2
0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch
"
_builddir="$srcdir"/libXres-$pkgver
......@@ -25,8 +21,6 @@ prepare() {
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
libtoolize --force && aclocal && autoheader && autoconf \
&& automake --add-missing
}
build() {
......@@ -43,18 +37,6 @@ package() {
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
}
md5sums="80d0c6d8522fa7a645e4f522e9a9cd20 libXres-1.0.6.tar.bz2
1c9e87b0d44dd1e3630c2dace1885f5c 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
b846d11e2aded99e05b17f582704a2b8 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
d30b38ef42f65a9409ff53df81257ca2 0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
791bd7a8effc52ed2e5ae266729b317a 0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch"
sha256sums="ff8661c925e8b182f98ae98f02bbd93c55259ef7f34a92c1a126b6074ebde890 libXres-1.0.6.tar.bz2
6069a7690f226a98e5ca898e0213f96672ad47a3ce2fbd4079cce185bf7842e2 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
5ae734771ea853177771b7ef566c1ebc8a365c301353fc1883007d2c560df26e 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
c40579e8ce20316710339fe1c497b3b75e641a1de66321892f40b71ca0e316db 0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
4ce80a734022df47f5c6b6bbb984446c67ca2dff7231dee5c1686f496bf6ab30 0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch"
sha512sums="ba884e32446946520d1ba81764fac64f5350fb109cff1846e839c2a9ef11708ebd39d4434525a373af0c10250fc5f508a34f965f9e2312d5bc50ccbefbafa65c libXres-1.0.6.tar.bz2
ffa4def53bd8e99120526e55d5eb025e135517e8d6d43fb6abd64ec9c3c4234d026bdb5d35477292aecb3a56f44041a2b1338909997bc671adca43f175d9f774 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
6a9d2e50b5bf128c5a9366b227b4d0649388aea5907e180346ac53ddb0685afad05d22d24b7953e7c323292153aa5867582adf9940420da69eef2b67ff0597d3 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
ea313a26f8ffffcaa8de2a813e8df775b534895b0d8400640292e94465a80b20daf3ee45db25695e6ca867f298b6490beeb5b5bf67065b001e4a9f971534c474 0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
d8b4be3b9a69f33c32254f23dfa51fd4154ea1afae498aea2ab841a7d98e526af666b4a3b9df8f011f04d440e6f20ea0e9c58627eb7030992a2e0897b8f02ad7 0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch"
md5sums="45ef29206a6b58254c81bea28ec6c95f libXres-1.0.7.tar.bz2"
sha256sums="26899054aa87f81b17becc68e8645b240f140464cf90c42616ebb263ec5fa0e5 libXres-1.0.7.tar.bz2"
sha512sums="796a79ab694317910442cb10a936711df9dde95764eef11efb8dedc85114977e56409de2f640553f1ad492325df178b8cfbeaeec3f03bf084638c555e44292e0 libXres-1.0.7.tar.bz2"
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment