gnu: libxtst: Update to 1.2.3.

* gnu/packages/xorg.scm (libxtst): Update to 1.2.3. [replacement]: Remove field. (libxtst/fixed): Remove variable. * gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it.
2016-10-05 19:30:10 -04:00 · 2016-10-05 19:30:10 -04:00 · 82e6a4341b
parent 9eb76bd3e5
commit 82e6a4341b
3 changed files with 2 additions and 164 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -668,7 +668,6 @@ dist_patch_DATA =						\
  %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch	\
  %D%/packages/patches/libwmf-CVE-2015-4695.patch		\
  %D%/packages/patches/libwmf-CVE-2015-4696.patch		\
  %D%/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch	\
  %D%/packages/patches/libxv-CVE-2016-5407.patch		\
  %D%/packages/patches/libxvmc-CVE-2016-7953.patch		\
  %D%/packages/patches/libxslt-generated-ids.patch		\
--- a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
+++ b/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
@ -1,152 +0,0 @@
 Fix CVE-2016-7951 and CVE-2016-7952
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7952
 Patch copied from upstream source repository:
 https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3
 From 9556ad67af3129ec4a7a4f4b54a0d59701beeae3 Mon Sep 17 00:00:00 2001
 From: Tobias Stoeckmann <tobias@stoeckmann.org>
 Date: Sun, 25 Sep 2016 21:37:01 +0200
 Subject: [PATCH] Out of boundary access and endless loop in libXtst
 A lack of range checks in libXtst allows out of boundary accesses.
 The checks have to be done in-place here, because it cannot be done
 without in-depth knowledge of the read data.
 If XRecordStartOfData, XRecordEndOfData, or XRecordClientDied
 without a client sequence have attached data, an endless loop would
 occur. The do-while-loop continues until the current index reaches
 the end. But in these cases, the current index would not be
 incremented, leading to an endless processing.
 Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
 Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
 ---
 src/XRecord.c | 43 +++++++++++++++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 4 deletions(-)
 diff --git a/src/XRecord.c b/src/XRecord.c
 index 50420c0..fefd842 100644
 --- a/src/XRecord.c
 +++ b/src/XRecord.c
@@ -749,15 +749,23 @@ parse_reply_call_callback(
 	switch (rep->category) {
 	case XRecordFromServer:
 	    if (rep->elementHeader&XRecordFromServerTime) {
 +		if (current_index + 4 > rep->length << 2)
 +		    return Error;
 		EXTRACT_CARD32(rep->clientSwapped,
 			       reply->buf+current_index,
 			       data->server_time);
 		current_index += 4;
 	    }
 +	    if (current_index + 1 > rep->length << 2)
 +		return Error;
 	    switch (reply->buf[current_index]) {
 	    case X_Reply: /* reply */
 +		if (current_index + 8 > rep->length << 2)
 +		    return Error;
 		EXTRACT_CARD32(rep->clientSwapped,
 			       reply->buf+current_index+4, datum_bytes);
 +		if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8))
 +		    return Error;
 		datum_bytes = (datum_bytes+8) << 2;
 		break;
 	    default: /* error or event */
@@ -766,52 +774,73 @@ parse_reply_call_callback(
 	    break;
 	case XRecordFromClient:
 	    if (rep->elementHeader&XRecordFromClientTime) {
 +		if (current_index + 4 > rep->length << 2)
 +		    return Error;
 		EXTRACT_CARD32(rep->clientSwapped,
 			       reply->buf+current_index,
 			       data->server_time);
 		current_index += 4;
 	    }
 	    if (rep->elementHeader&XRecordFromClientSequence) {
 +		if (current_index + 4 > rep->length << 2)
 +		    return Error;
 		EXTRACT_CARD32(rep->clientSwapped,
