diff -u libx11-1.6.3/debian/changelog libx11-1.6.3/debian/changelog --- libx11-1.6.3/debian/changelog +++ libx11-1.6.3/debian/changelog @@ -1,3 +1,28 @@ +libx11 (2:1.6.3-1ubuntu2.2) xenial-security; urgency=medium + + * SECURITY UPDATE: integer overflow and heap overflow in XIM client + - debian/patches/CVE-2020-14344-1.patch: fix signed length values in + modules/im/ximcp/imRmAttr.c. + - debian/patches/CVE-2020-14344-2.patch: fix integer overflows in + modules/im/ximcp/imRmAttr.c. + - debian/patches/CVE-2020-14344-3.patch: fix more unchecked lengths in + modules/im/ximcp/imRmAttr.c. + - debian/patches/CVE-2020-14344-4.patch: zero out buffers in functions + in modules/im/ximcp/imDefIc.c, modules/im/ximcp/imDefIm.c. + - debian/patches/CVE-2020-14344-5.patch: change the data_len parameter + to CARD16 in modules/im/ximcp/imRmAttr.c. + - debian/patches/CVE-2020-14344-6.patch: fix size calculation in + modules/im/ximcp/imRmAttr.c. + - debian/patches/CVE-2020-14344-7.patch: fix input clients connecting + to server in modules/im/ximcp/imRmAttr.c. + - CVE-2020-14344 + * SECURITY UPDATE: integer overflow and double free in locale handling + - debian/patches/CVE-2020-14363.patch: fix an integer overflow in + modules/om/generic/omGeneric.c. + - CVE-2020-14363 + + -- Marc Deslauriers Mon, 31 Aug 2020 12:11:23 -0400 + libx11 (2:1.6.3-1ubuntu2.1) xenial-security; urgency=medium * SECURITY UPDATE: Out-of-bounds read diff -u libx11-1.6.3/debian/patches/series libx11-1.6.3/debian/patches/series --- libx11-1.6.3/debian/patches/series +++ libx11-1.6.3/debian/patches/series @@ -11,0 +12,8 @@ +CVE-2020-14344-1.patch +CVE-2020-14344-2.patch +CVE-2020-14344-3.patch +CVE-2020-14344-4.patch +CVE-2020-14344-5.patch +CVE-2020-14344-6.patch +CVE-2020-14344-7.patch +CVE-2020-14363.patch only in patch2: unchanged: --- libx11-1.6.3.orig/debian/patches/CVE-2020-14344-1.patch +++ libx11-1.6.3/debian/patches/CVE-2020-14344-1.patch 
@@ -0,0 +1,71 @@ +From 0e6561efcfaa0ae7b5c74eac7e064b76d687544e Mon Sep 17 00:00:00 2001 +From: Todd Carson +Date: Fri, 24 Jul 2020 19:33:30 +0200 +Subject: [PATCH] Fix signed length values in _XimGetAttributeID() + +The lengths are unsigned according to the specification. Passing +negative values can lead to data corruption. + +Signed-off-by: Matthieu Herrb +Reviewed-by: Matthieu Herrb +--- + modules/im/ximcp/imRmAttr.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c +index 9d4e4625..d5d1939e 100644 +--- a/modules/im/ximcp/imRmAttr.c ++++ b/modules/im/ximcp/imRmAttr.c +@@ -1378,13 +1378,13 @@ _XimEncodeSavedICATTRIBUTE( + + static unsigned int + _XimCountNumberOfAttr( +- INT16 total, +- CARD16 *attr, +- int *names_len) ++ CARD16 total, ++ CARD16 *attr, ++ unsigned int *names_len) + { + unsigned int n; +- INT16 len; +- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */ ++ CARD16 len; ++ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */ + + sizeof(CARD16) /* sizeof type of value */ + + sizeof(INT16); /* sizeof length of attribute */ + +@@ -1392,6 +1392,9 @@ _XimCountNumberOfAttr( + *names_len = 0; + while (total > min_len) { + len = attr[2]; ++ if (len >= (total - min_len)) { ++ return 0; ++ } + *names_len += (len + 1); + len += (min_len + XIM_PAD(len + 2)); + total -= len; +@@ -1406,17 +1409,15 @@ _XimGetAttributeID( + Xim im, + CARD16 *buf) + { +- unsigned int n; ++ unsigned int n, names_len, values_len; + XIMResourceList res; + char *names; +- int names_len; + XPointer tmp; + XIMValuesList *values_list; + char **values; +- int values_len; + register int i; +- INT16 len; +- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */ ++ CARD16 len; ++ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */ + + sizeof(CARD16) /* sizeof type of value */ + + sizeof(INT16); /* sizeof length of attr */ + /* +-- +GitLab + only in patch2: unchanged: --- 
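Review bot: In `_XimCountNumberOfAttr` the new bound `len > (total - min_len)` is applied before the padding is added, so after `len += (min_len + XIM_PAD(len + 2))` the padded record can exceed `total` by up to three bytes (assuming XIM_PAD rounds to a 4-byte boundary, which the hunk does not show); `total -= len` on a CARD16 then wraps to a large value instead of reaching zero, and `while (total > min_len)` keeps iterating past the attribute data. A saturating subtraction keeps the loop bounded without rejecting a last attribute whose trailing pad is not counted in `total`: `total = (len < total) ? total - len : 0;`. The pointer advance and the rest of the loop body are outside the hunk, as is the body of `_XimGetAttributeID`, which the second hunk only re-types. CVE-2020-14344-7.patch adjusts the same comparison (`>=` to `>`) and carries the same concern.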
libx11-1.6.3.orig/debian/patches/CVE-2020-14344-2.patch +++ libx11-1.6.3/debian/patches/CVE-2020-14344-2.patch 
@@ -0,0 +1,82 @@ +From 388b303c62aa35a245f1704211a023440ad2c488 Mon Sep 17 00:00:00 2001 +From: Todd Carson +Date: Fri, 24 Jul 2020 19:36:51 +0200 +Subject: [PATCH] fix integer overflows in _XimAttributeToValue() + +Signed-off-by: Matthieu Herrb +Reviewed-by: Matthieu Herrb +--- + modules/im/ximcp/imRmAttr.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c +index d5d1939e..db3639de 100644 +--- a/modules/im/ximcp/imRmAttr.c ++++ b/modules/im/ximcp/imRmAttr.c +@@ -29,6 +29,8 @@ PERFORMANCE OF THIS SOFTWARE. + #ifdef HAVE_CONFIG_H + #include + #endif ++#include ++ + #include "Xlibint.h" + #include "Xlcint.h" + #include "Ximint.h" +@@ -250,18 +252,24 @@ _XimAttributeToValue( + + case XimType_XIMStyles: + { +- INT16 num = data[0]; ++ CARD16 num = data[0]; + register CARD32 *style_list = (CARD32 *)&data[2]; + XIMStyle *style; + XIMStyles *rep; + register int i; + char *p; +- int alloc_len; ++ unsigned int alloc_len; + + if (!(value)) + return False; + ++ if (num > (USHRT_MAX / sizeof(XIMStyle))) ++ return False; ++ if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len) ++ return False; + alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num; ++ if (alloc_len < sizeof(XIMStyles)) ++ return False; + if (!(p = Xmalloc(alloc_len))) + return False; + +@@ -357,19 +365,25 @@ _XimAttributeToValue( + + case XimType_XIMHotKeyTriggers: + { +- INT32 num = *((CARD32 *)data); ++ CARD32 num = *((CARD32 *)data); + register CARD32 *key_list = (CARD32 *)&data[2]; + XIMHotKeyTrigger *key; + XIMHotKeyTriggers *rep; + register int i; + char *p; +- int alloc_len; ++ unsigned int alloc_len; + + if (!(value)) + return False; + ++ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger))) ++ return False; ++ if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len) ++ return False; + alloc_len = sizeof(XIMHotKeyTriggers) + + sizeof(XIMHotKeyTrigger) * num; ++ if (alloc_len < 
sizeof(XIMHotKeyTriggers)) ++ return False; + if (!(p = Xmalloc(alloc_len))) + return False; + +-- +GitLab + only in patch2: unchanged: --- libx11-1.6.3.orig/debian/patches/CVE-2020-14344-3.patch +++ libx11-1.6.3/debian/patches/CVE-2020-14344-3.patch @@ -0,0 +1,42 @@ +From 2fcfcc49f3b1be854bb9085993a01d17c62acf60 Mon Sep 17 00:00:00 2001 +From: Todd Carson +Date: Fri, 24 Jul 2020 20:22:44 +0200 +Subject: [PATCH] Fix more unchecked lengths + +Signed-off-by: Matthieu Herrb +Reviewed-by: Matthieu Herrb +--- + modules/im/ximcp/imRmAttr.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c +index db3639de..b7591a07 100644 +--- a/modules/im/ximcp/imRmAttr.c ++++ b/modules/im/ximcp/imRmAttr.c +@@ -321,7 +321,7 @@ _XimAttributeToValue( + + case XimType_XFontSet: + { +- INT16 len = data[0]; ++ CARD16 len = data[0]; + char *base_name; + XFontSet rep = (XFontSet)NULL; + char **missing_list = NULL; +@@ -332,11 +332,12 @@ _XimAttributeToValue( + return False; + if (!ic) + return False; +- ++ if (len > data_len) ++ return False; + if (!(base_name = Xmalloc(len + 1))) + return False; + +- (void)strncpy(base_name, (char *)&data[1], (int)len); ++ (void)strncpy(base_name, (char *)&data[1], (size_t)len); + base_name[len] = '\0'; + + if (mode & XIM_PREEDIT_ATTR) { +-- +GitLab + only in patch2: unchanged: --- libx11-1.6.3.orig/debian/patches/CVE-2020-14344-4.patch +++ libx11-1.6.3/debian/patches/CVE-2020-14344-4.patch 
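Review bot: The two new size guards in `_XimAttributeToValue`, `num > (USHRT_MAX / sizeof(XIMStyle))` and `num > (UINT_MAX / sizeof(XIMHotKeyTrigger))`, are bounded by host struct sizes and give no hint of what they protect; since `alloc_len` is declared `unsigned int`, the guard together with the `alloc_len < sizeof(...)` re-check is what keeps `Xmalloc(alloc_len)` from receiving a truncated size, and a comment such as `/* keep sizeof(XIMStyle) * num within alloc_len's unsigned int range; the data_len check below is the operative bound on num */` would save the next reader from re-deriving that. The added `++#include` line is rendered here without a header name (presumably `<limits.h>`, which supplies USHRT_MAX and UINT_MAX); worth confirming the patch file itself is intact. Both switch cases continue beyond the hunk.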
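Review bot: The new bound in the `XimType_XFontSet` case, `if (len > data_len)`, does not account for the CARD16 length prefix: `len` is read from `data[0]` and the copy starts at `&data[1]`, so with `len == data_len` the `strncpy` reads `sizeof(CARD16)` bytes beyond the `data_len` bytes of the value. If `data_len` counts the prefix, as the header accounting in CVE-2020-14344-6.patch (`2 * sizeof(CARD16) + ... > data_len`) suggests, the guard should be `if (data_len < sizeof(CARD16) || len > data_len - sizeof(CARD16)) return False;`. Because `base_name[len]` is terminated explicitly, `memcpy(base_name, &data[1], len)` would also state the intent more plainly than `strncpy`. The rest of the case lies outside the hunk.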
@@ -0,0 +1,150 @@ +From 1a566c9e00e5f35c1f9e7f3d741a02e5170852b2 Mon Sep 17 00:00:00 2001 +From: Todd Carson +Date: Fri, 24 Jul 2020 20:59:32 +0200 +Subject: [PATCH] Zero out buffers in functions + +It looks like uninitialized stack or heap memory can leak +out via padding bytes. + +Signed-off-by: Matthieu Herrb +Reviewed-by: Matthieu Herrb +--- + modules/im/ximcp/imDefIc.c | 6 ++++-- + modules/im/ximcp/imDefIm.c | 25 +++++++++++++++++-------- + 2 files changed, 21 insertions(+), 10 deletions(-) + +--- a/modules/im/ximcp/imDefIc.c ++++ b/modules/im/ximcp/imDefIc.c +@@ -351,7 +351,7 @@ _XimProtoGetICValues( + + sizeof(INT16) + + XIM_PAD(2 + buf_size); + +- if (!(buf = Xmalloc(buf_size))) ++ if (!(buf = Xcalloc(buf_size, 1))) + return arg->name; + buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; + +@@ -709,6 +709,7 @@ _XimProtoSetICValues( + #endif /* XIM_CONNECTABLE */ + + _XimGetCurrentICValues(ic, &ic_values); ++ memset(tmp_buf, 0, sizeof(tmp_buf32)); + buf = tmp_buf; + buf_size = XIM_HEADER_SIZE + + sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16); +@@ -731,7 +732,7 @@ _XimProtoSetICValues( + + buf_size += ret_len; + if (buf == tmp_buf) { +- if (!(tmp = Xmalloc(buf_size + data_len))) { ++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) { + return tmp_name; + } + memcpy(tmp, buf, buf_size); +@@ -741,6 +742,7 @@ _XimProtoSetICValues( + Xfree(buf); + return tmp_name; + } ++ memset(&tmp[buf_size], 0, data_len); + buf = tmp; + } + } +--- a/modules/im/ximcp/imDefIm.c ++++ b/modules/im/ximcp/imDefIm.c +@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE. 
+ #include "XimTrInt.h" + #include "Ximint.h" + ++#include + + int + _XimCheckDataSize( +@@ -809,12 +810,16 @@ _XimOpen( + int buf_size; + int ret_code; + char *locale_name; ++ size_t locale_len; + + locale_name = im->private.proto.locale_name; +- len = strlen(locale_name); +- buf_b[0] = (BYTE)len; /* length of locale name */ +- (void)strcpy((char *)&buf_b[1], locale_name); /* locale name */ +- len += sizeof(BYTE); /* sizeof length */ ++ locale_len = strlen(locale_name); ++ if (locale_len > UCHAR_MAX) ++ return False; ++ memset(buf32, 0, sizeof(buf32)); ++ buf_b[0] = (BYTE)locale_len; /* length of locale name */ ++ memcpy(&buf_b[1], locale_name, locale_len); /* locale name */ ++ len = (INT16)(locale_len + sizeof(BYTE)); /* sizeof length */ + XIM_SET_PAD(buf_b, len); /* pad */ + + _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len); +@@ -1289,6 +1294,7 @@ _XimProtoSetIMValues( + #endif /* XIM_CONNECTABLE */ + + _XimGetCurrentIMValues(im, &im_values); ++ memset(tmp_buf, 0, sizeof(tmp_buf32)); + buf = tmp_buf; + buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16); + data_len = BUFSIZE - buf_size; +@@ -1311,7 +1317,7 @@ _XimProtoSetIMValues( + + buf_size += ret_len; + if (buf == tmp_buf) { +- if (!(tmp = Xmalloc(buf_size + data_len))) { ++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) { + return arg->name; + } + memcpy(tmp, buf, buf_size); +@@ -1321,6 +1327,7 @@ _XimProtoSetIMValues( + Xfree(buf); + return arg->name; + } ++ memset(&tmp[buf_size], 0, data_len); + buf = tmp; + } + } +@@ -1462,7 +1469,7 @@ _XimProtoGetIMValues( + + sizeof(INT16) + + XIM_PAD(buf_size); + +- if (!(buf = Xmalloc(buf_size))) ++ if (!(buf = Xcalloc(buf_size, 1))) + return arg->name; + buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; + +@@ -1724,7 +1731,7 @@ _XimEncodingNegotiation( + + sizeof(CARD16) + + detail_len; + +- if (!(buf = Xmalloc(XIM_HEADER_SIZE + len))) ++ if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1))) + goto free_detail_ptr; + + buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; +@@ -1820,6 
+1827,7 @@ _XimSendSavedIMValues( + int ret_code; + + _XimGetCurrentIMValues(im, &im_values); ++ memset(tmp_buf, 0, sizeof(tmp_buf32)); + buf = tmp_buf; + buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16); + data_len = BUFSIZE - buf_size; +@@ -1842,7 +1850,7 @@ _XimSendSavedIMValues( + + buf_size += ret_len; + if (buf == tmp_buf) { +- if (!(tmp = Xmalloc(buf_size + data_len))) { ++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) { + return False; + } + memcpy(tmp, buf, buf_size); +@@ -1852,6 +1860,7 @@ _XimSendSavedIMValues( + Xfree(buf); + return False; + } ++ memset(&tmp[buf_size], 0, data_len); + buf = tmp; + } + } only in patch2: unchanged: --- libx11-1.6.3.orig/debian/patches/CVE-2020-14344-5.patch +++ libx11-1.6.3/debian/patches/CVE-2020-14344-5.patch @@ -0,0 +1,32 @@ +From 1703b9f3435079d3c6021e1ee2ec34fd4978103d Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Fri, 24 Jul 2020 21:09:10 +0200 +Subject: [PATCH] Change the data_len parameter of _XimAttributeToValue() to + CARD16 + +It's coming from a length in the protocol (unsigned) and passed +to functions that expect unsigned int parameters (_XCopyToArg() +and memcpy()). + +Signed-off-by: Matthieu Herrb +Reviewed-by: Todd Carson +--- + modules/im/ximcp/imRmAttr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c +index b7591a07..2491908e 100644 +--- a/modules/im/ximcp/imRmAttr.c ++++ b/modules/im/ximcp/imRmAttr.c +@@ -216,7 +216,7 @@ _XimAttributeToValue( + Xic ic, + XIMResourceList res, + CARD16 *data, +- INT16 data_len, ++ CARD16 data_len, + XPointer value, + BITMASK32 mode) + { +-- +GitLab + only in patch2: unchanged: --- libx11-1.6.3.orig/debian/patches/CVE-2020-14344-6.patch +++ libx11-1.6.3/debian/patches/CVE-2020-14344-6.patch 
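Review bot: The three new `memset(tmp_buf, 0, sizeof(tmp_buf32));` lines (in `_XimProtoSetICValues`, `_XimProtoSetIMValues` and `_XimSendSavedIMValues`) clear memory through one pointer using the size of a different object, which is correct only if `tmp_buf` aliases `tmp_buf32` for its whole length; the declarations that presumably establish that are outside the hunk, so the line itself does not show it. Either clear the array directly, `memset(tmp_buf32, 0, sizeof(tmp_buf32));`, or add `/* tmp_buf aliases tmp_buf32; clear the whole scratch buffer so padding bytes are not sent uninitialized */` at each site. The later `memset(&tmp[buf_size], 0, data_len);` is redundant after the `Xcalloc` branch but appears intended for the other branch between the hunk lines (presumably a reallocation, which would not zero the new tail); a one-line comment saying so would stop someone from removing it as dead code.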
@@ -0,0 +1,51 @@ +From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001 +From: Yichao Yu +Date: Sun, 2 Aug 2020 13:43:58 -0400 +Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`. + +The check here guards the read below. +For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers` +these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`. +(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this +function and doesn't need to be checked.) + +The old code here used the native datatype size instead of the wire protocol size causing +the check to always fail. + +Also fix the size calculation for the header (size). It is 2 x CARD16 for both types +despite the unused `CARD16` for `XimType_XIMStyles`. + +[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles + +This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10. + +Fix #116 +--- + modules/im/ximcp/imRmAttr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c +index 2491908e..919c5564 100644 +--- a/modules/im/ximcp/imRmAttr.c ++++ b/modules/im/ximcp/imRmAttr.c +@@ -265,7 +265,7 @@ _XimAttributeToValue( + + if (num > (USHRT_MAX / sizeof(XIMStyle))) + return False; +- if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len) ++ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len) + return False; + alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num; + if (alloc_len < sizeof(XIMStyles)) +@@ -379,7 +379,7 @@ _XimAttributeToValue( + + if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger))) + return False; +- if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len) ++ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len) + return False; + alloc_len = sizeof(XIMHotKeyTriggers) + + sizeof(XIMHotKeyTrigger) * num; +-- +GitLab + only in patch2: 
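Review bot: The rewritten bounds use bare wire-size arithmetic, `2 * sizeof(CARD16)` for the header and `num * 3 * sizeof(CARD32)` for the hot-key entries, with the rationale living only in the commit message; a comment at each check keeps it with the code, e.g. `/* wire layout, not host structs: 2 x CARD16 header, then num x CARD32 styles */` and `/* wire layout: 2 x CARD16 header, then num x XIMTRIGGERKEY (3 x CARD32 each) */`. With `data_len` now a CARD16 (CVE-2020-14344-5.patch), these checks bound `num` far below the preceding `USHRT_MAX / sizeof(XIMStyle)` and `UINT_MAX / sizeof(XIMHotKeyTrigger)` guards, so those are effectively dead and deserve a note so nobody later "fixes" the wrong one. Both cases continue beyond the hunk.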
unchanged: --- libx11-1.6.3.orig/debian/patches/CVE-2020-14344-7.patch +++ libx11-1.6.3/debian/patches/CVE-2020-14344-7.patch @@ -0,0 +1,32 @@ +From d15c24c8b44be5e4054c8ecd0ff9dcf2c8e18e5b Mon Sep 17 00:00:00 2001 +From: Niclas Zeising +Date: Tue, 11 Aug 2020 13:44:38 +0200 +Subject: [PATCH] Fix input clients connecting to server + +Fix a bug where some input clients can't connect to the input server. +This fixes #117. + +FreeBSD bugzilla reference: +https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248549 + +Signed-off-by: Niclas Zeising +--- + modules/im/ximcp/imRmAttr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c +index 919c5564..709e64ab 100644 +--- a/modules/im/ximcp/imRmAttr.c ++++ b/modules/im/ximcp/imRmAttr.c +@@ -1407,7 +1407,7 @@ _XimCountNumberOfAttr( + *names_len = 0; + while (total > min_len) { + len = attr[2]; +- if (len >= (total - min_len)) { ++ if (len > (total - min_len)) { + return 0; + } + *names_len += (len + 1); +-- +GitLab + only in patch2: unchanged: --- libx11-1.6.3.orig/debian/patches/CVE-2020-14363.patch +++ libx11-1.6.3/debian/patches/CVE-2020-14363.patch 
@@ -0,0 +1,26 @@ +From acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 13 Aug 2020 18:02:58 +0200 +Subject: [PATCH] Fix an integer overflow in init_om() + +CVE-2020-14363 + +This can lead to a double free later, as reported by Jayden Rivers. + +Signed-off-by: Matthieu Herrb +--- + modules/om/generic/omGeneric.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/modules/om/generic/omGeneric.c ++++ b/modules/om/generic/omGeneric.c +@@ -1977,7 +1977,8 @@ init_om( + char **required_list; + XOrientation *orientation; + char **value, buf[BUFSIZ], *bufptr; +- int count = 0, num = 0, length = 0; ++ int count = 0, num = 0; ++ unsigned int length = 0; + + _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count); + if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
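Review bot: Changing `length` to `unsigned int` removes the signed overflow named in the subject, but the declaration gives no hint why it now differs from the neighbouring `int count = 0, num = 0;`; a comment such as `/* unsigned: accumulated lengths must not overflow (CVE-2020-14363) */` would anchor the fix to its reason. How `length` is accumulated and consumed is outside the hunk, so that it feeds an allocation is taken from the commit message rather than the visible lines; the same out-of-view code is where comparisons between the now-unsigned `length` and the still-signed `count`/`num` should be checked (`-Wsign-compare`). The body of `init_om` continues past the hunk.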