- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package libx11/2:1.6.2-3+deb8u1
- From: Julien Cristau <jcristau@debian.org>
- Date: Sat, 28 Jan 2017 14:29:03 +0100
- Message-id: <20170128132903.ssryngs6rtywehz7@betterave.cristau.org>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
This is a bunch of CVE fixes, already in wheezy-lts and sid.
Cheers,
Julien
diff -u libx11-1.6.2/debian/changelog libx11-1.6.2/debian/changelog
--- libx11-1.6.2/debian/changelog
+++ libx11-1.6.2/debian/changelog
@@ -1,3 +1,11 @@
+libx11 (2:1.6.2-3+deb8u1) jessie; urgency=medium
+
+ * Insufficient validation of data from the X server can cause out of
+ boundary memory read (XGetImage()) or write (XListFonts()).
+ Addresses CVE-2016-7942 and CVE-2016-7943.
+
+ -- Julien Cristau <jcristau@debian.org> Sat, 28 Jan 2017 14:01:35 +0100
+
libx11 (2:1.6.2-3) unstable; urgency=medium
[ Julien Cristau ]
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/FontNames.c
+++ libx11-1.6.2/src/FontNames.c
@@ -43,6 +43,7 @@
register int length;
char **flist = NULL;
char *ch = NULL;
+ char *chstart;
char *chend;
int count = 0;
xListFontsReply rep;
@@ -66,7 +67,7 @@
if (rep.nFonts) {
flist = Xmalloc (rep.nFonts * sizeof(char *));
- if (rep.length < (INT_MAX >> 2)) {
+ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
rlen = rep.length << 2;
ch = Xmalloc(rlen + 1);
/* +1 to leave room for last null-terminator */
@@ -86,6 +87,7 @@
/*
* unpack into null terminated strings.
*/
+ chstart = ch;
chend = ch + (rlen + 1);
length = *(unsigned char *)ch;
*ch = 1; /* make sure it is non-zero for XFreeFontNames */
@@ -93,11 +95,24 @@
if (ch + length < chend) {
flist[i] = ch + 1; /* skip over length */
ch += length + 1; /* find next length ... */
- length = *(unsigned char *)ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
- } else
- flist[i] = NULL;
+ if (ch <= chend) {
+ length = *(unsigned char *)ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else {
+ Xfree(chstart);
+ Xfree(flist);
+ flist = NULL;
+ count = 0;
+ break;
+ }
+ } else {
+ Xfree(chstart);
+ Xfree(flist);
+ flist = NULL;
+ count = 0;
+ break;
+ }
}
}
*actualCount = count;
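Review bot: The new bounds test at L66 still lets one byte be read and written past the buffer: `ch` is allocated with `Xmalloc(rlen + 1)` (L47), so its last valid byte is `ch + rlen`, but `chend = ch + (rlen + 1)` (L54) is one past the end and `ch <= chend` accepts `ch == chend`, after which L67 reads and L68 writes `*ch` out of bounds. Because the outer test `ch + length < chend` already guarantees `ch + length + 1 <= chend`, the inner condition is in fact always true and its else branch never runs. Changing it to `if (ch <= chend) {` → `if (ch < chend) {` keeps the terminator write inside the allocation and makes the error branch reachable for a string that ends exactly at the buffer end. ListExt.c applies the same `ch <= chend` test at L155 and should be checked against that file's own `chend` computation, which is outside its hunk; XListFonts's body also continues outside this hunk.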
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/GetImage.c
+++ libx11-1.6.2/src/GetImage.c
@@ -59,6 +59,7 @@
char *data;
unsigned long nbytes;
XImage *image;
+ int planes;
LockDisplay(dpy);
GetReq (GetImage, req);
/*
@@ -91,18 +92,28 @@
return (XImage *) NULL;
}
_XReadPad (dpy, data, nbytes);
- if (format == XYPixmap)
- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
- Ones (plane_mask &
- (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
- format, 0, data, width, height, dpy->bitmap_pad, 0);
- else /* format == ZPixmap */
- image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
- rep.depth, ZPixmap, 0, data, width, height,
- _XGetScanlinePad(dpy, (int) rep.depth), 0);
+ if (format == XYPixmap) {
+ image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+ Ones (plane_mask &
+ (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+ format, 0, data, width, height, dpy->bitmap_pad, 0);
+ planes = image->depth;
+ } else { /* format == ZPixmap */
+ image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+ rep.depth, ZPixmap, 0, data, width, height,
+ _XGetScanlinePad(dpy, (int) rep.depth), 0);
+ planes = 1;
+ }
if (!image)
Xfree(data);
+ if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
+ INT_MAX / image->height <= image->bytes_per_line ||
+ INT_MAX / planes <= image->height * image->bytes_per_line ||
+ nbytes < planes * image->height * image->bytes_per_line) {
+ XDestroyImage(image);
+ image = NULL;
+ }
UnlockDisplay(dpy);
SyncHandle();
return (image);
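Review bot: The added validation at L126-L129 dereferences `image` after the `if (!image) Xfree(data);` on L124-L125, so a failed XCreateImage now ends in a NULL dereference where the old code returned NULL; `planes = image->depth;` on L117 has the same problem in the XYPixmap branch. Make the validation the else arm of the NULL check, `if (!image) { Xfree(data); } else if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||`, and compute `planes = image ? image->depth : 0;` at L117, since a zero `planes` is then rejected by the `planes < 1` test. XDestroyImage on L130 also releases `data` through the image, so nothing else may free it on that path. The function's prologue is outside the hunk.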
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/ListExt.c
+++ libx11-1.6.2/src/ListExt.c
@@ -55,7 +55,7 @@
if (rep.nExtensions) {
list = Xmalloc (rep.nExtensions * sizeof (char *));
- if (rep.length < (INT_MAX >> 2)) {
+ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
rlen = rep.length << 2;
ch = Xmalloc (rlen + 1);
/* +1 to leave room for last null-terminator */
@@ -80,9 +80,13 @@
if (ch + length < chend) {
list[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
- length = *ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
+ if (ch <= chend) {
+ length = *ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else {
+ list[i] = NULL;
+ }
} else
list[i] = NULL;
}
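Review bot: The length byte is still read through a plain `char` at L156 (`length = *ch;`), so on targets where `char` is signed a byte of 0x80 or above yields a negative `length`; the guard `ch + length < chend` then passes trivially and `ch += length + 1` moves the cursor backwards, so the `*ch = '\0'` write lands before the current string and can fall before the start of the buffer. FontNames.c in this same patch reads the byte as `*(unsigned char *)ch` (L67); ListExt.c should do the same, `length = *(unsigned char *)ch;`, here and presumably in the initial read of `length` before the loop, which is outside the hunk. XListExtensions's body starts and ends outside the hunk.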
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/ModMap.c
+++ libx11-1.6.2/src/ModMap.c
@@ -42,7 +42,8 @@
GetEmptyReq(GetModifierMapping, req);
(void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
- if (rep.length < (INT_MAX >> 2)) {
+ if (rep.length < (INT_MAX >> 2) &&
+ (rep.length >> 1) == rep.numKeyPerModifier) {
nbytes = (unsigned long)rep.length << 2;
res = Xmalloc(sizeof (XModifierKeymap));
if (res)
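Review bot: The new consistency test `(rep.length >> 1) == rep.numKeyPerModifier` on L174 deserves a comment, since the relation between the two fields is not evident from the code: the reply carries one keycode byte per modifier for each of the 8 modifiers, i.e. `8 * numKeyPerModifier` bytes or `2 * numKeyPerModifier` 32-bit words, which is the unit `rep.length` counts. A line such as `/* reply body is 8 * numKeyPerModifier keycodes = 2 * numKeyPerModifier 32-bit words */` above the `if` would record that. The path taken for a rejected reply is outside the hunk; it is worth confirming it discards the unread reply body so the connection stays in sync.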