From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: [PATCH 7/8] gnu: libxv: Fix CVE-2016-5407.
Date: Wed,  5 Oct 2016 13:56:00 -0400	[thread overview]
Message-ID: <60f5962dcbd091f6425c8e3cfe3f324f7bfade04.1475690088.git.leo@famulari.name> (raw)
In-Reply-To: <cover.1475690088.git.leo@famulari.name>
In-Reply-To: <cover.1475690088.git.leo@famulari.name>

* gnu/packages/patches/libxv-CVE-2016-5407.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xorg.scm (libxv)[replacement]: New field.
(libxv/fixed): New variable.
---
 gnu/local.mk                                   |   1 +
 gnu/packages/patches/libxv-CVE-2016-5407.patch | 162 +++++++++++++++++++++++++
 gnu/packages/xorg.scm                          |   8 ++
 3 files changed, 171 insertions(+)
 create mode 100644 gnu/packages/patches/libxv-CVE-2016-5407.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 7489ab7..92b5e66 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -677,6 +677,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libxrender-CVE-2016-7949.patch		\
   %D%/packages/patches/libxrender-CVE-2016-7950.patch		\
   %D%/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch	\
+  %D%/packages/patches/libxv-CVE-2016-5407.patch		\
   %D%/packages/patches/libxslt-generated-ids.patch		\
   %D%/packages/patches/lirc-localstatedir.patch			\
   %D%/packages/patches/llvm-for-extempore.patch			\
diff --git a/gnu/packages/patches/libxv-CVE-2016-5407.patch b/gnu/packages/patches/libxv-CVE-2016-5407.patch
new file mode 100644
index 0000000..e6a76c9
--- /dev/null
+++ b/gnu/packages/patches/libxv-CVE-2016-5407.patch
@@ -0,0 +1,162 @@
+Fix CVE-2016-5407:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17
+
+From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:30:03 +0200
+Subject: [PATCH] Protocol handling issues in libXv - CVE-2016-5407
+
+The Xv query functions for adaptors and encodings suffer from out of
+boundary accesses if a hostile X server sends a maliciously crafted
+response.
+
+A previous fix already checks the received length against fixed values
+but ignores additional length specifications which are stored inside
+the received data.
+
+These lengths are accessed in a for-loop. The easiest way to guarantee
+a correct processing is by validating all lengths against the
+remaining size left before accessing referenced memory.
+
+This makes the previously applied check obsolete, therefore I removed
+it.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/Xv.c | 46 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 29 insertions(+), 17 deletions(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index e47093a..be450c4 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -158,6 +158,7 @@ XvQueryAdaptors(
+     size_t size;
+     unsigned int ii, jj;
+     char *name;
++    char *end;
+     XvAdaptorInfo *pas = NULL, *pa;
+     XvFormat *pfs, *pf;
+     char *buffer = NULL;
+@@ -197,17 +198,13 @@ XvQueryAdaptors(
+     /* GET INPUT ADAPTORS */
+ 
+     if (rep.num_adaptors == 0) {
+-        /* If there's no adaptors, there's nothing more to do. */
++        /* If there are no adaptors, there's nothing more to do. */
+         status = Success;
+         goto out;
+     }
+ 
+-    if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) {
+-        /* If there's not enough data for the number of adaptors,
+-           then we have a problem. */
+-        status = XvBadReply;
+-        goto out;
+-    }
++    u.buffer = buffer;
++    end = buffer + size;
+ 
+     size = rep.num_adaptors * sizeof(XvAdaptorInfo);
+     if ((pas = Xmalloc(size)) == NULL) {
+@@ -225,9 +222,12 @@ XvQueryAdaptors(
+         pa++;
+     }
+ 
+-    u.buffer = buffer;
+     pa = pas;
+     for (ii = 0; ii < rep.num_adaptors; ii++) {
++        if (u.buffer + sz_xvAdaptorInfo > end) {
++            status = XvBadReply;
++            goto out;
++        }
+         pa->type = u.pa->type;
+         pa->base_id = u.pa->base_id;
+         pa->num_ports = u.pa->num_ports;
+@@ -239,6 +239,10 @@ XvQueryAdaptors(
+         size = u.pa->name_size;
+         u.buffer += pad_to_int32(sz_xvAdaptorInfo);
+ 
++        if (u.buffer + size > end) {
++            status = XvBadReply;
++            goto out;
++        }
+         if ((name = Xmalloc(size + 1)) == NULL) {
+             status = XvBadAlloc;
+             goto out;
+@@ -259,6 +263,11 @@ XvQueryAdaptors(
+ 
+         pf = pfs;
+         for (jj = 0; jj < pa->num_formats; jj++) {
++            if (u.buffer + sz_xvFormat > end) {
++                Xfree(pfs);
++                status = XvBadReply;
++                goto out;
++            }
+             pf->depth = u.pf->depth;
+             pf->visual_id = u.pf->visual;
+             pf++;
+@@ -327,6 +336,7 @@ XvQueryEncodings(
+     size_t size;
+     unsigned int jj;
+     char *name;
++    char *end;
+     XvEncodingInfo *pes = NULL, *pe;
+     char *buffer = NULL;
+     union {
+@@ -364,17 +374,13 @@ XvQueryEncodings(
+     /* GET ENCODINGS */
+ 
+     if (rep.num_encodings == 0) {
+-        /* If there's no encodings, there's nothing more to do. */
++        /* If there are no encodings, there's nothing more to do. */
+         status = Success;
+         goto out;
+     }
+ 
+-    if (size < (rep.num_encodings * sz_xvEncodingInfo)) {
+-        /* If there's not enough data for the number of adaptors,
+-           then we have a problem. */
+-        status = XvBadReply;
+-        goto out;
+-    }
++    u.buffer = buffer;
++    end = buffer + size;
+ 
+     size = rep.num_encodings * sizeof(XvEncodingInfo);
+     if ((pes = Xmalloc(size)) == NULL) {
+@@ -391,10 +397,12 @@ XvQueryEncodings(
+         pe++;
+     }
+ 
+-    u.buffer = buffer;
+-
+     pe = pes;
+     for (jj = 0; jj < rep.num_encodings; jj++) {
++        if (u.buffer + sz_xvEncodingInfo > end) {
++            status = XvBadReply;
++            goto out;
++        }
+         pe->encoding_id = u.pe->encoding;
+         pe->width = u.pe->width;
+         pe->height = u.pe->height;
+@@ -405,6 +413,10 @@ XvQueryEncodings(
+         size = u.pe->name_size;
+         u.buffer += pad_to_int32(sz_xvEncodingInfo);
+ 
++        if (u.buffer + size > end) {
++            status = XvBadReply;
++            goto out;
++        }
+         if ((name = Xmalloc(size + 1)) == NULL) {
+             status = XvBadAlloc;
+             goto out;
+-- 
+2.10.1
+
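Review bot: The backported guards form a pointer past the end of the reply before comparing it — `if (u.buffer + sz_xvAdaptorInfo > end)` and `if (u.buffer + size > end)`, where `size` was just loaded from the reply's `name_size` field — which is undefined behaviour in C whenever the reply is short, and on 32-bit targets the addition can wrap so that a short reply passes the check; the same shape is used in the XvQueryEncodings hunks and the `sz_xvFormat` check. Comparing the remaining length instead never leaves the buffer: `if ((size_t)(end - u.buffer) < size) { status = XvBadReply; goto out; }` (and likewise with `sz_xvAdaptorInfo`, `sz_xvFormat` and `sz_xvEncodingInfo` in place of `size`). Because this file is a verbatim copy of the upstream commit, the adjustment would best be made upstream and re-copied here rather than edited locally. The enclosing XvQueryAdaptors and XvQueryEncodings bodies begin and end outside these hunks.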
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 111de2b..448ac65 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -4686,6 +4686,7 @@ protocol and arbitrary X extension protocol.")
 (define-public libxv
   (package
     (name "libxv")
+    (replacement libxv/fixed)
     (version "1.0.10")
     (source
       (origin
@@ -4711,6 +4712,13 @@ protocol and arbitrary X extension protocol.")
     (description "Library for the X Video Extension to the X11 protocol.")
     (license license:x11)))
 
+(define libxv/fixed
+  (package
+    (inherit libxv)
+    (source (origin
+              (inherit (package-source libxv))
+              (patches (search-patches
+                         "libxv-CVE-2016-5407.patch"))))))
 
 (define-public mkfontdir
   (package
-- 
2.10.1
