authorLeonardo Arena <rnalrd@alpinelinux.org>2016-10-19 11:54:21 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-10-19 11:54:56 +0000
commit28cfd0e5313c4075e486c29630eb0a7684c551c5 (patch)
tree7081f793017b8ede07011df24151a74b8b97c846
parent4a1b4e625d7773e50bb708eb6d94244ed8cf29e0 (diff)
main/libxrender: security fix (CVE-2016-7949, CVE-2016-7950)
Fixes #6291
-rw-r--r--main/libxrender/APKBUILD31
-rw-r--r--main/libxrender/CVE-2016-7949.patch55
-rw-r--r--main/libxrender/CVE-2016-7950.patch62
3 files changed, 143 insertions, 5 deletions
diff --git a/main/libxrender/APKBUILD b/main/libxrender/APKBUILD
index 0e4df547b1..5659255c03 100644
--- a/main/libxrender/APKBUILD
+++ b/main/libxrender/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxrender
pkgver=0.9.9
-pkgrel=1
+pkgrel=2
pkgdesc="X Rendering Extension client library"
url="http://xorg.freedesktop.org/"
arch="all"
@@ -10,10 +10,25 @@ subpackages="$pkgname-dev"
depends=
depends_dev="renderproto libx11-dev"
makedepends="$depends_dev"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2
+ CVE-2016-7949.patch
+ CVE-2016-7950.patch
+ "
+# secfix:
+# 0.9.9-r2:
+# - CVE-2016-7949
+# - CVE-2016-7950
_builddir="$srcdir"/libXrender-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
build() {
cd "$_builddir"
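Review bot: The rewritten `source=` still fetches the libXrender tarball over plain `http://`, so the integrity of the upstream archive in this security rebuild rests entirely on the checksum lists further down the file. If the upstream host serves the same path over TLS (to be confirmed), changing the scheme to `https://` is a one-word edit. In the new `prepare()`, `msg $i` and `"$srcdir"/$i` leave `$i` unquoted; `patch -p1 -i "$srcdir/$i" || return 1` is safer should a source entry ever contain whitespace or glob characters. `build()` continues outside the hunk.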
@@ -29,6 +44,12 @@ package() {
cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
}
-md5sums="5db92962b124ca3a8147daae4adbd622 libXrender-0.9.9.tar.bz2"
-sha256sums="fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a libXrender-0.9.9.tar.bz2"
-sha512sums="6bb6d18d6a1b26631921b19b95a18556296208578f59fbdb7dd81f09bd9399021a2c72e7fc1504134cd004722153dc5b43fef49347aea54d4748fa22d3b6e9a7 libXrender-0.9.9.tar.bz2"
+md5sums="5db92962b124ca3a8147daae4adbd622 libXrender-0.9.9.tar.bz2
+b56b7ae39fe72a275bc7d099cc4f4747 CVE-2016-7949.patch
+8b617baf500dabd468acbdcb927f62ee CVE-2016-7950.patch"
+sha256sums="fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a libXrender-0.9.9.tar.bz2
+c11355d17b5107c57b9bcf1102af0b16dcac1732c452852d158acb156ff0f166 CVE-2016-7949.patch
+121a68f14e8cdd5ceb7953ea89e7b0f210752f9c37a85149c38fa8e97fa3f54f CVE-2016-7950.patch"
+sha512sums="6bb6d18d6a1b26631921b19b95a18556296208578f59fbdb7dd81f09bd9399021a2c72e7fc1504134cd004722153dc5b43fef49347aea54d4748fa22d3b6e9a7 libXrender-0.9.9.tar.bz2
+13cac3bdfe8a427b275ebae43624f96fb750b726d01f52f5400b29169ec00d512d114a2f9a0a4050ab96663444670f80fbe2143d0628c529419071363843463e CVE-2016-7949.patch
+26df80fafc75369d942659a3c04919bf8d8d8547fff4b60149186c2ff4a375e58654f6d22089614832fce8a5f86c16a966394defa17aaea9a83967bedf7e33e4 CVE-2016-7950.patch"
diff --git a/main/libxrender/CVE-2016-7949.patch b/main/libxrender/CVE-2016-7949.patch
new file mode 100644
index 0000000000..60ee0674a3
--- /dev/null
+++ b/main/libxrender/CVE-2016-7949.patch
@@ -0,0 +1,55 @@
+From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:43:09 +0200
+Subject: Validate lengths while parsing server data.
+
+Individual lengths inside received server data can overflow
+the previously reserved memory.
+
+It is therefore important to validate every single length
+field to not overflow the previously agreed sum of all invidual
+length fields.
+
+v2: consume remaining bytes in the reply buffer on error.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb@laas.fr
+
+diff --git a/src/Xrender.c b/src/Xrender.c
+index 3102eb2..71cf3e6 100644
+--- a/src/Xrender.c
++++ b/src/Xrender.c
+@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
+ screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
+ screen->subpixel = SubPixelUnknown;
+ xDepth = (xPictDepth *) (xScreen + 1);
++ if (screen->ndepths > rep.numDepths) {
++ Xfree (xri);
++ Xfree (xData);
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return 0;
++ }
++ rep.numDepths -= screen->ndepths;
+ for (nd = 0; nd < screen->ndepths; nd++)
+ {
+ depth->depth = xDepth->depth;
+ depth->nvisuals = xDepth->nPictVisuals;
+ depth->visuals = visual;
+ xVisual = (xPictVisual *) (xDepth + 1);
++ if (depth->nvisuals > rep.numVisuals) {
++ Xfree (xri);
++ Xfree (xData);
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return 0;
++ }
++ rep.numVisuals -= depth->nvisuals;
+ for (nv = 0; nv < depth->nvisuals; nv++)
+ {
+ visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
+--
+cgit v0.10.2
+
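Review bot: Both new error paths call `_XEatDataWords (dpy, rep.length)` right after `Xfree (xData)`. If `xData` already holds the reply payload read earlier in `XRenderQueryFormats` (that read is outside this hunk), discarding another `rep.length` words would eat into later replies and desynchronise the connection instead of cleaning up. This is worth checking against the full function, and if confirmed the eat call should be dropped from these two paths. The six-line cleanup is also duplicated verbatim, so a single shared exit label would keep the two paths from drifting apart. A comment above the first check such as `/* per-screen and per-depth counts come from the server; never let them exceed the totals used to size the allocation */` would explain why `rep.numDepths` and `rep.numVisuals` are decremented.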
diff --git a/main/libxrender/CVE-2016-7950.patch b/main/libxrender/CVE-2016-7950.patch
new file mode 100644
index 0000000000..a11f88e8ae
--- /dev/null
+++ b/main/libxrender/CVE-2016-7950.patch
@@ -0,0 +1,62 @@
+From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:42:09 +0200
+Subject: Avoid OOB write in XRenderQueryFilters
+
+The memory for filter names is reserved right after receiving the reply.
+After that, filters are iterated and each individual filter name is
+stored in that reserved memory.
+
+The individual name lengths are not checked for validity, which means
+that a malicious server can reserve less memory than it will write to
+during each iteration.
+
+v2: consume remaining bytes in reply buffer on error.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+diff --git a/src/Filter.c b/src/Filter.c
+index edfa572..8d701eb 100644
+--- a/src/Filter.c
++++ b/src/Filter.c
+@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
+ char *name;
+ char len;
+ int i;
+- unsigned long nbytes, nbytesAlias, nbytesName;
++ unsigned long nbytes, nbytesAlias, nbytesName, reply_left;
+
+ if (!RenderHasExtension (info))
+ return NULL;
+@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
+ * Read the filter aliases
+ */
+ _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
++ reply_left = 8 + rep.length - 2 * rep.numAliases;;
+
+ /*
+ * Read the filter names
+@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
+ {
+ int l;
+ _XRead (dpy, &len, 1);
++ reply_left--;
+ l = len & 0xff;
++ if ((unsigned long)l + 1 > nbytesName) {
++ _XEatDataWords(dpy, reply_left);
++ Xfree(filters);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
++ nbytesName -= l + 1;
+ filters->filter[i] = name;
+ _XRead (dpy, name, l);
++ reply_left -= l;
+ name[l] = '\0';
+ name += l + 1;
+ }
+--
+cgit v0.10.2
+
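Review bot: `reply_left` mixes units. It is seeded from `rep.length`, which X replies express in 4-byte words, then decremented per byte (`reply_left--`, `reply_left -= l`), and finally passed to `_XEatDataWords`, whose name indicates a word count. On the error path this may discard the wrong amount of data and leave the connection out of sync. Keeping the counter in bytes and converting at the call, e.g. `_XEatDataWords(dpy, (reply_left + 3) >> 2);`, would make it consistent; the correct initial value depends on reads earlier in `XRenderQueryFilters`, which are outside the hunk. The counter is also unsigned and never checked before `reply_left -= l`, so a name length larger than the remaining reply would wrap it. The `;;` on the initialisation line is a stray empty statement.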