libxi: Changes to 'debian-unstable'
ChangeLog | 517 +++++++++++++++++++++++++++++++++++++++
autogen.sh | 4
configure.ac | 13
debian/changelog | 21 +
debian/compat | 2
debian/control | 8
debian/libxi-dev.install | 1
debian/libxi-dev.manpages | 1
debian/libxi6.symbols | 2
debian/patches/series | 2
debian/rules | 23 -
include/X11/extensions/XInput2.h | 47 +++
man/Makefile.am | 9
man/XGetDeviceControl.txt | 12
man/XIBarrierReleasePointer.txt | 76 +++++
man/XIGrabButton.txt | 3
src/Makefile.am | 4
src/XExtInt.c | 110 +++++---
src/XGMotion.c | 24 +
src/XGetBMap.c | 21 -
src/XGetDCtl.c | 41 ++-
src/XGetDProp.c | 64 ++--
src/XGetFCtl.c | 40 ++-
src/XGetKMap.c | 2
src/XGetMMap.c | 2
src/XGetProp.c | 16 -
src/XGtSelect.c | 2
src/XIBarrier.c | 81 ++++++
src/XIGrabDevice.c | 19 -
src/XIPassiveGrab.c | 12
src/XIProperties.c | 18 -
src/XIQueryVersion.c | 6
src/XISelEv.c | 65 +++-
src/XIint.h | 15 +
src/XListDProp.c | 2
src/XListDev.c | 31 +-
src/XOpenDev.c | 2
src/XQueryDv.c | 19 -
src/config.h.in | 71 -----
xi.pc.in | 2
40 files changed, 1147 insertions(+), 263 deletions(-)
New commits:
commit a536a94af6b825f838cac96b9f11971a6966ae40
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 15:51:05 2013 +0200
Upload to unstable
diff --git a/debian/changelog b/debian/changelog
index acb24af..61e151a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-libxi (2:1.7.1.901-1) UNRELEASED; urgency=low
+libxi (2:1.7.1.901-1) unstable; urgency=low
* New upstream release candidate.
@@ -17,7 +17,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low
* Fix clean rule for config.h.in.
* Use dh_prep instead of dh_clean -k.
- -- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 06 Feb 2013 23:43:08 +0200
+ -- Julien Cristau <jcristau@debian.org> Sun, 30 Jun 2013 15:51:02 +0200
libxi (2:1.6.1-1) unstable; urgency=low
commit 5e923a687c4391fcd9828ce551a18b901a324c42
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 15:51:01 2013 +0200
Use dh_prep instead of dh_clean -k.
diff --git a/debian/changelog b/debian/changelog
index 66989a9..acb24af 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low
* Bump debhelper compat level to 7.
* Simplify installing manpages.
* Fix clean rule for config.h.in.
+ * Use dh_prep instead of dh_clean -k.
-- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 06 Feb 2013 23:43:08 +0200
diff --git a/debian/rules b/debian/rules
index 83871c1..40fb02a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -69,7 +69,7 @@ clean: xsfclean
install: build
dh_testdir
dh_testroot
- dh_clean -k
+ dh_prep
dh_installdirs
cd build && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install
commit c218add56ca740a5b177d51837595b3cbb12dc3e
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 15:42:44 2013 +0200
Fix clean rule for config.h.in.
diff --git a/debian/changelog b/debian/changelog
index bb9946f..66989a9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low
* Disable silent build rules.
* Bump debhelper compat level to 7.
* Simplify installing manpages.
+ * Fix clean rule for config.h.in.
-- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 06 Feb 2013 23:43:08 +0200
diff --git a/debian/rules b/debian/rules
index d4c418e..83871c1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -62,7 +62,7 @@ clean: xsfclean
rm -rf autom4te.cache */autom4te.cache
rm -rf build
find -name Makefile.in -delete
- rm -f INSTALL compile config.guess config.sub configure config.h.in
+ rm -f INSTALL compile config.guess config.sub configure src/config.h.in
rm -f depcomp install-sh ltmain.sh missing aclocal.m4 mkinstalldirs
dh_clean
diff --git a/src/config.h.in b/src/config.h.in
deleted file mode 100644
index 1b81ba9..0000000
--- a/src/config.h.in
+++ /dev/null
@@ -1,71 +0,0 @@
-/* src/config.h.in. Generated from configure.ac by autoheader. */
-
-/* Define to 1 if you have the <dlfcn.h> header file. */
-#undef HAVE_DLFCN_H
-
-/* Define to 1 if you have the <inttypes.h> header file. */
-#undef HAVE_INTTYPES_H
-
-/* Define to 1 if you have the <memory.h> header file. */
-#undef HAVE_MEMORY_H
-
-/* Define to 1 if you have the <stdint.h> header file. */
-#undef HAVE_STDINT_H
-
-/* Define to 1 if you have the <stdlib.h> header file. */
-#undef HAVE_STDLIB_H
-
-/* Define to 1 if you have the <strings.h> header file. */
-#undef HAVE_STRINGS_H
-
-/* Define to 1 if you have the <string.h> header file. */
-#undef HAVE_STRING_H
-
-/* Define to 1 if you have the <sys/stat.h> header file. */
-#undef HAVE_SYS_STAT_H
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#undef HAVE_SYS_TYPES_H
-
-/* Define to 1 if you have the <unistd.h> header file. */
-#undef HAVE_UNISTD_H
-
-/* Define to the sub-directory in which libtool stores uninstalled libraries.
- */
-#undef LT_OBJDIR
-
-/* Name of package */
-#undef PACKAGE
-
-/* Define to the address where bug reports for this package should be sent. */
-#undef PACKAGE_BUGREPORT
-
-/* Define to the full name of this package. */
-#undef PACKAGE_NAME
-
-/* Define to the full name and version of this package. */
-#undef PACKAGE_STRING
-
-/* Define to the one symbol short name of this package. */
-#undef PACKAGE_TARNAME
-
-/* Define to the home page for this package. */
-#undef PACKAGE_URL
-
-/* Define to the version of this package. */
-#undef PACKAGE_VERSION
-
-/* Major version of this package */
-#undef PACKAGE_VERSION_MAJOR
-
-/* Minor version of this package */
-#undef PACKAGE_VERSION_MINOR
-
-/* Patch version of this package */
-#undef PACKAGE_VERSION_PATCHLEVEL
-
-/* Define to 1 if you have the ANSI C header files. */
-#undef STDC_HEADERS
-
-/* Version number of package */
-#undef VERSION
commit 4a11c07ff2c6b7fd1de80cbbd8517bf7d76814ab
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 15:38:44 2013 +0200
Simplify installing manpages.
diff --git a/debian/changelog b/debian/changelog
index 8570213..bb9946f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low
* Use dpkg-buildflags.
* Disable silent build rules.
* Bump debhelper compat level to 7.
+ * Simplify installing manpages.
-- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 06 Feb 2013 23:43:08 +0200
diff --git a/debian/libxi-dev.install b/debian/libxi-dev.install
index 5f68330..6eb611b 100644
--- a/debian/libxi-dev.install
+++ b/debian/libxi-dev.install
@@ -4,3 +4,4 @@ usr/lib/*/pkgconfig/xi.pc
usr/include/X11/extensions/
usr/share/doc/libXi/*.html usr/share/doc/libxi-dev
usr/share/doc/libXi/*.txt usr/share/doc/libxi-dev
+usr/share/man/man3
diff --git a/debian/libxi-dev.manpages b/debian/libxi-dev.manpages
deleted file mode 100644
index 7c72677..0000000
--- a/debian/libxi-dev.manpages
+++ /dev/null
@@ -1 +0,0 @@
-debian/tmp/usr/share/man/man3/*
diff --git a/debian/rules b/debian/rules
index ab3912d..d4c418e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -82,7 +82,7 @@ binary-arch: build install
dh_installdocs
find debian/tmp -name '*.xml' -delete
find debian/tmp -name '*.db' -delete
- dh_install --fail-missing --exclude=libXi.la --exclude=usr/share/man/man3
+ dh_install --fail-missing --exclude=libXi.la
dh_installman
dh_installchangelogs
dh_link
commit fae2d21774ae5d1259664fdda5441fd217439d5a
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 15:37:22 2013 +0200
Bump debhelper compat level to 7.
diff --git a/debian/changelog b/debian/changelog
index 5ebf177..8570213 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low
[ Julien Cristau ]
* Use dpkg-buildflags.
* Disable silent build rules.
+ * Bump debhelper compat level to 7.
-- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 06 Feb 2013 23:43:08 +0200
diff --git a/debian/compat b/debian/compat
index 7ed6ff8..7f8f011 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-5
+7
diff --git a/debian/rules b/debian/rules
index 069d899..ab3912d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -82,9 +82,9 @@ binary-arch: build install
dh_installdocs
find debian/tmp -name '*.xml' -delete
find debian/tmp -name '*.db' -delete
- dh_install --sourcedir=debian/tmp --fail-missing --exclude=libXi.la --exclude=usr/share/man/man3
+ dh_install --fail-missing --exclude=libXi.la --exclude=usr/share/man/man3
dh_installman
- dh_installchangelogs ChangeLog
+ dh_installchangelogs
dh_link
dh_strip -p$(PACKAGE) --dbg-package=$(PACKAGE)-dbg
dh_strip -N$(PACKAGE)
commit dcc2345a792ab73ca98dda18a47fd80b5d38f96e
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 15:29:06 2013 +0200
Disable silent build rules.
diff --git a/debian/changelog b/debian/changelog
index d5d2804..5ebf177 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low
[ Julien Cristau ]
* Use dpkg-buildflags.
+ * Disable silent build rules.
-- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 06 Feb 2013 23:43:08 +0200
diff --git a/debian/rules b/debian/rules
index 6cbcf80..069d899 100755
--- a/debian/rules
+++ b/debian/rules
@@ -36,6 +36,7 @@ build/config.status: configure
cd build && \
../configure --prefix=/usr --mandir=\$${prefix}/share/man \
--infodir=\$${prefix}/share/info \
+ --disable-silent-rules \
--with-xmlto \
--without-fop \
--libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
commit ee476ab098bcc1d9a39ee12ee118d255a6738f0d
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 15:28:30 2013 +0200
Use dpkg-buildflags.
diff --git a/debian/changelog b/debian/changelog
index ff9c9a5..d5d2804 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,9 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low
* rules: Bump shlibs.
* control: Add libfixes-dev to build-deps and libxi-dev Depends.
+ [ Julien Cristau ]
+ * Use dpkg-buildflags.
+
-- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 06 Feb 2013 23:43:08 +0200
libxi (2:1.6.1-1) unstable; urgency=low
diff --git a/debian/control b/debian/control
index 3161890..e947000 100644
--- a/debian/control
+++ b/debian/control
@@ -5,6 +5,8 @@ Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Uploaders: Drew Parsons <dparsons@debian.org>, Cyril Brulebois <kibi@debian.org>
Build-Depends:
debhelper (>= 8.1.3),
+# dpkg-buildflags --export=configure
+ dpkg-dev (>= 1.16.1),
x11proto-core-dev (>= 7.0.13),
x11proto-xext-dev (>= 7.0.3),
x11proto-input-dev (>= 2.2.99.1),
diff --git a/debian/rules b/debian/rules
index 3c97ff8..6cbcf80 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,12 +12,6 @@ PACKAGE = libxi6
include debian/xsfbs/xsfbs.mk
-CFLAGS = -Wall -g
-ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
- CFLAGS += -O0
-else
- CFLAGS += -O2
-endif
ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
MAKEFLAGS += -j$(NUMJOBS)
@@ -32,6 +26,7 @@ ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
else
confflags += --build=$(DEB_BUILD_GNU_TYPE) --host=$(DEB_HOST_GNU_TYPE)
endif
+confflags += $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)
configure: $(STAMP_DIR)/patch
autoreconf -vfi
@@ -40,12 +35,11 @@ build/config.status: configure
mkdir -p build
cd build && \
../configure --prefix=/usr --mandir=\$${prefix}/share/man \
- --infodir=\$${prefix}/share/info $(confflags) \
+ --infodir=\$${prefix}/share/info \
--with-xmlto \
--without-fop \
--libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
- CFLAGS="$(CFLAGS)"
-
+ $(confflags)
build: build-indep build-arch
build-indep:
commit a9bd8d6151f43a7839e35b9d56a78a840d0967a8
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 15:24:38 2013 +0200
Bump changelogs
diff --git a/ChangeLog b/ChangeLog
index 4e2a391..cf57166 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,303 @@
+commit 957a9d64afd76f878ce6c5570f369e2a7fc1e772
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu Jun 27 08:47:16 2013 +1000
+
+ libXi 1.7.1.901
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 62033a9c83bcdc75b9f1452ce24729eefa8f4dc0
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu Jun 27 06:25:02 2013 +1000
+
+ Include limits.h to prevent build error: missing INT_MAX
+
+ Introduced in 4c8e9bcab459ea5f870d3e56eff15f931807f9b7.
