libdmx: Changes to 'debian-wheezy'
New branch 'debian-wheezy' available with the following commits:
commit 0df9b05bf69b1413433577d5e46c280290456c8b
Author: Julien Cristau <jcristau@debian.org>
Date: Wed May 15 20:13:37 2013 +0200
Upload to wheezy-security
commit e99aaae2ee15d977496a51d67378987aaf9cf298
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Mar 9 13:48:28 2013 -0800
integer overflow in DMXGetInputAttributes() [CVE-2013-1992 3/3]
If the server provided nameLength causes integer overflow
when padding length is added, a smaller buffer would be allocated
than the amount of data written to it.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit aa72ec9eb440898789c2bcdd4446f07e416628e3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Mar 9 13:48:28 2013 -0800
integer overflow in DMXGetWindowAttributes() [CVE-2013-1992 2/3]
If the server provided screenCount causes integer overflow when
multiplied by the size of each array element, a smaller buffer
would be allocated than the amount of data written to it.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit b03b651fda6a8e4e45c7c9515a8409727d64eb3f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Mar 9 13:48:28 2013 -0800
integer overflow in DMXGetScreenAttributes() [CVE-2013-1992 1/3]
If the server provided displayNameLength causes integer overflow
when padding length is added, a smaller buffer would be allocated
than the amount of data written to it.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
commit 7aeea88767897d1208baeed4e6386a55e448606a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri May 3 23:10:47 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length bit shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reply to: