
libdmx: Changes to 'debian-wheezy'



New branch 'debian-wheezy' available with the following commits:
commit 0df9b05bf69b1413433577d5e46c280290456c8b
Author: Julien Cristau <jcristau@debian.org>
Date:   Wed May 15 20:13:37 2013 +0200

    Upload to wheezy-security

commit e99aaae2ee15d977496a51d67378987aaf9cf298
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 13:48:28 2013 -0800

    integer overflow in DMXGetInputAttributes() [CVE-2013-1992 3/3]
    
    If the server provided nameLength causes integer overflow
    when padding length is added, a smaller buffer would be allocated
    than the amount of data written to it.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit aa72ec9eb440898789c2bcdd4446f07e416628e3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 13:48:28 2013 -0800

    integer overflow in DMXGetWindowAttributes() [CVE-2013-1992 2/3]
    
    If the server provided screenCount causes integer overflow when
    multiplied by the size of each array element, a smaller buffer
    would be allocated than the amount of data written to it.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit b03b651fda6a8e4e45c7c9515a8409727d64eb3f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 13:48:28 2013 -0800

    integer overflow in DMXGetScreenAttributes() [CVE-2013-1992 1/3]
    
    If the server provided displayNameLength causes integer overflow
    when padding length is added, a smaller buffer would be allocated
    than the amount of data written to it.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 7aeea88767897d1208baeed4e6386a55e448606a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri May 3 23:10:47 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
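
The three overflow patterns named in the commit messages above (a length plus padding, a count multiplied by an element size, and a word count shifted left by 2), written out as an added C example. It is not the libdmx patch or Xlib code: the helper names are hypothetical, the input values are constructed, and the arithmetic is done in uint32_t to reproduce 32-bit behaviour on any build.

```c
/* Added illustration; helper names are hypothetical, not libdmx or Xlib code. */
#include <stdint.h>
#include <stdio.h>

/* Unchecked: round a wire length up to a 4-byte boundary in 32-bit math. */
uint32_t pad4_unchecked(uint32_t len)
{
    return (len + 3u) & ~3u;            /* wraps to 0 for len >= 0xFFFFFFFD */
}

/* Checked: refuse lengths whose padded size does not fit in 32 bits. */
int pad4_checked(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX - 3u)
        return 0;
    *out = (len + 3u) & ~3u;
    return 1;
}

/* Checked: count * elem_size, as when sizing a per-screen array. */
int array_bytes_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Checked: reply length in 4-byte words converted to bytes (length << 2). */
int words_to_bytes_checked(uint32_t words, uint32_t *out)
{
    if (words > (UINT32_MAX >> 2))
        return 0;
    *out = words << 2;
    return 1;
}

int main(void)
{
    uint32_t n = 0xFFFFFFFEu, out = 0;  /* constructed hostile length */
    printf("unchecked pad: %u\n", (unsigned)pad4_unchecked(n));
    printf("checked pad ok: %d\n", pad4_checked(n, &out));
    printf("array ok: %d\n", array_bytes_checked(0x40000000u, 8u, &out));
    printf("words ok: %d\n", words_to_bytes_checked(0x40000000u, &out));
    return 0;
}
```

A caller would allocate and copy only when the checked helper returns 1, and otherwise discard the reply data and fail the request.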

