libxi: Changes to 'debian-wheezy'



New branch 'debian-wheezy' available with the following commits:
commit 0649038feb3587a78c23f869bc5614da383bc4ea
Author: Julien Cristau <jcristau@debian.org>
Date:   Wed May 15 14:36:11 2013 +0200

    Upload to wheezy-security

commit 8075993a30fcdfc8de6c267a3ff9866cc26a1f3a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Mar 10 00:16:22 2013 -0800

    sign extension issue in XListInputDevices() [CVE-2013-1995]
    
    nptr is (signed) char, which can be negative, and will sign extend
    when added to the int size, which means size can be subtracted from,
    leading to allocating too small a buffer to hold the data being copied
    from the X server's reply.
    
    v2: check that string size fits inside the data read from the server,
        so that we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
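The sign-extension problem and the v2 bounds check described in this commit message, as an added example (not libXi code; the function names and the sample reply are hypothetical and constructed here). It sums length-prefixed name sizes once with the length byte read as `signed char` and once as an unsigned value with each name checked against the data actually read.

```c
#include <stdio.h>
#include <string.h>

static unsigned char sample[207];   /* constructed reply data, not a capture */

/* Two length-prefixed names: one of 200 bytes (0xC8), then "mouse". */
static size_t build_sample(void)
{
    sample[0] = 200;  memset(sample + 1, 'A', 200);
    sample[201] = 5;  memcpy(sample + 202, "mouse", 5);
    return sizeof(sample);
}

/* Pre-fix arithmetic: the length byte is read as signed char and sign
 * extends. Stepping uses the true length so the demo stays in bounds. */
static long names_size_signed(const unsigned char *buf, size_t buflen, int n)
{
    long size = 0;
    size_t off = 0;
    for (int i = 0; i < n && off < buflen; i++) {
        signed char len = (signed char)buf[off];  /* 0x80..0xFF go negative */
        size += len + 1;
        off += (size_t)buf[off] + 1;
    }
    return size;
}

/* Hardened: unsigned length, and every name must fit inside the data
 * read from the server. Returns -1 for a malformed reply. */
static long names_size_checked(const unsigned char *buf, size_t buflen, int n)
{
    long size = 0;
    size_t off = 0;
    for (int i = 0; i < n; i++) {
        if (off >= buflen) return -1;              /* no length byte left */
        size_t len = buf[off];
        if (len + 1 > buflen - off) return -1;     /* name runs past the end */
        size += (long)len + 1;
        off += len + 1;
    }
    return size;
}

int main(void)
{
    size_t n = build_sample();
    printf("signed char sum: %ld\n", names_size_signed(sample, n, 2));
    printf("checked sum:     %ld\n", names_size_checked(sample, n, 2));
    return 0;
}
```

With the signed read, the 200-byte name subtracts from the total, so a buffer sized from that sum is smaller than the data later copied into it.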

commit ca75859724e942ce6432c5a822e6ab12c3882883
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Mar 10 00:22:14 2013 -0800

    Avoid integer overflow in XListInputDevices() [CVE-2013-1984 8/8]
    
    If the length of the reply as reported by the Xserver is too long, it
    could overflow the calculation for the size of the buffer to copy the
    reply into, causing memory corruption.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit deea43ac0efc7486e7ba4338ab532a4c0cb71df1
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Mar 10 13:30:55 2013 -0700

    Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8]
    
    If the number of items as reported by the Xserver is too large, it
    could overflow the calculation for the size of the buffer to copy the
    reply into, causing memory corruption.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit d4892961bfdaf2de8a8fa7a0190718e2a35f12fa
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]
    
    If the number of events or masks reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    or the sizes overflow as they are totaled up, then memory corruption can
    occur when more bytes are copied from the X server reply than the size
    of the buffer we allocated to hold them.
    
    v2: check that reply size fits inside the data read from the server,
        so that we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit b7bc1061d909a0eb12a30fd1a8b17340552f1fb5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XIGetProperty() [CVE-2013-1984 5/8]
    
    If the number of items reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate item type,
    then memory corruption can occur when more bytes are copied from the
    X server reply than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit ba51a5cb3555ecff5fe0f7f471c3d7b637b1c574
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8]
    
    If the number of events or axes reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    then memory corruption can occur when more bytes are copied from the
    X server reply than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit f6fa21eeb259336af210102ee69204fdab4a4c5b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]
    
    If the number of event classes reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    then memory corruption can occur when more bytes are copied from the
    X server reply than the size of the buffer we allocated to hold them.
    
    V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 2fbecda1713d2ba763d001d30e7d5146336d3ec0
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]
    
    If the number of feedbacks reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate struct, or
    if the total size of all the feedback structures overflows when added
    together, then memory corruption can occur when more bytes are copied from
    the X server reply than the size of the buffer we allocated to hold them.
    
    v2: check that reply size fits inside the data read from the server, so
        we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 67c0681049ca4d7f7b96c0b01a0f9bb76625d75c
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8]
    
    If the number of valuators reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate struct, then
    memory corruption can occur when more bytes are copied from the X server
    reply than the size of the buffer we allocated to hold them.
    
    v2: check that reply size fits inside the data read from the server, so
    we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 6c102132d0dd3b639b1c018af6d45f0dffa6d457
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 26 22:48:36 2013 -0700

    unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3]
    
    If the lengths given for each class state in the reply add up to more
    than the rep.length, we could read past the end of the buffer allocated
    to hold the data read from the server.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 879dd6ce1d3ec05856ca77e56285a1440ed58b23
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 23:37:23 2013 -0800

    memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]
    
    If the server returned more modifiers than the caller asked for,
    we'd just keep copying past the end of the array provided by the
    caller, writing over who-knows-what happened to be there.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 2f749f116a4156f63cc6b8ec2a0b81dbbb8bf3da
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:26:52 2013 -0800

    Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]
    
    We copy the entire reply sent by the server into the fixed size
    mapping[] array on the stack, even if the server says it's a larger
    size than the mapping array can hold.  HULK SMASH STACK!
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit fc02906650e9c9d0f811009fd0c4b311189e1210
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed May 1 23:58:39 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
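The count-times-size overflow described in the CVE-2013-1984 commits above and the `rep.length << 2` overflow in the last commit, as an added example (not libXi code; function names and values are hypothetical). It shows both 32-bit calculations wrapping, next to a check that rejects the reply before any allocation or copy.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked 32-bit size: count * elem_size wraps modulo 2^32. */
static uint32_t size_unchecked(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Reply length in bytes computed in 32 bits: length << 2 wraps too. */
static uint32_t reply_bytes_32(uint32_t length_words)
{
    return length_words << 2;
}

/* Hardened: returns the number of bytes needed, or -1 if the product would
 * overflow or would exceed the data read from the server (length_words is
 * the reply length in 4-byte units). */
static int64_t size_checked(uint32_t count, uint32_t elem_size,
                            uint32_t length_words)
{
    uint64_t reply_bytes = (uint64_t)length_words * 4;  /* 64-bit, no wrap */

    if (elem_size == 0 || count > (uint32_t)INT32_MAX / elem_size)
        return -1;                         /* product would overflow */
    uint64_t need = (uint64_t)count * elem_size;
    if (need > reply_bytes)
        return -1;                         /* would read out of bounds */
    return (int64_t)need;
}

int main(void)
{
    /* Constructed values chosen to make the 32-bit arithmetic wrap. */
    uint32_t count = 0x10000001u, elem = 16, words = 0x40000001u;

    printf("unchecked size: %" PRIu32 "\n", size_unchecked(count, elem));
    printf("32-bit reply bytes: %" PRIu32 "\n", reply_bytes_32(words));
    printf("checked (hostile): %" PRId64 "\n", size_checked(count, elem, words));
    printf("checked (sane):    %" PRId64 "\n", size_checked(4, 16, 16));
    return 0;
}
```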
