From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: [PATCH 2/8] gnu: libxfixes: Fix CVE-2016-7944.
Date: Wed, 5 Oct 2016 13:55:55 -0400 [thread overview]
Message-ID: <801fb6cbdac29f4cf585a4acda7697ee317d24e6.1475690088.git.leo@famulari.name> (raw)
In-Reply-To: <cover.1475690088.git.leo@famulari.name>
In-Reply-To: <cover.1475690088.git.leo@famulari.name>
* gnu/packages/patches/libxfixes-CVE-2016-7944.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xorg.scm (libxfixes)[replacement]: New field.
(libxfixes/fixed): New variable.
---
gnu/local.mk | 1 +
gnu/packages/patches/libxfixes-CVE-2016-7944.patch | 62 ++++++++++++++++++++++
gnu/packages/xorg.scm | 8 +++
3 files changed, 71 insertions(+)
create mode 100644 gnu/packages/patches/libxfixes-CVE-2016-7944.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 03d07f6..9e875de 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -671,6 +671,7 @@ dist_patch_DATA = \
%D%/packages/patches/libwmf-CVE-2015-4696.patch \
%D%/packages/patches/libx11-CVE-2016-7942.patch \
%D%/packages/patches/libx11-CVE-2016-7943.patch \
+ %D%/packages/patches/libxfixes-CVE-2016-7944.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
%D%/packages/patches/lirc-localstatedir.patch \
%D%/packages/patches/llvm-for-extempore.patch \
diff --git a/gnu/packages/patches/libxfixes-CVE-2016-7944.patch b/gnu/packages/patches/libxfixes-CVE-2016-7944.patch
new file mode 100644
index 0000000..2ce463f
--- /dev/null
+++ b/gnu/packages/patches/libxfixes-CVE-2016-7944.patch
@@ -0,0 +1,62 @@
+Fix CVE-2016-7944:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e
+
+From 61c1039ee23a2d1de712843bed3480654d7ef42e Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 22:38:44 +0200
+Subject: [PATCH] Integer overflow on illegal server response
+
+The 32 bit field "rep.length" is not checked for validity, which allows
+an integer overflow on 32 bit systems.
+
+A malicious server could send INT_MAX as length, which gets multiplied
+by the size of XRectangle. In that case the client won't read the whole
+data from server, getting out of sync.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/Region.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/Region.c b/src/Region.c
+index cb0cf6e..59bcc1a 100644
+--- a/src/Region.c
++++ b/src/Region.c
+@@ -23,6 +23,7 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include "Xfixesint.h"
+
+ XserverRegion
+@@ -333,9 +334,17 @@ XFixesFetchRegionAndBounds (Display *dpy,
+ bounds->y = rep.y;
+ bounds->width = rep.width;
+ bounds->height = rep.height;
+- nbytes = (long) rep.length << 2;
+- nrects = rep.length >> 1;
+- rects = Xmalloc (nrects * sizeof (XRectangle));
++
++ if (rep.length < (INT_MAX >> 2)) {
++ nbytes = (long) rep.length << 2;
++ nrects = rep.length >> 1;
++ rects = Xmalloc (nrects * sizeof (XRectangle));
++ } else {
++ nbytes = 0;
++ nrects = 0;
++ rects = NULL;
++ }
++
+ if (!rects)
+ {
+ _XEatDataWords(dpy, rep.length);
+--
+2.10.1
+
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 83dfd5d..5bd3aee 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -4823,6 +4823,7 @@ an X Window System display.")
(define-public libxfixes
(package
(name "libxfixes")
+ (replacement libxfixes/fixed)
(version "5.0.1")
(source
(origin
@@ -4847,6 +4848,13 @@ an X Window System display.")
(description "Library for the XFixes Extension to the X11 protocol.")
(license license:x11)))
+(define libxfixes/fixed
+ (package
+ (inherit libxfixes)
+ (source (origin
+ (inherit (package-source libxfixes))
+ (patches (search-patches
+ "libxfixes-CVE-2016-7944.patch"))))))
(define-public libxfont
(package
--
2.10.1
next prev parent reply other threads:[~2016-10-05 17:56 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-05 17:55 [PATCH 0/8] Xorg security updates for the master branch Leo Famulari
2016-10-05 17:55 ` [PATCH 1/8] gnu: libx11: Fix CVE-2016-{7942,7943} Leo Famulari
2016-10-05 17:55 ` Leo Famulari [this message]
2016-10-05 17:55 ` [PATCH 3/8] gnu: libxi: Fix CVE-2016-{7945,7946} Leo Famulari
2016-10-05 17:55 ` [PATCH 4/8] gnu: libxrandr: Fix CVE-2016-{7947,7948} Leo Famulari
2016-10-05 17:55 ` [PATCH 5/8] gnu: libxrender: Fix CVE-2016-{7949,7950} Leo Famulari
2016-10-05 17:55 ` [PATCH 6/8] gnu: libxtst: Fix CVE-2016-{7951,7952} Leo Famulari
2016-10-05 17:56 ` [PATCH 7/8] gnu: libxv: Fix CVE-2016-5407 Leo Famulari
2016-10-05 17:56 ` [PATCH 8/8] gnu: libxvmc: Fix CVE-2016-7953 Leo Famulari
2016-10-05 19:33 ` [PATCH 0/8] Xorg security updates for the master branch Leo Famulari
2016-10-05 21:17 ` Ludovic Courtès
2016-10-05 21:38 ` Leo Famulari
2016-10-05 23:44 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=801fb6cbdac29f4cf585a4acda7697ee317d24e6.1475690088.git.leo@famulari.name \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).