
Bug#892031: marked as done (stretch-pu: package wayland/1.12.0-1)



Your message dated Tue, 18 Dec 2018 20:41:35 +0000
with message-id <E1gZMBL-000Fet-Ro@fasolo.debian.org>
and subject line Bug#892031: fixed in wayland 1.12.0-1+deb9u1
has caused the Debian Bug report #892031,
regarding stretch-pu: package wayland/1.12.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
892031: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892031
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

  I would like to apply a fix in stable for #889681.
  I have asked the security team if they want the fix via the security queue or
  a stable update; however, I have gotten no reply yet. I am attaching the patch
  I intend to upload to stable if you acknowledge it.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From 2471b0463e9395bd981f8b875e3280f1fc6b995f Mon Sep 17 00:00:00 2001
From: Héctor Orón Martínez <zumbi@debian.org>
Date: Sun, 4 Mar 2018 11:54:40 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
 overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Héctor Orón Martínez <zumbi@debian.org>
---
 debian/changelog                    | 11 +++++++++
 debian/patches/CVE-2017-16612.patch | 47 +++++++++++++++++++++++++++++++++++++
 debian/patches/series               |  1 +
 3 files changed, 59 insertions(+)
 create mode 100644 debian/patches/CVE-2017-16612.patch
 create mode 100644 debian/patches/series

diff --git a/debian/changelog b/debian/changelog
index 2f84b50..7495ef3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.12.0-1+deb9u1) stretch; urgency=medium
+
+  * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+    - libXcursor before 1.1.15 has various integer overflows that could lead
+      to heap buffer overflows when processing malicious cursors, e.g., with
+      programs like GIMP. It is also possible that an attack vector exists
+      against the related code in cursor/xcursor.c in Wayland through
+      1.14.0.
+
+ -- Héctor Orón Martínez <zumbi@debian.org>  Sun, 04 Mar 2018 11:43:29 +0100
+
 wayland (1.12.0-1) unstable; urgency=medium
 
   * New upstream release. Closes: #840752.
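
Review bot: the new changelog bullet under debian/patches/CVE-2017-16612.patch reproduces the CVE description for libXcursor and says only that an attack vector may exist in cursor/xcursor.c; it never states what this upload changes. Suggest describing the fix itself (XcursorImageCreate and _XcursorReadImage now reject dimensions above XCURSOR_IMAGE_MAX_SIZE), naming CVE-2017-16612 in the entry text rather than only in the patch filename, and citing upstream commit 5d201df72f3d4f4cb8b8f75f980169b03507da38 as the origin.
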
diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 0000000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date:   Tue Nov 28 21:38:07 2017 +0100
+
+    cursor: Fix heap overflows when parsing malicious files.
+    
+    It is possible to trigger heap overflows due to an integer overflow
+    while parsing images.
+    
+    The integer overflow occurs because the chosen limit 0x10000 for
+    dimensions is too large for 32 bit systems, because each pixel takes
+    4 bytes. Properly chosen values allow an overflow which in turn will
+    lead to less allocated memory than needed for subsequent reads.
+    
+    See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+    
+    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+    [Pekka: add link to the corresponding libXcursor commit]
+    Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
++++ b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+     XcursorImage    *image;
+ 
++    if (width < 0 || height < 0)
++       return NULL;
++    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++       return NULL;
++
+     image = malloc (sizeof (XcursorImage) +
+ 		    width * height * sizeof (XcursorPixel));
+     if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile		*file,
+     if (!_XcursorReadUInt (file, &head.delay))
+ 	return NULL;
+     /* sanity check data */
+-    if (head.width >= 0x10000 || head.height > 0x10000)
++    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
++	head.height > XCURSOR_IMAGE_MAX_SIZE)
+ 	return NULL;
+     if (head.width == 0 || head.height == 0)
+ 	return NULL;
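
Review bot: in the XcursorImageCreate hunk, the new bounds checks depend entirely on XCURSOR_IMAGE_MAX_SIZE, which is neither defined nor changed anywhere in this patch, while the allocation below them still computes `width * height * sizeof (XcursorPixel)` with no overflow check of its own. Please confirm the macro is already defined in the 1.12.0 tree and is small enough that the product plus sizeof (XcursorImage) fits in a 32-bit size_t, since the commit message says the old 0x10000 limit was too large for exactly that reason. Minor: the added `return NULL;` lines in XcursorImageCreate are indented with spaces while the surrounding code uses tabs, and the patch file carries only the upstream git header; Origin and Bug-Debian fields would tie it to #889681.
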
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
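
Review bot: debian/patches/series is created by this patch (new file mode), so the package carried no patch series before, and the diffstat shows nothing else under debian/ changing apart from the changelog. Please confirm the build actually applies debian/patches/series, either through the source format or through debian/rules; otherwise CVE-2017-16612.patch ships unapplied.
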
-- 
2.16.2


--- End Message ---
--- Begin Message ---
Source: wayland
Source-Version: 1.12.0-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
wayland, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892031@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Héctor Orón Martínez <zumbi@debian.org> (supplier of updated wayland package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 04 Mar 2018 11:43:29 +0100
Source: wayland
Binary: libwayland-client0 libwayland-server0 libwayland-cursor0 libwayland-dev libwayland-doc libwayland-bin
Architecture: source amd64 all
Version: 1.12.0-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Héctor Orón Martínez <zumbi@debian.org>
Description:
 libwayland-bin - wayland compositor infrastructure - binary utilities
 libwayland-client0 - wayland compositor infrastructure - client library
 libwayland-cursor0 - wayland compositor infrastructure - cursor library
 libwayland-dev - wayland compositor infrastructure - development files
 libwayland-doc - wayland compositor infrastructure - documentation files
 libwayland-server0 - wayland compositor infrastructure - server library
Closes: 889681 892031
Changes:
 wayland (1.12.0-1+deb9u1) stretch; urgency=medium
 .
   * debian/patches/CVE-2017-16612.patch: (Closes: #889681, #892031)
     - libXcursor before 1.1.15 has various integer overflows that could lead
       to heap buffer overflows when processing malicious cursors, e.g., with
       programs like GIMP. It is also possible that an attack vector exists
       against the related code in cursor/xcursor.c in Wayland through
       1.14.0.

--- End Message ---
