libxxf86dga: Changes to 'debian-wheezy'
New branch 'debian-wheezy' available with the following commits:
commit 4825015c94dfaeeb7529986367906086bf1d5c41
Author: Julien Cristau <jcristau@debian.org>
Date: Wed May 15 18:56:27 2013 +0200
Upload to wheezy-security
commit 9ebc6176dee7bad0e78f13fa8d5171df07ed4293
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 12:53:49 2013 -0700
integer overflow in XDGAOpenFramebuffer()
rep.length is a CARD32 and should be bounds checked before left shifting
to come up with the size to allocate and read from the network, though
since both functions take the same size, there should be no way for the
buffer to be overflowed in this case.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit 2147c46853f29439f860114fde7f9617cf3a7449
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 12:45:41 2013 -0700
buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
When reading the name strings for the mode off the network, we never
checked to make sure the length of the name strings didn't overflow
the size of the buffer we'd allocated based on the reported rep.length
for the total reply size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit 1a9f4506132921b3de3512e03857239d3debd65d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 12:38:25 2013 -0700
integer overflow & underflow in XDGASetMode() [CVE-2013-1991 2/2]
rep.length is a CARD32 and needs to be bounds checked before bit shifting
and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
to avoid integer overflow or underflow leading to underallocation and
writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit 3824bb711847805ae72d6e29c00ccdcaa27fe936
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 12:27:10 2013 -0700
buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
When reading the name strings for the modes off the network, we never
checked to make sure the length of the individual name strings didn't
overflow the size of the buffer we'd allocated based on the reported
rep.length for the total reply size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit 7b660492996b63665241815382d8faaac7f014d7
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 12:18:57 2013 -0700
integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
number is a CARD32 and needs to be bounds checked before multiplying by
sizeof(XDGAmode) to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit 160d1d35312fd8a315429ce4d78c16ecd61faebe
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 12:05:25 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reply to: