mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2026-05-04 20:06:43 +02:00
Natanael Copa
parent
81511f0ba3
commit
ca33affea4
@ -0,0 +1,88 @@
|
||||
From 46ed6283034b5b7d14584009453f5d974cfacf1e Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sat, 13 Apr 2013 11:05:27 -0700
|
||||
Subject: [PATCH 1/2] Use _XEatDataWords to eat data in error cases
|
||||
|
||||
Avoids having to do calculcations based on response contents
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
configure.ac | 6 ++++++
|
||||
src/XRecord.c | 23 +++++++++++++++++------
|
||||
2 files changed, 23 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 7ef0153..d83d4d8 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -47,6 +47,12 @@ XORG_CHECK_SGML_DOCTOOLS(1.8)
|
||||
# Obtain compiler/linker options for depedencies
|
||||
PKG_CHECK_MODULES(XTST, x11 [xext >= 1.0.99.4] xi [recordproto >= 1.13.99.1] [xextproto >= 7.0.99.3] inputproto)
|
||||
|
||||
+# Check for _XEatDataWords function that may be patched into older Xlib release
|
||||
+SAVE_LIBS="$LIBS"
|
||||
+LIBS="$XTST_LIBS"
|
||||
+AC_CHECK_FUNCS([_XEatDataWords])
|
||||
+LIBS="$SAVE_LIBS"
|
||||
+
|
||||
# Determine if the source for man pages is available
|
||||
# It may already be present (tarball) or can be generated using xmlto
|
||||
AM_CONDITIONAL([INSTALL_MANPAGES],
|
||||
diff --git a/src/XRecord.c b/src/XRecord.c
|
||||
index b65451c..ba628b6 100644
|
||||
--- a/src/XRecord.c
|
||||
+++ b/src/XRecord.c
|
||||
@@ -49,6 +49,9 @@ from The Open Group.
|
||||
* By Stephen Gildea, X Consortium, and Martha Zimet, NCD.
|
||||
*/
|
||||
|
||||
+#ifdef HAVE_CONFIG_H
|
||||
+#include <config.h>
|
||||
+#endif
|
||||
#include <stdio.h>
|
||||
#include <assert.h>
|
||||
#include <X11/Xlibint.h>
|
||||
@@ -56,6 +59,18 @@ from The Open Group.
|
||||
#include <X11/extensions/extutil.h>
|
||||
#include <X11/extensions/recordproto.h>
|
||||
#include <X11/extensions/record.h>
|
||||
+#include <limits.h>
|
||||
+
|
||||
+#ifndef HAVE__XEATDATAWORDS
|
||||
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
|
||||
+{
|
||||
+# ifndef LONG64
|
||||
+ if (n >= (ULONG_MAX >> 2))
|
||||
+ _XIOError(dpy);
|
||||
+# endif
|
||||
+ _XEatData (dpy, n << 2);
|
||||
+}
|
||||
+#endif
|
||||
|
||||
static XExtensionInfo _xrecord_info_data;
|
||||
static XExtensionInfo *xrecord_info = &_xrecord_info_data;
|
||||
@@ -427,7 +442,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
|
||||
|
||||
ret = (XRecordState*)Xmalloc(sizeof(XRecordState));
|
||||
if (!ret) {
|
||||
- /* XXX - eat data */
|
||||
+ _XEatDataWords (dpy, rep.length);
|
||||
UnlockDisplay(dpy);
|
||||
SyncHandle();
|
||||
return 0;
|
||||
@@ -446,11 +461,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
|
||||
}
|
||||
if (!client_inf || !client_inf_str)
|
||||
{
|
||||
- for(i = 0; i < count; i++)
|
||||
- {
|
||||
- _XEatData (dpy, sizeof(xRecordClientInfo));
|
||||
- _XEatData (dpy, SIZEOF(xRecordRange)); /* XXX - don't know how many */
|
||||
- }
|
||||
+ _XEatDataWords (dpy, rep.length);
|
||||
UnlockDisplay(dpy);
|
||||
XRecordFreeState(ret);
|
||||
SyncHandle();
|
||||
--
|
||||
1.8.2.3
|
||||
|
||||
@ -0,0 +1,81 @@
|
||||
From e7e04b7be3f018ad636aba3a36bfc1cd80b9906d Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sat, 13 Apr 2013 11:27:26 -0700
|
||||
Subject: [PATCH 2/2] integer overflow in XRecordGetContext() [CVE-2013-2063]
|
||||
|
||||
The nclients and nranges members of the reply are both CARD32 and need
|
||||
to be bounds checked before multiplying by the size of the structs to
|
||||
avoid integer overflow leading to underallocation and writing data from
|
||||
the network past the end of the allocated buffer.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/XRecord.c | 32 +++++++++++++++++++++-----------
|
||||
1 file changed, 21 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/XRecord.c b/src/XRecord.c
|
||||
index ba628b6..5bbd5ac 100644
|
||||
--- a/src/XRecord.c
|
||||
+++ b/src/XRecord.c
|
||||
@@ -420,11 +420,9 @@ XRecordGetContext(Display *dpy, XRecordContext context,
|
||||
XExtDisplayInfo *info = find_display (dpy);
|
||||
register xRecordGetContextReq *req;
|
||||
xRecordGetContextReply rep;
|
||||
- int count, i, rn;
|
||||
+ unsigned int count, i, rn;
|
||||
xRecordRange xrange;
|
||||
- XRecordRange *ranges = NULL;
|
||||
xRecordClientInfo xclient_inf;
|
||||
- XRecordClientInfo **client_inf, *client_inf_str = NULL;
|
||||
XRecordState *ret;
|
||||
|
||||
XRecordCheckExtension (dpy, info, 0);
|
||||
@@ -454,13 +452,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
|
||||
|
||||
if (count)
|
||||
{
|
||||
