
Fwd: libwayland-cursor heap overflow fix



FYI.  libwayland-cursor0 has a bunch of reverse deps in stretch so this
may be of interest, though I'm not sure in which cases there's a
security boundary being crossed.  (And we should fix this in sid in any
case.)

-------- Forwarded Message --------
Subject: libwayland-cursor heap overflow fix
Date: Wed, 29 Nov 2017 11:39:09 +0200
From: Pekka Paalanen <ppaalanen@gmail.com>
To: xorg-security@lists.x.org
CC: wayland-devel@lists.freedesktop.org
<wayland-devel@lists.freedesktop.org>


Hi all,

I would like to bring to your attention a patch I have just merged into
wayland master:

https://cgit.freedesktop.org/wayland/wayland/commit/?id=5d201df72f3d4f4cb8b8f75f980169b03507da38

commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
Author: Tobias Stoeckmann <tobias@stoeckmann.org>
Date:   Tue Nov 28 21:38:07 2017 +0100

    cursor: Fix heap overflows when parsing malicious files.

    It is possible to trigger heap overflows due to an integer overflow
    while parsing images.

    The integer overflow occurs because the chosen limit 0x10000 for
    dimensions is too large for 32 bit systems, because each pixel takes
    4 bytes. Properly chosen values allow an overflow which in turn will
    lead to less allocated memory than needed for subsequent reads.

    See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961

    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
    [Pekka: add link to the corresponding libXcursor commit]
    Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>

This fix is not yet in any release, so it would be nice if distributions
cherry-picked this into what they ship; the pick should be trivial for
any release so far.

The issue has existed in libwayland-cursor ever since it was
introduced, before wayland 1.0.0 release.


Thanks,
pq

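The commit message above describes the bug as an integer overflow in the width x height x 4 allocation-size computation: with a per-dimension limit of 0x10000, the product can exceed 32 bits, so a 32-bit build allocates far less than the pixel data it then reads. The following C example is added here and is not code from libwayland-cursor or libXcursor; it places the wrapping multiplication beside an overflow-checked version and a toy header parser that refuses such headers. The toy file layout, the MAX_DIM constant and every function name are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libwayland-cursor or libXcursor code. Arithmetic is done
 * in uint32_t so it behaves like a 32-bit size_t on every host and the wrap
 * is reproducible regardless of the machine this is compiled on. */

#define BYTES_PER_PIXEL 4u
#define MAX_DIM 0x10000u   /* per-dimension limit the commit calls too large for 32-bit */

/* Unchecked computation: width * height * 4 wraps modulo 2^32, so a suitably
 * chosen pair of dimensions yields a much smaller buffer than the data needs. */
uint32_t unchecked_image_bytes(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Checked computation: returns false if the true byte count does not fit in
 * 32 bits. Each multiplication is guarded by a division test beforehand. */
bool checked_image_bytes(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width == 0 || height == 0) {
        *out = 0;
        return true;
    }
    if (width > UINT32_MAX / height)
        return false;                       /* width * height would wrap */
    uint32_t pixels = width * height;
    if (pixels > UINT32_MAX / BYTES_PER_PIXEL)
        return false;                       /* pixels * 4 would wrap */
    *out = pixels * BYTES_PER_PIXEL;
    return true;
}

/* Toy image format, constructed for this example (not the Xcursor layout):
 * 4-byte LE width, 4-byte LE height, then width*height*4 bytes of pixels. */
struct toy_image {
    uint32_t width, height;
    uint8_t *pixels;
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns NULL for an oversized header, an overflowing size or a truncated
 * payload, so the copy of width*height*4 bytes can never exceed the buffer. */
struct toy_image *toy_image_parse(const uint8_t *buf, size_t len)
{
    if (len < 8)
        return NULL;
    uint32_t w = rd_le32(buf), h = rd_le32(buf + 4);
    if (w > MAX_DIM || h > MAX_DIM)
        return NULL;                        /* the dimension limit alone */
    uint32_t nbytes;
    if (!checked_image_bytes(w, h, &nbytes))
        return NULL;                        /* the case the limit alone misses */
    if (len - 8 < nbytes)
        return NULL;                        /* file shorter than it claims */
    struct toy_image *img = malloc(sizeof *img);
    if (!img)
        return NULL;
    img->width = w;
    img->height = h;
    img->pixels = malloc(nbytes ? nbytes : 1);
    if (!img->pixels) {
        free(img);
        return NULL;
    }
    memcpy(img->pixels, buf + 8, nbytes);
    return img;
}

void toy_image_free(struct toy_image *img)
{
    if (!img) return;
    free(img->pixels);
    free(img);
}

/* Demo helper: parse a constructed 2x2 image and return the number of pixel
 * bytes it carries, or -1 if the parser rejected it. */
long parse_constructed_2x2(void)
{
    uint8_t buf[8 + 16] = { 2, 0, 0, 0, 2, 0, 0, 0 };   /* w = 2, h = 2, 16 zero pixel bytes */
    struct toy_image *img = toy_image_parse(buf, sizeof buf);
    if (!img)
        return -1;
    long n = (long)(img->width * img->height * BYTES_PER_PIXEL);
    toy_image_free(img);
    return n;
}

int main(void)
{
    uint32_t w = 0x10000u, h = 0x4001u, n;
    printf("unchecked 0x%x x 0x%x -> 0x%x bytes (wrapped)\n", w, h, unchecked_image_bytes(w, h));
    printf("checked   -> %s\n", checked_image_bytes(w, h, &n) ? "accepted" : "rejected");
    printf("2x2 parse copied %ld pixel bytes\n", parse_constructed_2x2());
    return 0;
}
```

Both dimensions in the demo are within the 0x10000 limit the commit message mentions, yet the unchecked product wraps to 0x40000 bytes where 0x100040000 are needed; the checked version rejects the pair, which is the property a cherry-picked fix should be verified to preserve on 32-bit builds.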

_______________________________________________
xorg-security mailing list
xorg-security@lists.x.org
https://lists.x.org/mailman/listinfo/xorg-security