commit libXext.1714 for openSUSE:12.2:Update

Hello community, here is the log from the commit of package libXext.1714 for openSUSE:12.2:Update checked in at 2013-06-14 16:50:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/libXext.1714 (Old) and /work/SRC/openSUSE:12.2:Update/.libXext.1714.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libXext.1714" Changes: -------- New Changes file: --- /dev/null 2013-06-12 16:57:03.272031756 +0200 +++ /work/SRC/openSUSE:12.2:Update/.libXext.1714.new/libXext.changes 2013-06-14 16:50:42.000000000 +0200 @@ -0,0 +1,168 @@ +------------------------------------------------------------------- +Wed May 29 13:46:41 UTC 2013 - sndirsch@suse.com + +- U_0001-integer-overflow-in-XcupGetReservedColormapEntries-C.patch, + U_0002-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch, + U_0003-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch, + U_0004-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch, + U_0005-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch, + U_0006-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch, + * integer overflow(s) in XcupGetReservedColormapEntries(), + XcupStoreColors(), XdbeGetVisualInfo(), XeviGetVisualInfo(), + XShapeGetRectangles(), XSyncListSystemCounters() [CVE-2013-1982] + (bnc#821665, bnc#815451) + +------------------------------------------------------------------- +Thu Apr 12 07:26:16 UTC 2012 - vuntz@opensuse.org + +- Update to version 1.3.1: + + Fixes for compiler warnings + + Improvements to formattings for all the included extension API + specs + + Improvements to the documentation +- Changes from version 1.3.0: + + New API functions to support the Fence Sync Objects added in + Sync extension version 3.1 + + Redefine the return values of several MIT-SHM API calls from + Status (#define Status int) to Bool (typedef int Bool) to + clarify the expected interpretation of the return values + + Fix build issues + + Documentation improvements + + Build system improvements + +------------------------------------------------------------------- +Sat Feb 11 18:46:20 UTC 2012 - jengelh@medozas.de + +- Rename xorg-x11-libXext to libXext and utilize shlib policy + +------------------------------------------------------------------- +Sat Feb 4 23:27:46 UTC 2012 - jengelh@medozas.de + +- Remove apparently unused (Build)Requires on Xdmcp, xtrans +- Remove redundant tags/sections like %clean + (see specfile guidelines) +- Parallel build with %_smp_mflags + +------------------------------------------------------------------- +Tue Dec 21 02:44:31 UTC 2010 - sndirsch@novell.com + +- bumped version number to 7.6_1.2.0 + +------------------------------------------------------------------- +Thu Oct 28 14:07:53 UTC 2010 - sndirsch@novell.com + +- libXext 1.2.0 + * This release of the catchall library for the X11 extensions + without their own libraries adds documentation for many more + of the extension API's, in the form of the documents formerly + delivered in xorg-docs, now moved here and translated from a + variety of formats to DocBook/XML. + +------------------------------------------------------------------- +Sat Sep 4 18:16:50 UTC 2010 - sndirsch@novell.com + +- update to release 1.1.2 +- bumped version number to 7.5_1.1.2 +- make use of %fdupes macro +- fixed Summary/Group entries in -devel package + +------------------------------------------------------------------- +Fri Apr 2 18:02:19 CEST 2010 - sndirsch@suse.de + +- bumped version number to 7.5 + +------------------------------------------------------------------- +Thu Jan 14 15:54:18 CET 2010 - ro@suse.de + +- update to 1.1.1 (needed for xserver 1.7) + +------------------------------------------------------------------- +Fri Jan 1 06:52:42 CET 2010 - sndirsch@suse.de + +- libXext-commit-8a91fc6.diff: + * Silence "Generic Event Extension missing on display" warning + (bnc #567828) + +------------------------------------------------------------------- +Mon Dec 14 18:22:59 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source + +------------------------------------------------------------------- +Fri May 1 19:31:49 CEST 2009 - eich@suse.de + +- revert static library and .la file removal + for SUSE versions <= 11.1. + +------------------------------------------------------------------- +Tue Apr 21 20:24:35 CEST 2009 - crrodriguez@suse.de + +- remove static libraries and "la" files + +------------------------------------------------------------------- +Sun Mar 1 20:55:57 CET 2009 - sndirsch@suse.de + +- libXext 1.0.5 + +------------------------------------------------------------------- +Thu Sep 11 14:21:29 CEST 2008 - sndirsch@suse.de + +- bumped release number to 7.4 + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Fri Feb 29 15:18:17 CET 2008 - sndirsch@suse.de + +- libXext 1.0.4 + * Coverity #467: security_error_list has fewer than + XSecurityNumberErrors + +------------------------------------------------------------------- +Wed Dec 26 08:25:18 CET 2007 - crrodriguez@suse.de + +- fix library-without-ldconfig-postun warning + +------------------------------------------------------------------- +Sat Sep 29 12:22:53 CEST 2007 - sndirsch@suse.de + +- bumped version to 7.3 + +------------------------------------------------------------------- +Fri Jan 26 07:13:18 CET 2007 - sndirsch@suse.de + +- updated to release 1.0.3 + * Add XShm.man and aliases to Makefile.am + * Man page spelling/typo fixes + * Replace static ChangeLog with dist-hook to generate from git log + * Sun bug 4985712: man pages needed for MIT-SHM extension functions + +------------------------------------------------------------------- +Sat Oct 14 06:08:23 CEST 2006 - sndirsch@suse.de + +- updated to X.Org 7.2RC1 + +------------------------------------------------------------------- +Wed Aug 2 16:12:11 CEST 2006 - sndirsch@suse.de + +- fix setup line + +------------------------------------------------------------------- +Fri Jul 28 14:44:28 CEST 2006 - sndirsch@suse.de + +- use "-fno-strict-aliasing" + +------------------------------------------------------------------- +Thu Jul 27 11:42:46 CEST 2006 - sndirsch@suse.de + +- use $RPM_OPT_FLAGS + +------------------------------------------------------------------- +Thu Jun 22 20:40:51 CEST 2006 - sndirsch@suse.de + +- created package + New: ---- U_0001-integer-overflow-in-XcupGetReservedColormapEntries-C.patch U_0002-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch U_0003-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch U_0004-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch U_0005-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch U_0006-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch baselibs.conf libXext-1.3.1.tar.bz2 libXext.changes libXext.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXext.spec ++++++ # # spec file for package libXext # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libXext %define lname libXext6 Version: 1.3.1 Release: 0 Summary: Common extensions to the X11 protocol License: MIT Group: Development/Libraries/C and C++ Url: http://xorg.freedesktop.org/ #Git-Clone: git://anongit.freedesktop.org/xorg/lib/libXext #Git-Web: http://cgit.freedesktop.org/xorg/lib/libXext/ Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2 Patch0: U_0001-integer-overflow-in-XcupGetReservedColormapEntries-C.patch Patch1: U_0002-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch Patch2: U_0003-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch Patch3: U_0004-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch Patch4: U_0005-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch Patch5: U_0006-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build #git#BuildRequires: autoconf >= 2.60, automake, libtool BuildRequires: fdupes BuildRequires: pkgconfig BuildRequires: pkgconfig(x11) >= 1.1.99.1 BuildRequires: pkgconfig(xextproto) >= 7.1.99 BuildRequires: pkgconfig(xorg-macros) >= 1.12 BuildRequires: pkgconfig(xproto) >= 7.0.13 %description The Xext library contains a handful of X11 extensions: - Double Buffer extension (DBE/Xdbe) - Display Power Management Signaling (DPMS) extension - X11 Nonrectangular Window Shape extension (Xshape) - The MIT Shared Memory extension (MIT-SHM/Xshm) - TOG-CUP (colormap utilization policy) protocol extension (Xcup) - X Extended Visual Information extension (XEvi) - X11 Double-Buffering, Multi-Buffering, and Stereo extension (Xmbuf) %package -n %lname Summary: Common extensions to the X11 protocol Group: System/Libraries # O/P added for 12.2 Provides: xorg-x11-libXext = 7.6_%version-%release Obsoletes: xorg-x11-libXext < 7.6_%version-%release %description -n %lname The Xext library contains a handful of X11 extensions: - Double Buffer extension (DBE/Xdbe) - Display Power Management Signaling (DPMS) extension - X11 Nonrectangular Window Shape extension (Xshape) - The MIT Shared Memory extension (MIT-SHM/Xshm) - TOG-CUP (colormap) protocol extension (Xcup) - X Extended Visual Information extension (XEvi) - X11 Double-Buffering, Multi-Buffering, and Stereo extension (Xmbuf) %package devel Summary: Development files for the X11 Common Extensions library Group: Development/Libraries/C and C++ Requires: %lname = %version # O/P added for 12.2 Provides: xorg-x11-libXext-devel = 7.6_%version-%release Obsoletes: xorg-x11-libXext-devel < 7.6_%version-%release %description devel The Xext library contains a handful of X11 extensions: - Double Buffer extension (DBE/Xdbe) - Display Power Management Signaling (DPMS) extension - X11 Nonrectangular Window Shape extension (Xshape) - The MIT Shared Memory extension (MIT-SHM/Xshm) - TOG-CUP (colormap) protocol extension (Xcup) - X Extended Visual Information extension (XEvi) - X11 Double-Buffering, Multi-Buffering, and Stereo extension (Xmbuf) This package contains the development headers for the library found in %lname. %prep %setup -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %build %configure --docdir=%_docdir/%name --disable-static make %{?_smp_mflags} %install %makeinstall rm -f "%buildroot/%_libdir"/*.la %fdupes %buildroot %post -n %lname -p /sbin/ldconfig %postun -n %lname -p /sbin/ldconfig %files -n %lname %defattr(-,root,root) %_libdir/libXext.so.6* %files devel %defattr(-,root,root) %_includedir/X11/* %_libdir/libXext.so %_libdir/pkgconfig/xext.pc %_mandir/man3/* %_docdir/%name %changelog ++++++ U_0001-integer-overflow-in-XcupGetReservedColormapEntries-C.patch ++++++

From d05f27a6f74cb419ad5a437f2e4690b17e7faee5 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 9 Mar 2013 14:40:33 -0800 Subject: [PATCH] integer overflow in XcupGetReservedColormapEntries() [CVE-2013-1982 1/6]

If the computed number of entries is large enough that it overflows when multiplied by the size of a xColorItem struct, or is treated as negative when compared to the size of the stack allocated buffer, then memory corruption can occur when more bytes are read from the X server than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/Xcup.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) Index: libXext-1.3.1/src/Xcup.c =================================================================== --- libXext-1.3.1.orig/src/Xcup.c +++ libXext-1.3.1/src/Xcup.c @@ -36,6 +36,7 @@ in this Software without prior written a #include #include #include +#include static XExtensionInfo _xcup_info_data; static XExtensionInfo *xcup_info = &_xcup_info_data; @@ -133,15 +134,19 @@ XcupGetReservedColormapEntries( req->xcupReqType = X_XcupGetReservedColormapEntries; req->screen = screen; if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { - long nbytes; + unsigned long nbytes; xColorItem* rbufp; - int nentries = rep.length / 3; + unsigned int nentries = rep.length / 3; - nbytes = nentries * SIZEOF (xColorItem); - if (nentries > TYP_RESERVED_ENTRIES) - rbufp = (xColorItem*) Xmalloc (nbytes); - else - rbufp = rbuf; + if (nentries < (INT_MAX / SIZEOF (xColorItem))) { + nbytes = nentries * SIZEOF (xColorItem); + + if (nentries > TYP_RESERVED_ENTRIES) + rbufp = Xmalloc (nbytes); + else + rbufp = rbuf; + } else + rbufp = NULL; if (rbufp == NULL) { _XEatData (dpy, (unsigned long) nbytes); ++++++ U_0002-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch ++++++

From 082d70b19848059ba78c9d1c315114fb07e8c0ef Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 9 Mar 2013 14:40:33 -0800 Subject: [PATCH] integer overflow in XcupStoreColors() [CVE-2013-1982 2/6]

If the computed number of entries is large enough that it overflows when multiplied by the size of a xColorItem struct, or is treated as negative when compared to the size of the stack allocated buffer, then memory corruption can occur when more bytes are read from the X server than the size of the buffer we allocated to hold them. The requirement to match the number of colors specified by the caller makes this much harder to hit than the one in XcupGetReservedColormapEntries() Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/Xcup.c | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) Index: libXext-1.3.1/src/Xcup.c =================================================================== --- libXext-1.3.1.orig/src/Xcup.c +++ libXext-1.3.1/src/Xcup.c @@ -218,24 +218,21 @@ XcupStoreColors( } if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { - long nbytes; + unsigned long nbytes; xColorItem* rbufp; xColorItem* cs; - int nentries = rep.length / 3; + unsigned int nentries = rep.length / 3; - nbytes = nentries * SIZEOF (xColorItem); + if ((nentries == ncolors) && + (nentries < (INT_MAX / SIZEOF (xColorItem)))) { + nbytes = nentries * SIZEOF (xColorItem); - if (nentries != ncolors) { - _XEatData (dpy, (unsigned long) nbytes); - UnlockDisplay (dpy); - SyncHandle (); - return False; - } - - if (ncolors > 256) - rbufp = (xColorItem*) Xmalloc (nbytes); - else - rbufp = rbuf; + if (ncolors > 256) + rbufp = Xmalloc (nbytes); + else + rbufp = rbuf; + } else + rbufp = NULL; if (rbufp == NULL) { _XEatData (dpy, (unsigned long) nbytes); ++++++ U_0003-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch ++++++

From 96d1da55a08c4cd52b763cb07bdce5cdcbec4da8 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 9 Mar 2013 14:40:33 -0800 Subject: [PATCH] several integer overflows in XdbeGetVisualInfo() [CVE-2013-1982 3/6]

If the number of screens or visuals reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are read from the X server than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/Xdbe.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) Index: libXext-1.3.1/src/Xdbe.c =================================================================== --- libXext-1.3.1.orig/src/Xdbe.c +++ libXext-1.3.1/src/Xdbe.c @@ -39,6 +39,8 @@ #include #include #include +#include +#include "eat.h" static XExtensionInfo _dbe_info_data; static XExtensionInfo *dbe_info = &_dbe_info_data; @@ -352,9 +354,12 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo *num_screens = rep.m; /* allocate list of visual information to be returned */ - if (!(scrVisInfo = - (XdbeScreenVisualInfo *)Xmalloc( - (unsigned)(*num_screens * sizeof(XdbeScreenVisualInfo))))) { + if ((*num_screens > 0) && (*num_screens < 65536)) + scrVisInfo = Xmalloc(*num_screens * sizeof(XdbeScreenVisualInfo)); + else + scrVisInfo = NULL; + if (scrVisInfo == NULL) { + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return NULL; @@ -362,25 +367,27 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo for (i = 0; i < *num_screens; i++) { - int nbytes; int j; - long c; + unsigned long c; - _XRead32 (dpy, &c, sizeof(CARD32)); - scrVisInfo[i].count = c; + _XRead32 (dpy, (long *) &c, sizeof(CARD32)); - nbytes = scrVisInfo[i].count * sizeof(XdbeVisualInfo); + if (c < 65536) { + scrVisInfo[i].count = c; + scrVisInfo[i].visinfo = Xmalloc(c * sizeof(XdbeVisualInfo)); + } else + scrVisInfo[i].visinfo = NULL; /* if we can not allocate the list of visual/depth info * then free the lists that we already allocate as well * as the visual info list itself */ - if (!(scrVisInfo[i].visinfo = (XdbeVisualInfo *)Xmalloc( - (unsigned)nbytes))) { + if (scrVisInfo[i].visinfo == NULL) { for (j = 0; j < i; j++) { Xfree ((char *)scrVisInfo[j].visinfo); } Xfree ((char *)scrVisInfo); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return NULL; Index: libXext-1.3.1/src/eat.h =================================================================== --- /dev/null +++ libXext-1.3.1/src/eat.h @@ -0,0 +1,40 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#ifndef HAVE__XEATDATAWORDS +#include /* for LONG64 on 64-bit platforms */ +#include + +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif ++++++ U_0004-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch ++++++

From 67ecdcf7e29de9fa78b421122620525ed2c7db88 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 9 Mar 2013 14:40:33 -0800 Subject: [PATCH] integer overflow in XeviGetVisualInfo() [CVE-2013-1982 4/6]

