
Bug#970563: marked as done (buster-pu: package libx11/2:1.6.7-1+deb10u1)



Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #970563,
regarding buster-pu: package libx11/2:1.6.7-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
970563: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970563
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jcristau@debian.org, tjaalton@debian.org

This update fixes a few security issues in libx11, which don't
warrant a DSA. Debdiff attached.

Cheers,
        Moritz
diff -u libx11-1.6.7/debian/changelog libx11-1.6.7/debian/changelog
--- libx11-1.6.7/debian/changelog
+++ libx11-1.6.7/debian/changelog
@@ -1,3 +1,10 @@
+libx11 (2:1.6.7-1+deb10u1) buster; urgency=medium
+
+  * CVE-2020-14344
+  * CVE-2020-14363 (Closes: #969008)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Fri, 11 Sep 2020 19:38:11 +0200
+
 libx11 (2:1.6.7-1) unstable; urgency=medium
 
   * New upstream release.
diff -u libx11-1.6.7/debian/patches/series libx11-1.6.7/debian/patches/series
--- libx11-1.6.7/debian/patches/series
+++ libx11-1.6.7/debian/patches/series
@@ -5,0 +6,2 @@
+CVE-2020-14344.diff
+CVE-2020-14363.diff
only in patch2:
unchanged:
--- libx11-1.6.7.orig/debian/patches/CVE-2020-14344.diff
+++ libx11-1.6.7/debian/patches/CVE-2020-14344.diff
@@ -0,0 +1,296 @@
+Backport of the following upstream commits to address CVE-2020-14344:
+
+0e6561efcfaa0ae7b5c74eac7e064b76d687544e
+1703b9f3435079d3c6021e1ee2ec34fd4978103d
+1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+2fcfcc49f3b1be854bb9085993a01d17c62acf60
+388b303c62aa35a245f1704211a023440ad2c488
+93fce3f4e79cbc737d6468a4f68ba3de1b83953b
+
+diff -Naur libx11-1.6.7.orig/modules/im/ximcp/imDefIc.c libx11-1.6.7/modules/im/ximcp/imDefIc.c
+--- libx11-1.6.7.orig/modules/im/ximcp/imDefIc.c	2018-10-09 16:27:08.000000000 +0200
++++ libx11-1.6.7/modules/im/ximcp/imDefIc.c	2020-09-11 17:30:58.689814672 +0200
+@@ -350,7 +350,7 @@
+ 	     + sizeof(INT16)
+ 	     + XIM_PAD(2 + buf_size);
+ 
+-    if (!(buf = Xmalloc(buf_size)))
++    if (!(buf = Xcalloc(buf_size, 1)))
+ 	return arg->name;
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+ 
+@@ -708,6 +708,7 @@
+ #endif /* XIM_CONNECTABLE */
+ 
+     _XimGetCurrentICValues(ic, &ic_values);
++    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE
+ 	+ sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
+@@ -730,7 +731,7 @@
+ 
+ 	buf_size += ret_len;
+ 	if (buf == tmp_buf) {
+-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
++	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ 		return tmp_name;
+ 	    }
+ 	    memcpy(tmp, buf, buf_size);
+@@ -740,6 +741,7 @@
+ 		Xfree(buf);
+ 		return tmp_name;
+ 	    }
++            memset(&tmp[buf_size], 0, data_len);
+ 	    buf = tmp;
+ 	}
+     }
+diff -Naur libx11-1.6.7.orig/modules/im/ximcp/imDefIm.c libx11-1.6.7/modules/im/ximcp/imDefIm.c
+--- libx11-1.6.7.orig/modules/im/ximcp/imDefIm.c	2018-10-09 16:27:08.000000000 +0200
++++ libx11-1.6.7/modules/im/ximcp/imDefIm.c	2020-09-11 17:30:58.689814672 +0200
+@@ -62,6 +62,7 @@
+ #include "XimTrInt.h"
+ #include "Ximint.h"
+ 
++#include <limits.h>
+ 
+ int
+ _XimCheckDataSize(
+@@ -809,12 +810,16 @@
+     int			 buf_size;
+     int			 ret_code;
+     char		*locale_name;
++    size_t		 locale_len;
+ 
+     locale_name = im->private.proto.locale_name;
+-    len = strlen(locale_name);
+-    buf_b[0] = (BYTE)len;			   /* length of locale name */
+-    (void)strcpy((char *)&buf_b[1], locale_name);  /* locale name */
+-    len += sizeof(BYTE);			   /* sizeof length */
++    locale_len = strlen(locale_name);
++    if (locale_len > UCHAR_MAX)
++      return False;
++    memset(buf32, 0, sizeof(buf32));
++    buf_b[0] = (BYTE)locale_len;		/* length of locale name */
++    memcpy(&buf_b[1], locale_name, locale_len);	   /* locale name */
++    len = (INT16)(locale_len + sizeof(BYTE));	   /* sizeof length */
+     XIM_SET_PAD(buf_b, len);			   /* pad */
+ 
+     _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
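Review bot: The new `locale_len > UCHAR_MAX` guard bounds the name by the one-byte length field, not by the capacity of `buf32`, whose declaration is outside the hunk. The `memcpy` into `&buf_b[1]` is therefore safe only if the buffer holds the header plus 1 + UCHAR_MAX bytes and padding. A comment such as `/* length field is one BYTE; buf32 must hold header + 1 + UCHAR_MAX + pad */` would make that assumption visible to the next reader. Also worth noting in the comment: `memcpy` no longer copies the terminating NUL, so the preceding `memset` is what leaves the tail zeroed.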
+@@ -1289,6 +1294,7 @@
+ #endif /* XIM_CONNECTABLE */
+ 
+     _XimGetCurrentIMValues(im, &im_values);
++    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+     data_len = BUFSIZE - buf_size;
+@@ -1311,7 +1317,7 @@
+ 
+ 	buf_size += ret_len;
+ 	if (buf == tmp_buf) {
+-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
++	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ 		return arg->name;
+ 	    }
+ 	    memcpy(tmp, buf, buf_size);
+@@ -1321,6 +1327,7 @@
+ 		Xfree(buf);
+ 		return arg->name;
+ 	    }
++            memset(&tmp[buf_size], 0, data_len);
+ 	    buf = tmp;
+ 	}
+     }
+@@ -1462,7 +1469,7 @@
+ 	     + sizeof(INT16)
+ 	     + XIM_PAD(buf_size);
+ 
+-    if (!(buf = Xmalloc(buf_size)))
++    if (!(buf = Xcalloc(buf_size, 1)))
+ 	return arg->name;
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+ 
+@@ -1724,7 +1731,7 @@
+ 	+ sizeof(CARD16)
+ 	+ detail_len;
+ 
+-    if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
++    if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
+ 	goto free_detail_ptr;
+ 
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+@@ -1820,6 +1827,7 @@
+     int			 ret_code;
+ 
+     _XimGetCurrentIMValues(im, &im_values);
++    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+     data_len = BUFSIZE - buf_size;
+@@ -1842,7 +1850,7 @@
+ 
+ 	buf_size += ret_len;
+ 	if (buf == tmp_buf) {
+-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
++	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ 		return False;
+ 	    }
+ 	    memcpy(tmp, buf, buf_size);
+@@ -1852,6 +1860,7 @@
+ 		Xfree(buf);
+ 		return False;
+ 	    }
++            memset(&tmp[buf_size], 0, data_len);
+ 	    buf = tmp;
+ 	}
+     }
+diff -Naur libx11-1.6.7.orig/modules/im/ximcp/imRmAttr.c libx11-1.6.7/modules/im/ximcp/imRmAttr.c
+--- libx11-1.6.7.orig/modules/im/ximcp/imRmAttr.c	2018-10-09 16:27:08.000000000 +0200
++++ libx11-1.6.7/modules/im/ximcp/imRmAttr.c	2020-09-11 17:31:32.348034612 +0200
+@@ -29,6 +29,8 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++
+ #include "Xlibint.h"
+ #include "Xlcint.h"
+ #include "Ximint.h"
+@@ -214,7 +216,7 @@
+     Xic			  ic,
+     XIMResourceList	  res,
+     CARD16		 *data,
+-    INT16		  data_len,
++    CARD16		  data_len,
+     XPointer		  value,
+     BITMASK32		  mode)
+ {
+@@ -250,18 +252,24 @@
+ 
+     case XimType_XIMStyles:
+ 	{
+-	    INT16		 num = data[0];
++	    CARD16		 num = data[0];
+ 	    register CARD32	*style_list = (CARD32 *)&data[2];
+ 	    XIMStyle		*style;
+ 	    XIMStyles		*rep;
+ 	    register int	 i;
+ 	    char		*p;
+-	    int			 alloc_len;
++	    unsigned int         alloc_len;
+ 
+ 	    if (!(value))
+ 		return False;
+ 
++	    if (num > (USHRT_MAX / sizeof(XIMStyle)))
++		return False;
++	    if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
++		return False;
+ 	    alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
++	    if (alloc_len < sizeof(XIMStyles))
++		return False;
+ 	    if (!(p = Xmalloc(alloc_len)))
+ 		return False;
+ 
+@@ -313,7 +321,7 @@
+ 
+     case XimType_XFontSet:
+ 	{
+-	    INT16	 len = data[0];
++	    CARD16	 len = data[0];
+ 	    char	*base_name;
+ 	    XFontSet	 rep = (XFontSet)NULL;
+ 	    char	**missing_list = NULL;
+@@ -324,11 +332,12 @@
+ 		return False;
+ 	    if (!ic)
+ 		return False;
+-
++	    if (len > data_len)
++		return False;
+ 	    if (!(base_name = Xmalloc(len + 1)))
+ 		return False;
+ 
+-	    (void)strncpy(base_name, (char *)&data[1], (int)len);
++	    (void)strncpy(base_name, (char *)&data[1], (size_t)len);
+ 	    base_name[len] = '\0';
+ 
+ 	    if (mode & XIM_PREEDIT_ATTR) {
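Review bot: The added `if (len > data_len)` guard does not count the CARD16 length field in front of the name, although the copy reads `len` bytes starting at `&data[1]`. If `data_len` is measured from `data[0]` (that is decided by the callers, outside this hunk), the guard should be `if (sizeof(CARD16) + (size_t)len > data_len) return False;`. That would match the XIMStyles and XIMHotKeyTriggers checks in the neighbouring hunks, which both include their header bytes in the comparison.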
+@@ -357,19 +366,25 @@
+ 
+     case XimType_XIMHotKeyTriggers:
+ 	{
+-	    INT32			 num = *((CARD32 *)data);
++	    CARD32			 num = *((CARD32 *)data);
+ 	    register CARD32		*key_list = (CARD32 *)&data[2];
+ 	    XIMHotKeyTrigger		*key;
+ 	    XIMHotKeyTriggers		*rep;
+ 	    register int		 i;
+ 	    char			*p;
+-	    int				 alloc_len;
++	    unsigned int		 alloc_len;
+ 
+ 	    if (!(value))
+ 		return False;
+ 
++	    if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
++		return False;
++	    if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
++		return False;
+ 	    alloc_len = sizeof(XIMHotKeyTriggers)
+ 		      + sizeof(XIMHotKeyTrigger) * num;
++	    if (alloc_len < sizeof(XIMHotKeyTriggers))
++		return False;
+ 	    if (!(p = Xmalloc(alloc_len)))
+ 		return False;
+ 
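Review bot: `register int i` stays signed while `num` becomes `CARD32`, so if `i` is the loop index compared against `num` below the hunk, that comparison mixes signed and unsigned; `register unsigned int i;` would match the new type. Since `data_len` is a CARD16, the `data_len` comparison appears to be what actually bounds `num` here, and a comment such as `/* header (4 bytes) + num triggers of three CARD32 each must fit in data_len */` would explain the `num * 3 * sizeof(CARD32)` term. The case body continues past the end of the hunk.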
+@@ -1378,13 +1393,13 @@
+ 
+ static unsigned int
+ _XimCountNumberOfAttr(
+-    INT16	 total,
+-    CARD16	*attr,
+-    int		*names_len)
++    CARD16	  total,
++    CARD16	 *attr,
++    unsigned int *names_len)
+ {
+     unsigned int n;
+-    INT16	 len;
+-    INT16	 min_len = sizeof(CARD16)	/* sizeof attribute ID */
++    CARD16	 len;
++    CARD16	 min_len = sizeof(CARD16)	/* sizeof attribute ID */
+ 			 + sizeof(CARD16)	/* sizeof type of value */
+ 			 + sizeof(INT16);	/* sizeof length of attribute */
+ 
+@@ -1392,6 +1407,9 @@
+     *names_len = 0;
+     while (total > min_len) {
+ 	len = attr[2];
++	if (len >= (total - min_len)) {
++	    return 0;
++	}
+ 	*names_len += (len + 1);
+ 	len += (min_len + XIM_PAD(len + 2));
+ 	total -= len;
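Review bot: The new `len >= (total - min_len)` test compares the unpadded name length, but the amount subtracted from `total` two lines later also includes `XIM_PAD(len + 2)`. If the padding can push the record size past `total`, the CARD16 subtraction wraps and the loop keeps advancing through `attr`. Checking the whole record closes that gap: `unsigned int rec = min_len + len + XIM_PAD(len + 2);` followed by `if (rec > total) return 0;` before the subtraction. The loop body continues past the end of the hunk.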
+@@ -1406,17 +1424,15 @@
+     Xim			  im,
+     CARD16		 *buf)
+ {
+-    unsigned int	  n;
++    unsigned int	  n, names_len, values_len;
+     XIMResourceList	  res;
+     char		 *names;
+-    int			  names_len;
+     XPointer		  tmp;
+     XIMValuesList	 *values_list;
+     char		**values;
+-    int			  values_len;
+     register int	  i;
+-    INT16		  len;
+-    INT16		  min_len = sizeof(CARD16) /* sizeof attribute ID */
++    CARD16		  len;
++    CARD16		  min_len = sizeof(CARD16) /* sizeof attribute ID */
+ 				  + sizeof(CARD16) /* sizeof type of value */
+ 				  + sizeof(INT16); /* sizeof length of attr */
+     /*
only in patch2:
unchanged:
--- libx11-1.6.7.orig/debian/patches/CVE-2020-14363.diff
+++ libx11-1.6.7/debian/patches/CVE-2020-14363.diff
@@ -0,0 +1,31 @@
+From acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 13 Aug 2020 18:02:58 +0200
+Subject: [PATCH] Fix an integer overflow in init_om()
+
+CVE-2020-14363
+
+This can lead to a double free later, as reported by Jayden Rivers.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ modules/om/generic/omGeneric.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
+index c44acb88..406cec93 100644
+--- a/modules/om/generic/omGeneric.c
++++ b/modules/om/generic/omGeneric.c
+@@ -1908,7 +1908,8 @@ init_om(
+     char **required_list;
+     XOrientation *orientation;
+     char **value, buf[BUFSIZ], *bufptr;
+-    int count = 0, num = 0, length = 0;
++    int count = 0, num = 0;
++    unsigned int length = 0;
+ 
+     _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
+     if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
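Review bot: Making `length` an `unsigned int` gives the accumulation defined wrap-around but leaves it unchecked. The code that adds to `length` and presumably sizes an allocation from it is outside this hunk, and a 32-bit total can in principle still wrap. `size_t length = 0;` would match the type that `strlen` and the allocator use; alternatively the summing code can reject a total that no longer fits. init_om's body continues beyond the hunk.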
+-- 
+GitLab
+

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
