Your message dated Sun, 17 Jun 2018 20:18:06 +0100
with message-id <1529263086.2082.36.camel@adam-barratt.org.uk>
and subject line Re: Bug#852954: jessie-pu: package libxrender/1:0.9.8-1+deb8u1
has caused the Debian Bug report #852954,
regarding jessie-pu: package libxrender/1:0.9.8-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
852954: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852954
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package libxrender/1:0.9.8-1+deb8u1
- From: Julien Cristau <jcristau@debian.org>
- Date: Sat, 28 Jan 2017 15:30:54 +0100
- Message-id: <20170128143054.wlek4ni4wf4x7hmc@betterave.cristau.org>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu One more. Cheers, Julien diff -u libxrender-0.9.8/debian/changelog libxrender-0.9.8/debian/changelog --- libxrender-0.9.8/debian/changelog +++ libxrender-0.9.8/debian/changelog @@ -1,3 +1,11 @@ +libxrender (1:0.9.8-1+deb8u1) jessie; urgency=medium + + * Insufficient validation of data from the X server + can cause out of boundary memory writes. Addresses CVE-2016-7949 and + CVE-2016-7950. + + -- Julien Cristau <jcristau@debian.org> Sat, 28 Jan 2017 15:11:56 +0100 + libxrender (1:0.9.8-1) sid; urgency=low * New upstream release. only in patch2: unchanged: --- libxrender-0.9.8.orig/src/Filter.c +++ libxrender-0.9.8/src/Filter.c @@ -38,7 +38,7 @@ char *name; char len; int i; - unsigned long nbytes, nbytesAlias, nbytesName; + unsigned long nbytes, nbytesAlias, nbytesName, reply_left; if (!RenderHasExtension (info)) return NULL; @@ -114,6 +114,7 @@ * Read the filter aliases */ _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases); + reply_left = 8 + rep.length - 2 * rep.numAliases;; /* * Read the filter names @@ -122,9 +123,19 @@ { int l; _XRead (dpy, &len, 1); + reply_left--; l = len & 0xff; + if ((unsigned long)l + 1 > nbytesName) { + _XEatDataWords(dpy, reply_left); + Xfree(filters); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; + } + nbytesName -= l + 1; filters->filter[i] = name; _XRead (dpy, name, l); + reply_left -= l; name[l] = '\0'; name += l + 1; } only in patch2: unchanged: --- libxrender-0.9.8.orig/src/Xrender.c +++ libxrender-0.9.8/src/Xrender.c 
@@ -533,12 +533,30 @@ screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); screen->subpixel = SubPixelUnknown; xDepth = (xPictDepth *) (xScreen + 1); + if (screen->ndepths > rep.numDepths) { + Xfree (xri); + Xfree (xData); + _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return 0; + } + rep.numDepths -= screen->ndepths; for (nd = 0; nd < screen->ndepths; nd++) { depth->depth = xDepth->depth; depth->nvisuals = xDepth->nPictVisuals; depth->visuals = visual; xVisual = (xPictVisual *) (xDepth + 1); + if (depth->nvisuals > rep.numVisuals) { + Xfree (xri); + Xfree (xData); + _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return 0; + } + rep.numVisuals -= depth->nvisuals; for (nv = 0; nv < depth->nvisuals; nv++) { visual->visual = _XRenderFindVisual (dpy, xVisual->visual);Attachment: signature.asc
Description: PGP signature
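Review bot: In src/Filter.c, hunk "@@ -114,6 +114,7 @@", the new line "reply_left = 8 + rep.length - 2 * rep.numAliases;;" mixes units. The length field of an X reply counts 4-byte words, while "2 * rep.numAliases" is the byte count that was just handed to _XRead16Pad, so the result is neither a byte count nor a word count. Convert rep.length to bytes before subtracting (or convert the alias size to words, including the padding _XRead16Pad consumes), add a comment saying what the constant 8 stands for, and drop the stray second semicolon.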
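Review bot: In src/Filter.c, hunk "@@ -122,9 +123,19 @@", the added check bounds "l + 1" against nbytesName only, while reply_left is decremented ("reply_left--", "reply_left -= l") with no guard of its own. reply_left is an unsigned long, so a reply whose name lengths exceed what its length field announced makes it wrap, and the bail-out then calls "_XEatDataWords(dpy, reply_left)" with a very large value. The same call also treats a counter that was counted down in bytes as a number of words. Suggest checking "l" against reply_left next to the nbytesName check, and converting the remaining bytes to words (rounded up) at the _XEatDataWords call.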
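Review bot: In src/Xrender.c, hunk "@@ -533,12 +533,30 @@", both new bail-outs call "_XEatDataWords (dpy, rep.length)" at a point where the reply is already being walked through xScreen, xDepth and xVisual, and where xData is freed. If the reply body was read into xData before this loop, nothing of it is left on the connection, and discarding rep.length further words would eat the start of whatever the server sends next; in that case the _XEatDataWords call should be dropped from both error paths. Please confirm against the code above the hunk. Separately, the six-line cleanup is duplicated verbatim for the ndepths and nvisuals checks; a single shared exit path would keep the two from drifting apart, and a local counter would be clearer than decrementing rep.numDepths and rep.numVisuals in the reply structure itself.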
--- End Message ---
--- Begin Message ---
- To: Julien Cristau <jcristau@debian.org>, 852954-done@bugs.debian.org
- Subject: Re: Bug#852954: jessie-pu: package libxrender/1:0.9.8-1+deb8u1
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sun, 17 Jun 2018 20:18:06 +0100
- Message-id: <1529263086.2082.36.camel@adam-barratt.org.uk>
- In-reply-to: <20170909124031.2brfqqzkgrzwxmpp@betterave.cristau.org>
- References: <20170128143054.wlek4ni4wf4x7hmc@betterave.cristau.org> <20170128143054.wlek4ni4wf4x7hmc@betterave.cristau.org> <20170909124031.2brfqqzkgrzwxmpp@betterave.cristau.org>
Control: tags -1 + wontfix

On Sat, 2017-09-09 at 14:40 +0200, Julien Cristau wrote:
> On Sat, Jan 28, 2017 at 15:30:54 +0100, Julien Cristau wrote:
>
> > Package: release.debian.org
> > Severity: normal
> > Tags: jessie
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> >
> > One more.
> >
>
> For the record this is blocked on getting resolution upstream on
> https://lists.x.org/pipermail/xorg-devel/2017-January/052247.html
> Poked again today,
> https://lists.x.org/pipermail/xorg-devel/2017-September/054604.html

Unfortunately there was no further activity, and the window for getting
fixes in to the final point release for jessie (before it moves to LTS
support) has now closed.

Regards,

Adam
--- End Message ---