If the number of visuals or conflicts reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are read from the X server than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/XEVI.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) Index: libXext-1.3.1/src/XEVI.c =================================================================== --- libXext-1.3.1.orig/src/XEVI.c +++ libXext-1.3.1/src/XEVI.c @@ -30,6 +30,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. #include #include #include +#include static XExtensionInfo *xevi_info;/* needs to move to globals.c */ static const char *xevi_extension_name = EVINAME; #define XeviCheckExtension(dpy,i,val) \ @@ -163,13 +164,20 @@ Status XeviGetVisualInfo( return BadAccess; } Xfree(temp_visual); - sz_info = rep.n_info * sizeof(ExtendedVisualInfo); - sz_xInfo = rep.n_info * sz_xExtendedVisualInfo; - sz_conflict = rep.n_conflicts * sizeof(VisualID); - sz_xConflict = rep.n_conflicts * sz_VisualID32; - infoPtr = *evi_return = (ExtendedVisualInfo *)Xmalloc(sz_info + sz_conflict); - xInfoPtr = temp_xInfo = (xExtendedVisualInfo *)Xmalloc(sz_xInfo); - xConflictPtr = temp_conflict = (VisualID32 *)Xmalloc(sz_xConflict); + if ((rep.n_info < 65536) && (rep.n_conflicts < 65536)) { + sz_info = rep.n_info * sizeof(ExtendedVisualInfo); + sz_xInfo = rep.n_info * sz_xExtendedVisualInfo; + sz_conflict = rep.n_conflicts * sizeof(VisualID); + sz_xConflict = rep.n_conflicts * sz_VisualID32; + *evi_return = Xmalloc(sz_info + sz_conflict); + temp_xInfo = Xmalloc(sz_xInfo); + temp_conflict = Xmalloc(sz_xConflict); + } else { + sz_xInfo = sz_xConflict = 0; + *evi_return = NULL; + temp_xInfo = NULL; + temp_conflict = NULL; + } if (!*evi_return || !temp_xInfo || !temp_conflict) { _XEatData(dpy, (sz_xInfo + sz_xConflict + 3) & ~3); UnlockDisplay(dpy); @@ -186,6 +194,9 @@ Status XeviGetVisualInfo( _XRead(dpy, (char *)temp_conflict, sz_xConflict); UnlockDisplay(dpy); SyncHandle(); + infoPtr = *evi_return; + xInfoPtr = temp_xInfo; + xConflictPtr = temp_conflict; n_data = rep.n_info; conflict = (VisualID *)(infoPtr + n_data); while (n_data-- > 0) { ++++++ U_0005-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch ++++++

From 6ecd96e8be3c33e2ffad6631cea4aa0a030d93c2 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 9 Mar 2013 14:40:33 -0800 Subject: [PATCH] integer overflow in XShapeGetRectangles() [CVE-2013-1982 5/6]

If the number of rectangles reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are read from the X server than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/XShape.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) Index: libXext-1.3.1/src/XShape.c =================================================================== --- libXext-1.3.1.orig/src/XShape.c +++ libXext-1.3.1/src/XShape.c @@ -35,6 +35,7 @@ in this Software without prior written a #include #include #include +#include static XExtensionInfo _shape_info_data; static XExtensionInfo *shape_info = &_shape_info_data; @@ -442,7 +443,7 @@ XRectangle *XShapeGetRectangles ( xShapeGetRectanglesReply rep; XRectangle *rects; xRectangle *xrects; - int i; + unsigned int i; ShapeCheckExtension (dpy, info, (XRectangle *)NULL); @@ -460,20 +461,23 @@ XRectangle *XShapeGetRectangles ( *count = rep.nrects; *ordering = rep.ordering; rects = NULL; - if (*count) { - xrects = (xRectangle *) Xmalloc (*count * sizeof (xRectangle)); - rects = (XRectangle *) Xmalloc (*count * sizeof (XRectangle)); + if (rep.nrects) { + if (rep.nrects < (INT_MAX / sizeof (XRectangle))) { + xrects = Xmalloc (rep.nrects * sizeof (xRectangle)); + rects = Xmalloc (rep.nrects * sizeof (XRectangle)); + } else { + xrects = NULL; + rects = NULL; + } if (!xrects || !rects) { - if (xrects) - Xfree (xrects); - if (rects) - Xfree (rects); + Xfree (xrects); + Xfree (rects); _XEatData (dpy, *count * sizeof (xRectangle)); rects = NULL; *count = 0; } else { - _XRead (dpy, (char *) xrects, *count * sizeof (xRectangle)); - for (i = 0; i < *count; i++) { + _XRead (dpy, (char *) xrects, rep.nrects * sizeof (xRectangle)); + for (i = 0; i < rep.nrects; i++) { rects[i].x = (short) cvtINT16toInt (xrects[i].x); rects[i].y = (short) cvtINT16toInt (xrects[i].y); rects[i].width = xrects[i].width; ++++++ U_0006-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch ++++++

