
Bug#909842: stretch-pu: package libx11/2:1.6.4-3



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I would like to update libx11 in Stretch because it is currently
affected by CVE-2018-14598, CVE-2018-14599 and CVE-2018-14600. The
security team marked all issues as no-dsa. Please find attached the
debdiff. I had to refresh one unrelated patch because it did not apply
correctly. No other changes were made.

Regards,

Markus
diff -u libx11-1.6.4/debian/changelog libx11-1.6.4/debian/changelog
--- libx11-1.6.4/debian/changelog
+++ libx11-1.6.4/debian/changelog
@@ -1,3 +1,23 @@
+libx11 (2:1.6.4-3+deb9u1) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2018-14598, CVE-2018-14599 and CVE-2018-14600:
+  * CVE-2018-14599:
+    The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable
+    to an off-by-one override on malicious server responses.
+  * CVE-2018-14600:
+    The length value is interpreted as signed char on many systems (depending
+    on default signedness of char), which can lead to an out of boundary write
+    up to 128 bytes in front of the allocated storage, but limited to NUL
+    byte(s).
+  * CVE-2018-14598:
+    If the server sends a reply in which even the first string would overflow
+    the transmitted bytes, list[0] (or flist[0]) will be set to NULL and a
+    count of 0 is returned. This may trigger a segmentation fault leading to a
+    Denial of Service.
+
+ -- Markus Koschany <apo@debian.org>  Sat, 29 Sep 2018 14:05:05 +0200
+
 libx11 (2:1.6.4-3) unstable; urgency=high
 
   [ Emilio Pozuelo Monfort ]
diff -u libx11-1.6.4/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff libx11-1.6.4/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff
--- libx11-1.6.4/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff
+++ libx11-1.6.4/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff
@@ -49,10 +49,8 @@
 Partially submitted upstream.  This is so large I don't expect it to all go in at once,
 but any bit would help.  --Nathanael
 
-Index: libx11/nls/compose.dir.pre
-===================================================================
---- libx11.orig/nls/compose.dir.pre
-+++ libx11/nls/compose.dir.pre
+--- a/nls/compose.dir.pre
++++ b/nls/compose.dir.pre
 @@ -4,8 +4,13 @@ XCOMM	The first word is the compose tabl
  XCOMM	and the second word is the full locale name.
  XCOMM
@@ -234,7 +232,7 @@
  en_US.UTF-8/Compose:		ph_PH.UTF-8
  en_US.UTF-8/Compose:		pl_PL.UTF-8
  en_US.UTF-8/Compose:		pp_AN.UTF-8
-@@ -433,9 +466,11 @@ en_US.UTF-8/Compose:		sd_IN@devanagari.U
+@@ -433,9 +466,11 @@ en_US.UTF-8/Compose:		sd_IN.UTF-8@devana
  en_US.UTF-8/Compose:		se_NO.UTF-8
  en_US.UTF-8/Compose:		sh_BA.UTF-8
  en_US.UTF-8/Compose:		sh_YU.UTF-8
@@ -254,10 +252,8 @@
  en_US.UTF-8/Compose:		tl_PH.UTF-8
  en_US.UTF-8/Compose:		tn_ZA.UTF-8
  en_US.UTF-8/Compose:		tr_TR.UTF-8
-Index: libx11/nls/locale.alias.pre
-===================================================================
---- libx11.orig/nls/locale.alias.pre
-+++ libx11/nls/locale.alias.pre
+--- a/nls/locale.alias.pre
++++ b/nls/locale.alias.pre
 @@ -311,6 +311,12 @@ en_CA.iso88591:					en_CA.ISO8859-1
  en_CA.ISO-8859-1:				en_CA.ISO8859-1
  en_CA.ISO_8859-1:				en_CA.ISO8859-1
@@ -332,10 +328,8 @@
  french:						fr_FR.ISO8859-1
  french.iso88591:				fr_CH.ISO8859-1
  galego:						gl_ES.ISO8859-1
-Index: libx11/nls/locale.dir.pre
-===================================================================
---- libx11.orig/nls/locale.dir.pre
-+++ libx11/nls/locale.dir.pre
+--- a/nls/locale.dir.pre
++++ b/nls/locale.dir.pre
 @@ -6,8 +6,11 @@ XCOMM
  XCOMM
  
@@ -458,7 +452,7 @@
  en_US.UTF-8/XLC_LOCALE:			af_ZA.UTF-8
  en_US.UTF-8/XLC_LOCALE:			am_ET.UTF-8
  en_US.UTF-8/XLC_LOCALE:			ar_AA.UTF-8
-@@ -297,6 +319,7 @@ en_US.UTF-8/XLC_LOCALE:			bn_BD.UTF-8
+@@ -298,6 +320,7 @@ en_US.UTF-8/XLC_LOCALE:			bn_BD.UTF-8
  en_US.UTF-8/XLC_LOCALE:			bn_IN.UTF-8
  en_US.UTF-8/XLC_LOCALE:                 bo_IN.UTF-8
  en_US.UTF-8/XLC_LOCALE:			br_FR.UTF-8
@@ -538,7 +532,7 @@
  en_US.UTF-8/XLC_LOCALE:			pp_AN.UTF-8
 @@ -431,11 +467,13 @@ en_US.UTF-8/XLC_LOCALE:
  en_US.UTF-8/XLC_LOCALE:                 sd_IN.UTF-8
- en_US.UTF-8/XLC_LOCALE:                 sd_IN@devanagari.UTF-8
+ en_US.UTF-8/XLC_LOCALE:                 sd_IN.UTF-8@devanagari
  en_US.UTF-8/XLC_LOCALE:			se_NO.UTF-8
 +en_US.UTF-8/XLC_LOCALE:            sid_ET.UTF-8
  en_US.UTF-8/XLC_LOCALE:			sh_BA.UTF-8
@@ -550,7 +544,7 @@
  en_US.UTF-8/XLC_LOCALE:			sq_AL.UTF-8
  en_US.UTF-8/XLC_LOCALE:			sr_CS.UTF-8
  en_US.UTF-8/XLC_LOCALE:			sr_ME.UTF-8
-@@ -451,6 +489,7 @@ en_US.UTF-8/XLC_LOCALE:			tg_TJ.UTF-8
+@@ -452,6 +490,7 @@ en_US.UTF-8/XLC_LOCALE:			tg_TJ.UTF-8
  th_TH.UTF-8/XLC_LOCALE:			th_TH.UTF-8
  en_US.UTF-8/XLC_LOCALE:			ti_ER.UTF-8
  en_US.UTF-8/XLC_LOCALE:			ti_ET.UTF-8
diff -u libx11-1.6.4/debian/patches/series libx11-1.6.4/debian/patches/series
--- libx11-1.6.4/debian/patches/series
+++ libx11-1.6.4/debian/patches/series
@@ -5,0 +6,3 @@
+CVE-2018-14599.patch
+CVE-2018-14600.patch
+CVE-2018-14598.patch
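Review bot: The order of the three new entries is load-bearing and nothing in the series file says so: the `chend = ch + nbytes;` context in CVE-2018-14600.patch exists only after CVE-2018-14599.patch, and the `length = *(unsigned char *)ch;` context in CVE-2018-14598.patch exists only after CVE-2018-14600.patch, so the non-numeric order 14599, 14600, 14598 is required. A quilt comment above the block would stop a later refresh or re-sort from breaking the stack: `# CVE-2018-14598 needs the 14599/14600 hunks applied first; keep this order`. The `index` lines in CVE-2018-14598.patch (`fe37fe8..dac553e` for GetFPath.c) do not chain from the `c99174a` that CVE-2018-14600.patch leaves behind, presumably because that patch was taken from upstream git rather than regenerated against the stretch tree; quilt ignores them, but a sentence in the patch header saying so would save the next updater a puzzled diff.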
only in patch2:
unchanged:
--- libx11-1.6.4.orig/debian/patches/CVE-2018-14598.patch
+++ libx11-1.6.4/debian/patches/CVE-2018-14598.patch
@@ -0,0 +1,42 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 29 Sep 2018 14:13:53 +0200
+Subject: CVE-2018-14598
+
+Origin: https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=e83722768fd5c467ef61fa159e8c6278770b45c2
+---
+ src/GetFPath.c | 5 +++++
+ src/ListExt.c  | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/GetFPath.c b/src/GetFPath.c
+index fe37fe8..dac553e 100644
+--- a/src/GetFPath.c
++++ b/src/GetFPath.c
+@@ -78,6 +78,11 @@ char **XGetFontPath(
+ 		    length = *(unsigned char *)ch;
+ 		    *ch = '\0'; /* and replace with null-termination */
+ 		    count++;
++		} else if (i == 0) {
++		    Xfree(flist);
++		    Xfree(ch);
++		    flist = NULL;
++		    break;
+ 		} else
+ 		    flist[i] = NULL;
+ 	    }
+diff --git a/src/ListExt.c b/src/ListExt.c
+index 2a2e135..ceeb885 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -83,6 +83,11 @@ char **XListExtensions(
+ 		    length = *(unsigned char *)ch;
+ 		    *ch = '\0'; /* and replace with null-termination */
+ 		    count++;
++		} else if (i == 0) {
++		    Xfree(list);
++		    Xfree(ch);
++		    list = NULL;
++		    break;
+ 		} else
+ 		    list[i] = NULL;
+ 	    }
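Review bot: The new `else if (i == 0)` branch in XGetFontPath, and the identical one in XListExtensions, free `ch` without saying why that pointer is the right one: `ch` is advanced only in the success branch, so at `i == 0` it still addresses the head of the reply buffer, and a reader who sees `Xfree(ch)` beside `Xfree(flist)` will otherwise suspect a mid-buffer free. I would add above `Xfree(flist);` the comment `/* first string already overflows the reply: ch is still the buffer start, and returning a non-NULL list with [0] == NULL would break the caller's free (CVE-2018-14598) */`, mirrored in ListExt.c. The branch's context line `length = *(unsigned char *)ch;` only exists once CVE-2018-14600.patch is applied, so this patch must stay after it in the series. Both enclosing functions start and end outside the hunk.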
only in patch2:
unchanged:
--- libx11-1.6.4.orig/debian/patches/CVE-2018-14599.patch
+++ libx11-1.6.4/debian/patches/CVE-2018-14599.patch
@@ -0,0 +1,85 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 29 Aug 2018 07:48:56 +0200
+Subject: CVE-2018-14599
+
+Origin: https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0
+---
+ src/FontNames.c | 16 ++++------------
+ src/GetFPath.c  |  2 +-
+ src/ListExt.c   | 12 ++++--------
+ 3 files changed, 9 insertions(+), 21 deletions(-)
+
+diff --git a/src/FontNames.c b/src/FontNames.c
+index 31f671c..f185c11 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -88,24 +88,16 @@ int *actualCount)	/* RETURN */
+ 	 * unpack into null terminated strings.
+ 	 */
+ 	chstart = ch;
+-	chend = ch + (rlen + 1);
++	chend = ch + rlen;
+ 	length = *(unsigned char *)ch;
+ 	*ch = 1; /* make sure it is non-zero for XFreeFontNames */
+ 	for (i = 0; i < rep.nFonts; i++) {
+ 	    if (ch + length < chend) {
+ 		flist[i] = ch + 1;  /* skip over length */
+ 		ch += length + 1;  /* find next length ... */
+-		if (ch <= chend) {
+-		    length = *(unsigned char *)ch;
+-		    *ch = '\0';  /* and replace with null-termination */
+-		    count++;
+-		} else {
+-                    Xfree(chstart);
+-                    Xfree(flist);
+-                    flist = NULL;
+-                    count = 0;
+-                    break;
+-		}
++		length = *(unsigned char *)ch;
++		*ch = '\0';  /* and replace with null-termination */
++		count++;
+ 	    } else {
+                 Xfree(chstart);
+                 Xfree(flist);
+diff --git a/src/GetFPath.c b/src/GetFPath.c
+index abd4a5d..cd56564 100644
+--- a/src/GetFPath.c
++++ b/src/GetFPath.c
+@@ -69,7 +69,7 @@ char **XGetFontPath(
+ 	    /*
+ 	     * unpack into null terminated strings.
+ 	     */
+-	    chend = ch + (nbytes + 1);
++	    chend = ch + nbytes;
+ 	    length = *ch;
+ 	    for (i = 0; i < rep.nPaths; i++) {
+ 		if (ch + length < chend) {
+diff --git a/src/ListExt.c b/src/ListExt.c
+index 9074315..421adb4 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -74,19 +74,15 @@ char **XListExtensions(
+ 	    /*
+ 	     * unpack into null terminated strings.
+ 	     */
+-	    chend = ch + (rlen + 1);
++	    chend = ch + rlen;
+ 	    length = *ch;
+ 	    for (i = 0; i < rep.nExtensions; i++) {
+ 		if (ch + length < chend) {
+ 		    list[i] = ch+1;  /* skip over length */
+ 		    ch += length + 1; /* find next length ... */
+-		    if (ch <= chend) {
+-			length = *ch;
+-			*ch = '\0'; /* and replace with null-termination */
+-			count++;
+-		    } else {
+-			list[i] = NULL;
+-		    }
++		    length = *ch;
++		    *ch = '\0'; /* and replace with null-termination */
++		    count++;
+ 		} else
+ 		    list[i] = NULL;
+ 	    }
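Review bot: With `chend = ch + rlen;` the guard `ch + length < chend` lets `ch += length + 1` land exactly on `chend`, and the now-unconditional `length = *(unsigned char *)ch; *ch = '\0';` then reads and writes the byte at `chend`, one past `rlen` — safe only if the buffer was allocated with `rlen + 1` (and `nbytes + 1` in XGetFontPath), which lies outside every hunk in this debdiff and cannot be checked here. The `if (ch <= chend)` branch this patch removes from FontNames.c and ListExt.c was the visible form of that invariant; now it is implicit, so a comment at the write would keep the next reader from "re-fixing" it: `/* ch may equal chend here; the buffer carries one spare byte for this terminator */`. The byte at `chend` is presumably not filled by the reply read, so `length` may be an arbitrary value on the last pass; that is harmless because the guard fails for any 0..255 at `ch == chend`, but it belongs in the same comment. All three enclosing functions begin and end outside the hunk.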
only in patch2:
unchanged:
--- libx11-1.6.4.orig/debian/patches/CVE-2018-14600.patch
+++ libx11-1.6.4/debian/patches/CVE-2018-14600.patch
@@ -0,0 +1,48 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 29 Aug 2018 07:49:14 +0200
+Subject: CVE-2018-14600
+
+Origin: https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=dbf72805fd9d7b1846fe9a11b46f3994bfc27fea
+---
+ src/GetFPath.c | 4 ++--
+ src/ListExt.c  | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/GetFPath.c b/src/GetFPath.c
+index cd56564..c99174a 100644
+--- a/src/GetFPath.c
++++ b/src/GetFPath.c
+@@ -70,12 +70,12 @@ char **XGetFontPath(
+ 	     * unpack into null terminated strings.
+ 	     */
+ 	    chend = ch + nbytes;
+-	    length = *ch;
++	    length = *(unsigned char *)ch;
+ 	    for (i = 0; i < rep.nPaths; i++) {
+ 		if (ch + length < chend) {
+ 		    flist[i] = ch+1;  /* skip over length */
+ 		    ch += length + 1; /* find next length ... */
+-		    length = *ch;
++		    length = *(unsigned char *)ch;
+ 		    *ch = '\0'; /* and replace with null-termination */
+ 		    count++;
+ 		} else
+diff --git a/src/ListExt.c b/src/ListExt.c
+index 421adb4..6daa14d 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -75,12 +75,12 @@ char **XListExtensions(
+ 	     * unpack into null terminated strings.
+ 	     */
+ 	    chend = ch + rlen;
+-	    length = *ch;
++	    length = *(unsigned char *)ch;
+ 	    for (i = 0; i < rep.nExtensions; i++) {
+ 		if (ch + length < chend) {
+ 		    list[i] = ch+1;  /* skip over length */
+ 		    ch += length + 1; /* find next length ... */
+-		    length = *ch;
++		    length = *(unsigned char *)ch;
+ 		    *ch = '\0'; /* and replace with null-termination */
+ 		    count++;
+ 		} else
