New branch 'debian-wheezy' available with the following commits: commit bd85c13141bf096377f219b631eaa0c31e54e282 Author: Julien Cristau <jcris...@debian.org> Date: Tue May 14 00:55:11 2013 +0200
Upload to wheezy-security commit c835b658fed055a3c1ea6fe485fa56bc050f701d Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Mar 9 14:40:33 2013 -0800 integer overflow in XSyncListSystemCounters() [CVE-2013-1982 6/6] If the number of counters or amount of data reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are read from the X server than the size of the buffers we allocated to hold them. V2: Make sure we don't walk past the end of the reply when converting data from wire format to the structures returned to the caller. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org> commit 4ab9367b58cbef5549be6ee45c48595b49e9140e Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Mar 9 14:40:33 2013 -0800 integer overflow in XShapeGetRectangles() [CVE-2013-1982 5/6] If the number of rectangles reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are read from the X server than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org> commit 836d056daf460fd174f4380957b66a3d46fc5506 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Mar 9 14:40:33 2013 -0800 integer overflow in XeviGetVisualInfo() [CVE-2013-1982 4/6] If the number of visuals or conflicts reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are read from the X server than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org> commit 3ea550613ed0267086934e6389fbef0656f6f501 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Mar 9 14:40:33 2013 -0800 several integer overflows in XdbeGetVisualInfo() [CVE-2013-1982 3/6] If the number of screens or visuals reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are read from the X server than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org> commit 1e99cf4a553712dd14882fca6982eabf877224c7 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Mar 9 14:40:33 2013 -0800 integer overflow in XcupStoreColors() [CVE-2013-1982 2/6] If the computed number of entries is large enough that it overflows when multiplied by the size of a xColorItem struct, or is treated as negative when compared to the size of the stack allocated buffer, then memory corruption can occur when more bytes are read from the X server than the size of the buffer we allocated to hold them. The requirement to match the number of colors specified by the caller makes this much harder to hit than the one in XcupGetReservedColormapEntries() Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org> commit b4d2357dd8ef1938186a4ae1a6924eefc08ab591 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Mar 9 14:40:33 2013 -0800 integer overflow in XcupGetReservedColormapEntries() [CVE-2013-1982 1/6] If the computed number of entries is large enough that it overflows when multiplied by the size of a xColorItem struct, or is treated as negative when compared to the size of the stack allocated buffer, then memory corruption can occur when more bytes are read from the X server than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org> commit 3c773c2cedb7319ede5e5e9159c29af7ba9095b3 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 09:32:12 2013 -0700 Use _XEatDataWords to avoid overflow of rep.length bit shifting rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org> -- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1ufaj6-0002ek...@vasks.debian.org