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 0f3f5a36d5fc6dc53f69f48a0c83aef6a1fcf381
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue May 28 15:52:34 2013 +1000
+
+ If the XGetDeviceDontPropagateList reply has an invalid length, return 0
+
+ If we skip over the reply data, return 0 as number of event classes.
+
+ Follow-up to 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff.
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 35ae16dc2f16b24a22625b2d9f76a2128b673a6c
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue May 28 15:52:33 2013 +1000
+
+ Change size += to size = in XGetDeviceControl
+
+ size += blah is technically correct but it implies that we're looping or
+ otherwise incrementing the size. Which we don't, it's only ever set once.
+
+ Change this to avoid reviewer confusion.
+
+ Reported-by: Dave "color-me-confused" Airlie <airlied@redhat.com>
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 4c8e9bcab459ea5f870d3e56eff15f931807f9b7
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue May 28 15:52:32 2013 +1000
+
+ Fix potential corruption in mask_len handling
+
+ First: check for allocation failure on the mask.
+ XI2 requires that the mask is zeroed, so we can't just Data() the mask
+ provided by the client (it will pad) - we need a tmp buffer. Make sure that
+ doesn't fail.
+
+ Second:
+ req->mask_len is a uint16_t, so check against malicious mask_lens that would
+ cause us to corrupt memory on copy, as the code always allocates
+ req->mask_len * 4, but copies mask->mask_len bytes.
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 661c45ca17c434dbd342a46fd3fb813852ae0ca9
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue May 21 12:23:05 2013 +1000
+
+ Don't overwrite the cookies serial number
+
+ serial != sequenceNumber, see _XSetLastRequestRead()
+
+ cookie->serial is already set at this point, setting it again directly from
+ the sequenceNumber of the event causes a bunch of weird issues such as
+ scrollbars and text drag-n-drop breaking.
+
+ https://bugzilla.redhat.com/show_bug.cgi?id=965347
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 81b4df8ac6aa1520c41c3526961014a6f115cc46
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun Mar 10 00:16:22 2013 -0800
+
+ sign extension issue in XListInputDevices() [CVE-2013-1995]
+
+ nptr is (signed) char, which can be negative, and will sign extend
+ when added to the int size, which means size can be subtracted from,
+ leading to allocating too small a buffer to hold the data being copied
+ from the X server's reply.
+
+ v2: check that string size fits inside the data read from the server,
+ so that we don't read out of bounds either
+
+ Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit ef82512288d8ca36ac0beeb289f158195b0a8cae
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun Mar 10 00:22:14 2013 -0800
+
+ Avoid integer overflow in XListInputDevices() [CVE-2013-1984 8/8]
+
+ If the length of the reply as reported by the Xserver is too long, it
+ could overflow the calculation for the size of the buffer to copy the
+ reply into, causing memory corruption.
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 17071c1c608247800b2ca03a35b1fcc9c4cabe6c
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun Mar 10 13:30:55 2013 -0700
+
+ Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8]
+
+ If the number of items as reported by the Xserver is too large, it
+ could overflow the calculation for the size of the buffer to copy the
+ reply into, causing memory corruption.
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 528419b9ef437e7eeafb41bf45e8ff7d818bd845
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat Mar 9 22:55:23 2013 -0800
+
+ integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]
+
+ If the number of events or masks reported by the server is large enough
+ that it overflows when multiplied by the size of the appropriate struct,
+ or the sizes overflow as they are totaled up, then memory corruption can
+ occur when more bytes are copied from the X server reply than the size
+ of the buffer we allocated to hold them.
+
+ v2: check that reply size fits inside the data read from the server,
+ so that we don't read out of bounds either
+
+ Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 242f92b490a695fbab244af5bad11b71f897c732
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat Mar 9 22:55:23 2013 -0800
+
+ integer overflow in XIGetProperty() [CVE-2013-1984 5/8]
+
+ If the number of items reported by the server is large enough that
+ it overflows when multiplied by the size of the appropriate item type,
+ then memory corruption can occur when more bytes are copied from the
+ X server reply than the size of the buffer we allocated to hold them.
