
Bug#970563: buster-pu: package libx11/2:1.6.7-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jcristau@debian.org, tjaalton@debian.org

This update fixes a few security issues in libx11 which don't
warrant a DSA. Debdiff attached.

Cheers,
        Moritz
diff -u libx11-1.6.7/debian/changelog libx11-1.6.7/debian/changelog
--- libx11-1.6.7/debian/changelog
+++ libx11-1.6.7/debian/changelog
@@ -1,3 +1,10 @@
+libx11 (2:1.6.7-1+deb10u1) buster; urgency=medium
+
+  * CVE-2020-14344
+  * CVE-2020-14363 (Closes: #969008)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Fri, 11 Sep 2020 19:38:11 +0200
+
 libx11 (2:1.6.7-1) unstable; urgency=medium
 
   * New upstream release.
diff -u libx11-1.6.7/debian/patches/series libx11-1.6.7/debian/patches/series
--- libx11-1.6.7/debian/patches/series
+++ libx11-1.6.7/debian/patches/series
@@ -5,0 +6,2 @@
+CVE-2020-14344.diff
+CVE-2020-14363.diff
only in patch2:
unchanged:
--- libx11-1.6.7.orig/debian/patches/CVE-2020-14344.diff
+++ libx11-1.6.7/debian/patches/CVE-2020-14344.diff
@@ -0,0 +1,296 @@
+Backport of the following upstream commits to address CVE-2020-14344:
+
+0e6561efcfaa0ae7b5c74eac7e064b76d687544e
+1703b9f3435079d3c6021e1ee2ec34fd4978103d
+1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+2fcfcc49f3b1be854bb9085993a01d17c62acf60
+388b303c62aa35a245f1704211a023440ad2c488
+93fce3f4e79cbc737d6468a4f68ba3de1b83953b
+
+diff -Naur libx11-1.6.7.orig/modules/im/ximcp/imDefIc.c libx11-1.6.7/modules/im/ximcp/imDefIc.c
+--- libx11-1.6.7.orig/modules/im/ximcp/imDefIc.c	2018-10-09 16:27:08.000000000 +0200
++++ libx11-1.6.7/modules/im/ximcp/imDefIc.c	2020-09-11 17:30:58.689814672 +0200
+@@ -350,7 +350,7 @@
+ 	     + sizeof(INT16)
+ 	     + XIM_PAD(2 + buf_size);
+ 
+-    if (!(buf = Xmalloc(buf_size)))
++    if (!(buf = Xcalloc(buf_size, 1)))
+ 	return arg->name;
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+ 
+@@ -708,6 +708,7 @@
+ #endif /* XIM_CONNECTABLE */
+ 
+     _XimGetCurrentICValues(ic, &ic_values);
++    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE
+ 	+ sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
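Review bot: The added `memset(tmp_buf, 0, sizeof(tmp_buf32));` clears one object using the size of another, so it is only correct if `tmp_buf` points at the start of `tmp_buf32`; both declarations are outside this hunk. Writing it as `memset(tmp_buf32, 0, sizeof(tmp_buf32));` would make the bound self-evident and keep it right if `tmp_buf` is ever changed. The same line is added in the imDefIm.c hunks at 1294 and 1827. If the intent is to keep uninitialised bytes out of the outgoing request, a one-line comment saying so above the call would record why the clear is there.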
+@@ -730,7 +731,7 @@
+ 
+ 	buf_size += ret_len;
+ 	if (buf == tmp_buf) {
+-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
++	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ 		return tmp_name;
+ 	    }
+ 	    memcpy(tmp, buf, buf_size);
+@@ -740,6 +741,7 @@
+ 		Xfree(buf);
+ 		return tmp_name;
+ 	    }
++            memset(&tmp[buf_size], 0, data_len);
+ 	    buf = tmp;
+ 	}
+     }
+diff -Naur libx11-1.6.7.orig/modules/im/ximcp/imDefIm.c libx11-1.6.7/modules/im/ximcp/imDefIm.c
+--- libx11-1.6.7.orig/modules/im/ximcp/imDefIm.c	2018-10-09 16:27:08.000000000 +0200
++++ libx11-1.6.7/modules/im/ximcp/imDefIm.c	2020-09-11 17:30:58.689814672 +0200
+@@ -62,6 +62,7 @@
+ #include "XimTrInt.h"
+ #include "Ximint.h"
+ 
++#include <limits.h>
+ 
+ int
+ _XimCheckDataSize(
+@@ -809,12 +810,16 @@
+     int			 buf_size;
+     int			 ret_code;
+     char		*locale_name;
++    size_t		 locale_len;
+ 
+     locale_name = im->private.proto.locale_name;
+-    len = strlen(locale_name);
+-    buf_b[0] = (BYTE)len;			   /* length of locale name */
+-    (void)strcpy((char *)&buf_b[1], locale_name);  /* locale name */
+-    len += sizeof(BYTE);			   /* sizeof length */
++    locale_len = strlen(locale_name);
++    if (locale_len > UCHAR_MAX)
++      return False;
++    memset(buf32, 0, sizeof(buf32));
++    buf_b[0] = (BYTE)locale_len;		/* length of locale name */
++    memcpy(&buf_b[1], locale_name, locale_len);	   /* locale name */
++    len = (INT16)(locale_len + sizeof(BYTE));	   /* sizeof length */
+     XIM_SET_PAD(buf_b, len);			   /* pad */
+ 
+     _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
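Review bot: The new `if (locale_len > UCHAR_MAX) return False;` carries no comment saying which limit it enforces, although the `memcpy` into `&buf_b[1]` that follows depends on it. I would add `/* length is sent as a single BYTE; reject names it cannot represent */` above the check. `buf32` is declared outside this hunk, so confirm it can hold the header plus 1 + UCHAR_MAX bytes and padding, because this check is now the only bound on the copy.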
+@@ -1289,6 +1294,7 @@
+ #endif /* XIM_CONNECTABLE */
+ 
+     _XimGetCurrentIMValues(im, &im_values);
++    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+     data_len = BUFSIZE - buf_size;
+@@ -1311,7 +1317,7 @@
+ 
+ 	buf_size += ret_len;
+ 	if (buf == tmp_buf) {
+-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
++	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ 		return arg->name;
+ 	    }
+ 	    memcpy(tmp, buf, buf_size);
+@@ -1321,6 +1327,7 @@
+ 		Xfree(buf);
+ 		return arg->name;
+ 	    }
++            memset(&tmp[buf_size], 0, data_len);
+ 	    buf = tmp;
+ 	}
+     }
+@@ -1462,7 +1469,7 @@
+ 	     + sizeof(INT16)
+ 	     + XIM_PAD(buf_size);
+ 
+-    if (!(buf = Xmalloc(buf_size)))
++    if (!(buf = Xcalloc(buf_size, 1)))
+ 	return arg->name;
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+ 
+@@ -1724,7 +1731,7 @@
+ 	+ sizeof(CARD16)
+ 	+ detail_len;
+ 
+-    if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
++    if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
+ 	goto free_detail_ptr;
+ 
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+@@ -1820,6 +1827,7 @@
+     int			 ret_code;
+ 
+     _XimGetCurrentIMValues(im, &im_values);
++    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+     data_len = BUFSIZE - buf_size;
+@@ -1842,7 +1850,7 @@
+ 
+ 	buf_size += ret_len;
+ 	if (buf == tmp_buf) {
+-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
++	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ 		return False;
+ 	    }
+ 	    memcpy(tmp, buf, buf_size);
+@@ -1852,6 +1860,7 @@
+ 		Xfree(buf);
+ 		return False;
+ 	    }
++            memset(&tmp[buf_size], 0, data_len);
+ 	    buf = tmp;
+ 	}
+     }
+diff -Naur libx11-1.6.7.orig/modules/im/ximcp/imRmAttr.c libx11-1.6.7/modules/im/ximcp/imRmAttr.c
+--- libx11-1.6.7.orig/modules/im/ximcp/imRmAttr.c	2018-10-09 16:27:08.000000000 +0200
++++ libx11-1.6.7/modules/im/ximcp/imRmAttr.c	2020-09-11 17:31:32.348034612 +0200
+@@ -29,6 +29,8 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++
+ #include "Xlibint.h"
+ #include "Xlcint.h"
+ #include "Ximint.h"
+@@ -214,7 +216,7 @@
+     Xic			  ic,
+     XIMResourceList	  res,
+     CARD16		 *data,
+-    INT16		  data_len,
++    CARD16		  data_len,
+     XPointer		  value,
+     BITMASK32		  mode)
+ {
+@@ -250,18 +252,24 @@
+ 
+     case XimType_XIMStyles:
+ 	{
+-	    INT16		 num = data[0];
++	    CARD16		 num = data[0];
+ 	    register CARD32	*style_list = (CARD32 *)&data[2];
+ 	    XIMStyle		*style;
+ 	    XIMStyles		*rep;
+ 	    register int	 i;
+ 	    char		*p;
+-	    int			 alloc_len;
++	    unsigned int         alloc_len;
+ 
+ 	    if (!(value))
+ 		return False;
+ 
++	    if (num > (USHRT_MAX / sizeof(XIMStyle)))
++		return False;
++	    if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
++		return False;
+ 	    alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
++	    if (alloc_len < sizeof(XIMStyles))
++		return False;
+ 	    if (!(p = Xmalloc(alloc_len)))
+ 		return False;
+ 
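Review bot: `CARD16 num = data[0];` is still read in the declaration, before anything confirms that `data_len` covers even the count field; the new length check only runs afterwards. The same ordering applies to `len = data[0]` in the XimType_XFontSet hunk and to `*((CARD32 *)data)` in the XimType_XIMHotKeyTriggers hunk. Whether callers guarantee a minimum `data_len` is not visible here, so I would move the read below a guard such as `if (data_len < 2 * sizeof(CARD16)) return False;`. Separately, the `alloc_len < sizeof(XIMStyles)` test looks unreachable once `num` is bounded by `USHRT_MAX / sizeof(XIMStyle)`, so a comment marking it as a defensive re-check would help the next reader. The case body continues past the end of the hunk.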
+@@ -313,7 +321,7 @@
+ 
+     case XimType_XFontSet:
+ 	{
+-	    INT16	 len = data[0];
++	    CARD16	 len = data[0];
+ 	    char	*base_name;
+ 	    XFontSet	 rep = (XFontSet)NULL;
+ 	    char	**missing_list = NULL;
+@@ -324,11 +332,12 @@
+ 		return False;
+ 	    if (!ic)
+ 		return False;
+-
++	    if (len > data_len)
++		return False;
+ 	    if (!(base_name = Xmalloc(len + 1)))
+ 		return False;
+ 
+-	    (void)strncpy(base_name, (char *)&data[1], (int)len);
++	    (void)strncpy(base_name, (char *)&data[1], (size_t)len);
+ 	    base_name[len] = '\0';
+ 
+ 	    if (mode & XIM_PREEDIT_ATTR) {
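Review bot: The new `if (len > data_len)` bound does not account for the two-byte length field that precedes the name, unlike the XIMStyles and XIMHotKeyTriggers checks in this patch, which add `2 * sizeof(CARD16)` for their headers. If `data_len` counts bytes starting at `data[0]` (the caller is not visible in this hunk), the copy from `&data[1]` can still read up to two bytes past the attribute when `len` is close to `data_len`. I would tighten it to `if (len + sizeof(CARD16) > data_len) return False;`. The case body continues outside the hunk.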
+@@ -357,19 +366,25 @@
+ 
+     case XimType_XIMHotKeyTriggers:
+ 	{
+-	    INT32			 num = *((CARD32 *)data);
++	    CARD32			 num = *((CARD32 *)data);
+ 	    register CARD32		*key_list = (CARD32 *)&data[2];
+ 	    XIMHotKeyTrigger		*key;
+ 	    XIMHotKeyTriggers		*rep;
+ 	    register int		 i;
+ 	    char			*p;
+-	    int				 alloc_len;
++	    unsigned int		 alloc_len;
+ 
+ 	    if (!(value))
+ 		return False;
+ 
++	    if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
++		return False;
++	    if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
++		return False;
+ 	    alloc_len = sizeof(XIMHotKeyTriggers)
+ 		      + sizeof(XIMHotKeyTrigger) * num;
++	    if (alloc_len < sizeof(XIMHotKeyTriggers))
++		return False;
+ 	    if (!(p = Xmalloc(alloc_len)))
+ 		return False;
+ 
+@@ -1378,13 +1393,13 @@
+ 
+ static unsigned int
+ _XimCountNumberOfAttr(
+-    INT16	 total,
+-    CARD16	*attr,
+-    int		*names_len)
++    CARD16	  total,
++    CARD16	 *attr,
++    unsigned int *names_len)
+ {
+     unsigned int n;
+-    INT16	 len;
+-    INT16	 min_len = sizeof(CARD16)	/* sizeof attribute ID */
++    CARD16	 len;
++    CARD16	 min_len = sizeof(CARD16)	/* sizeof attribute ID */
+ 			 + sizeof(CARD16)	/* sizeof type of value */
+ 			 + sizeof(INT16);	/* sizeof length of attribute */
+ 
+@@ -1392,6 +1407,9 @@
+     *names_len = 0;
+     while (total > min_len) {
+ 	len = attr[2];
++	if (len >= (total - min_len)) {
++	    return 0;
++	}
+ 	*names_len += (len + 1);
+ 	len += (min_len + XIM_PAD(len + 2));
+ 	total -= len;
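Review bot: The new `len >= (total - min_len)` guard tests the unpadded name length, but the value subtracted from `total` two lines later also includes `XIM_PAD(len + 2)`. If that padding can exceed the bytes remaining, `total -= len` wraps now that `total` is `CARD16`, whereas the old `INT16` would typically have gone negative and ended the `while (total > min_len)` loop. I would re-check after padding with `if (len > total) return 0;` just before `total -= len;`. Returning 0 is also indistinguishable from an empty attribute list, so the callers (outside this hunk) should be checked to treat it as a parse failure. The loop body continues past the end of the hunk.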
+@@ -1406,17 +1424,15 @@
+     Xim			  im,
+     CARD16		 *buf)
+ {
+-    unsigned int	  n;
++    unsigned int	  n, names_len, values_len;
+     XIMResourceList	  res;
+     char		 *names;
+-    int			  names_len;
+     XPointer		  tmp;
+     XIMValuesList	 *values_list;
+     char		**values;
+-    int			  values_len;
+     register int	  i;
+-    INT16		  len;
+-    INT16		  min_len = sizeof(CARD16) /* sizeof attribute ID */
++    CARD16		  len;
++    CARD16		  min_len = sizeof(CARD16) /* sizeof attribute ID */
+ 				  + sizeof(CARD16) /* sizeof type of value */
+ 				  + sizeof(INT16); /* sizeof length of attr */
+     /*
only in patch2:
unchanged:
--- libx11-1.6.7.orig/debian/patches/CVE-2020-14363.diff
+++ libx11-1.6.7/debian/patches/CVE-2020-14363.diff
@@ -0,0 +1,31 @@
+From acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 13 Aug 2020 18:02:58 +0200
+Subject: [PATCH] Fix an integer overflow in init_om()
+
+CVE-2020-14363
+
+This can lead to a double free later, as reported by Jayden Rivers.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ modules/om/generic/omGeneric.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
+index c44acb88..406cec93 100644
+--- a/modules/om/generic/omGeneric.c
++++ b/modules/om/generic/omGeneric.c
+@@ -1908,7 +1908,8 @@ init_om(
+     char **required_list;
+     XOrientation *orientation;
+     char **value, buf[BUFSIZ], *bufptr;
+-    int count = 0, num = 0, length = 0;
++    int count = 0, num = 0;
++    unsigned int length = 0;
+ 
+     _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
+     if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
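Review bot: Making `length` unsigned removes the signed-overflow undefined behaviour but does not by itself bound the total, and nothing in this hunk says why the type change is sufficient. The accumulation and the allocation that uses `length` are outside the hunk, so it is worth confirming that a wrapped unsigned sum cannot reach the allocator as a too-small size. A comment on the declaration, for example `/* unsigned: accumulated size, must never go negative (CVE-2020-14363) */`, would record the reason for the type.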
+-- 
+GitLab
+
