diff -u libxrandr-1.3.2/debian/changelog libxrandr-1.3.2/debian/changelog
--- libxrandr-1.3.2/debian/changelog
+++ libxrandr-1.3.2/debian/changelog
@@ -1,3 +1,12 @@
+libxrandr (2:1.3.2-2ubuntu0.2) precise-security; urgency=low
+
+ * SECURITY UPDATE: denial of service and possible code execution via
+ incorrect memory size calculations
+ - debian/patches/CVE-2013-1986.patch: fix multiple overflows.
+ - CVE-2013-1986
+
+ -- Marc Deslauriers Tue, 28 May 2013 10:53:26 -0400
+
 libxrandr (2:1.3.2-2ubuntu0.1) precise-proposed; urgency=low
 * fix-kwin-crashes-on-xrandr-update-on-NX.diff: Fix kwin crashing on
diff -u libxrandr-1.3.2/debian/patches/series libxrandr-1.3.2/debian/patches/series
--- libxrandr-1.3.2/debian/patches/series
+++ libxrandr-1.3.2/debian/patches/series
@@ -1,0 +2 @@
+CVE-2013-1986.patch
diff -u libxrandr-1.3.2/debian/patches/fix-kwin-crashes-on-xrandr-update-on-NX.diff libxrandr-1.3.2/debian/patches/fix-kwin-crashes-on-xrandr-update-on-NX.diff
--- libxrandr-1.3.2/debian/patches/fix-kwin-crashes-on-xrandr-update-on-NX.diff
+++ libxrandr-1.3.2/debian/patches/fix-kwin-crashes-on-xrandr-update-on-NX.diff
@@ -11,13 +11,13 @@
 src/Xrandr.c | 4 ++++
 1 file changed, 4 insertions(+)
-diff --git a/src/Xrandr.c b/src/Xrandr.c
-index b1e97ec..9a56636 100644
---- a/src/Xrandr.c
-+++ b/src/Xrandr.c
-@@ -483,6 +483,10 @@ int XRRUpdateConfiguration(XEvent *event)
+Index: libxrandr-1.3.2/src/Xrandr.c
+===================================================================
+--- libxrandr-1.3.2.orig/src/Xrandr.c 2013-05-28 10:50:48.577399930 -0400
++++ libxrandr-1.3.2/src/Xrandr.c 2013-05-28 10:50:48.573399930 -0400
+@@ -420,6 +420,10 @@
 scevent = (XRRScreenChangeNotifyEvent *) event;
- snum = XRRRootToScreen(dpy,
+ snum = XRRRootToScreen(dpy,
 ((XRRScreenChangeNotifyEvent *) event)->root);
 + /* check for return value, fails on nx */
 + if (snum == -1 ) {
@@ -29,3 +28,0 @@
---
-1.7.10.4
-
only in patch2:
unchanged:
--- libxrandr-1.3.2.orig/debian/patches/CVE-2013-1986.patch
+++ libxrandr-1.3.2/debian/patches/CVE-2013-1986.patch
@@ -0,0 +1,239 @@
+Description: fix denial of service and possible code execution via
+ incorrect memory size calculations
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=1c7ad6773ce6be00dcd6e51e9be08f203abe5071
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=289a1927949e6f278c18d115772e454837702e35
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=c90f74497dbcb96854346435349c6e2207b530c5
+
+Index: libxrandr-1.3.2/configure.ac
+===================================================================
+--- libxrandr-1.3.2.orig/configure.ac 2013-05-28 10:52:03.305401844 -0400
++++ libxrandr-1.3.2/configure.ac 2013-05-28 10:52:03.301401843 -0400
+@@ -56,6 +56,12 @@
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(RANDR, x11 randrproto >= $RANDR_VERSION xext xextproto xrender renderproto)
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$RANDR_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ src/Makefile
+ man/Makefile
+Index: libxrandr-1.3.2/src/Xrandrint.h
+===================================================================
+--- libxrandr-1.3.2.orig/src/Xrandrint.h 2013-05-28 10:52:03.305401844 -0400
++++ libxrandr-1.3.2/src/Xrandrint.h 2013-05-28 10:52:03.301401843 -0400
+@@ -42,6 +42,19 @@
+
+ XExtDisplayInfo *XRRFindDisplay (Display *dpy);
+
++#ifndef HAVE__XEATDATAWORDS
++#include /* for LONG64 on 64-bit platforms */
++#include
++
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ /* deliberately opaque internal data structure; can be extended,
+ but not reordered */
+Index: libxrandr-1.3.2/src/XrrCrtc.c
+===================================================================
+--- libxrandr-1.3.2.orig/src/XrrCrtc.c 2013-05-28 10:52:03.305401844 -0400
++++ libxrandr-1.3.2/src/XrrCrtc.c 2013-05-28 10:52:03.301401843 -0400
+@@ -74,7 +74,7 @@
+
+ xci = (XRRCrtcInfo *) Xmalloc(rbytes);
+ if (xci == NULL) {
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+@@ -203,7 +203,7 @@
+
+ if (!crtc_gamma)
+ {
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords (dpy, rep.length);
+ goto out;
+ }
+ _XRead16 (dpy, crtc_gamma->red, rep.size * 2);
+@@ -397,7 +397,7 @@
+ int extraBytes = rep.length * 4 - CrtcTransformExtra;
+ extra = Xmalloc (extraBytes);
+ if (!extra) {
+- _XEatData (dpy, extraBytes);
++ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return False;
+Index: libxrandr-1.3.2/src/XrrOutput.c
+===================================================================
+--- libxrandr-1.3.2.orig/src/XrrOutput.c 2013-05-28 10:52:03.305401844 -0400
++++ libxrandr-1.3.2/src/XrrOutput.c 2013-05-28 10:52:03.301401843 -0400
+@@ -81,7 +81,7 @@
+
+ xoi = (XRROutputInfo *) Xmalloc(rbytes);
+ if (xoi == NULL) {
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+Index: libxrandr-1.3.2/src/XrrProperty.c
+===================================================================
+--- libxrandr-1.3.2.orig/src/XrrProperty.c 2013-05-28 10:52:03.305401844 -0400
++++ libxrandr-1.3.2/src/XrrProperty.c 2013-05-28 10:52:03.301401843 -0400
+@@ -31,6 +31,7 @@
+ #include
+ #include
+ #include "Xrandrint.h"
++#include
+
+ Atom *
+ XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
+@@ -62,7 +63,7 @@
+
+ props = (Atom *) Xmalloc (rbytes);
+ if (props == NULL) {
+- _XEatData (dpy, nbytes);
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ *nprop = 0;
+@@ -84,7 +85,7 @@
+ XExtDisplayInfo *info = XRRFindDisplay(dpy);
+ xRRQueryOutputPropertyReply rep;
+ xRRQueryOutputPropertyReq *req;
+- int rbytes, nbytes;
++ unsigned int rbytes, nbytes;
+ XRRPropertyInfo *prop_info;
+
+ RRCheckExtension (dpy, info, NULL);
+@@ -102,12 +103,16 @@
+ return NULL;
+ }
+
+- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
+- nbytes = rep.length << 2;
++ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
++ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
++ nbytes = rep.length << 2;
++
++ prop_info = Xmalloc (rbytes);
++ } else
++ prop_info = NULL;
+
+- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
+ if (prop_info == NULL) {
+- _XEatData (dpy, nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+@@ -252,7 +257,14 @@
+ XExtDisplayInfo *info = XRRFindDisplay(dpy);
+ xRRGetOutputPropertyReply rep;
+ xRRGetOutputPropertyReq *req;
+- long nbytes, rbytes;
++ unsigned long nbytes, rbytes;
++
++ /* Always initialize return values, in case callers fail to initialize
++ them and fail to check the return code for an error. */
++ *actual_type = None;
++ *actual_format = 0;
++ *nitems = *bytes_after = 0L;
++ *prop = (unsigned char *) NULL;
+
+ RRCheckExtension (dpy, info, 1);
+
+@@ -275,36 +287,41 @@
+ return ((xError *)&rep)->errorCode;
+ }
+
+- *prop = (unsigned char *) NULL;
+ if (rep.propertyType != None) {
++ int format = rep.format;
++
++ /*
++ * Protect against both integer overflow and just plain oversized
++ * memory allocation - no server should ever return this many props.
++ */
++ if (rep.nItems >= (INT_MAX >> 4))
++ format = -1; /* fall through to default error case */
++
+ /*
+ * One extra byte is malloced than is needed to contain the property
+ * data, but this last byte is null terminated and convenient for
+ * returning string properties, so the client doesn't then have to
+ * recopy the string to make it null terminated.
+ */
+- switch (rep.format) {
++ switch (format) {
+ case 8:
+ nbytes = rep.nItems;
+ rbytes = rep.nItems + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
++ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
+ _XReadPad (dpy, (char *) *prop, nbytes);
+ break;
+
+ case 16:
+ nbytes = rep.nItems << 1;
+ rbytes = rep.nItems * sizeof (short) + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
++ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
+ _XRead16Pad (dpy, (short *) *prop, nbytes);
+ break;
+
+ case 32:
+ nbytes = rep.nItems << 2;
+ rbytes = rep.nItems * sizeof (long) + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
++ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
+ _XRead32 (dpy, (long *) *prop, nbytes);
+ break;
+
+@@ -313,14 +330,13 @@
+ * This part of the code should never be reached. If it is,
+ * the server sent back a property with an invalid format.
+ */
+- nbytes = rep.length << 2;
+- _XEatData(dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return(BadImplementation);
+ }
+ if (! *prop) {
+- _XEatData(dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return(BadAlloc);
+Index: libxrandr-1.3.2/src/XrrScreen.c
+===================================================================
+--- libxrandr-1.3.2.orig/src/XrrScreen.c 2013-05-28 10:52:03.305401844 -0400
++++ libxrandr-1.3.2/src/XrrScreen.c 2013-05-28 10:52:03.301401843 -0400
+@@ -129,7 +129,7 @@
+ if (xrsr == NULL || wire_names == NULL) {
+ if (xrsr) Xfree (xrsr);
+ if (wire_names) Xfree (wire_names);
+- _XEatData (dpy, (unsigned long) nbytes);
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
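Review bot: The `#ifndef HAVE__XEATDATAWORDS` guard in src/Xrandrint.h (hunk @@ -42,6 +42,19 @@) depends on the configure result being visible at that point, and nothing in the hunk shows config.h being included before this header. If a source file pulls in Xrandrint.h without it, the static inline fallback is compiled even when Xlib already provides `_XEatDataWords`; whether that clashes with a declaration in the Xlib headers cannot be told from here. A comment above the guard would record the requirement, for example `/* HAVE__XEATDATAWORDS comes from config.h (AC_CHECK_FUNCS in configure.ac); include config.h before this header */`. The new check in configure.ac also only takes effect if the package build regenerates configure, which this diff does not show.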
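Review bot: In src/XrrCrtc.c hunk @@ -397,7 +397,7 @@ the context line `int extraBytes = rep.length * 4 - CrtcTransformExtra;` is left unchanged, so the size handed to `Xmalloc` is still computed in `int` from the server-supplied `rep.length` with no upper bound; only the discard path was touched. That is the same kind of size miscalculation the patch description targets, and it could be closed with the guarded-allocation pattern that hunk @@ -102,12 +103,16 @@ of src/XrrProperty.c introduces, e.g. `if (rep.length < (INT_MAX >> 2)) { extraBytes = rep.length * 4 - CrtcTransformExtra; extra = Xmalloc (extraBytes); } else extra = NULL;` with `extraBytes` declared beforehand and limits.h included for `INT_MAX`. The new unsigned subtraction `rep.length - (CrtcTransformExtra >> 2)`, and likewise `rep.length - (OutputInfoExtra >> 2)` in src/XrrOutput.c hunk @@ -81,7 +81,7 @@, would wrap to a very large word count if the reply were shorter than the fixed part. Whether an earlier check rules that out is not visible, since both functions begin outside their hunks.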
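Review bot: In XRRGetOutputProperty (src/XrrProperty.c, hunk @@ -275,36 +287,41 @@) the number of bytes read is derived from `rep.nItems` alone, and nothing in the hunk compares it with `rep.length`, the amount of data the reply says it carries. The added `rep.nItems >= (INT_MAX >> 4)` test bounds the allocation, but a reply whose item count and length disagree would, as far as the hunk shows, still let `_XReadPad`, `_XRead16Pad` or `_XRead32` consume more or less than the reply holds. A consistency check placed before the switch can reuse the existing error path, e.g. `if (format > 0 && (((unsigned long) rep.nItems * (format >> 3) + 3) >> 2) > rep.length) format = -1;`. As a smaller point, the `rbytes > 0` tests are now always true because `rbytes` is unsigned and at least 1 in every case, so they could be dropped or replaced by a comment. The function begins and ends outside this hunk.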