
libx11: Changes to 'debian-experimental'



 debian/changelog                      |   20 ++++++
 debian/control                        |    3 -
 debian/patches/022_CVE-2007-1667.diff |  100 ++++++++++++++++++++++++++++++++++
 debian/patches/series                 |    1 
 4 files changed, 122 insertions(+), 2 deletions(-)

New commits:
commit b3461531cf9b73801b2613433b512f38958bfdbd
Author: Julien Cristau <jcristau@debian.org>
Date:   Sat Apr 7 16:40:57 2007 +0200

    Add XS-Vcs-Git and XS-Vcs-Browse in debian/control.

diff --git a/debian/changelog b/debian/changelog
index e4fa393..a6ccac6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,13 @@
 libx11 (2:1.1.1-2) UNRELEASED; urgency=low
 
+  [ Brice Goglin ]
   * Drop -DLIBXCURSOR from CFLAGS since upstream default is now correct
     (closes: #392618).
 
- -- Brice Goglin <Brice.Goglin@ens-lyon.org>  Sun, 11 Feb 2007 23:14:22 +0100
+  [ Julien Cristau ]
+  * Add XS-Vcs-Git and XS-Vcs-Browse in debian/control.
+
+ -- Julien Cristau <jcristau@debian.org>  Sat, 07 Apr 2007 16:40:20 +0200
 
 libx11 (2:1.1.1-1) experimental; urgency=low
 
diff --git a/debian/control b/debian/control
index ef632ae..60df29e 100644
--- a/debian/control
+++ b/debian/control
@@ -5,7 +5,8 @@ Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
 Uploaders: David Nusinow <dnusinow@debian.org>, Josh Triplett <josh@freedesktop.org>, Jamey Sharp <sharpone@debian.org>, Julien Cristau <jcristau@debian.org>
 Build-Depends: debhelper (>= 5.0.0), pkg-config, xtrans-dev, x11proto-core-dev, x11proto-kb-dev, x11proto-input-dev, x11proto-xext-dev, x11proto-xf86bigfont-dev, libxcb1-dev (>= 0.9.92), libxcb-xlib0-dev (>= 0.9.92), quilt
 Standards-Version: 3.7.2
-XS-Vcs-Git: git://anongit.freedesktop.org/git/xorg/lib/libX11
+XS-Vcs-Git: git://git.debian.org/git/pkg-xorg/lib/libx11
+XS-Vcs-Browse: http://git.debian.org/?p=pkg-xorg/lib/libx11.git
 
 Package: libx11-6
 Section: libs

commit 14e0d107a272906349365b1f48888cee0fd86016
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue Apr 3 18:53:08 2007 +0200

    Fix CVE-2007-1667.
    
    Grab patch from upstream git to fix CVE-2007-1667 (the patch included in
    2:1.0.3-6 was incomplete).  This closes: #414045.

diff --git a/debian/changelog b/debian/changelog
index c491cc9..592ee01 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libx11 (2:1.0.3-7) unstable; urgency=high
+
+  * Grab patch from upstream git to fix CVE-2007-1667 (the patch included in
+    2:1.0.3-6 was incomplete).  This closes: #414045.
+
+ -- Julien Cristau <jcristau@debian.org>  Tue, 03 Apr 2007 18:45:51 +0200
+
 libx11 (2:1.0.3-6) unstable; urgency=high
 
   * Add patch by Daniel Kobras <kobras@debian.org> to add more input
diff --git a/debian/patches/022_CVE-2007-1667.diff b/debian/patches/022_CVE-2007-1667.diff
new file mode 100644
index 0000000..6872e39
--- /dev/null
+++ b/debian/patches/022_CVE-2007-1667.diff
@@ -0,0 +1,100 @@
+From 7dc7ef398b6ad90ccd1680ed9cd1cfdd47312f5a Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@roadrock.(none)>
+Date: Tue, 3 Apr 2007 15:39:52 +0200
+Subject: [PATCH] Multiple integer overflows in the XGetPixel() and XInitImage functions
+
+CVE-2007-1667
+---
+ src/ImUtil.c |   33 +++++++++++++++++++++++----------
+ 1 files changed, 23 insertions(+), 10 deletions(-)
+
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 83fd030..9e667bb 100644
+--- a/src/ImUtil.c
++++ b/src/ImUtil.c
+@@ -327,12 +327,13 @@ XImage *XCreateImage (dpy, visual, depth, format, offset, data, width, height,
+ {
+ 	register XImage *image;
+ 	int bits_per_pixel = 1;
++	int min_bytes_per_line;
+ 
+ 	if (depth == 0 || depth > 32 ||
+ 	    (format != XYBitmap && format != XYPixmap && format != ZPixmap) ||
+ 	    (format == XYBitmap && depth != 1) ||
+ 	    (xpad != 8 && xpad != 16 && xpad != 32) ||
+-	    offset < 0 || image_bytes_per_line < 0)
++	    offset < 0)
+ 	    return (XImage *) NULL;
+ 	if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL)
+ 	    return (XImage *) NULL;
+@@ -363,16 +364,21 @@ XImage *XCreateImage (dpy, visual, depth, format, offset, data, width, height,
+ 	/*
+ 	 * compute per line accelerator.
+ 	 */
+-	if (image_bytes_per_line == 0)
+ 	{
+ 	if (format == ZPixmap)
+-	    image->bytes_per_line = 
++	    min_bytes_per_line = 
+ 	       ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+ 	else
+-	    image->bytes_per_line =
++	    min_bytes_per_line =
+ 	        ROUNDUP((width + offset), image->bitmap_pad);
+ 	}
+-	else image->bytes_per_line = image_bytes_per_line;
++	if (image_bytes_per_line == 0) {
++	    image->bytes_per_line = min_bytes_per_line;
++	} else if (image_bytes_per_line < min_bytes_per_line) {
++	    return 0;
++	} else {
++	    image->bytes_per_line = image_bytes_per_line;
++	}
+ 
+ 	image->bits_per_pixel = bits_per_pixel;
+ 	image->obdata = NULL;
+@@ -384,7 +390,11 @@ XImage *XCreateImage (dpy, visual, depth, format, offset, data, width, height,
+ Status XInitImage (image)
+     XImage *image;
+ {
++	int min_bytes_per_line;
++
+ 	if (image->depth == 0 || image->depth > 32 ||
++	    image->bits_per_pixel > 32 || image->bitmap_unit > 32 ||
++	    image->bits_per_pixel < 0 || image->bitmap_unit < 0 ||
+ 	    (image->format != XYBitmap &&
+ 	     image->format != XYPixmap &&
+ 	     image->format != ZPixmap) ||
+@@ -392,21 +402,24 @@ Status XInitImage (image)
+ 	    (image->bitmap_pad != 8 &&
+ 	     image->bitmap_pad != 16 &&
+ 	     image->bitmap_pad != 32) ||
+-	    image->xoffset < 0 || image->bytes_per_line < 0)
++	    image->xoffset < 0)
+ 	    return 0;
+ 
+ 	/*
+ 	 * compute per line accelerator.
+ 	 */
+-	if (image->bytes_per_line == 0)
+-	{
+ 	if (image->format == ZPixmap)
+-	    image->bytes_per_line = 
++	    min_bytes_per_line = 
+ 	       ROUNDUP((image->bits_per_pixel * image->width),
+ 		       image->bitmap_pad);
+ 	else
+-	    image->bytes_per_line =
++	    min_bytes_per_line =
+ 	        ROUNDUP((image->width + image->xoffset), image->bitmap_pad);
++
++	if (image->bytes_per_line == 0) {
++	    image->bytes_per_line = min_bytes_per_line;
++	} else if (image->bytes_per_line < min_bytes_per_line) {
++	    return 0;
+ 	}
+ 
+ 	_XInitImageFuncPtrs (image);
+-- 
+1.5.0.3
+
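Review bot: In the XCreateImage hunk of the embedded patch, the new `return 0;` taken when `image_bytes_per_line < min_bytes_per_line` runs after `image` was allocated with `Xcalloc`, so every rejected request leaks the XImage structure. Release it first and match the function's other returns: `Xfree((char *) image);` followed by `return (XImage *) NULL;`. Separately, `min_bytes_per_line` is an `int` computed from `bits_per_pixel * width` (or `width + offset`) with no upper bound on the width, in both XCreateImage and XInitImage. If that arithmetic wraps for a very large width, the computed minimum becomes small or negative and the comparison no longer constrains a caller-supplied `bytes_per_line`, which matters because the explicit `< 0` rejection is removed in the same change. The `ROUNDUP` macro and the parameter declarations are outside the hunks, so confirm this second point against the full file; a width bound checked before the multiplication would close it.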
diff --git a/debian/patches/022_XInitImage_input_validate.diff b/debian/patches/022_XInitImage_input_validate.diff
deleted file mode 100644
index e22ca19..0000000
--- a/debian/patches/022_XInitImage_input_validate.diff
+++ /dev/null
@@ -1,19 +0,0 @@
-Add more input validation to XInitImage(), to avoid buffer overflow in
-XGetPixel(), which assumes sane values.
-Debian bug #414045.
-
-This patch by Daniel Kobras <kobras@debian.org>
-
-Index: libx11/src/ImUtil.c
-===================================================================
---- libx11.orig/src/ImUtil.c	2007-03-09 02:21:29.000000000 +0100
-+++ libx11/src/ImUtil.c	2007-03-09 02:22:34.000000000 +0100
-@@ -385,6 +385,8 @@
-     XImage *image;
- {
- 	if (image->depth == 0 || image->depth > 32 ||
-+	    image->bits_per_pixel > 32 || image->bitmap_unit > 32 ||
-+	    image->bits_per_pixel < 0 || image->bitmap_unit < 0 ||
- 	    (image->format != XYBitmap &&
- 	     image->format != XYPixmap &&
- 	     image->format != ZPixmap) ||
diff --git a/debian/patches/series b/debian/patches/series
index d10a1c1..aeb3102 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,4 +15,4 @@
 019_new_autoconf.diff
 020_CVE-2006-5397.diff
 021_compose_fclose.diff
-022_XInitImage_input_validate.diff
+022_CVE-2007-1667.diff

commit dc9db50d754976bdd0df34faf0cd6296adb2e208
Author: Julien Cristau <jcristau@debian.org>
Date:   Fri Mar 9 02:28:49 2007 +0100

    Fix security issue in XInitImage()
    
    Add patch by Daniel Kobras <kobras@debian.org> to add more input
    validation to XInitImage(), to fix security issues (closes: #414045).

diff --git a/debian/changelog b/debian/changelog
index 96c857f..c491cc9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libx11 (2:1.0.3-6) unstable; urgency=high
+
+  * Add patch by Daniel Kobras <kobras@debian.org> to add more input
+    validation to XInitImage(), to fix security issues (closes: #414045).
+
+ -- Julien Cristau <jcristau@debian.org>  Fri,  9 Mar 2007 02:23:06 +0100
+
 libx11 (2:1.0.3-5) unstable; urgency=high
 
   * Remove /usr/X11R6/lib from /etc/ld.so.conf in postinst if it's no longer
diff --git a/debian/patches/022_XInitImage_input_validate.diff b/debian/patches/022_XInitImage_input_validate.diff
new file mode 100644
index 0000000..e22ca19
--- /dev/null
+++ b/debian/patches/022_XInitImage_input_validate.diff
@@ -0,0 +1,19 @@
+Add more input validation to XInitImage(), to avoid buffer overflow in
+XGetPixel(), which assumes sane values.
+Debian bug #414045.
+
+This patch by Daniel Kobras <kobras@debian.org>
+
+Index: libx11/src/ImUtil.c
+===================================================================
+--- libx11.orig/src/ImUtil.c	2007-03-09 02:21:29.000000000 +0100
++++ libx11/src/ImUtil.c	2007-03-09 02:22:34.000000000 +0100
+@@ -385,6 +385,8 @@
+     XImage *image;
+ {
+ 	if (image->depth == 0 || image->depth > 32 ||
++	    image->bits_per_pixel > 32 || image->bitmap_unit > 32 ||
++	    image->bits_per_pixel < 0 || image->bitmap_unit < 0 ||
+ 	    (image->format != XYBitmap &&
+ 	     image->format != XYPixmap &&
+ 	     image->format != ZPixmap) ||
diff --git a/debian/patches/series b/debian/patches/series
index 1364571..d10a1c1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@
 019_new_autoconf.diff
 020_CVE-2006-5397.diff
 021_compose_fclose.diff
+022_XInitImage_input_validate.diff


