Bug#660411: libxi6: Memory corruption when used with recent X servers
Package: libxi6
Version: 2:1.3-6
Severity: important
Tags: upstream patch
libXi can cause heap corruption if it receives unknown device classes
in input devices, as it does not allocate any space to unknown classes,
yet it stores type and ID information of that class. If the unknown classes
are at the end of the list, 8 bytes following the allocated class info
block are corrupted.
This behaviour is observable with current X servers in experimental. As
heap corruption is a security problem (malign X servers could try to exploit
client code using Xinput2), fixing this bug might be eligible for a stable
update.
Commit
http://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=635c2c029b1e73311c3f650bcaf7eeb9e782134b
fixes the problem and applies (with offset and fuzz, though).
Regards,
Michael Karcher
-- System Information:
Debian Release: 6.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i586)
Kernel: Linux 2.6.32-5-486
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libxi6 depends on:
ii libc6 2.11.3-2 Embedded GNU C Library: Shared lib
ii libx11-6 2:1.3.3-4 X11 client-side library
ii libxext6 2:1.1.2-1 X11 miscellaneous extension librar
libxi6 recommends no packages.
libxi6 suggests no packages.
-- no debconf information
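
The sizing/copy mismatch described in the report, shown as an added example that is not part of the original message and is not libXi source: a simplified two-pass model where pass 1 reserves no space for unknown classes while pass 2 still stores their type and ID. The type numbers, struct names, the 16-byte record size and the sample devices are assumptions made for illustration; all stores are bounds-checked so the overrun is counted rather than performed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model built from the report's description; not libXi source.
   Type numbers, layouts and sizes are constructed for illustration. */
enum { CLS_KEY, CLS_BUTTON, CLS_VALUATOR, CLS_KNOWN_MAX = CLS_VALUATOR };
typedef struct { int type; int sourceid; } wire_class;  /* sent by the server */
typedef struct { int type; int sourceid; } class_hdr;   /* 8 bytes if int is 4 */
enum { KNOWN_SIZE = sizeof(class_hdr) + 8 };            /* header plus payload */
static int is_known(int type) { return type >= 0 && type <= CLS_KNOWN_MAX; }

/* Pass 1: size the block. Unknown classes reserve nothing. */
size_t reserve_bytes(const wire_class *w, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        if (is_known(w[i].type)) len += KNOWN_SIZE;
    return len;
}

/* Pass 2: fill the block; each store is bounds-checked and the return value is
   the number of bytes that would have landed past it. skip_unknown = 0 models
   the mismatch in the report, 1 applies the same filter as pass 1. */
size_t fill_classes(const wire_class *w, size_t n, unsigned char *buf,
                    size_t cap, int skip_unknown) {
    size_t off = 0, spilled = 0;
    for (size_t i = 0; i < n; i++) {
        int known = is_known(w[i].type);
        if (!known && skip_unknown) continue;
        class_hdr h = { w[i].type, w[i].sourceid };
        if (off + sizeof h <= cap) memcpy(buf + off, &h, sizeof h);
        else spilled += sizeof h;
        if (known) off += KNOWN_SIZE;  /* only sized classes advance */
    }
    return spilled;
}

/* Runs both passes over one device and returns the out-of-block byte count. */
size_t spill_for(const wire_class *w, size_t n, int skip_unknown) {
    size_t cap = reserve_bytes(w, n);
    unsigned char *buf = malloc(cap ? cap : 1);
    if (!buf) return (size_t)-1;
    size_t spilled = fill_classes(w, n, buf, cap, skip_unknown);
    free(buf);
    return spilled;
}

/* Constructed devices; type 99 stands for a class this client does not know. */
const wire_class dev_tail[] = { {CLS_KEY, 2}, {CLS_VALUATOR, 2}, {99, 2} };
const wire_class dev_mid[]  = { {CLS_KEY, 3}, {99, 3}, {CLS_BUTTON, 3} };
```

With the unknown class last, the mismatched pass spills one header past the block; with it in the middle, the stray header lands in the next known class's slot and is overwritten, so nothing leaves the block.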