Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
And another one.
Cheers,
Julien
diff -u libxtst-1.2.2/debian/changelog libxtst-1.2.2/debian/changelog
--- libxtst-1.2.2/debian/changelog
+++ libxtst-1.2.2/debian/changelog
@@ -1,3 +1,11 @@
+libxtst (2:1.2.2-1+deb8u1) jessie; urgency=medium
+
+ * Insufficient validation of data from the X server can cause out of
+ boundary memory access or endless loops. Addresses CVE-2016-7951 and
+ CVE-2016-7952.
+
+ -- Julien Cristau <jcristau@debian.org> Sat, 28 Jan 2017 15:53:24 +0100
+
libxtst (2:1.2.2-1) unstable; urgency=low
* New upstream release.
only in patch2:
unchanged:
--- libxtst-1.2.2.orig/src/XRecord.c
+++ libxtst-1.2.2/src/XRecord.c
@@ -760,15 +760,23 @@
switch (rep->category) {
case XRecordFromServer:
if (rep->elementHeader&XRecordFromServerTime) {
+ if (current_index + 4 > rep->length << 2)
+ return Error;
EXTRACT_CARD32(rep->clientSwapped,
reply->buf+current_index,
data->server_time);
current_index += 4;
}
+ if (current_index + 1 > rep->length << 2)
+ return Error;
switch (reply->buf[current_index]) {
case X_Reply: /* reply */
+ if (current_index + 8 > rep->length << 2)
+ return Error;
EXTRACT_CARD32(rep->clientSwapped,
reply->buf+current_index+4, datum_bytes);
+ if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8))
+ return Error;
datum_bytes = (datum_bytes+8) << 2;
break;
default: /* error or event */
@@ -777,52 +785,73 @@
break;
case XRecordFromClient:
if (rep->elementHeader&XRecordFromClientTime) {
+ if (current_index + 4 > rep->length << 2)
+ return Error;
EXTRACT_CARD32(rep->clientSwapped,
reply->buf+current_index,
data->server_time);
current_index += 4;
}
if (rep->elementHeader&XRecordFromClientSequence) {
+ if (current_index + 4 > rep->length << 2)
+ return Error;
EXTRACT_CARD32(rep->clientSwapped,
reply->buf+current_index,
data->client_seq);
current_index += 4;
}
+ if (current_index + 4 > rep->length<<2)
+ return Error;
if (reply->buf[current_index+2] == 0
&& reply->buf[current_index+3] == 0) /* needn't swap 0 */
{ /* BIG-REQUESTS */
+ if (current_index + 8 > rep->length << 2)
+ return Error;
EXTRACT_CARD32(rep->clientSwapped,
reply->buf+current_index+4, datum_bytes);
} else {
EXTRACT_CARD16(rep->clientSwapped,
reply->buf+current_index+2, datum_bytes);
}
+ if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2)
+ return Error;
datum_bytes <<= 2;
break;
case XRecordClientStarted:
+ if (current_index + 8 > rep->length << 2)
+ return Error;
EXTRACT_CARD16(rep->clientSwapped,
reply->buf+current_index+6, datum_bytes);
datum_bytes = (datum_bytes+2) << 2;
break;
case XRecordClientDied:
if (rep->elementHeader&XRecordFromClientSequence) {
+ if (current_index + 4 > rep->length << 2)
+ return Error;
EXTRACT_CARD32(rep->clientSwapped,
reply->buf+current_index,
data->client_seq);
current_index += 4;
- }
- /* fall through */
+ } else if (current_index < rep->length << 2)
+ return Error;
+ datum_bytes = 0;
+ break;
case XRecordStartOfData:
case XRecordEndOfData:
+ if (current_index < rep->length << 2)
+ return Error;
datum_bytes = 0;
+ break;
}
if (datum_bytes > 0) {
- if (current_index + datum_bytes > rep->length << 2)
+ if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) {
fprintf(stderr,
"XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n",
- (long)rep->length << 2, current_index + datum_bytes,
+ (unsigned long)rep->length << 2, current_index + datum_bytes,
dpy->last_request_read);
+ return Error;
+ }
/*
* This assignment (and indeed the whole buffer sharing
* scheme) assumes arbitrary 4-byte boundaries are
@@ -872,6 +901,12 @@
UnlockDisplay(dpy);
SyncHandle();
return 0;
+ }
+
+ if (rep.length > INT_MAX >> 2) {
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return 0;
}
if (rep.length > 0) {
Attachment:
signature.asc
Description: PGP signature