
libxrender: Changes to 'debian-wheezy'



New branch 'debian-wheezy' available with the following commits:
commit 90ea8142eb33d733b6a348746868e90c3158d248
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue May 14 19:29:23 2013 +0200

    Upload to wheezy-security

commit 32896bb3d2bd0990b4e3a16397f9b6b37c96b1a0
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 23:02:11 2013 -0700

    integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
    
    The length and numIndexValues members of the reply are both CARD32 and
    need to be bounds checked before multiplying by sizeof (XIndexValue) to
    avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit baed2297c0fc2ba0e94e93ffc83b397cd9eabc24
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 23:02:11 2013 -0700

    integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]
    
    The length, numFormats, numScreens, numDepths, and numVisuals members of
    the reply are all CARD32 and need to be bounds checked before multiplying
    and adding them together to come up with the total size to allocate, to
    avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 89914eb45ff0f55f2a33fd1a1b0cbbb26a6441fc
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 22:45:20 2013 -0700

    integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3]
    
    The length, numFilters & numAliases members of the reply are all CARD32
    and need to be bounds checked before multiplying & adding them together
    to come up with the total size to allocate, to avoid integer overflow
    leading to underallocation and writing data from the network past the
    end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 432e759ed95aa5486cb65d25b35253dad59b47af
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri May 3 22:48:11 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
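
The check these commit messages call for, shown as an added example that is not code from libXrender or from the commits above: a size computed from two CARD32 reply fields wraps in 32-bit arithmetic unless both fields are bounded first. The struct layouts, function names, the 12-byte element size and the INT_MAX-based limits are assumptions made for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for this example, not libXrender's own definitions. */
typedef struct { uint32_t pixel, rg, ba; } index_value_t;   /* 12-byte element */
typedef struct {
    uint32_t length;          /* payload length in 4-byte words, from the wire */
    uint32_t numIndexValues;  /* element count, from the wire */
} reply_hdr_t;
_Static_assert(sizeof(index_value_t) == 12, "example assumes 12-byte elements");

/* Unchecked pattern: the product wraps modulo 2^32, as size_t does on 32-bit. */
uint32_t unchecked_alloc_size(const reply_hdr_t *rep)
{
    return rep->numIndexValues * (uint32_t)sizeof(index_value_t);
}

/* Checked pattern: 0 and *out on success, -1 if the reply must be discarded. */
int checked_alloc_size(const reply_hdr_t *rep, size_t *out)
{
    /* Bound both fields first so neither the shift nor the product can wrap. */
    if (rep->length >= (uint32_t)(INT_MAX >> 2) ||
        rep->numIndexValues >= (uint32_t)(INT_MAX / sizeof(index_value_t)))
        return -1;
    size_t payload_bytes = (size_t)rep->length << 2;
    size_t need = (size_t)rep->numIndexValues * sizeof(index_value_t);
    if (need > payload_bytes)     /* count claims more data than was sent */
        return -1;
    *out = need;
    return 0;
}

int main(void)
{
    /* Constructed reply: 0x15555556 * 12 = 2^32 + 8, which truncates to 8. */
    reply_hdr_t wrapping = { 2, 0x15555556u };
    size_t n = 0;
    printf("unchecked size: %u bytes\n", (unsigned)unchecked_alloc_size(&wrapping));
    printf("checked result: %d\n", checked_alloc_size(&wrapping, &n));
    return 0;
}
```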

