libxrandr: Changes to 'debian-wheezy'
New branch 'debian-wheezy' available with the following commits:

commit 4be7eec960a21a8f30b4ef734e3eea0d3822c6bc
Author: Julien Cristau <jcristau@debian.org>
Date: Tue May 14 19:00:48 2013 +0200

    Upload to wheezy-security

commit 2ee6511dfc3c3cd766021d26554643bd984b18ac
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat May 4 21:47:50 2013 -0700

    Make XRRGet*Property() always initialize returned values

    Avoids memory corruption and other errors when callers access them
    without checking to see if the calls returned an error value.

    Callers are still required to check for errors, this just reduces the
    damage when they don't.

    (Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit d4946df6b4c2352b91786253d9bbfb098f59a821
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat May 4 21:37:49 2013 -0700

    integer overflow in XRRGetOutputProperty() [CVE-2013-1986 3/4]

    If the reported number of properties is too large, the calculations
    to allocate memory for them may overflow, leaving us returning less
    memory to the caller than implied by the value written to *nitems.

    (Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 30f848810239641ba6399f4f379ff1325359ce26
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 12 21:44:59 2013 -0700

    integer overflow in XRRQueryOutputProperty() [CVE-2013-1986 1/4]

    rep.length is a CARD32, while rbytes was a signed int, so
        rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
    could result in integer overflow, leading to an undersized malloc
    and reading data off the connection and writing it past the end of
    the allocated buffer.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit e3c51160c87bc8cfe43f944df641bc1e627797ec
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri May 3 23:29:22 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting

    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
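
The size arithmetic described in the "[CVE-2013-1986 1/4]" and "_XEatDataWords" commit messages above, as an added example that is not libXrandr's code and not part of the original mail. It models a 32-bit build with fixed-width types; HDR_SIZE (a stand-in for sizeof (XRRPropertyInfo)), LONG_SIZE and all function names are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions: a 32-bit build, so sizeof(long) == 4; HDR_SIZE is a
 * constructed stand-in for sizeof(XRRPropertyInfo). */
#define HDR_SIZE  16u
#define LONG_SIZE 4u

/* Unchecked form: 32-bit arithmetic wraps modulo 2^32, so a very large
 * reply length produces a very small allocation size. */
uint32_t alloc_size_unchecked(uint32_t rep_length)
{
    return HDR_SIZE + rep_length * LONG_SIZE;
}

/* Byte count obtained by shifting the word count: wraps the same way. */
uint32_t wire_bytes_shifted(uint32_t rep_length)
{
    return rep_length << 2;
}

/* Checked form: reject any length whose byte size would not fit in an int
 * before multiplying. Returns 0 and sets *out on success, -1 on rejection;
 * on rejection the caller discards the reply by word count and fails. */
int alloc_size_checked(uint32_t rep_length, size_t *out)
{
    if (rep_length > (INT_MAX - HDR_SIZE) / LONG_SIZE)
        return -1;
    *out = (size_t)HDR_SIZE + (size_t)rep_length * LONG_SIZE;
    return 0;
}

int main(void)
{
    uint32_t big = 0x40000001u;  /* constructed reply length, in words */
    size_t n = 0;

    printf("unchecked alloc: %u bytes\n", (unsigned)alloc_size_unchecked(big));
    printf("shifted count:   %u bytes\n", (unsigned)wire_bytes_shifted(big));
    printf("checked, big:    %d\n", alloc_size_checked(big, &n));
    if (alloc_size_checked(8, &n) == 0)
        printf("checked, 8:      %zu bytes\n", n);
    return 0;
}
```

With the constructed length 0x40000001 the unchecked size wraps to 20 bytes while the reply still carries over four gigabytes of words, which is the undersized-buffer condition the commit message describes.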