From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: [PATCH 5/8] gnu: libxrender: Fix CVE-2016-{7949,7950}. Date: Wed, 5 Oct 2016 13:55:58 -0400 Message-ID: <5d332b04368aa9a97cc4f5ef6ca8dfe8cf5cf9df.1475690088.git.leo@famulari.name> References: Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:51917) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1brqQw-0004V1-Qu for guix-devel@gnu.org; Wed, 05 Oct 2016 13:56:50 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1brqQt-0000ze-MI for guix-devel@gnu.org; Wed, 05 Oct 2016 13:56:45 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:45567) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1brqQs-0000wG-Ap for guix-devel@gnu.org; Wed, 05 Oct 2016 13:56:43 -0400 Received: from localhost.localdomain (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148]) by mail.messagingengine.com (Postfix) with ESMTPA id 8065DF2D2A for ; Wed, 5 Oct 2016 13:56:25 -0400 (EDT) In-Reply-To: In-Reply-To: References: List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org * gnu/packages/patches/libxrender-CVE-2016-7949.patch, gnu/packages/patches/libxrender-CVE-2016-7950.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/xorg.scm (libxrender)[replacement]: New field. (libxrender/fixed): New variable. --- gnu/local.mk | 2 + .../patches/libxrender-CVE-2016-7949.patch | 66 +++++++++++++++++++ .../patches/libxrender-CVE-2016-7950.patch | 73 ++++++++++++++++++++++ gnu/packages/xorg.scm | 9 +++ 4 files changed, 150 insertions(+) create mode 100644 gnu/packages/patches/libxrender-CVE-2016-7949.patch create mode 100644 gnu/packages/patches/libxrender-CVE-2016-7950.patch diff --git a/gnu/local.mk b/gnu/local.mk index 22d63a9..ec237d9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -674,6 +674,8 @@ dist_patch_DATA = \ %D%/packages/patches/libxfixes-CVE-2016-7944.patch \ %D%/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch \ %D%/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch \ + %D%/packages/patches/libxrender-CVE-2016-7949.patch \ + %D%/packages/patches/libxrender-CVE-2016-7950.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/llvm-for-extempore.patch \ diff --git a/gnu/packages/patches/libxrender-CVE-2016-7949.patch b/gnu/packages/patches/libxrender-CVE-2016-7949.patch new file mode 100644 index 0000000..3a2be4e --- /dev/null +++ b/gnu/packages/patches/libxrender-CVE-2016-7949.patch @@ -0,0 +1,66 @@ +Fix CVE-2016-7949: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949 + +Patch copied from upstream source repository: + +https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4 + +From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 25 Sep 2016 21:43:09 +0200 +Subject: [PATCH] Validate lengths while parsing server data. + +Individual lengths inside received server data can overflow +the previously reserved memory. + +It is therefore important to validate every single length +field to not overflow the previously agreed sum of all invidual +length fields. + +v2: consume remaining bytes in the reply buffer on error. + +Signed-off-by: Tobias Stoeckmann +Reviewed-by: Matthieu Herrb@laas.fr +--- + src/Xrender.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/Xrender.c b/src/Xrender.c +index 3102eb2..71cf3e6 100644 +--- a/src/Xrender.c ++++ b/src/Xrender.c +@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy) + screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); + screen->subpixel = SubPixelUnknown; + xDepth = (xPictDepth *) (xScreen + 1); ++ if (screen->ndepths > rep.numDepths) { ++ Xfree (xri); ++ Xfree (xData); ++ _XEatDataWords (dpy, rep.length); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return 0; ++ } ++ rep.numDepths -= screen->ndepths; + for (nd = 0; nd < screen->ndepths; nd++) + { + depth->depth = xDepth->depth; + depth->nvisuals = xDepth->nPictVisuals; + depth->visuals = visual; + xVisual = (xPictVisual *) (xDepth + 1); ++ if (depth->nvisuals > rep.numVisuals) { ++ Xfree (xri); ++ Xfree (xData); ++ _XEatDataWords (dpy, rep.length); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return 0; ++ } ++ rep.numVisuals -= depth->nvisuals; + for (nv = 0; nv < depth->nvisuals; nv++) + { + visual->visual = _XRenderFindVisual (dpy, xVisual->visual); +-- +2.10.1 + diff --git a/gnu/packages/patches/libxrender-CVE-2016-7950.patch b/gnu/packages/patches/libxrender-CVE-2016-7950.patch new file mode 100644 index 0000000..1a64b6e --- /dev/null +++ b/gnu/packages/patches/libxrender-CVE-2016-7950.patch @@ -0,0 +1,73 @@ +Fix CVE-2016-7950: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950 + +Patch copied from upstream source repository: + +https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714 + +From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 25 Sep 2016 21:42:09 +0200 +Subject: [PATCH] Avoid OOB write in XRenderQueryFilters + +The memory for filter names is reserved right after receiving the reply. +After that, filters are iterated and each individual filter name is +stored in that reserved memory. + +The individual name lengths are not checked for validity, which means +that a malicious server can reserve less memory than it will write to +during each iteration. + +v2: consume remaining bytes in reply buffer on error. + +Signed-off-by: Tobias Stoeckmann +Reviewed-by: Matthieu Herrb +--- + src/Filter.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/Filter.c b/src/Filter.c +index edfa572..8d701eb 100644 +--- a/src/Filter.c ++++ b/src/Filter.c +@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) + char *name; + char len; + int i; +- unsigned long nbytes, nbytesAlias, nbytesName; ++ unsigned long nbytes, nbytesAlias, nbytesName, reply_left; + + if (!RenderHasExtension (info)) + return NULL; +@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) + * Read the filter aliases + */ + _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases); ++ reply_left = 8 + rep.length - 2 * rep.numAliases;; + + /* + * Read the filter names +@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) + { + int l; + _XRead (dpy, &len, 1); ++ reply_left--; + l = len & 0xff; ++ if ((unsigned long)l + 1 > nbytesName) { ++ _XEatDataWords(dpy, reply_left); ++ Xfree(filters); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return NULL; ++ } ++ nbytesName -= l + 1; + filters->filter[i] = name; + _XRead (dpy, name, l); ++ reply_left -= l; + name[l] = '\0'; + name += l + 1; + } +-- +2.10.1 + diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm index b6cfbd6..2df6631 100644 --- a/gnu/packages/xorg.scm +++ b/gnu/packages/xorg.scm @@ -4602,6 +4602,7 @@ cannot be adequately worked around on the client side of the wire.") (define-public libxrender (package (name "libxrender") + (replacement libxrender/fixed) (version "0.9.9") (source (origin @@ -4626,6 +4627,14 @@ cannot be adequately worked around on the client side of the wire.") (description "Library for the Render Extension to the X11 protocol.") (license license:x11))) +(define libxrender/fixed + (package + (inherit libxrender) + (source (origin + (inherit (package-source libxrender)) + (patches (search-patches + "libxrender-CVE-2016-7949.patch" + "libxrender-CVE-2016-7950.patch")))))) (define-public libxtst (package -- 2.10.1