From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: [PATCH 7/8] gnu: libxv: Fix CVE-2016-5407. Date: Wed, 5 Oct 2016 13:56:00 -0400 Message-ID: <60f5962dcbd091f6425c8e3cfe3f324f7bfade04.1475690088.git.leo@famulari.name> References: Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:51915) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1brqQw-0004Uj-FT for guix-devel@gnu.org; Wed, 05 Oct 2016 13:56:49 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1brqQt-0000zX-LV for guix-devel@gnu.org; Wed, 05 Oct 2016 13:56:45 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:33652) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1brqQs-0000wJ-Ap for guix-devel@gnu.org; Wed, 05 Oct 2016 13:56:43 -0400 Received: from localhost.localdomain (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148]) by mail.messagingengine.com (Postfix) with ESMTPA id C74EBF2C78 for ; Wed, 5 Oct 2016 13:56:25 -0400 (EDT) In-Reply-To: In-Reply-To: References: List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org * gnu/packages/patches/libxv-CVE-2016-5407.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xorg.scm (libxv)[replacement]: New field. (libxv/fixed): New variable. --- gnu/local.mk | 1 + gnu/packages/patches/libxv-CVE-2016-5407.patch | 162 +++++++++++++++++++++++++ gnu/packages/xorg.scm | 8 ++ 3 files changed, 171 insertions(+) create mode 100644 gnu/packages/patches/libxv-CVE-2016-5407.patch diff --git a/gnu/local.mk b/gnu/local.mk index 7489ab7..92b5e66 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -677,6 +677,7 @@ dist_patch_DATA = \ %D%/packages/patches/libxrender-CVE-2016-7949.patch \ %D%/packages/patches/libxrender-CVE-2016-7950.patch \ %D%/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch \ + %D%/packages/patches/libxv-CVE-2016-5407.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/llvm-for-extempore.patch \ diff --git a/gnu/packages/patches/libxv-CVE-2016-5407.patch b/gnu/packages/patches/libxv-CVE-2016-5407.patch new file mode 100644 index 0000000..e6a76c9 --- /dev/null +++ b/gnu/packages/patches/libxv-CVE-2016-5407.patch @@ -0,0 +1,162 @@ +Fix CVE-2016-5407: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407 + +Patch copied from upstream source repository: + +https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17 + +From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 25 Sep 2016 21:30:03 +0200 +Subject: [PATCH] Protocol handling issues in libXv - CVE-2016-5407 + +The Xv query functions for adaptors and encodings suffer from out of +boundary accesses if a hostile X server sends a maliciously crafted +response. + +A previous fix already checks the received length against fixed values +but ignores additional length specifications which are stored inside +the received data. + +These lengths are accessed in a for-loop. The easiest way to guarantee +a correct processing is by validating all lengths against the +remaining size left before accessing referenced memory. + +This makes the previously applied check obsolete, therefore I removed +it. + +Signed-off-by: Tobias Stoeckmann +Reviewed-by: Matthieu Herrb +--- + src/Xv.c | 46 +++++++++++++++++++++++++++++----------------- + 1 file changed, 29 insertions(+), 17 deletions(-) + +diff --git a/src/Xv.c b/src/Xv.c +index e47093a..be450c4 100644 +--- a/src/Xv.c ++++ b/src/Xv.c +@@ -158,6 +158,7 @@ XvQueryAdaptors( + size_t size; + unsigned int ii, jj; + char *name; ++ char *end; + XvAdaptorInfo *pas = NULL, *pa; + XvFormat *pfs, *pf; + char *buffer = NULL; +@@ -197,17 +198,13 @@ XvQueryAdaptors( + /* GET INPUT ADAPTORS */ + + if (rep.num_adaptors == 0) { +- /* If there's no adaptors, there's nothing more to do. */ ++ /* If there are no adaptors, there's nothing more to do. */ + status = Success; + goto out; + } + +- if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) { +- /* If there's not enough data for the number of adaptors, +- then we have a problem. */ +- status = XvBadReply; +- goto out; +- } ++ u.buffer = buffer; ++ end = buffer + size; + + size = rep.num_adaptors * sizeof(XvAdaptorInfo); + if ((pas = Xmalloc(size)) == NULL) { +@@ -225,9 +222,12 @@ XvQueryAdaptors( + pa++; + } + +- u.buffer = buffer; + pa = pas; + for (ii = 0; ii < rep.num_adaptors; ii++) { ++ if (u.buffer + sz_xvAdaptorInfo > end) { ++ status = XvBadReply; ++ goto out; ++ } + pa->type = u.pa->type; + pa->base_id = u.pa->base_id; + pa->num_ports = u.pa->num_ports; +@@ -239,6 +239,10 @@ XvQueryAdaptors( + size = u.pa->name_size; + u.buffer += pad_to_int32(sz_xvAdaptorInfo); + ++ if (u.buffer + size > end) { ++ status = XvBadReply; ++ goto out; ++ } + if ((name = Xmalloc(size + 1)) == NULL) { + status = XvBadAlloc; + goto out; +@@ -259,6 +263,11 @@ XvQueryAdaptors( + + pf = pfs; + for (jj = 0; jj < pa->num_formats; jj++) { ++ if (u.buffer + sz_xvFormat > end) { ++ Xfree(pfs); ++ status = XvBadReply; ++ goto out; ++ } + pf->depth = u.pf->depth; + pf->visual_id = u.pf->visual; + pf++; +@@ -327,6 +336,7 @@ XvQueryEncodings( + size_t size; + unsigned int jj; + char *name; ++ char *end; + XvEncodingInfo *pes = NULL, *pe; + char *buffer = NULL; + union { +@@ -364,17 +374,13 @@ XvQueryEncodings( + /* GET ENCODINGS */ + + if (rep.num_encodings == 0) { +- /* If there's no encodings, there's nothing more to do. */ ++ /* If there are no encodings, there's nothing more to do. */ + status = Success; + goto out; + } + +- if (size < (rep.num_encodings * sz_xvEncodingInfo)) { +- /* If there's not enough data for the number of adaptors, +- then we have a problem. */ +- status = XvBadReply; +- goto out; +- } ++ u.buffer = buffer; ++ end = buffer + size; + + size = rep.num_encodings * sizeof(XvEncodingInfo); + if ((pes = Xmalloc(size)) == NULL) { +@@ -391,10 +397,12 @@ XvQueryEncodings( + pe++; + } + +- u.buffer = buffer; +- + pe = pes; + for (jj = 0; jj < rep.num_encodings; jj++) { ++ if (u.buffer + sz_xvEncodingInfo > end) { ++ status = XvBadReply; ++ goto out; ++ } + pe->encoding_id = u.pe->encoding; + pe->width = u.pe->width; + pe->height = u.pe->height; +@@ -405,6 +413,10 @@ XvQueryEncodings( + size = u.pe->name_size; + u.buffer += pad_to_int32(sz_xvEncodingInfo); + ++ if (u.buffer + size > end) { ++ status = XvBadReply; ++ goto out; ++ } + if ((name = Xmalloc(size + 1)) == NULL) { + status = XvBadAlloc; + goto out; +-- +2.10.1 + diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm index 111de2b..448ac65 100644 --- a/gnu/packages/xorg.scm +++ b/gnu/packages/xorg.scm @@ -4686,6 +4686,7 @@ protocol and arbitrary X extension protocol.") (define-public libxv (package (name "libxv") + (replacement libxv/fixed) (version "1.0.10") (source (origin @@ -4711,6 +4712,13 @@ protocol and arbitrary X extension protocol.") (description "Library for the X Video Extension to the X11 protocol.") (license license:x11))) +(define libxv/fixed + (package + (inherit libxv) + (source (origin + (inherit (package-source libxv)) + (patches (search-patches + "libxv-CVE-2016-5407.patch")))))) (define-public mkfontdir (package -- 2.10.1