
Bug#892032: marked as done (jessie-pu: package wayland/1.6.0-2)



Your message dated Sun, 17 Jun 2018 19:11:47 +0100
with message-id <20180617181147.usug7yfrz6g43nx7@powdarrmonkey.net>
and subject line Re: Bug#892032: jessie-pu: package wayland/1.6.0-2
has caused the Debian Bug report #892032,
regarding jessie-pu: package wayland/1.6.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
892032: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892032
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

  I would like to apply the oldstable fix for #889681 in oldstable.
  I am attaching the patch I plan to upload to oldstable.
  Note, I have asked the security team whether they want to handle it via
  the security queue or a stable update instead.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From 5df34123d130816a1acf506d8e9f1a1c3e3efcc8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <zumbi@debian.org>
Date: Sun, 4 Mar 2018 12:29:17 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
 overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Héctor Orón Martínez <zumbi@debian.org>
---
 debian/changelog                    | 11 +++++++++
 debian/patches/CVE-2017-16612.patch | 47 +++++++++++++++++++++++++++++++++++++
 debian/patches/series               |  1 +
 3 files changed, 59 insertions(+)
 create mode 100644 debian/patches/CVE-2017-16612.patch
 create mode 100644 debian/patches/series

diff --git a/debian/changelog b/debian/changelog
index 645a4bc..b6409a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.6.0-2+deb8u1) stretch; urgency=medium
+
+  * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+    - libXcursor before 1.1.15 has various integer overflows that could lead
+      to heap buffer overflows when processing malicious cursors, e.g., with
+      programs like GIMP. It is also possible that an attack vector exists
+      against the related code in cursor/xcursor.c in Wayland through
+      1.14.0.
+
+ -- Héctor Orón Martínez <zumbi@debian.org>  Sun, 04 Mar 2018 12:27:36 +0100
+
 wayland (1.6.0-2) unstable; urgency=medium
 
   * Switch back to use upstream tarball.
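
Review bot: The distribution field on the first added changelog line is `stretch`, but the version is `1.6.0-2+deb8u1` and this is a jessie-pu request, so the entry targets the wrong suite. Change it to `wayland (1.6.0-2+deb8u1) jessie; urgency=medium`. The entry body also only repeats the CVE description; a line saying that the upstream bounds checks in cursor/xcursor.c were backported would tell the release team what actually changed.
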
diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 0000000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date:   Tue Nov 28 21:38:07 2017 +0100
+
+    cursor: Fix heap overflows when parsing malicious files.
+    
+    It is possible to trigger heap overflows due to an integer overflow
+    while parsing images.
+    
+    The integer overflow occurs because the chosen limit 0x10000 for
+    dimensions is too large for 32 bit systems, because each pixel takes
+    4 bytes. Properly chosen values allow an overflow which in turn will
+    lead to less allocated memory than needed for subsequent reads.
+    
+    See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+    
+    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+    [Pekka: add link to the corresponding libXcursor commit]
+    Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
++++ b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+     XcursorImage    *image;
+ 
++    if (width < 0 || height < 0)
++       return NULL;
++    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++       return NULL;
++
+     image = malloc (sizeof (XcursorImage) +
+ 		    width * height * sizeof (XcursorPixel));
+     if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile		*file,
+     if (!_XcursorReadUInt (file, &head.delay))
+ 	return NULL;
+     /* sanity check data */
+-    if (head.width >= 0x10000 || head.height > 0x10000)
++    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
++	head.height > XCURSOR_IMAGE_MAX_SIZE)
+ 	return NULL;
+     if (head.width == 0 || head.height == 0)
+ 	return NULL;
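
Review bot: Both bounds checks in the embedded cursor/xcursor.c hunks compare against `XCURSOR_IMAGE_MAX_SIZE`, but nothing in this patch defines that macro or shows its value, so the diff alone does not establish that the 1.6.0 tree builds with it, or that the limit is small enough to keep `width * height * sizeof (XcursorPixel)` from wrapping on 32-bit. Confirm the macro is present in 1.6.0's cursor/xcursor.c and state its value in the patch description. The file would also benefit from DEP-3 headers (Origin, Bug-Debian) above the upstream commit message.
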
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
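
Review bot: debian/patches/series is created as a new file here, so the package carried no patches before, and nothing in this diff shows how the series is applied at build time. Confirm the source format is 3.0 (quilt), or that debian/rules applies the series, and check that cursor/xcursor.c in the built tree contains the new checks.
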
-- 
2.16.2


--- End Message ---
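
The overflow described in the upstream commit message above, worked through as an added example (not code from the patch or from Wayland). It models a 32-bit `size_t` with `uint32_t`; `HDR_SIZE` stands in for `sizeof (XcursorImage)` and `ASSUMED_MAX_SIZE` for `XCURSOR_IMAGE_MAX_SIZE`, whose value the patch does not show, so both are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PIXEL_SIZE       4u       /* each pixel takes 4 bytes (commit message) */
#define HDR_SIZE         32u      /* assumption: stand-in for sizeof(XcursorImage) */
#define OLD_LIMIT        0x10000u /* limit in the line the patch removes */
#define ASSUMED_MAX_SIZE 0x7fffu  /* assumption: XCURSOR_IMAGE_MAX_SIZE value */

/* Size malloc() would receive with a 32-bit size_t: wraps modulo 2^32. */
uint32_t alloc_size_32(uint32_t w, uint32_t h)
{
    return HDR_SIZE + w * h * PIXEL_SIZE;
}

/* Bytes the parser goes on to read into the image, computed without wrap. */
uint64_t bytes_needed(uint32_t w, uint32_t h)
{
    return (uint64_t)HDR_SIZE + (uint64_t)w * h * PIXEL_SIZE;
}

/* Sanity check as it stood before the patch. */
bool old_check(uint32_t w, uint32_t h)
{
    return !(w >= OLD_LIMIT || h > OLD_LIMIT) && w != 0 && h != 0;
}

/* Sanity check after the patch, using the assumed macro value. */
bool new_check(uint32_t w, uint32_t h)
{
    return w <= ASSUMED_MAX_SIZE && h <= ASSUMED_MAX_SIZE && w != 0 && h != 0;
}

/* True when the wrapped allocation is smaller than the data read into it. */
bool under_allocates(uint32_t w, uint32_t h)
{
    return (uint64_t)alloc_size_32(w, h) < bytes_needed(w, h);
}

int main(void)
{
    uint32_t dims[] = { 0x8000u, ASSUMED_MAX_SIZE }; /* constructed inputs */
    for (int i = 0; i < 2; i++) {
        uint32_t d = dims[i];
        printf("%ux%u old=%d new=%d alloc32=%u needed=%llu short=%d\n",
               (unsigned)d, (unsigned)d, old_check(d, d), new_check(d, d),
               (unsigned)alloc_size_32(d, d),
               (unsigned long long)bytes_needed(d, d), under_allocates(d, d));
    }
    return 0;
}
```
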
--- Begin Message ---
Control: tag -1 wontfix

Hi,

This request was approved and tagged 'confirmed', but no upload was
subsequently made. With the final point release for Jessie now being
prepared, it's unfortunately too late for this package to be updated.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
