diff -u libxext-1.3.0/debian/control libxext-1.3.0/debian/control --- libxext-1.3.0/debian/control +++ libxext-1.3.0/debian/control @@ -1,7 +1,8 @@ Source: libxext Section: x11 Priority: optional -Maintainer: Debian X Strike Force +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian X Strike Force Uploaders: Cyril Brulebois Build-Depends: debhelper (>= 8.1.3), diff -u libxext-1.3.0/debian/changelog libxext-1.3.0/debian/changelog --- libxext-1.3.0/debian/changelog +++ libxext-1.3.0/debian/changelog @@ -1,3 +1,18 @@ +libxext (2:1.3.0-3ubuntu0.1) precise-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via + incorrect memory size calculations + - ca84a813716f9de691dc3f60390d83af4b5ae534 + - d05f27a6f74cb419ad5a437f2e4690b17e7faee5 + - 082d70b19848059ba78c9d1c315114fb07e8c0ef + - 96d1da55a08c4cd52b763cb07bdce5cdcbec4da8 + - 67ecdcf7e29de9fa78b421122620525ed2c7db88 + - 6ecd96e8be3c33e2ffad6631cea4aa0a030d93c2 + - dfe6e1f3b8ede3d0bab7a5fa57f73513a09ec649 + - CVE-2013-1982 + + -- Marc Deslauriers Tue, 28 May 2013 09:06:27 -0400 + libxext (2:1.3.0-3build1) precise; urgency=low * No-change rebuild against current pkgbinarymangler to fix broken only in patch2: unchanged: --- libxext-1.3.0.orig/COPYING +++ libxext-1.3.0/COPYING @@ -160,7 +160,8 @@ of the information in this document. This documentation is provided ``as is'' without express or implied warranty. -Copyright (c) 1999, 2005, 2006, Oracle and/or its affiliates. All rights reserved. +Copyright (c) 1999, 2005, 2006, 2013, Oracle and/or its affiliates. +All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), only in patch2: unchanged: --- libxext-1.3.0.orig/configure.ac +++ libxext-1.3.0/configure.ac 
@@ -39,6 +39,12 @@ # Obtain compiler/linker options for depedencies PKG_CHECK_MODULES(XEXT, [xproto >= 7.0.13] [x11 >= 1.1.99.1] [xextproto >= 7.1.99]) +# Check for _XEatDataWords function that may be patched into older Xlib releases +SAVE_LIBS="$LIBS" +LIBS="$XEXT_LIBS" +AC_CHECK_FUNCS([_XEatDataWords]) +LIBS="$SAVE_LIBS" + # Allow checking code with lint, sparse, etc. XORG_WITH_LINT XORG_LINT_LIBRARY([Xext]) only in patch2: unchanged: --- libxext-1.3.0.orig/src/Makefile.am +++ libxext-1.3.0/src/Makefile.am @@ -12,6 +12,7 @@ libXext_la_LIBADD = $(XEXT_LIBS) libXext_la_SOURCES = \ + eat.h \ DPMS.c \ MITMisc.c \ XAppgroup.c \ only in patch2: unchanged: --- libxext-1.3.0.orig/src/eat.h +++ libxext-1.3.0/src/eat.h 
@@ -0,0 +1,40 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#ifndef HAVE__XEATDATAWORDS +#include /* for LONG64 on 64-bit platforms */ +#include + +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif only in patch2: unchanged: --- libxext-1.3.0.orig/src/Xdbe.c +++ libxext-1.3.0/src/Xdbe.c @@ -39,6 +39,8 @@ #include #include #include +#include +#include "eat.h" static XExtensionInfo _dbe_info_data; static XExtensionInfo *dbe_info = &_dbe_info_data; 
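Review bot: The fallback `_XEatDataWords` in the eat.h hunk (@@ -0,0 +1,40 @@) has no comment saying that `n` counts 4-byte words or why the `ULONG_MAX >> 2` test exists. On non-LONG64 builds it also reads as if execution falls through from `_XIOError(dpy)` into the shifted `_XEatData` call. I would add a header comment such as `/* Discard n 4-byte words of reply data; the guard keeps n << 2 from wrapping where unsigned long is 32 bits. */` and a one-line remark beside `_XIOError(dpy)` that the call is expected not to return (worth confirming against the Xlib in use). The header also has no include guard, which is harmless while each source file includes it once but cheap to add.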
@@ -352,9 +354,12 @@ *num_screens = rep.m; /* allocate list of visual information to be returned */ - if (!(scrVisInfo = - (XdbeScreenVisualInfo *)Xmalloc( - (unsigned)(*num_screens * sizeof(XdbeScreenVisualInfo))))) { + if ((*num_screens > 0) && (*num_screens < 65536)) + scrVisInfo = Xmalloc(*num_screens * sizeof(XdbeScreenVisualInfo)); + else + scrVisInfo = NULL; + if (scrVisInfo == NULL) { + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return NULL; @@ -362,25 +367,27 @@ for (i = 0; i < *num_screens; i++) { - int nbytes; int j; - long c; + unsigned long c; - _XRead32 (dpy, &c, sizeof(CARD32)); - scrVisInfo[i].count = c; + _XRead32 (dpy, (long *) &c, sizeof(CARD32)); - nbytes = scrVisInfo[i].count * sizeof(XdbeVisualInfo); + if (c < 65536) { + scrVisInfo[i].count = c; + scrVisInfo[i].visinfo = Xmalloc(c * sizeof(XdbeVisualInfo)); + } else + scrVisInfo[i].visinfo = NULL; /* if we can not allocate the list of visual/depth info * then free the lists that we already allocate as well * as the visual info list itself */ - if (!(scrVisInfo[i].visinfo = (XdbeVisualInfo *)Xmalloc( - (unsigned)nbytes))) { + if (scrVisInfo[i].visinfo == NULL) { for (j = 0; j < i; j++) { Xfree ((char *)scrVisInfo[j].visinfo); } Xfree ((char *)scrVisInfo); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return NULL; only in patch2: unchanged: --- libxext-1.3.0.orig/src/Xcup.c +++ libxext-1.3.0/src/Xcup.c @@ -36,6 +36,8 @@ #include #include #include +#include +#include "eat.h" static XExtensionInfo _xcup_info_data; static XExtensionInfo *xcup_info = &_xcup_info_data; 
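Review bot: In the second Xdbe.c hunk (@@ -362,25 +367,27 @@) the failure path inside the loop calls `_XEatDataWords(dpy, rep.length)` after `_XRead32` has already consumed at least one word of the reply for this screen, and presumably more for earlier screens, so it asks Xlib to discard more data than is left in the reply. That differs from the first hunk (@@ -352,9 +354,12 @@), where the same call runs before anything is read and the full length is correct. Keeping a running count, e.g. `unsigned long words_left = rep.length;` decremented after each read and passed as `_XEatDataWords(dpy, words_left);`, would keep the connection in step with the server. The reads of the visual entries are outside the hunk, so the exact decrements need to be worked out there.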
@@ -133,18 +135,22 @@ req->xcupReqType = X_XcupGetReservedColormapEntries; req->screen = screen; if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { - long nbytes; + unsigned long nbytes; xColorItem* rbufp; - int nentries = rep.length / 3; + unsigned int nentries = rep.length / 3; - nbytes = nentries * SIZEOF (xColorItem); - if (nentries > TYP_RESERVED_ENTRIES) - rbufp = (xColorItem*) Xmalloc (nbytes); - else - rbufp = rbuf; + if (nentries < (INT_MAX / SIZEOF (xColorItem))) { + nbytes = nentries * SIZEOF (xColorItem); + + if (nentries > TYP_RESERVED_ENTRIES) + rbufp = Xmalloc (nbytes); + else + rbufp = rbuf; + } else + rbufp = NULL; if (rbufp == NULL) { - _XEatData (dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return False; @@ -213,27 +219,24 @@ } if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { - long nbytes; + unsigned long nbytes; xColorItem* rbufp; xColorItem* cs; - int nentries = rep.length / 3; - - nbytes = nentries * SIZEOF (xColorItem); - - if (nentries != ncolors) { - _XEatData (dpy, (unsigned long) nbytes); - UnlockDisplay (dpy); - SyncHandle (); - return False; - } + unsigned int nentries = rep.length / 3; - if (ncolors > 256) - rbufp = (xColorItem*) Xmalloc (nbytes); - else - rbufp = rbuf; + if ((nentries == ncolors) && + (nentries < (INT_MAX / SIZEOF (xColorItem)))) { + nbytes = nentries * SIZEOF (xColorItem); + + if (ncolors > 256) + rbufp = Xmalloc (nbytes); + else + rbufp = rbuf; + } else + rbufp = NULL; if (rbufp == NULL) { - _XEatData (dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return False; only in patch2: unchanged: --- libxext-1.3.0.orig/src/XShape.c +++ libxext-1.3.0/src/XShape.c @@ -35,6 +35,8 @@ #include #include #include +#include +#include "eat.h" static XExtensionInfo _shape_info_data; static XExtensionInfo *shape_info = &_shape_info_data; 
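Review bot: In the second Xcup.c hunk (@@ -213,27 +219,24 @@) the choice between the stack buffer `rbuf` and `Xmalloc` still hinges on the literal `256`, while the first hunk (@@ -133,18 +135,22 @@) uses `TYP_RESERVED_ENTRIES` for the same decision. The declaration of `rbuf` is outside both hunks, so whether the literal matches the array size cannot be confirmed from here. If `rbuf` is a true array in that scope, tying the test to it, e.g. `if (nentries > sizeof(rbuf) / sizeof(rbuf[0]))`, would keep the stack-buffer bound from drifting away from the declaration. The bound-then-allocate sequence is also duplicated almost verbatim in the two hunks and could live in one small static helper.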
@@ -442,7 +444,7 @@ xShapeGetRectanglesReply rep; XRectangle *rects; xRectangle *xrects; - int i; + unsigned int i; ShapeCheckExtension (dpy, info, (XRectangle *)NULL); @@ -460,20 +462,23 @@ *count = rep.nrects; *ordering = rep.ordering; rects = NULL; - if (*count) { - xrects = (xRectangle *) Xmalloc (*count * sizeof (xRectangle)); - rects = (XRectangle *) Xmalloc (*count * sizeof (XRectangle)); + if (rep.nrects) { + if (rep.nrects < (INT_MAX / sizeof (XRectangle))) { + xrects = Xmalloc (rep.nrects * sizeof (xRectangle)); + rects = Xmalloc (rep.nrects * sizeof (XRectangle)); + } else { + xrects = NULL; + rects = NULL; + } if (!xrects || !rects) { - if (xrects) - Xfree (xrects); - if (rects) - Xfree (rects); - _XEatData (dpy, *count * sizeof (xRectangle)); + Xfree (xrects); + Xfree (rects); + _XEatDataWords (dpy, rep.length); rects = NULL; *count = 0; } else { - _XRead (dpy, (char *) xrects, *count * sizeof (xRectangle)); - for (i = 0; i < *count; i++) { + _XRead (dpy, (char *) xrects, rep.nrects * sizeof (xRectangle)); + for (i = 0; i < rep.nrects; i++) { rects[i].x = (short) cvtINT16toInt (xrects[i].x); rects[i].y = (short) cvtINT16toInt (xrects[i].y); rects[i].width = xrects[i].width; only in patch2: unchanged: --- libxext-1.3.0.orig/src/XSync.c +++ libxext-1.3.0/src/XSync.c @@ -59,6 +59,8 @@ #include #include #include +#include +#include "eat.h" static XExtensionInfo _sync_info_data; static XExtensionInfo *sync_info = &_sync_info_data; 
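Review bot: In the second XShape.c hunk (@@ -460,20 +462,23 @@) `rep.nrects` is bounded against `INT_MAX` but never compared with `rep.length`, so the `_XRead` of `rep.nrects * sizeof (xRectangle)` bytes still trusts a server-supplied count that may not match the data actually sent. A count larger than the reply makes the read run into whatever follows on the connection, and a smaller one leaves unread words behind. Assuming the wire rectangle is 8 bytes, the guard could also require `rep.nrects <= (rep.length >> 1)`. The first XEVI.c hunk (@@ -163,15 +166,22 @@) has the same gap: `rep.n_info` and `rep.n_conflicts` are capped at 65536, but `sz_xInfo + sz_xConflict` is not checked against `rep.length` before the reads.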
@@ -351,20 +353,29 @@ if (rep.nCounters > 0) { xSyncSystemCounter *pWireSysCounter, *pNextWireSysCounter; + xSyncSystemCounter *pLastWireSysCounter; XSyncCounter counter; - int replylen; + unsigned int replylen; int i; - list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter)); - replylen = rep.length << 2; - pWireSysCounter = Xmalloc ((unsigned) replylen + sizeof(XSyncCounter)); - /* +1 to leave room for last counter read-ahead */ + if (rep.nCounters < (INT_MAX / sizeof(XSyncSystemCounter))) + list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter)); + if (rep.length < (INT_MAX >> 2)) { + replylen = rep.length << 2; + pWireSysCounter = Xmalloc (replylen + sizeof(XSyncCounter)); + /* +1 to leave room for last counter read-ahead */ + pLastWireSysCounter = (xSyncSystemCounter *) + ((char *)pWireSysCounter) + replylen; + } else { + replylen = 0; + pWireSysCounter = NULL; + } if ((!list) || (!pWireSysCounter)) { - if (list) Xfree((char *) list); - if (pWireSysCounter) Xfree((char *) pWireSysCounter); - _XEatData(dpy, (unsigned long) replylen); + Xfree(list); + Xfree(pWireSysCounter); + _XEatDataWords(dpy, rep.length); list = NULL; goto bail; } @@ -387,6 +398,14 @@ pNextWireSysCounter = (xSyncSystemCounter *) (((char *)pWireSysCounter) + ((SIZEOF(xSyncSystemCounter) + pWireSysCounter->name_length + 3) & ~3)); + /* Make sure we haven't gone too far */ + if (pNextWireSysCounter > pLastWireSysCounter) { + Xfree(list); + Xfree(pWireSysCounter); + list = NULL; + goto bail; + } + counter = pNextWireSysCounter->counter; list[i].name = ((char *)pWireSysCounter) + only in patch2: unchanged: --- libxext-1.3.0.orig/src/XSecurity.c +++ libxext-1.3.0/src/XSecurity.c @@ -33,6 +33,7 @@ #include #include #include +#include "eat.h" static XExtensionInfo _Security_info_data; static XExtensionInfo *Security_info = &_Security_info_data; 
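Review bot: In the first XSync.c hunk (@@ -351,20 +353,29 @@) the assignment to `pLastWireSysCounter` applies the cast before the addition, so `+ replylen` is scaled by `sizeof(xSyncSystemCounter)` instead of being counted in bytes, and the limit lands far past the end of the allocation. The `pNextWireSysCounter > pLastWireSysCounter` test added in the next hunk (@@ -387,6 +398,14 @@) therefore does not stop a walk off the buffer. The addition needs to be inside the cast: `pLastWireSysCounter = (xSyncSystemCounter *) (((char *)pWireSysCounter) + replylen);`. Separately, `list` is only assigned when the `rep.nCounters` bound holds. Its declaration is outside the hunk, so unless it is initialised to NULL there, an `else list = NULL;` is needed before the `(!list)` test.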
@@ -282,7 +283,7 @@ } else { - _XEatData(dpy, (unsigned long) (rep.dataLength + 3) & ~3); + _XEatDataWords(dpy, rep.length); } UnlockDisplay (dpy); only in patch2: unchanged: --- libxext-1.3.0.orig/src/XMultibuf.c +++ libxext-1.3.0/src/XMultibuf.c @@ -34,6 +34,7 @@ #include #include #include +#include "eat.h" static XExtensionInfo _multibuf_info_data; static XExtensionInfo *multibuf_info = &_multibuf_info_data; @@ -408,7 +409,7 @@ attr->buffers = (Multibuffer *) Xmalloc((unsigned) nbytes); nbytes = rep.length << 2; if (! attr->buffers) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (0); only in patch2: unchanged: --- libxext-1.3.0.orig/src/XEVI.c +++ libxext-1.3.0/src/XEVI.c @@ -30,6 +30,9 @@ #include #include #include +#include +#include "eat.h" + static XExtensionInfo *xevi_info;/* needs to move to globals.c */ static /* const */ char *xevi_extension_name = EVINAME; #define XeviCheckExtension(dpy,i,val) \ 
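Review bot: In the XMultibuf.c hunk (@@ -408,7 +409,7 @@) the allocation on the unchanged line `Xmalloc((unsigned) nbytes)` is left as it was, while the comparable allocations in Xdbe.c, Xcup.c, XShape.c, XSync.c and XEVI.c all gain a bound in this patch. `nbytes` is computed outside the hunk, so whether it can wrap or be truncated by the `(unsigned)` cast cannot be seen here. If it is derived from `rep.length`, it deserves the same kind of limit check before the allocation. The following `nbytes = rep.length << 2;` also keeps the shift that `_XEatDataWords` was introduced to avoid, so if that value feeds a later read it should be range-checked as well.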
@@ -163,15 +166,22 @@ return BadAccess; } Xfree(temp_visual); - sz_info = rep.n_info * sizeof(ExtendedVisualInfo); - sz_xInfo = rep.n_info * sz_xExtendedVisualInfo; - sz_conflict = rep.n_conflicts * sizeof(VisualID); - sz_xConflict = rep.n_conflicts * sz_VisualID32; - infoPtr = *evi_return = (ExtendedVisualInfo *)Xmalloc(sz_info + sz_conflict); - xInfoPtr = temp_xInfo = (xExtendedVisualInfo *)Xmalloc(sz_xInfo); - xConflictPtr = temp_conflict = (VisualID32 *)Xmalloc(sz_xConflict); + if ((rep.n_info < 65536) && (rep.n_conflicts < 65536)) { + sz_info = rep.n_info * sizeof(ExtendedVisualInfo); + sz_xInfo = rep.n_info * sz_xExtendedVisualInfo; + sz_conflict = rep.n_conflicts * sizeof(VisualID); + sz_xConflict = rep.n_conflicts * sz_VisualID32; + *evi_return = Xmalloc(sz_info + sz_conflict); + temp_xInfo = Xmalloc(sz_xInfo); + temp_conflict = Xmalloc(sz_xConflict); + } else { + sz_xInfo = sz_xConflict = 0; + *evi_return = NULL; + temp_xInfo = NULL; + temp_conflict = NULL; + } if (!*evi_return || !temp_xInfo || !temp_conflict) { - _XEatData(dpy, (sz_xInfo + sz_xConflict + 3) & ~3); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); if (evi_return) @@ -186,6 +196,9 @@ _XRead(dpy, (char *)temp_conflict, sz_xConflict); UnlockDisplay(dpy); SyncHandle(); + infoPtr = *evi_return; + xInfoPtr = temp_xInfo; + xConflictPtr = temp_conflict; n_data = rep.n_info; conflict = (VisualID *)(infoPtr + n_data); while (n_data-- > 0) {