me
/
guix
Archived
1
0
Fork 0
Code

gnu: libx11: Update to 1.6.4. 

* gnu/packages/xorg.scm (libx11): Update to 1.6.4.
[replacement]: Remove field.
(libx11/fixed): Remove variable.
* gnu/packages/patches/libx11-CVE-2016-7942.patch,
gnu/packages/patches/libx11-CVE-2016-7943.patch: Remove files.
* gnu/local.mk (dist_patch_DATA): Remove them.
master
Leo Famulari 2016-10-05 19:17:58 -04:00
parent b19c7989b7
commit 4dd841c1dc
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
4 changed files with 2 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
gnu/local.mk
View File

@ -668,8 +668,6 @@ dist_patch_DATA = \
%D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \ %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
%D%/packages/patches/libwmf-CVE-2015-4695.patch \ %D%/packages/patches/libwmf-CVE-2015-4695.patch \
%D%/packages/patches/libwmf-CVE-2015-4696.patch \ %D%/packages/patches/libwmf-CVE-2015-4696.patch \
%D%/packages/patches/libx11-CVE-2016-7942.patch \
%D%/packages/patches/libx11-CVE-2016-7943.patch \
%D%/packages/patches/libxfixes-CVE-2016-7944.patch \ %D%/packages/patches/libxfixes-CVE-2016-7944.patch \
%D%/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch \ %D%/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch \
%D%/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch \ %D%/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch \

76
gnu/packages/patches/libx11-CVE-2016-7942.patch
View File

@ -1,76 +0,0 @@
Fix CVE-2016-7942:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
Patch copied from upstream source repository:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17
From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 25 Sep 2016 21:25:25 +0200
Subject: [PATCH] Validation of server responses in XGetImage()
Check if enough bytes were received for specified image type and
geometry. Otherwise GetPixel and other functions could trigger an
out of boundary read later on.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
---
src/GetImage.c | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/src/GetImage.c b/src/GetImage.c
index c461abc..ff32d58 100644
--- a/src/GetImage.c
+++ b/src/GetImage.c
@@ -59,6 +59,7 @@ XImage *XGetImage (
char *data;
unsigned long nbytes;
XImage *image;
+ int planes;
LockDisplay(dpy);
GetReq (GetImage, req);
/*
@@ -91,18 +92,28 @@ XImage *XGetImage (
return (XImage *) NULL;
}
_XReadPad (dpy, data, nbytes);
- if (format == XYPixmap)
- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
- Ones (plane_mask &
- (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
- format, 0, data, width, height, dpy->bitmap_pad, 0);
- else /* format == ZPixmap */
- image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
- rep.depth, ZPixmap, 0, data, width, height,
- _XGetScanlinePad(dpy, (int) rep.depth), 0);
+ if (format == XYPixmap) {
+ image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+ Ones (plane_mask &
+ (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+ format, 0, data, width, height, dpy->bitmap_pad, 0);
+ planes = image->depth;
+ } else { /* format == ZPixmap */
+ image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+ rep.depth, ZPixmap, 0, data, width, height,
+ _XGetScanlinePad(dpy, (int) rep.depth), 0);
+ planes = 1;
+ }
if (!image)
Xfree(data);
+ if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
+ INT_MAX / image->height <= image->bytes_per_line ||
+ INT_MAX / planes <= image->height * image->bytes_per_line ||
+ nbytes < planes * image->height * image->bytes_per_line) {
+ XDestroyImage(image);
+ image = NULL;
+ }
UnlockDisplay(dpy);
SyncHandle();
return (image);
--
2.10.1

