gnu: libxrender: Fix CVE-2016-{7949,7950}.
* gnu/packages/patches/libxrender-CVE-2016-7949.patch, gnu/packages/patches/libxrender-CVE-2016-7950.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/xorg.scm (libxrender)[replacement]: New field. (libxrender/fixed): New variable.master
parent
a300db1c7f
commit
666d40193c
|
@ -674,6 +674,8 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/libxfixes-CVE-2016-7944.patch \
|
||||
%D%/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch \
|
||||
%D%/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch \
|
||||
%D%/packages/patches/libxrender-CVE-2016-7949.patch \
|
||||
%D%/packages/patches/libxrender-CVE-2016-7950.patch \
|
||||
%D%/packages/patches/libxslt-generated-ids.patch \
|
||||
%D%/packages/patches/lirc-localstatedir.patch \
|
||||
%D%/packages/patches/llvm-for-extempore.patch \
|
||||
|
|
|
@ -0,0 +1,66 @@
|
|||
Fix CVE-2016-7949:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4
|
||||
|
||||
From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
Date: Sun, 25 Sep 2016 21:43:09 +0200
|
||||
Subject: [PATCH] Validate lengths while parsing server data.
|
||||
|
||||
Individual lengths inside received server data can overflow
|
||||
the previously reserved memory.
|
||||
|
||||
It is therefore important to validate every single length
|
||||
field to not overflow the previously agreed sum of all invidual
|
||||
length fields.
|
||||
|
||||
v2: consume remaining bytes in the reply buffer on error.
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
Reviewed-by: Matthieu Herrb@laas.fr
|
||||
---
|
||||
src/Xrender.c | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
|
||||
diff --git a/src/Xrender.c b/src/Xrender.c
|
||||
index 3102eb2..71cf3e6 100644
|
||||
--- a/src/Xrender.c
|
||||
+++ b/src/Xrender.c
|
||||
@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
|
||||
screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
|
||||
screen->subpixel = SubPixelUnknown;
|
||||
xDepth = (xPictDepth *) (xScreen + 1);
|
||||
+ if (screen->ndepths > rep.numDepths) {
|
||||
+ Xfree (xri);
|
||||
+ Xfree (xData);
|
||||
+ _XEatDataWords (dpy, rep.length);
|
||||
+ UnlockDisplay (dpy);
|
||||
+ SyncHandle ();
|
||||
+ return 0;
|
||||
+ }
|
||||
+ rep.numDepths -= screen->ndepths;
|
||||
for (nd = 0; nd < screen->ndepths; nd++)
|
||||
{
|
||||
depth->depth = xDepth->depth;
|
||||
depth->nvisuals = xDepth->nPictVisuals;
|
||||
depth->visuals = visual;
|
||||
xVisual = (xPictVisual *) (xDepth + 1);
|
||||
+ if (depth->nvisuals > rep.numVisuals) {
|
||||
+ Xfree (xri);
|
||||
+ Xfree (xData);
|
||||
+ _XEatDataWords (dpy, rep.length);
|
||||
+ UnlockDisplay (dpy);
|
||||
+ SyncHandle ();
|
||||
+ return 0;
|
||||
+ }
|
||||
+ rep.numVisuals -= depth->nvisuals;
|
||||
for (nv = 0; nv < depth->nvisuals; nv++)
|
||||
{
|
||||
visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
|
||||
--
|
||||
2.10.1
|
||||
|
|
@ -0,0 +1,73 @@
|
|||
Fix CVE-2016-7950:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714
|
||||
|
||||
From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
Date: Sun, 25 Sep 2016 21:42:09 +0200
|
||||
Subject: [PATCH] Avoid OOB write in XRenderQueryFilters
|
||||
|
||||
The memory for filter names is reserved right after receiving the reply.
|
||||
After that, filters are iterated and each individual filter name is
|
||||
stored in that reserved memory.
|
||||
|
||||
The individual name lengths are not checked for validity, which means
|
||||
that a malicious server can reserve less memory than it will write to
|
||||
during each iteration.
|
||||
|
||||
v2: consume remaining bytes in reply buffer on error.
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
||||
---
|
||||
src/Filter.c | 13 ++++++++++++-
|
||||
1 file changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/Filter.c b/src/Filter.c
|
||||
index edfa572..8d701eb 100644
|
||||
--- a/src/Filter.c
|
||||
+++ b/src/Filter.c
|
||||
@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
|
||||
char *name;
|
||||
char len;
|
||||
int i;
|
||||
- unsigned long nbytes, nbytesAlias, nbytesName;
|
||||
+ unsigned long nbytes, nbytesAlias, nbytesName, reply_left;
|
||||
|
||||
if (!RenderHasExtension (info))
|
||||
return NULL;
|
||||
@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
|
||||
* Read the filter aliases
|
||||
*/
|
||||
_XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
|
||||
+ reply_left = 8 + rep.length - 2 * rep.numAliases;;
|
||||
|
||||
/*
|
||||
* Read the filter names
|
||||
@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
|
||||
{
|
||||
int l;
|
||||
_XRead (dpy, &len, 1);
|
||||
+ reply_left--;
|
||||
l = len & 0xff;
|
||||
+ if ((unsigned long)l + 1 > nbytesName) {
|
||||
+ _XEatDataWords(dpy, reply_left);
|
||||
+ Xfree(filters);
|
||||
+ UnlockDisplay (dpy);
|
||||
+ SyncHandle ();
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ nbytesName -= l + 1;
|
||||
filters->filter[i] = name;
|
||||
_XRead (dpy, name, l);
|
||||
+ reply_left -= l;
|
||||
name[l] = '\0';
|
||||
name += l + 1;
|
||||
}
|
||||
--
|
||||
2.10.1
|
||||
|
|
@ -4602,6 +4602,7 @@ cannot be adequately worked around on the client side of the wire.")
|
|||
(define-public libxrender
|
||||
(package
|
||||
(name "libxrender")
|
||||
(replacement libxrender/fixed)
|
||||
(version "0.9.9")
|
||||
(source
|
||||
(origin
|
||||
|
@ -4626,6 +4627,14 @@ cannot be adequately worked around on the client side of the wire.")
|
|||
(description "Library for the Render Extension to the X11 protocol.")
|
||||
(license license:x11)))
|
||||
|
||||
(define libxrender/fixed
|
||||
(package
|
||||
(inherit libxrender)
|
||||
(source (origin
|
||||
(inherit (package-source libxrender))
|
||||
(patches (search-patches
|
||||
"libxrender-CVE-2016-7949.patch"
|
||||
"libxrender-CVE-2016-7950.patch"))))))
|
||||
|
||||
(define-public libxtst
|
||||
(package
|
||||
|
|
Reference in New Issue