+
+ Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit bb922ed4253b35590f0369f32a917ff89ade0830
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat Mar 9 22:55:23 2013 -0800
+
+ integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8]
+
+ If the number of events or axes reported by the server is large enough
+ that it overflows when multiplied by the size of the appropriate struct,
+ then memory corruption can occur when more bytes are copied from the
+ X server reply than the size of the buffer we allocated to hold them.
+
+ Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat Mar 9 22:55:23 2013 -0800
+
+ integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]
+
+ If the number of event classes reported by the server is large enough
+ that it overflows when multiplied by the size of the appropriate struct,
+ then memory corruption can occur when more bytes are copied from the
+ X server reply than the size of the buffer we allocated to hold them.
+
+ V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
+
+ Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 322ee3576789380222d4403366e4fd12fb24cb6a
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat Mar 9 22:55:23 2013 -0800
+
+ integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]
+
+ If the number of feedbacks reported by the server is large enough that
+ it overflows when multiplied by the size of the appropriate struct, or
+ if the total size of all the feedback structures overflows when added
+ together, then memory corruption can occur when more bytes are copied from
+ the X server reply than the size of the buffer we allocated to hold them.
+
+ v2: check that reply size fits inside the data read from the server, so
+ we don't read out of bounds either
+
+ Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit b0b13c12a8079a5a0e7f43b2b8983699057b2cec
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat Mar 9 22:55:23 2013 -0800
+
+ integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8]
+
+ If the number of valuators reported by the server is large enough that
+ it overflows when multiplied by the size of the appropriate struct, then
+ memory corruption can occur when more bytes are copied from the X server
+ reply than the size of the buffer we allocated to hold them.
+
+ v2: check that reply size fits inside the data read from the server, so
+ we don't read out of bounds either
+
+ Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 5398ac0797f7516f2c9b8f2869a6c6d071437352
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri Apr 26 22:48:36 2013 -0700
+
+ unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3]
+
+ If the lengths given for each class state in the reply add up to more
+ than the rep.length, we could read past the end of the buffer allocated
+ to hold the data read from the server.
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 91434737f592e8f5cc1762383882a582b55fc03a
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat Mar 9 23:37:23 2013 -0800
+
+ memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]
+
+ If the server returned more modifiers than the caller asked for,
+ we'd just keep copying past the end of the array provided by the
+ caller, writing over who-knows-what happened to be there.
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit f3e08e4fbe40016484ba795feecf1a742170ffc1
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat Mar 9 22:26:52 2013 -0800
+
+ Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]
+
+ We copy the entire reply sent by the server into the fixed size
+ mapping[] array on the stack, even if the server says it's a larger
+ size than the mapping array can hold. HULK SMASH STACK!
+
+ Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 59b8e1388a687f871831ac5a9e0ac11de75e2516
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed May 1 23:58:39 2013 -0700
+
+ Use _XEatDataWords to avoid overflow of rep.length bit shifting
+
+ rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 5d43d4914dcabb6de69859567061e99300e56ef4
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri May 17 09:07:44 2013 +1000
+
+ Copy the sequence number into the target event too (#64687)
+
+ X.Org Bug 64687 <http://bugs.freedesktop.org/show_bug.cgi?id=64687>
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+ Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
+
+commit bb82c72a1d69eaf60b7586570faf797df967f661
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Mon Apr 29 18:39:34 2013 -0700
+
+ Expand comment on the memory vs. reply ordering in XIGetSelectedEvents()
+
+ Unpacking from the wire involves un-interleaving the structs & masks,
+ which wasn't obvious to me the first time I read it, so make notes
+ before I forget again.
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
commit 26cb4573cbb8808ce9d5c75c16bd613b2f03a368
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri Apr 5 09:34:48 2013 +1000
diff --git a/debian/changelog b/debian/changelog
index 2b028c1..ff9c9a5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
-libxi (2:1.7.1-1) UNRELEASED; urgency=low
+libxi (2:1.7.1.901-1) UNRELEASED; urgency=low
- * New upstream release.
+ * New upstream release candidate.
+
+ [ Timo Aaltonen ]
* control: Bump policy to 3.9.4, no changes.
