Hello community, here is the log from the commit of package libXv for openSUSE:Factory checked in at 2016-11-05 21:22:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libXv (Old) and /work/SRC/openSUSE:Factory/.libXv.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXv" Changes: -------- --- /work/SRC/openSUSE:Factory/libXv/libXv.changes 2013-09-13 14:47:03.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libXv.new/libXv.changes 2016-11-05 21:22:21.000000000 +0100 @@ -1,0 +2,12 @@ +Wed Nov 2 10:39:47 UTC 2016 - [email protected] + +- tagged baselibs.conf as source in specfile + +------------------------------------------------------------------- +Fri Oct 28 23:55:56 UTC 2016 - [email protected] + +- Update to version 1.0.11: + + Fix typo in dependencies for lint library + + Protocol handling issues in libXv - CVE-2016-5407 + +------------------------------------------------------------------- Old: ---- libXv-1.0.10.tar.bz2 New: ---- libXv-1.0.11.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXv.spec ++++++ --- /var/tmp/diff_new_pack.gGc3tJ/_old 2016-11-05 21:22:21.000000000 +0100 +++ /var/tmp/diff_new_pack.gGc3tJ/_new 2016-11-05 21:22:21.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package libXv # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ Name: libXv %define lname libXv1 -Version: 1.0.10 +Version: 1.0.11 Release: 0 Summary: X Video extension library License: MIT @@ -28,6 +28,7 @@ #Git-Clone: git://anongit.freedesktop.org/xorg/lib/libXv #Git-Web: http://cgit.freedesktop.org/xorg/lib/libXv/ Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2 +Source1: baselibs.conf BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: pkgconfig BuildRequires: pkgconfig(videoproto) ++++++ libXv-1.0.10.tar.bz2 -> libXv-1.0.11.tar.bz2 ++++++ ++++ 20363 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXv-1.0.10/ChangeLog new/libXv-1.0.11/ChangeLog --- old/libXv-1.0.10/ChangeLog 2013-09-08 07:20:43.000000000 +0200 +++ new/libXv-1.0.11/ChangeLog 2016-10-04 22:25:10.000000000 +0200 @@ -1,3 +1,45 @@ +commit ef2a282876acc2316d338f8b66344ad5a2947057 +Author: Matthieu Herrb <[email protected]> +Date: Tue Oct 4 21:29:55 2016 +0200 + + libXv 1.0.11 + + Signed-off-by: Matthieu Herrb <[email protected]> + +commit d9da580b46a28ab497de2e94fdc7b9ff953dab17 +Author: Tobias Stoeckmann <[email protected]> +Date: Sun Sep 25 21:30:03 2016 +0200 + + Protocol handling issues in libXv - CVE-2016-5407 + + The Xv query functions for adaptors and encodings suffer from out of + boundary accesses if a hostile X server sends a maliciously crafted + response. + + A previous fix already checks the received length against fixed values + but ignores additional length specifications which are stored inside + the received data. + + These lengths are accessed in a for-loop. The easiest way to guarantee + a correct processing is by validating all lengths against the + remaining size left before accessing referenced memory. + + This makes the previously applied check obsolete, therefore I removed + it. + + Signed-off-by: Tobias Stoeckmann <[email protected]> + Reviewed-by: Matthieu Herrb <[email protected]> + +commit cf8cc328f1e370a548b71581bada7e1ee073c756 +Author: Alan Coopersmith <[email protected]> +Date: Sat Jul 26 14:07:26 2014 -0700 + + Fix typo in dependencies for lint library + + Breaks out of tree lintlib builds by causing VPATH lookup to fail. + + Signed-off-by: Alan Coopersmith <[email protected]> + commit 736d7ac5a94c7aa6761d50ab58339a3d9a116c51 Author: Alan Coopersmith <[email protected]> Date: Sat Sep 7 22:19:48 2013 -0700 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXv-1.0.10/configure.ac new/libXv-1.0.11/configure.ac --- old/libXv-1.0.10/configure.ac 2013-09-08 07:20:18.000000000 +0200 +++ new/libXv-1.0.11/configure.ac 2016-10-04 21:29:05.000000000 +0200 @@ -22,7 +22,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXv], [1.0.10], +AC_INIT([libXv], [1.0.11], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXv]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXv-1.0.10/missing