From dfe6e1f3b8ede3d0bab7a5fa57f73513a09ec649 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 9 Mar 2013 14:40:33 -0800 Subject: [PATCH] integer overflow in XSyncListSystemCounters() [CVE-2013-1982 6/6]

If the number of counters or amount of data reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are read from the X server than the size of the buffers we allocated to hold them. V2: Make sure we don't walk past the end of the reply when converting data from wire format to the structures returned to the caller. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/XSync.c | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) Index: libXext-1.3.1/src/XSync.c =================================================================== --- libXext-1.3.1.orig/src/XSync.c +++ libXext-1.3.1/src/XSync.c @@ -59,6 +59,7 @@ PERFORMANCE OF THIS SOFTWARE. #include #include #include +#include static XExtensionInfo _sync_info_data; static XExtensionInfo *sync_info = &_sync_info_data; @@ -351,19 +352,28 @@ XSyncListSystemCounters(Display *dpy, in if (rep.nCounters > 0) { xSyncSystemCounter *pWireSysCounter, *pNextWireSysCounter; + xSyncSystemCounter *pLastWireSysCounter; XSyncCounter counter; - int replylen; + unsigned int replylen; int i; - list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter)); - replylen = rep.length << 2; - pWireSysCounter = Xmalloc ((unsigned) replylen + sizeof(XSyncCounter)); - /* +1 to leave room for last counter read-ahead */ + if (rep.nCounters < (INT_MAX / sizeof(XSyncSystemCounter))) + list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter)); + if (rep.length < (INT_MAX >> 2)) { + replylen = rep.length << 2; + pWireSysCounter = Xmalloc (replylen + sizeof(XSyncCounter)); + /* +1 to leave room for last counter read-ahead */ + pLastWireSysCounter = (xSyncSystemCounter *) + ((char *)pWireSysCounter) + replylen; + } else { + replylen = 0; + pWireSysCounter = NULL; + } if ((!list) || (!pWireSysCounter)) { - if (list) Xfree((char *) list); - if (pWireSysCounter) Xfree((char *) pWireSysCounter); + Xfree(list); + Xfree(pWireSysCounter); _XEatData(dpy, (unsigned long) replylen); list = NULL; goto bail; @@ -387,6 +397,14 @@ XSyncListSystemCounters(Display *dpy, in pNextWireSysCounter = (xSyncSystemCounter *) (((char *)pWireSysCounter) + ((SIZEOF(xSyncSystemCounter) + pWireSysCounter->name_length + 3) & ~3)); + /* Make sure we haven't gone too far */ + if (pNextWireSysCounter > pLastWireSysCounter) { + Xfree(list); + Xfree(pWireSysCounter); + list = NULL; + goto bail; + } + counter = pNextWireSysCounter->counter; list[i].name = ((char *)pWireSysCounter) + ++++++ baselibs.conf ++++++ libXext6 provides "xorg-x11-libXext-<targettype> = 7.6_<version>" obsoletes "xorg-x11-libXext-<targettype> < 7.6_<version>" libXext-devel requires -libXext-<targettype> requires "libXext6-<targettype> = <version>" provides "xorg-x11-libXext-devel-<targettype> = 7.6_<version>" obsoletes "xorg-x11-libXext-devel-<targettype> < 7.6_<version>" -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org