diff -u libxinerama-1.1.1/debian/control libxinerama-1.1.1/debian/control
--- libxinerama-1.1.1/debian/control
+++ libxinerama-1.1.1/debian/control
@@ -1,7 +1,8 @@
 Source: libxinerama
 Section: x11
 Priority: optional
-Maintainer: Debian X Strike Force
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian X Strike Force
 Uploaders: Cyril Brulebois
 Build-Depends:
 debhelper (>= 8.1.3),
diff -u libxinerama-1.1.1/debian/changelog libxinerama-1.1.1/debian/changelog
--- libxinerama-1.1.1/debian/changelog
+++ libxinerama-1.1.1/debian/changelog
@@ -1,3 +1,13 @@
+libxinerama (2:1.1.1-3ubuntu0.1) precise-security; urgency=low
+
+ * SECURITY UPDATE: denial of service and possible code execution via
+ incorrect memory size calculations
+ - 7ce3ce4be46087f9cc57cb415875abaaa961f734
+ - 99c644fc8488657bdd106717df7446d606f9ef22
+ - CVE-2013-1985
+
+ -- Marc Deslauriers Tue, 28 May 2013 10:02:42 -0400
+
 libxinerama (2:1.1.1-3build1) precise; urgency=low
 * No-change rebuild against current pkgbinarymangler to fix broken
only in patch2:
unchanged:
--- libxinerama-1.1.1.orig/configure.ac
+++ libxinerama-1.1.1/configure.ac
@@ -42,6 +42,12 @@
 # Check for dependencies
 PKG_CHECK_MODULES(XINERAMA, x11 xext xextproto [xineramaproto >= 1.1.99.1])
+# Check for _XEatDataWords function that may be patched into older Xlib releases
+SAVE_LIBS="$LIBS"
+LIBS="$XINERAMA_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 dnl Allow checking code with lint, sparse, etc.
 XORG_WITH_LINT
 LINT_FLAGS="${LINT_FLAGS} ${XINERAMA_CFLAGS}"
only in patch2:
unchanged:
--- libxinerama-1.1.1.orig/src/Xinerama.c
+++ libxinerama-1.1.1/src/Xinerama.c
@@ -23,6 +23,10 @@
 Equipment Corporation.
 ******************************************************************/
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
 #include
 #include
 #include
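Review bot: In configure.ac, the result of `AC_CHECK_FUNCS([_XEatDataWords])` is fixed at build time, so a library built against a patched Xlib will reference a symbol that an older, unpatched libX11 may not export at run time. The debian/control hunk in this patch changes only the maintainer fields and the rest of that file is outside the hunk, so it is worth confirming that the binary package's libx11 dependency is tightened (or generated from symbol versions) to match. A one-line comment above the check, for example `# Result selects between Xlib's _XEatDataWords and the static fallback in src/Xinerama.c`, would also tell the next backporter where the fallback lives.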
@@ -31,6 +35,19 @@
 #include
 #include
+#ifndef HAVE__XEATDATAWORDS
+#include /* for LONG64 on 64-bit platforms */
+#include
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
 static XExtensionInfo _panoramiX_ext_info_data;
 static XExtensionInfo *panoramiX_ext_info = &_panoramiX_ext_info_data;
@@ -286,24 +303,36 @@
 return NULL;
 }
- if(rep.number) {
- if((scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number))) {
+ /*
+ * rep.number is a CARD32 so could be as large as 2^32
+ * The X11 protocol limits the total screen size to 64k x 64k,
+ * and no screen can be smaller than a pixel. While technically
+ * that means we could theoretically reach 2^32 screens, and that's
+ * not even taking overlap into account, Xorg is currently limited
+ * to 16 screens, and few known servers have a much higher limit,
+ * so 1024 seems more than enough to prevent both integer overflow
+ * and insane X server responses causing massive memory allocation.
+ */
+ if ((rep.number > 0) && (rep.number <= 1024))
+ scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number);
+ if (scrnInfo != NULL) {
+ int i;
+
+ for (i = 0; i < rep.number; i++) {
 xXineramaScreenInfo scratch;
- int i;
- for(i = 0; i < rep.number; i++) {
- _XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo);
- scrnInfo[i].screen_number = i;
- scrnInfo[i].x_org = scratch.x_org;
- scrnInfo[i].y_org = scratch.y_org;
- scrnInfo[i].width = scratch.width;
- scrnInfo[i].height = scratch.height;
- }
-
- *number = rep.number;
- } else
- _XEatData(dpy, rep.length << 2);
+ _XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo);
+
+ scrnInfo[i].screen_number = i;
+ scrnInfo[i].x_org = scratch.x_org;
+ scrnInfo[i].y_org = scratch.y_org;
+ scrnInfo[i].width = scratch.width;
+ scrnInfo[i].height = scratch.height;
+ }
+
+ *number = rep.number;
 } else {
+ _XEatDataWords(dpy, rep.length);
 *number = 0;
 }
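Review bot: The fallback `_XEatDataWords` added near the top of src/Xinerama.c has no comment saying why the bound check exists or why the shift after it is safe. I would add, above the function, `/* n is a reply length in 4-byte words; where long is 32 bits, n << 2 can wrap, so an oversized length is treated as a fatal I/O error before the shift */`. As far as I know `_XIOError` does not return, and saying so next to the call would make it clear that `_XEatData` is never reached with a wrapped value. The `LONG64` test only works because the header that defines it is included just above, so the comment on that include is worth keeping.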
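Review bot: In the last hunk of src/Xinerama.c the new 1..1024 bound on `rep.number` stops the size multiplication from overflowing, but the loop still reads `rep.number * sz_XineramaScreenInfo` bytes without checking that `rep.length`, the server's stated reply size, covers them. A reply whose count is larger than its length makes `_XRead` consume bytes belonging to whatever follows on the connection, and a reply longer than needed leaves the surplus unread, so in both cases the client loses its place in the protocol stream. I would also require that `rep.length` cover the records before allocating, and discard any surplus words after the loop. Please confirm too that `scrnInfo` is initialised to NULL at its declaration, since `if (scrnInfo != NULL)` now runs even when the `Xmalloc` line is skipped. That declaration is not visible here because the function starts and ends outside the hunk.

```c
/* … unchanged: comment explaining the 1024-screen limit … */
if ((rep.number > 0) && (rep.number <= 1024) &&
    (rep.length >= rep.number * (sz_XineramaScreenInfo >> 2)))
    scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number);
if (scrnInfo != NULL) {
    /* … unchanged: per-screen _XRead loop … */

    /* discard any words the server sent beyond the records just read */
    if (rep.length > rep.number * (sz_XineramaScreenInfo >> 2))
        _XEatDataWords(dpy,
                       rep.length - rep.number * (sz_XineramaScreenInfo >> 2));
    *number = rep.number;
```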