libxrandr: Changes to 'debian-wheezy'

To: debian-x@lists.debian.org
Subject: libxrandr: Changes to 'debian-wheezy'
From: Julien Cristau <jcristau@alioth.debian.org>
Date: Thu, 23 May 2013 18:59:08 +0000
Message-id: <E1UfajE-0002IW-SS@vasks.debian.org>

New branch 'debian-wheezy' available with the following commits:
commit 4be7eec960a21a8f30b4ef734e3eea0d3822c6bc
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue May 14 19:00:48 2013 +0200

    Upload to wheezy-security

commit 2ee6511dfc3c3cd766021d26554643bd984b18ac
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat May 4 21:47:50 2013 -0700

    Make XRRGet*Property() always initialize returned values
    
    Avoids memory corruption and other errors when callers access them
    without checking to see if the calls returned an error value.
    
    Callers are still required to check for errors, this just reduces the
    damage when they don't.
    
    (Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit d4946df6b4c2352b91786253d9bbfb098f59a821
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat May 4 21:37:49 2013 -0700

    integer overflow in XRRGetOutputProperty() [CVE-2013-1986 3/4]
    
    If the reported number of properties is too large, the calculations
    to allocate memory for them may overflow, leaving us returning less
    memory to the caller than implied by the value written to *nitems.
    
    (Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 30f848810239641ba6399f4f379ff1325359ce26
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 21:44:59 2013 -0700

    integer overflow in XRRQueryOutputProperty() [CVE-2013-1986 1/4]
    
    rep.length is a CARD32, while rbytes was a signed int, so
       rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
    could result in integer overflow, leading to an undersized malloc
    and reading data off the connection and writing it past the end of
    the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit e3c51160c87bc8cfe43f944df641bc1e627797ec
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri May 3 23:29:22 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

Reply to:

Prev by Date: libxi: Changes to 'refs/tags/libxi-2_1.6.1-1+deb7u1'
Next by Date: libxrandr: Changes to 'refs/tags/libxrandr-2_1.3.2-2+deb7u1'
Previous by thread: libxi: Changes to 'refs/tags/libxi-2_1.6.1-1+deb7u1'
Next by thread: libxrandr: Changes to 'refs/tags/libxrandr-2_1.3.2-2+deb7u1'
Index(es):
- Date
- Thread