113
gnu/packages/patches/libx11-CVE-2016-7943.patch
View File

@ -1,113 +0,0 @@
Fix CVE-2016-7943:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943.
Patch copied from upstream source repository:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9
From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 25 Sep 2016 21:22:57 +0200
Subject: [PATCH] The validation of server responses avoids out of boundary
accesses.
v2: FontNames.c return a NULL list whenever a single
length field from the server is incohent.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
---
src/FontNames.c | 23 +++++++++++++++++------
src/ListExt.c | 12 ++++++++----
src/ModMap.c | 3 ++-
3 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/src/FontNames.c b/src/FontNames.c
index 21dcafe..e55f338 100644
--- a/src/FontNames.c
+++ b/src/FontNames.c
@@ -66,7 +66,7 @@ int *actualCount) /* RETURN */
if (rep.nFonts) {
flist = Xmalloc (rep.nFonts * sizeof(char *));
- if (rep.length < (INT_MAX >> 2)) {
+ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
rlen = rep.length << 2;
ch = Xmalloc(rlen + 1);
/* +1 to leave room for last null-terminator */
@@ -93,11 +93,22 @@ int *actualCount) /* RETURN */
if (ch + length < chend) {
flist[i] = ch + 1; /* skip over length */
ch += length + 1; /* find next length ... */
- length = *(unsigned char *)ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
- } else
- flist[i] = NULL;
+ if (ch <= chend) {
+ length = *(unsigned char *)ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else {
+ Xfree(flist);
+ flist = NULL;
+ count = 0;
+ break;
+ }
+ } else {
+ Xfree(flist);
+ flist = NULL;
+ count = 0;
+ break;
+ }
}
}
*actualCount = count;
diff --git a/src/ListExt.c b/src/ListExt.c
index be6b989..0516e45 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -55,7 +55,7 @@ char **XListExtensions(
if (rep.nExtensions) {
list = Xmalloc (rep.nExtensions * sizeof (char *));
- if (rep.length < (INT_MAX >> 2)) {
+ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
rlen = rep.length << 2;
ch = Xmalloc (rlen + 1);
/* +1 to leave room for last null-terminator */
@@ -80,9 +80,13 @@ char **XListExtensions(
if (ch + length < chend) {
list[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
- length = *ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
+ if (ch <= chend) {
+ length = *ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else {
+ list[i] = NULL;
+ }
} else
list[i] = NULL;
}
diff --git a/src/ModMap.c b/src/ModMap.c
index a809aa2..49a5d08 100644
--- a/src/ModMap.c
+++ b/src/ModMap.c
@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
GetEmptyReq(GetModifierMapping, req);
(void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
- if (rep.length < (INT_MAX >> 2)) {
+ if (rep.length < (INT_MAX >> 2) &&
+ (rep.length >> 1) == rep.numKeyPerModifier) {
nbytes = (unsigned long)rep.length << 2;
res = Xmalloc(sizeof (XModifierKeymap));
if (res)
--
2.10.1

14
gnu/packages/xorg.scm
View File

@ -5252,8 +5252,7 @@ draggable titlebars and borders.")
(define-public libx11 (define-public libx11
(package (package
(name "libx11") (name "libx11")
(replacement libx11/fixed) (version "1.6.4")
(version "1.6.3")
(source (source
(origin (origin
(method url-fetch) (method url-fetch)
@ -5263,7 +5262,7 @@ draggable titlebars and borders.")
".tar.bz2")) ".tar.bz2"))
(sha256 (sha256
(base32 (base32
"04c1vj53xq2xgyxx5vhln3wm2d76hh1n95fvs3myhligkz1sfcfg")))) "0hg46i6h92pmb7xp1cis2j43zq3fkdz89p0yv35w4vm17az4iixp"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(outputs '("out" (outputs '("out"
"doc")) ;8 MiB of man pages + XML "doc")) ;8 MiB of man pages + XML
@ -5285,15 +5284,6 @@ draggable titlebars and borders.")
(description "Xorg Core X11 protocol client library.") (description "Xorg Core X11 protocol client library.")
(license license:x11))) (license license:x11)))
(define libx11/fixed
(package
(inherit libx11)
(source (origin
(inherit (package-source libx11))
(patches (search-patches
"libx11-CVE-2016-7942.patch"
"libx11-CVE-2016-7943.patch"))))))
;; packages of height 5 in the propagated-inputs tree ;; packages of height 5 in the propagated-inputs tree
(define-public libxcursor (define-public libxcursor