* control: Bump x11proto-input-dev build-dep to 2.2.99.1.
* libxi6.symbols: Added new symbols.
commit 957a9d64afd76f878ce6c5570f369e2a7fc1e772
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu Jun 27 08:47:16 2013 +1000
libXi 1.7.1.901
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
diff --git a/configure.ac b/configure.ac
index f5ef1e2..18d895b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
# Initialize Autoconf
AC_PREREQ([2.60])
-AC_INIT([libXi], [1.7.1],
+AC_INIT([libXi], [1.7.1.901],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXi])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([src/config.h])
commit 62033a9c83bcdc75b9f1452ce24729eefa8f4dc0
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu Jun 27 06:25:02 2013 +1000
Include limits.h to prevent build error: missing INT_MAX
Introduced in 4c8e9bcab459ea5f870d3e56eff15f931807f9b7.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
diff --git a/src/XIGrabDevice.c b/src/XIGrabDevice.c
index 2bff3d8..a8c5697 100644
--- a/src/XIGrabDevice.c
+++ b/src/XIGrabDevice.c
@@ -31,6 +31,7 @@
#include <X11/extensions/XI2proto.h>
#include <X11/extensions/XInput2.h>
#include <X11/extensions/extutil.h>
+#include <limits.h>
#include "XIint.h"
diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c
index 4ed2f09..baadccb 100644
--- a/src/XIPassiveGrab.c
+++ b/src/XIPassiveGrab.c
@@ -30,6 +30,7 @@
#include <X11/extensions/XI2proto.h>
#include <X11/extensions/XInput2.h>
#include <X11/extensions/extutil.h>
+#include <limits.h>
#include "XIint.h"
static int
commit 0f3f5a36d5fc6dc53f69f48a0c83aef6a1fcf381
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue May 28 15:52:34 2013 +1000
If the XGetDeviceDontPropagateList reply has an invalid length, return 0
If we skip over the reply data, return 0 as number of event classes.
Follow-up to 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
diff --git a/src/XGetProp.c b/src/XGetProp.c
index b49328c..8c69ef2 100644
--- a/src/XGetProp.c
+++ b/src/XGetProp.c
@@ -104,8 +104,10 @@ XGetDeviceDontPropagateList(
_XRead(dpy, (char *)(&ec), sizeof(CARD32));
list[i] = (XEventClass) ec;
}
- } else
+ } else {
+ *count = 0;
_XEatDataWords(dpy, rep.length);
+ }
}
UnlockDisplay(dpy);
commit 35ae16dc2f16b24a22625b2d9f76a2128b673a6c
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue May 28 15:52:33 2013 +1000
Change size += to size = in XGetDeviceControl
size += blah is technically correct but it implies that we're looping or
otherwise incrementing the size. Which we don't, it's only ever set once.
Change this to avoid reviewer confusion.
Reported-by: Dave "color-me-confused" Airlie <airlied@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
index 51ed0ae..b576aa5 100644
--- a/src/XGetDCtl.c
+++ b/src/XGetDCtl.c
@@ -122,34 +122,34 @@ XGetDeviceControl(
val_size = 3 * sizeof(int) * r->num_valuators;
if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
goto out;
- size += sizeof(XDeviceResolutionState) + val_size;
+ size = sizeof(XDeviceResolutionState) + val_size;
break;
}
case DEVICE_ABS_CALIB:
{
if (sizeof(xDeviceAbsCalibState) > nbytes)
goto out;
- size += sizeof(XDeviceAbsCalibState);
+ size = sizeof(XDeviceAbsCalibState);
break;
}
case DEVICE_ABS_AREA:
{
if (sizeof(xDeviceAbsAreaState) > nbytes)
goto out;
- size += sizeof(XDeviceAbsAreaState);
+ size = sizeof(XDeviceAbsAreaState);
break;
}
case DEVICE_CORE:
{
if (sizeof(xDeviceCoreState) > nbytes)
goto out;
- size += sizeof(XDeviceCoreState);
+ size = sizeof(XDeviceCoreState);
break;
}
default:
if (d->length > nbytes)
goto out;
- size += d->length;
+ size = d->length;
break;
}
commit 4c8e9bcab459ea5f870d3e56eff15f931807f9b7
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue May 28 15:52:32 2013 +1000
Fix potential corruption in mask_len handling
First: check for allocation failure on the mask.
