author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-27 14:31:43 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-27 14:37:26 +0000 |
commit | 2f5911458fe8d62dab1d3f01e2140015ee63829a (patch) | |
tree | 8c8c7d910bc4920c6119607ef375c6df6dbd75d1 | |
parent | d1476ec6f4aaced12fc3dc3a4620a0a44fc54fd6 (diff) | |
main/libxtst: fix CVE-2013-2063
ref #1931
fixes #1968
(cherry picked from commit ca33affea49de655ea0a1aa27accea11f84df7c1)
3 files changed, 199 insertions, 8 deletions
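--- /dev/null
+++ b/main/libxtst/0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
@@ -0,0 +1,88 @@
+From 46ed6283034b5b7d14584009453f5d974cfacf1e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 11:05:27 -0700
+Subject: [PATCH 1/2] Use _XEatDataWords to eat data in error cases
+
+Avoids having to do calculcations based on response contents
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+configure.ac | 6 ++++++
+src/XRecord.c | 23 +++++++++++++++++------
+2 files changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7ef0153..d83d4d8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -47,6 +47,12 @@ XORG_CHECK_SGML_DOCTOOLS(1.8)
+# Obtain compiler/linker options for depedencies
+PKG_CHECK_MODULES(XTST, x11 [xext >= 1.0.99.4] xi [recordproto >= 1.13.99.1] [xextproto >= 7.0.99.3] inputproto)
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XTST_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+# Determine if the source for man pages is available
+# It may already be present (tarball) or can be generated using xmlto
+AM_CONDITIONAL([INSTALL_MANPAGES],
+diff --git a/src/XRecord.c b/src/XRecord.c
+index b65451c..ba628b6 100644
+--- a/src/XRecord.c
++++ b/src/XRecord.c
+@@ -49,6 +49,9 @@ from The Open Group.
+* By Stephen Gildea, X Consortium, and Martha Zimet, NCD.
+*/
+
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
+#include <stdio.h>
+#include <assert.h>
+#include <X11/Xlibint.h>
+@@ -56,6 +59,18 @@ from The Open Group.
+#include <X11/extensions/extutil.h>
+#include <X11/extensions/recordproto.h>
+#include <X11/extensions/record.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+static XExtensionInfo _xrecord_info_data;
+static XExtensionInfo *xrecord_info = &_xrecord_info_data;
+@@ -427,7 +442,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+
+ret = (XRecordState*)Xmalloc(sizeof(XRecordState));
+if (!ret) {
+- /* XXX - eat data */
++ _XEatDataWords (dpy, rep.length);
+UnlockDisplay(dpy);
+SyncHandle();
+return 0;
+@@ -446,11 +461,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+}
+if (!client_inf || !client_inf_str)
+{
+- for(i = 0; i < count; i++)
+- {
+- _XEatData (dpy, sizeof(xRecordClientInfo));
+- _XEatData (dpy, SIZEOF(xRecordRange)); /* XXX - don't know how many */
+- }
++ _XEatDataWords (dpy, rep.length);
+UnlockDisplay(dpy);
+XRecordFreeState(ret);
+SyncHandle();
+--
+1.8.2.3
+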
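Review bot: The fallback `_XEatDataWords` added to src/XRecord.c has no comment saying that `n` is a length in 4-byte words, or why the `ULONG_MAX >> 2` guard is compiled only under `#ifndef LONG64`. I would put `/* n is rep.length, in 4-byte units; where unsigned long is 32 bits, n << 2 could wrap, so refuse such lengths */` above the function. The guard only protects the shift if `_XIOError` does not return; that is presumably the case, but its declaration is not visible here, so the same comment should say the code relies on it. XRecordGetContext, where both call sites live, starts and ends outside these hunks.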
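--- /dev/null
+++ b/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
@@ -0,0 +1,81 @@
+From e7e04b7be3f018ad636aba3a36bfc1cd80b9906d Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 11:27:26 -0700
+Subject: [PATCH 2/2] integer overflow in XRecordGetContext() [CVE-2013-2063]
+
+The nclients and nranges members of the reply are both CARD32 and need
+to be bounds checked before multiplying by the size of the structs to
+avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+src/XRecord.c | 32 +++++++++++++++++++++-----------
+1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/src/XRecord.c b/src/XRecord.c
+index ba628b6..5bbd5ac 100644
+--- a/src/XRecord.c
++++ b/src/XRecord.c
+@@ -420,11 +420,9 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+XExtDisplayInfo *info = find_display (dpy);
+register xRecordGetContextReq *req;
+xRecordGetContextReply rep;
+- int count, i, rn;
++ unsigned int count, i, rn;
+xRecordRange xrange;
+- XRecordRange *ranges = NULL;
+xRecordClientInfo xclient_inf;
+- XRecordClientInfo **client_inf, *client_inf_str = NULL;
+XRecordState *ret;
+
+XRecordCheckExtension (dpy, info, 0);
+@@ -454,13 +452,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+
+if (count)
+{
+- client_inf = (XRecordClientInfo **) Xcalloc(count, sizeof(XRecordClientInfo*));
+- ret->client_info = client_inf;
+- if (client_inf != NULL) {
+- client_inf_str = (XRecordClientInfo *) Xmalloc(count*sizeof(XRecordClientInfo));
++ XRecordClientInfo **client_inf = NULL;
++ XRecordClientInfo *client_inf_str = NULL;
++
++ if (count < (INT_MAX / sizeof(XRecordClientInfo))) {
++ client_inf = Xcalloc(count, sizeof(XRecordClientInfo *));
++ if (client_inf != NULL)
++ client_inf_str = Xmalloc(count * sizeof(XRecordClientInfo));
+}
++ ret->client_info = client_inf;
+if (!client_inf || !client_inf_str)
+{
++ free(client_inf);
+_XEatDataWords (dpy, rep.length);
+UnlockDisplay(dpy);
+XRecordFreeState(ret);
+@@ -476,11 +479,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
+
+if (xclient_inf.nRanges)
+{
+- client_inf_str[i].ranges = (XRecordRange**) Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange*));
+- if (client_inf_str[i].ranges != NULL) {
+- ranges = (XRecordRange*)
+- Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
++ XRecordRange *ranges = NULL;
++
++ if (xclient_inf.nRanges < (INT_MAX / sizeof(XRecordRange))) {
++ client_inf_str[i].ranges =
++ Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange *));
++ if (client_inf_str[i].ranges != NULL)
++ ranges =
++ Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
+}
++ else
++ client_inf_str[i].ranges = NULL;
++
+if (!client_inf_str[i].ranges || !ranges) {
+/* XXX eat data */
+UnlockDisplay(dpy);
+--
+1.8.2.3
+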
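Review bot: In the `if (count)` hunk, `ret->client_info = client_inf;` is stored before the failure branch, which then runs `free(client_inf);` and hands `ret` to `XRecordFreeState(ret)`, so whenever `Xcalloc` succeeded and `Xmalloc` failed the cleanup routine receives a pointer to memory that is already freed. XRecordFreeState is outside the hunk, but if it reads or releases `ret->client_info` this is a use-after-free or double free on an out-of-memory path; either drop the added `free(client_inf);` or clear the field with `ret->client_info = NULL;` right after it, whichever matches what XRecordFreeState expects. Separately, the nRanges failure branch still carries `/* XXX eat data */`, so the unread remainder of the reply is left on the connection there. `rep.length` cannot simply be passed to `_XEatDataWords` at that point, because part of the reply has presumably already been read into `xclient_inf`. XRecordGetContext starts and ends outside these hunks.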
diff --git a/main/libxtst/APKBUILD b/main/libxtst/APKBUILD index c4eb84bf9a..c87af4a041 100644 --- a/main/libxtst/APKBUILD +++ b/main/libxtst/APKBUILD | |||
@@ -1,30 +1,52 @@ | |||
1 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> | 1 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> |
2 | pkgname=libxtst | 2 | pkgname=libxtst |
3 | pkgver=1.2.1 | 3 | pkgver=1.2.1 |
4 | pkgrel=0 | 4 | pkgrel=1 |
5 | pkgdesc="X11 Testing -- Resource extension library" | 5 | pkgdesc="X11 Testing -- Resource extension library" |
6 | url="http://xorg.freedesktop.org/" | 6 | url="http://xorg.freedesktop.org/" |
7 | arch="all" | 7 | arch="all" |
8 | license="custom" | 8 | license="custom" |
9 | subpackages="$pkgname-dev $pkgname-doc" | 9 | subpackages="$pkgname-dev $pkgname-doc" |
10 | depends= | 10 | depends= |
11 | makedepends="pkgconfig libxext-dev libxi-dev recordproto inputproto" | ||
12 | source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2" | ||
13 | depends_dev="recordproto libx11-dev libxext-dev inputproto libxi-dev" | 11 | depends_dev="recordproto libx11-dev libxext-dev inputproto libxi-dev" |
12 | makedepends="$depends_dev libtool autoconf automake util-macros" | ||
13 | source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2 | ||
14 | 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch | ||
15 | 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch | ||
16 | " | ||
14 | 17 | ||
15 | build () | 18 | _builddir="$srcdir"/libXtst-$pkgver |
16 | { | 19 | prepare() { |
17 | cd "$srcdir"/libXtst-$pkgver | 20 | cd "$_builddir" |
21 | for i in $source; do | ||
22 | case $i in | ||
23 | *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; | ||
24 | esac | ||
25 | done | ||
26 | libtoolize --force && aclocal && autoheader && autoconf \ | ||
27 | && automake --add-missing | ||
28 | } | ||
29 | |||
30 | build() { | ||
31 | cd "$_builddir" | ||
18 | ./configure --prefix=/usr \ | 32 | ./configure --prefix=/usr \ |
19 | --build=${CHOST} --host=${CHOST} | 33 | --build=${CHOST} --host=${CHOST} |
20 | make || return 1 | 34 | make || return 1 |
21 | } | 35 | } |
22 | 36 | ||
23 | package() { | 37 | package() { |
24 | cd "$srcdir"/libXtst-$pkgver | 38 | cd "$_builddir" |
25 | make DESTDIR="$pkgdir" install || return 1 | 39 | make DESTDIR="$pkgdir" install || return 1 |
26 | rm "$pkgdir"/usr/lib/*.la || return 1 | 40 | rm "$pkgdir"/usr/lib/*.la || return 1 |
27 | install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE | 41 | install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE |
28 | } | 42 | } |
29 | 43 | ||
30 | md5sums="e8abc5c00c666f551cf26aa53819d592 libXtst-1.2.1.tar.bz2" | 44 | md5sums="e8abc5c00c666f551cf26aa53819d592 libXtst-1.2.1.tar.bz2 |
45 | ef5006c916511e087973d797a60aaee1 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch | ||
46 | 641e6194973b4d324f8278faa821b87a 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch" | ||
47 | sha256sums="7eea3e66e392aca3f9dad6238198753c28e1c32fa4903cbb7739607a2504e5e0 libXtst-1.2.1.tar.bz2 | ||
48 | bba7db9220b8a91b5ca71133af55414851d350e81c6142e74e7c44a3fc57c052 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch | ||
49 | d67b95b9bf1587e48bc4009d1d100ed1ee3a611ed07869bb157290064986db6f 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch" | ||
50 | sha512sums="287c10a761d30acc988399e23de1ecb7c90d8bd4d363cd03cd0a02eb232e37b0943f359fae76a8e68504ccadc2b7c0117bfebee75e00a0b6f58397658f8ebe0d libXtst-1.2.1.tar.bz2 | ||
51 | 0144a420f78f5377acd2548355089596439437d1d19945532428a1cc5f263155f03ebfbba668f9c468525c579aa091d4ddf27006ec4d55246bd045a7e6ff9739 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch | ||
52 | 730a9ad7c8aafd8f161bf7cbbd4bbd2c62d4fc6cf50a69f5575a4c52e9a2d712e36bb4e3b9325f628a2f71115ce8797ac93aa7bf023d0abe7ba3603f33f47e81 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch" | ||
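Review bot: The `source` entry still fetches libXtst-$pkgver.tar.bz2 over plain `http://`, so the only integrity control on the tarball and on the two CVE patches is the checksum arrays at the end of this file. The commit adds `sha256sums` and `sha512sums` but keeps `md5sums`; which array the build tool enforces is not visible here, so it is worth confirming that verification does not stop at MD5. As a style point in `prepare()`, `$i` is expanded unquoted in `msg $i` and `"$srcdir"/$i`; writing `msg "$i"` and `patch -p1 -i "$srcdir/$i"` costs nothing.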