Fwd: libwayland-cursor heap overflow fix
FYI. libwayland-cursor0 has a bunch of reverse deps in stretch so this
may be of interest, though I'm not sure in which cases there's a
security boundary being crossed. (And we should fix this in sid in any
case.)
-------- Forwarded Message --------
Subject: libwayland-cursor heap overflow fix
Date: Wed, 29 Nov 2017 11:39:09 +0200
From: Pekka Paalanen <ppaalanen@gmail.com>
To: xorg-security@lists.x.org
CC: wayland-devel@lists.freedesktop.org
Hi all,
I would like to bring to your attention a patch I have just merged into
wayland master:
https://cgit.freedesktop.org/wayland/wayland/commit/?id=5d201df72f3d4f4cb8b8f75f980169b03507da38
commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
Author: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Tue Nov 28 21:38:07 2017 +0100

    cursor: Fix heap overflows when parsing malicious files.

    It is possible to trigger heap overflows due to an integer overflow
    while parsing images.

    The integer overflow occurs because the chosen limit 0x10000 for
    dimensions is too large for 32 bit systems, because each pixel takes
    4 bytes. Properly chosen values allow an overflow which in turn will
    lead to less allocated memory than needed for subsequent reads.

    See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961

    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
    [Pekka: add link to the corresponding libXcursor commit]
    Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
This fix is not yet in any release, so it would be nice if distributions
cherry-picked this into what they ship; the pick should be trivial for
any release so far.
The issue has existed in libwayland-cursor ever since it was
introduced, before wayland 1.0.0 release.
Thanks,
pq
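The arithmetic described in the commit message, as an added example that is not part of the original mail or of the wayland source: a 32-bit size_t is modelled with uint32_t, and the function names and sample dimensions are constructed for illustration. checked_size32 shows one general overflow-safe way to compute the buffer size; it is not the check the commit itself applies.

```c
#include <stdint.h>
#include <stdio.h>

#define BYTES_PER_PIXEL 4u /* each pixel takes 4 bytes, per the commit message */

/* Size as a 32-bit size_t would compute it: the product wraps modulo 2^32. */
static uint32_t wrapped_size32(uint32_t width, uint32_t height)
{
    return (uint32_t)(width * height * BYTES_PER_PIXEL);
}

/* Number of bytes the subsequent pixel reads actually need. */
static uint64_t needed_size(uint32_t width, uint32_t height)
{
    return (uint64_t)width * height * BYTES_PER_PIXEL;
}

/*
 * Overflow-safe variant (illustrative): returns the size in bytes, or 0 when
 * a dimension is zero or the product does not fit in 32 bits. Dividing first
 * avoids ever forming the overflowing product.
 */
static uint32_t checked_size32(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return 0;
    if (width > UINT32_MAX / BYTES_PER_PIXEL / height)
        return 0;
    return width * height * BYTES_PER_PIXEL;
}

int main(void)
{
    /* Constructed sample: both dimensions are below the 0x10000 limit. */
    uint32_t w = 0x8000, h = 0x8001;

    printf("allocated (wrapped): %llu bytes\n",
           (unsigned long long)wrapped_size32(w, h));
    printf("needed by reads:     %llu bytes\n",
           (unsigned long long)needed_size(w, h));
    printf("checked result:      %llu (0 means rejected)\n",
           (unsigned long long)checked_size32(w, h));
    printf("64x64 cursor:        %llu bytes\n",
           (unsigned long long)checked_size32(64, 64));
    return 0;
}
```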