new/libXv-1.0.11/missing --- old/libXv-1.0.10/missing 2013-09-08 07:20:28.000000000 +0200 +++ new/libXv-1.0.11/missing 2016-10-04 00:57:40.000000000 +0200 @@ -1,7 +1,7 @@ #! /bin/sh # Common wrapper for a few potentially missing GNU programs. -scriptversion=2012-06-26.16; # UTC +scriptversion=2013-10-28.13; # UTC # Copyright (C) 1996-2013 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <[email protected]>, 1996. @@ -160,7 +160,7 @@ ;; autom4te*) echo "You might have modified some maintainer files that require" - echo "the 'automa4te' program to be rebuilt." + echo "the 'autom4te' program to be rebuilt." program_details 'autom4te' ;; bison*|yacc*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXv-1.0.10/src/Makefile.am new/libXv-1.0.11/src/Makefile.am --- old/libXv-1.0.10/src/Makefile.am 2013-09-08 07:20:18.000000000 +0200 +++ new/libXv-1.0.11/src/Makefile.am 2016-08-17 14:58:38.000000000 +0200 @@ -23,7 +23,7 @@ lintlib_DATA = $(LINTLIB) -$(LINTLIB): $(libXau_la_SOURCES) +$(LINTLIB): $(libXv_la_SOURCES) $(LINT) -y -oXv -x $(ALL_LINT_FLAGS) $(libXv_la_SOURCES) CLEANFILES = $(LINTLIB) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libXv-1.0.10/src/Xv.c new/libXv-1.0.11/src/Xv.c --- old/libXv-1.0.10/src/Xv.c 2013-09-08 07:20:18.000000000 +0200 +++ new/libXv-1.0.11/src/Xv.c 2016-09-23 09:56:49.000000000 +0200 @@ -158,6 +158,7 @@ size_t size; unsigned int ii, jj; char *name; + char *end; XvAdaptorInfo *pas = NULL, *pa; XvFormat *pfs, *pf; char *buffer = NULL; @@ -197,17 +198,13 @@ /* GET INPUT ADAPTORS */ if (rep.num_adaptors == 0) { - /* If there's no adaptors, there's nothing more to do. */ + /* If there are no adaptors, there's nothing more to do. */ status = Success; goto out; } - if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) { - /* If there's not enough data for the number of adaptors, - then we have a problem. */ - status = XvBadReply; - goto out; - } + u.buffer = buffer; + end = buffer + size; size = rep.num_adaptors * sizeof(XvAdaptorInfo); if ((pas = Xmalloc(size)) == NULL) { @@ -225,9 +222,12 @@ pa++; } - u.buffer = buffer; pa = pas; for (ii = 0; ii < rep.num_adaptors; ii++) { + if (u.buffer + sz_xvAdaptorInfo > end) { + status = XvBadReply; + goto out; + } pa->type = u.pa->type; pa->base_id = u.pa->base_id; pa->num_ports = u.pa->num_ports; @@ -239,6 +239,10 @@ size = u.pa->name_size; u.buffer += pad_to_int32(sz_xvAdaptorInfo); + if (u.buffer + size > end) { + status = XvBadReply; + goto out; + } if ((name = Xmalloc(size + 1)) == NULL) { status = XvBadAlloc; goto out; @@ -259,6 +263,11 @@ pf = pfs; for (jj = 0; jj < pa->num_formats; jj++) { + if (u.buffer + sz_xvFormat > end) { + Xfree(pfs); + status = XvBadReply; + goto out; + } pf->depth = u.pf->depth; pf->visual_id = u.pf->visual; pf++; @@ -327,6 +336,7 @@ size_t size; unsigned int jj; char *name; + char *end; XvEncodingInfo *pes = NULL, *pe; char *buffer = NULL; union { @@ -364,17 +374,13 @@ /* GET ENCODINGS */ if (rep.num_encodings == 0) { - /* If there's no encodings, there's nothing more to do. */ + /* If there are no encodings, there's nothing more to do. */ status = Success; goto out; } - if (size < (rep.num_encodings * sz_xvEncodingInfo)) { - /* If there's not enough data for the number of adaptors, - then we have a problem. */ - status = XvBadReply; - goto out; - } + u.buffer = buffer; + end = buffer + size; size = rep.num_encodings * sizeof(XvEncodingInfo); if ((pes = Xmalloc(size)) == NULL) { @@ -391,10 +397,12 @@ pe++; } - u.buffer = buffer; - pe = pes; for (jj = 0; jj < rep.num_encodings; jj++) { + if (u.buffer + sz_xvEncodingInfo > end) { + status = XvBadReply; + goto out; + } pe->encoding_id = u.pe->encoding; pe->width = u.pe->width; pe->height = u.pe->height; @@ -405,6 +413,10 @@ size = u.pe->name_size; u.buffer += pad_to_int32(sz_xvEncodingInfo); + if (u.buffer + size > end) { + status = XvBadReply; + goto out; + } if ((name = Xmalloc(size + 1)) == NULL) { status = XvBadAlloc; goto out;