 			       reply->buf+current_index,
 			       data->client_seq);
 		current_index += 4;
 	    }
 +	    if (current_index + 4 > rep->length<<2)
 +		return Error;
 	    if (reply->buf[current_index+2] == 0
 		&& reply->buf[current_index+3] == 0) /* needn't swap 0 */
 	    {	/* BIG-REQUESTS */
 +		if (current_index + 8 > rep->length << 2)
 +		    return Error;
 		EXTRACT_CARD32(rep->clientSwapped,
 			       reply->buf+current_index+4, datum_bytes);
 	    } else {
 		EXTRACT_CARD16(rep->clientSwapped,
 			       reply->buf+current_index+2, datum_bytes);
 	    }
 +	    if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2)
 +		return Error;
 	    datum_bytes <<= 2;
 	    break;
 	case XRecordClientStarted:
 +	    if (current_index + 8 > rep->length << 2)
 +		return Error;
 	    EXTRACT_CARD16(rep->clientSwapped,
 			   reply->buf+current_index+6, datum_bytes);
 	    datum_bytes = (datum_bytes+2) << 2;
 	    break;
 	case XRecordClientDied:
 	    if (rep->elementHeader&XRecordFromClientSequence) {
 +		if (current_index + 4 > rep->length << 2)
 +		    return Error;
 		EXTRACT_CARD32(rep->clientSwapped,
 			       reply->buf+current_index,
 			       data->client_seq);
 		current_index += 4;
 -	    }
 -	    /* fall through */
 +	    } else if (current_index < rep->length << 2)
 +		return Error;
 +	    datum_bytes = 0;
 +	    break;
 	case XRecordStartOfData:
 	case XRecordEndOfData:
 +	    if (current_index < rep->length << 2)
 +		return Error;
 	    datum_bytes = 0;
 +	    break;
 	}
 	if (datum_bytes > 0) {
 -	    if (current_index + datum_bytes > rep->length << 2)
 +	    if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) {
 		fprintf(stderr,
 			"XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n",
 -			(long)rep->length << 2, current_index + datum_bytes,
 +			(unsigned long)rep->length << 2, current_index + datum_bytes,
 			dpy->last_request_read);
 +		return Error;
 +	    }
 	    /*
 	     * This assignment (and indeed the whole buffer sharing
 	     * scheme) assumes arbitrary 4-byte boundaries are
@@ -863,6 +892,12 @@ XRecordEnableContext(Display *dpy, XRecordContext context,
 	    return 0;
 	}
 +	if (rep.length > INT_MAX >> 2) {
 +	    UnlockDisplay(dpy);
 +	    SyncHandle();
 +	    return 0;
 +	}
 +
 	if (rep.length > 0) {
 	    reply = alloc_reply_buffer(info, rep.length<<2);
 	    if (!reply) {
 -- 
 2.10.1
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@ -4629,8 +4629,7 @@ cannot be adequately worked around on the client side of the wire.")
 (define-public libxtst
  (package
    (name "libxtst")
-    (replacement libxtst/fixed)
+    (version "1.2.3")
    (version "1.2.2")
    (source
      (origin
        (method url-fetch)
@ -4640,7 +4639,7 @@ cannot be adequately worked around on the client side of the wire.")
               ".tar.bz2"))
        (sha256
          (base32
-            "1ngn161nq679ffmbwl81i2hn75jjg5b3ffv6n4jilpvyazypy2pg"))))
+            "012jpyj7xfm653a9jcfqbzxyywdmwb2b5wr1dwylx14f3f54jma6"))))
    (build-system gnu-build-system)
    (propagated-inputs
      `(("recordproto" ,recordproto)
@ -4665,14 +4664,6 @@ The RECORD extension supports the recording and reporting of all core X
 protocol and arbitrary X extension protocol.")
    (license license:x11)))
 (define libxtst/fixed
  (package
    (inherit libxtst)
    (source (origin
              (inherit (package-source libxtst))
              (patches (search-patches
                         "libxtst-CVE-2016-7951-CVE-2016-7952.patch"))))))
 (define-public libxv
  (package
    (name "libxv")