XI2 requires that the mask is zeroed, so we can't just Data() the mask
provided by the client (it will pad) - we need a tmp buffer. Make sure that
doesn't fail.
Second:
req->mask_len is a uint16_t, so check against malicious mask_lens that would
cause us to corrupt memory on copy, as the code always allocates
req->mask_len * 4, but copies mask->mask_len bytes.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
diff --git a/src/XIGrabDevice.c b/src/XIGrabDevice.c
index dd1bd10..2bff3d8 100644
--- a/src/XIGrabDevice.c
+++ b/src/XIGrabDevice.c
@@ -50,6 +50,17 @@ XIGrabDevice(Display* dpy, int deviceid, Window grab_window, Time time,
if (_XiCheckExtInit(dpy, XInput_2_0, extinfo) == -1)
return (NoSuchExtension);
+ if (mask->mask_len > INT_MAX - 3 ||
+ (mask->mask_len + 3)/4 >= 0xffff)
+ return BadValue;
+
+ /* mask->mask_len is in bytes, but we need 4-byte units on the wire,
+ * and they need to be padded with 0 */
+ len = (mask->mask_len + 3)/4;
+ buff = calloc(4, len);
+ if (!buff)
+ return BadAlloc;
+
GetReq(XIGrabDevice, req);
req->reqType = extinfo->codes->major_opcode;
req->ReqType = X_XIGrabDevice;
@@ -59,14 +70,9 @@ XIGrabDevice(Display* dpy, int deviceid, Window grab_window, Time time,
req->grab_mode = grab_mode;
req->paired_device_mode = paired_device_mode;
req->owner_events = owner_events;
- req->mask_len = (mask->mask_len + 3)/4;
+ req->mask_len = len;
req->cursor = cursor;
-
- /* mask->mask_len is in bytes, but we need 4-byte units on the wire,
- * and they need to be padded with 0 */
- len = req->mask_len;
- buff = calloc(1, len * 4);
memcpy(buff, mask->mask, mask->mask_len);
SetReqLen(req, len, len);
diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c
index 53b4084..4ed2f09 100644
--- a/src/XIPassiveGrab.c
+++ b/src/XIPassiveGrab.c
@@ -51,6 +51,14 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail,
if (_XiCheckExtInit(dpy, XInput_2_0, extinfo) == -1)
return -1;
+ if (mask->mask_len > INT_MAX - 3 ||
+ (mask->mask_len + 3)/4 >= 0xffff)
+ return -1;
+
+ buff = calloc(4, (mask->mask_len + 3)/4);
+ if (!buff)
+ return -1;
+
GetReq(XIPassiveGrabDevice, req);
req->reqType = extinfo->codes->major_opcode;
req->ReqType = X_XIPassiveGrabDevice;
@@ -68,7 +76,6 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail,
len = req->mask_len + num_modifiers;
SetReqLen(req, len, len);
- buff = calloc(4, req->mask_len);
memcpy(buff, mask->mask, mask->mask_len);
Data(dpy, buff, req->mask_len * 4);
for (i = 0; i < num_modifiers; i++)
diff --git a/src/XISelEv.c b/src/XISelEv.c
index 0471bef..55c0a6a 100644
--- a/src/XISelEv.c
+++ b/src/XISelEv.c
@@ -53,6 +53,8 @@ XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks)
int i;
int len = 0;
int r = Success;
+ int max_mask_len = 0;
+ char *buff;
XExtDisplayInfo *info = XInput_find_display(dpy);
LockDisplay(dpy);
@@ -60,6 +62,26 @@ XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks)
r = NoSuchExtension;
goto out;
}
+
+ for (i = 0; i < num_masks; i++) {
+ current = &masks[i];
+ if (current->mask_len > INT_MAX - 3 ||
+ (current->mask_len + 3)/4 >= 0xffff) {
+ r = -1;
+ goto out;
+ }
+ if (current->mask_len > max_mask_len)
+ max_mask_len = current->mask_len;
+ }
+
+ /* max_mask_len is in bytes, but we need 4-byte units on the wire,
+ * and they need to be padded with 0 */
+ buff = calloc(4, ((max_mask_len + 3)/4));
+ if (!buff) {
+ r = -1;
+ goto out;
+ }
+
Reply to: