Bug#892032: jessie-pu: package wayland/1.6.0-2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#892032: jessie-pu: package wayland/1.6.0-2
From: Héctor Orón Martínez <zumbi@debian.org>
Date: Sun, 04 Mar 2018 12:46:15 +0100
Message-id: <[🔎] 152016397563.6129.17543957900341475082.reportbug@polynomio.collabora.co.uk>
Reply-to: Héctor Orón Martínez <zumbi@debian.org>, 892032@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

  I would like to apply oldstable fix for #889681 in oldstable.
  I am attaching the patch I plan to upload to oldstable.
  Note, I have requested security team if they want to handle it via
  security queue or stable update instead.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

From 5df34123d130816a1acf506d8e9f1a1c3e3efcc8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <zumbi@debian.org>
Date: Sun, 4 Mar 2018 12:29:17 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
 overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Héctor Orón Martínez <zumbi@debian.org>
---
 debian/changelog                    | 11 +++++++++
 debian/patches/CVE-2017-16612.patch | 47 +++++++++++++++++++++++++++++++++++++
 debian/patches/series               |  1 +
 3 files changed, 59 insertions(+)
 create mode 100644 debian/patches/CVE-2017-16612.patch
 create mode 100644 debian/patches/series

diff --git a/debian/changelog b/debian/changelog
index 645a4bc..b6409a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.6.0-2+deb8u1) stretch; urgency=medium
+
+  * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+    - libXcursor before 1.1.15 has various integer overflows that could lead
+      to heap buffer overflows when processing malicious cursors, e.g., with
+      programs like GIMP. It is also possible that an attack vector exists
+      against the related code in cursor/xcursor.c in Wayland through
+      1.14.0.
+
+ -- Héctor Orón Martínez <zumbi@debian.org>  Sun, 04 Mar 2018 12:27:36 +0100
+
 wayland (1.6.0-2) unstable; urgency=medium
 
   * Switch back to use upstream tarball.
diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 0000000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date:   Tue Nov 28 21:38:07 2017 +0100
+
+    cursor: Fix heap overflows when parsing malicious files.
+    
+    It is possible to trigger heap overflows due to an integer overflow
+    while parsing images.
+    
+    The integer overflow occurs because the chosen limit 0x10000 for
+    dimensions is too large for 32 bit systems, because each pixel takes
+    4 bytes. Properly chosen values allow an overflow which in turn will
+    lead to less allocated memory than needed for subsequent reads.
+    
+    See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+    
+    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+    [Pekka: add link to the corresponding libXcursor commit]
+    Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
++++ b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+     XcursorImage    *image;
+ 
++    if (width < 0 || height < 0)
++       return NULL;
++    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++       return NULL;
++
+     image = malloc (sizeof (XcursorImage) +
+ 		    width * height * sizeof (XcursorPixel));
+     if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile		*file,
+     if (!_XcursorReadUInt (file, &head.delay))
+ 	return NULL;
+     /* sanity check data */
+-    if (head.width >= 0x10000 || head.height > 0x10000)
++    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
++	head.height > XCURSOR_IMAGE_MAX_SIZE)
+ 	return NULL;
+     if (head.width == 0 || head.height == 0)
+ 	return NULL;
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
-- 
2.16.2

Reply to:

Follow-Ups:
- Bug#892032: jessie-pu: package wayland/1.6.0-2
  - From: Emilio Pozuelo Monfort <pochu@debian.org>

Prev by Date: Bug#892031: stretch-pu: package wayland/1.12.0-1
Next by Date: Bug#890189: stretch-pu: package libreoffice/1:5.2.7-1+deb9u3
Previous by thread: Bug#892031: stretch-pu: package wayland/1.12.0-1
Next by thread: Bug#892032: jessie-pu: package wayland/1.6.0-2
Index(es):
- Date
- Thread