libxfixes: Changes to 'debian-wheezy'
New branch 'debian-wheezy' available with the following commits:
commit c81e603e72452e1ce6e552d3b233dc000aa7386a
Author: Julien Cristau <jcristau@debian.org>
Date: Tue May 14 10:15:00 2013 +0200

    Upload to wheezy-security

commit c232971c7a1962cd7e0d46c38af6d237f568e69d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 10:24:08 2013 -0700

    integer overflow in XFixesGetCursorImage() [CVE-2013-1983]

    If the reported cursor dimensions or name length are too large, the
    calculations to allocate memory for them may overflow, leaving us
    writing beyond the bounds of the allocation.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 0ffaf2df79d9977d091f9b427baa8fb9bdc8ef42
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 10:20:59 2013 -0700

    Use _XEatDataWords to avoid overflow of _XEatData calculations

    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
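
The two arithmetic failures described in the CVE-2013-1983 and _XEatDataWords commit messages above, shown as an added C example (not code from libXfixes or from these commits). The function names, the 16-bit dimension fields, the 4-bytes-per-pixel layout, the trailing NUL and the `limit` parameter are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked size calculation in 32-bit arithmetic, as on a 32-bit build.
 * Assumed layout: 4 bytes per pixel, then the name and a trailing NUL. */
uint32_t naive_size32(uint16_t w, uint16_t h, uint32_t name_len)
{
    return (uint32_t)w * h * 4u + name_len + 1u;   /* wraps modulo 2^32 */
}

/* Checked form: do the arithmetic in 64 bits and refuse anything above
 * `limit` (hypothetical cap, e.g. UINT32_MAX to model a 32-bit size_t).
 * Returns 0 and stores the size in *out, or -1 if the reply is too large. */
int checked_size(uint16_t w, uint16_t h, uint32_t name_len,
                 uint64_t limit, size_t *out)
{
    uint64_t total = (uint64_t)w * h * 4u + (uint64_t)name_len + 1u;
    if (total > limit || total > SIZE_MAX)
        return -1;
    *out = (size_t)total;
    return 0;
}

/* A word count shifted in 32 bits (the "rep.length << 2" pattern) wraps. */
uint32_t shift32(uint32_t words) { return words << 2; }

/* Widening before multiplying keeps the true byte count. */
uint64_t words_to_bytes(uint32_t words) { return (uint64_t)words * 4u; }

int main(void)
{
    size_t n = 0;
    /* Constructed values chosen so the 32-bit results wrap to small numbers. */
    printf("naive 32768x32768, name 15: %u bytes\n",
           (unsigned)naive_size32(32768, 32768, 15));
    printf("checked 32768x32768: %d\n",
           checked_size(32768, 32768, 15, UINT32_MAX, &n));
    printf("checked 64x64: %d (%zu bytes)\n",
           checked_size(64, 64, 15, UINT32_MAX, &n), n);
    printf("0x40000001 words: shift32=%u, widened=%llu\n",
           (unsigned)shift32(0x40000001u),
           (unsigned long long)words_to_bytes(0x40000001u));
    return 0;
}
```

A buffer sized by the wrapped value is far smaller than the data the reply claims to carry, which is the out-of-bounds write the first commit message describes.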