libxres: Changes to 'debian-wheezy'
New branch 'debian-wheezy' available with the following commits:
commit ad7f2cb02dd3fa13f7fcfeae2d2f40df2729bb0e
Author: Julien Cristau <jcristau@debian.org>
Date: Tue May 14 00:32:27 2013 +0200
Upload to wheezy-security
commit 1205f5ae76cc0114694f31ed24313f225eabb678
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 12 23:36:13 2013 -0700
integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]
The CARD32 rep.num_types needs to be bounds checked before multiplying
by sizeof(XResType) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit 04762076eb40d1ea06e0c091ef6348b421dc709d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 12 23:36:13 2013 -0700
integer overflow in XResQueryClients() [CVE-2013-1988 1/2]
The CARD32 rep.num_clients needs to be bounds checked before multiplying
by sizeof(XResClient) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit 330eb63c6f7526cf65ccf41d35411ebd24f4165a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 10:34:22 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
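
The two failure modes named in the commit messages above (a 32-bit count multiplied by an element size, and a 32-bit length in words shifted left by 2), next to a checked form, as an added C example that is not libXres code. The names `wire_elem`, `naive_bytes32`, `naive_words_to_bytes32`, `checked_bytes` and `alloc_elems`, the INT32_MAX ceiling and the sample counts are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical fixed-size reply record (8 bytes), not a libXres type. */
typedef struct { uint32_t id; uint32_t value; } wire_elem;

/* Unchecked size computation in 32-bit arithmetic: wraps modulo 2^32. */
static uint32_t naive_bytes32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Unchecked words-to-bytes shift on a 32-bit length: the top two bits are lost. */
static uint32_t naive_words_to_bytes32(uint32_t words)
{
    return words << 2;
}

/* Checked form: compare the count against max_bytes / elem_size BEFORE
 * multiplying. Returns 1 and stores the size, or 0 if the count is rejected. */
static int checked_bytes(uint32_t count, size_t elem_size, size_t max_bytes, size_t *out)
{
    if (elem_size == 0 || count > max_bytes / elem_size)
        return 0;
    *out = (size_t)count * elem_size;
    return 1;
}

/* Allocate room for `count` elements announced by the peer, or return NULL
 * when the count is out of bounds (the caller then discards the payload). */
static wire_elem *alloc_elems(uint32_t count)
{
    size_t bytes;
    if (!checked_bytes(count, sizeof(wire_elem), INT32_MAX, &bytes))
        return NULL;
    return malloc(bytes ? bytes : 1);
}

int main(void)
{
    uint32_t hostile = 0x20000001u;   /* constructed count: 8 * count wraps to 8 */
    printf("naive multiply: %u bytes\n", naive_bytes32(hostile, sizeof(wire_elem)));
    printf("naive shift: %u bytes\n", naive_words_to_bytes32(0x40000001u));
    printf("checked alloc: %s\n", alloc_elems(hostile) ? "allocated" : "rejected");
    return 0;
}
```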