libxcursor: Changes to 'debian-wheezy'

To: debian-x@lists.debian.org
Subject: libxcursor: Changes to 'debian-wheezy'
From: Julien Cristau <jcristau@alioth.debian.org>
Date: Thu, 23 May 2013 18:58:59 +0000
Message-id: <E1Ufaj5-0002DX-By@vasks.debian.org>

New branch 'debian-wheezy' available with the following commits:
commit 9dccb86d48d47d6735fb40c2c56858f7a299b0a3
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue May 14 00:41:37 2013 +0200

    Upload to wheezy-security

commit e9cba4fa285f4eb93cea8a8ea1d8d98bce205fb7
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 21:17:28 2013 -0700

    signedness bug & integer overflow in _XcursorFileHeaderCreate() [CVE-2013-2003]
    
    When parsing cursor files, a user defined (e.g. through environment
    variables) cursor file is opened and parsed.
    
    The header is read in _XcursorReadFileHeader(), which reads an unsigned
    int for the number of toc structures in the header, but it was being
    passed to _XcursorFileHeaderCreate() as a signed int to allocate those
    structures.  If the number was negative, it would pass the bounds check
    and could overflow the calculation for how much memory to allocate to
    store the data being read, leading to overflowing the buffer with the
    data read from the user controlled file.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

Reply to:

Prev by Date: libxres: Changes to 'refs/tags/libxres-2_1.0.6-1+deb7u1'
Next by Date: libxcursor: Changes to 'refs/tags/libxcursor-1_1.1.13-1+deb7u1'
Previous by thread: libxres: Changes to 'refs/tags/libxres-2_1.0.6-1+deb7u1'
Next by thread: libxcursor: Changes to 'refs/tags/libxcursor-1_1.1.13-1+deb7u1'
Index(es):
- Date
- Thread