New branch 'debian-wheezy' available with the following commits:
commit bd85c13141bf096377f219b631eaa0c31e54e282
Author: Julien Cristau <jcris...@debian.org>
Date:   Tue May 14 00:55:11 2013 +0200

    Upload to wheezy-security

commit c835b658fed055a3c1ea6fe485fa56bc050f701d
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XSyncListSystemCounters() [CVE-2013-1982 6/6]
    
    If the number of counters or amount of data reported by the server is
    large enough that it overflows when multiplied by the size of the
    appropriate struct, then memory corruption can occur when more bytes
    are read from the X server than the size of the buffers we allocated
    to hold them.
    
    V2: Make sure we don't walk past the end of the reply when converting
    data from wire format to the structures returned to the caller.
    
    Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
    Signed-off-by: Julien Cristau <jcris...@debian.org>

commit 4ab9367b58cbef5549be6ee45c48595b49e9140e
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XShapeGetRectangles() [CVE-2013-1982 5/6]
    
    If the number of rectangles reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate struct, then
    memory corruption can occur when more bytes are read from the X server
    than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
    Signed-off-by: Julien Cristau <jcris...@debian.org>

commit 836d056daf460fd174f4380957b66a3d46fc5506
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XeviGetVisualInfo() [CVE-2013-1982 4/6]
    
    If the number of visuals or conflicts reported by the server is large
    enough that it overflows when multiplied by the size of the appropriate
    struct, then memory corruption can occur when more bytes are read from
    the X server than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
    Signed-off-by: Julien Cristau <jcris...@debian.org>

commit 3ea550613ed0267086934e6389fbef0656f6f501
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    several integer overflows in XdbeGetVisualInfo() [CVE-2013-1982 3/6]
    
    If the number of screens or visuals reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    then memory corruption can occur when more bytes are read from the X server
    than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
    Signed-off-by: Julien Cristau <jcris...@debian.org>

commit 1e99cf4a553712dd14882fca6982eabf877224c7
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XcupStoreColors() [CVE-2013-1982 2/6]
    
    If the computed number of entries is large enough that it overflows when
    multiplied by the size of a xColorItem struct, or is treated as negative
    when compared to the size of the stack allocated buffer, then memory
    corruption can occur when more bytes are read from the X server than the
    size of the buffer we allocated to hold them.
    
    The requirement to match the number of colors specified by the caller makes
    this much harder to hit than the one in XcupGetReservedColormapEntries()
    
    Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
    Signed-off-by: Julien Cristau <jcris...@debian.org>

commit b4d2357dd8ef1938186a4ae1a6924eefc08ab591
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XcupGetReservedColormapEntries() [CVE-2013-1982 1/6]
    
    If the computed number of entries is large enough that it overflows when
    multiplied by the size of a xColorItem struct, or is treated as negative
    when compared to the size of the stack allocated buffer, then memory
    corruption can occur when more bytes are read from the X server than the
    size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
    Signed-off-by: Julien Cristau <jcris...@debian.org>

commit 3c773c2cedb7319ede5e5e9159c29af7ba9095b3
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date:   Sat Apr 13 09:32:12 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
    Signed-off-by: Julien Cristau <jcris...@debian.org>
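
The commits above share one failure mode: a server-supplied count multiplied by a struct size, or a reply length shifted from words to bytes, wraps in 32-bit arithmetic. The block below is an added example, not code from libXext or from these commits. It shows the wrapping computations beside a checked form, using fixed-width types so the 32-bit behaviour reproduces on any build; ITEM_SIZE and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 12-byte wire record, standing in for a struct such as xColorItem. */
#define ITEM_SIZE 12u

/* Vulnerable pattern: the 32-bit product wraps, so the allocation is far
 * smaller than the data subsequently read from the server. */
uint32_t size_unchecked(uint32_t count)
{
    return (uint32_t)(count * ITEM_SIZE);
}

/* Same wrap for the reply length: a word count shifted to bytes in 32 bits. */
uint32_t words_to_bytes_32(uint32_t words)
{
    return (uint32_t)(words << 2);
}

/* Hardened: bound the count before multiplying, widen the reply length
 * before shifting, and require the reply to actually carry the items.
 * Returns 0 and sets *out on success, -1 if the reply must be discarded. */
int size_checked(uint32_t count, uint32_t reply_words, uint32_t *out)
{
    uint64_t reply_bytes = (uint64_t)reply_words << 2;

    if (count > UINT32_MAX / ITEM_SIZE)
        return -1;                       /* count * ITEM_SIZE would wrap */
    if ((uint64_t)count * ITEM_SIZE > reply_bytes)
        return -1;                       /* would read past end of reply */
    *out = count * ITEM_SIZE;
    return 0;
}

int main(void)
{
    uint32_t n = 0;
    /* Constructed server-supplied values chosen to sit just past the wrap point. */
    printf("unchecked size: %u\n", (unsigned)size_unchecked(0x15555556u));
    printf("32-bit length:  %u\n", (unsigned)words_to_bytes_32(0x40000001u));
    printf("checked big:    %d\n", size_checked(0x15555556u, 0x40000001u, &n));
    int rc = size_checked(10, 30, &n);
    printf("checked sane:   %d (%u bytes)\n", rc, (unsigned)n);
    return 0;
}
```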