- client_inf = (XRecordClientInfo **) Xcalloc(count, sizeof(XRecordClientInfo*));
|
||||
- ret->client_info = client_inf;
|
||||
- if (client_inf != NULL) {
|
||||
- client_inf_str = (XRecordClientInfo *) Xmalloc(count*sizeof(XRecordClientInfo));
|
||||
+ XRecordClientInfo **client_inf = NULL;
|
||||
+ XRecordClientInfo *client_inf_str = NULL;
|
||||
+
|
||||
+ if (count < (INT_MAX / sizeof(XRecordClientInfo))) {
|
||||
+ client_inf = Xcalloc(count, sizeof(XRecordClientInfo *));
|
||||
+ if (client_inf != NULL)
|
||||
+ client_inf_str = Xmalloc(count * sizeof(XRecordClientInfo));
|
||||
}
|
||||
+ ret->client_info = client_inf;
|
||||
if (!client_inf || !client_inf_str)
|
||||
{
|
||||
+ free(client_inf);
|
||||
_XEatDataWords (dpy, rep.length);
|
||||
UnlockDisplay(dpy);
|
||||
XRecordFreeState(ret);
|
||||
@@ -476,11 +479,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
|
||||
|
||||
if (xclient_inf.nRanges)
|
||||
{
|
||||
- client_inf_str[i].ranges = (XRecordRange**) Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange*));
|
||||
- if (client_inf_str[i].ranges != NULL) {
|
||||
- ranges = (XRecordRange*)
|
||||
- Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
|
||||
+ XRecordRange *ranges = NULL;
|
||||
+
|
||||
+ if (xclient_inf.nRanges < (INT_MAX / sizeof(XRecordRange))) {
|
||||
+ client_inf_str[i].ranges =
|
||||
+ Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange *));
|
||||
+ if (client_inf_str[i].ranges != NULL)
|
||||
+ ranges =
|
||||
+ Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
|
||||
}
|
||||
+ else
|
||||
+ client_inf_str[i].ranges = NULL;
|
||||
+
|
||||
if (!client_inf_str[i].ranges || !ranges) {
|
||||
/* XXX eat data */
|
||||
UnlockDisplay(dpy);
|
||||
--
|
||||
1.8.2.3
|
||||
|
||||
@ -1,30 +1,52 @@
|
||||
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
|
||||
pkgname=libxtst
|
||||
pkgver=1.2.1
|
||||
pkgrel=0
|
||||
pkgrel=1
|
||||
pkgdesc="X11 Testing -- Resource extension library"
|
||||
url="http://xorg.freedesktop.org/"
|
||||
arch="all"
|
||||
license="custom"
|
||||
subpackages="$pkgname-dev $pkgname-doc"
|
||||
depends=
|
||||
makedepends="pkgconfig libxext-dev libxi-dev recordproto inputproto"
|
||||
source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2"
|
||||
depends_dev="recordproto libx11-dev libxext-dev inputproto libxi-dev"
|
||||
makedepends="$depends_dev libtool autoconf automake util-macros"
|
||||
source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2
|
||||
0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
|
||||
0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
|
||||
"
|
||||
|
||||
build ()
|
||||
{
|
||||
cd "$srcdir"/libXtst-$pkgver
|
||||
_builddir="$srcdir"/libXtst-$pkgver
|
||||
prepare() {
|
||||
cd "$_builddir"
|
||||
for i in $source; do
|
||||
case $i in
|
||||
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
|
||||
esac
|
||||
done
|
||||
libtoolize --force && aclocal && autoheader && autoconf \
|
||||
&& automake --add-missing
|
||||
}
|
||||
|
||||
build() {
|
||||
cd "$_builddir"
|
||||
./configure --prefix=/usr \
|
||||
--build=${CHOST} --host=${CHOST}
|
||||
make || return 1
|
||||
}
|
||||
|
||||
package() {
|
||||
cd "$srcdir"/libXtst-$pkgver
|
||||
cd "$_builddir"
|
||||
make DESTDIR="$pkgdir" install || return 1
|
||||
rm "$pkgdir"/usr/lib/*.la || return 1
|
||||
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
|
||||
}
|
||||
|
||||
md5sums="e8abc5c00c666f551cf26aa53819d592 libXtst-1.2.1.tar.bz2"
|
||||
md5sums="e8abc5c00c666f551cf26aa53819d592 libXtst-1.2.1.tar.bz2
|
||||
ef5006c916511e087973d797a60aaee1 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
|
||||
641e6194973b4d324f8278faa821b87a 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
|
||||
sha256sums="7eea3e66e392aca3f9dad6238198753c28e1c32fa4903cbb7739607a2504e5e0 libXtst-1.2.1.tar.bz2
|
||||
bba7db9220b8a91b5ca71133af55414851d350e81c6142e74e7c44a3fc57c052 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
|
||||
d67b95b9bf1587e48bc4009d1d100ed1ee3a611ed07869bb157290064986db6f 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
|
||||
sha512sums="287c10a761d30acc988399e23de1ecb7c90d8bd4d363cd03cd0a02eb232e37b0943f359fae76a8e68504ccadc2b7c0117bfebee75e00a0b6f58397658f8ebe0d libXtst-1.2.1.tar.bz2
|
||||
0144a420f78f5377acd2548355089596439437d1d19945532428a1cc5f263155f03ebfbba668f9c468525c579aa091d4ddf27006ec4d55246bd045a7e6ff9739 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
|
||||
730a9ad7c8aafd8f161bf7cbbd4bbd2c62d4fc6cf50a69f5575a4c52e9a2d712e36bb4e3b9325f628a2f71115ce8797ac93aa7bf023d0abe7ba3603f33f47e81 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user