Hello community, here is the log from the commit of package libXfixes.1715 for openSUSE:12.3:Update checked in at 2013-06-14 16:51:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/libXfixes.1715 (Old) and /work/SRC/openSUSE:12.3:Update/.libXfixes.1715.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXfixes.1715" Changes: -------- New Changes file: --- /dev/null 2013-06-12 16:57:03.272031756 +0200 +++ /work/SRC/openSUSE:12.3:Update/.libXfixes.1715.new/libXfixes.changes 2013-06-14 16:51:02.000000000 +0200 
@@ -0,0 +1,112 @@ +------------------------------------------------------------------- +Fri May 31 09:51:25 UTC 2013 - [email protected] + +- U_0001-integer-overflow-in-XFixesGetCursorImage-CVE-2013-19.patch + * integer overflow in XFixesGetCursorImage() [CVE-2013-1983] + (bnc#821667, bnc#815451) + +------------------------------------------------------------------- +Tue Sep 25 06:33:15 UTC 2012 - [email protected] + +- specfile cleanup + +------------------------------------------------------------------- +Sat Feb 11 18:50:49 UTC 2012 - [email protected] + +- Rename xorg-x11-libXfixes to libXfixes and utilize shlib policy + +------------------------------------------------------------------- +Fri Mar 18 12:47:27 UTC 2011 - [email protected] + +- update to release 5.0 + * Pointer barrier support, along with the usual buildsystem updates. + +------------------------------------------------------------------- +Tue Dec 21 02:45:09 UTC 2010 - [email protected] + +- bumped version number to 7.6_4.0.5 + +------------------------------------------------------------------- +Sat Sep 4 18:28:15 UTC 2010 - [email protected] + +- update to release 4.0.5 +- bumped version number to 7.5_4.0.5 +- fixed Summary/Group entries in -devel package + +------------------------------------------------------------------- +Sun Apr 4 15:40:46 CEST 2010 - [email protected] + +- libXfixes 4.0.4 +- bumped version number to 7.5 + +------------------------------------------------------------------- +Mon Dec 14 18:25:48 CET 2009 - [email protected] + +- add baselibs.conf as a source + +------------------------------------------------------------------- +Sat May 2 14:42:17 CEST 2009 - [email protected] + +- revert static library and .la file removal + for SUSE versions <= 11.1. 
+ +------------------------------------------------------------------- +Tue Apr 21 20:18:44 CEST 2009 - [email protected] + +- remove static libraries and "la" files + +------------------------------------------------------------------- +Thu Sep 11 14:21:36 CEST 2008 - [email protected] + +- bumped release number to 7.4 + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - [email protected] + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Wed Dec 26 21:29:22 CET 2007 - [email protected] + +- PreReq coreutils +- fix library-without-ldconfig-postun warning +- fix no-version-dependency-on xorg-x11-libXfixes 7.3 + +------------------------------------------------------------------- +Sat Sep 29 12:22:56 CEST 2007 - [email protected] + +- bumped version to 7.3 + +------------------------------------------------------------------- +Wed Nov 8 16:58:09 CET 2006 - [email protected] + +- update to release 4.0.3 (X.Org 7.2 RC2) + * Don't unlock the Display when you have not locked it. 
+ +------------------------------------------------------------------- +Sat Oct 14 06:13:20 CEST 2006 - [email protected] + +- update to X.Org 7.2R1 + +------------------------------------------------------------------- +Wed Aug 2 16:12:14 CEST 2006 - [email protected] + +- fix setup line + +------------------------------------------------------------------- +Fri Jul 28 14:44:32 CEST 2006 - [email protected] + +- use "-fno-strict-aliasing" + +------------------------------------------------------------------- +Thu Jul 27 11:43:09 CEST 2006 - [email protected] + +- use $RPM_OPT_FLAGS +- remove existing /usr/include/X11 symlink in %pre + +------------------------------------------------------------------- +Fri Jun 23 16:08:17 CEST 2006 - [email protected] + +- created package + New: ---- U_0001-integer-overflow-in-XFixesGetCursorImage-CVE-2013-19.patch baselibs.conf libXfixes-5.0.tar.bz2 libXfixes.changes libXfixes.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXfixes.spec ++++++ # # spec file for package libXfixes # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libXfixes %define lname libXfixes3 Version: 5.0 Release: 0 Summary: X11 miscellaneous "fixes" extension library License: MIT Group: Development/Libraries/C and C++ Url: http://xorg.freedesktop.org/ #Git-Clone: git://anongit.freedesktop.org/xorg/lib/libXfixes #Git-Web: http://cgit.freedesktop.org/xorg/lib/libXfixes/ Source: %name-%version.tar.bz2 Patch0: U_0001-integer-overflow-in-XFixesGetCursorImage-CVE-2013-19.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build #git#BuildRequires: autoconf >= 2.60, automake, libtool BuildRequires: pkgconfig BuildRequires: pkgconfig(fixesproto) >= 5.0 BuildRequires: pkgconfig(x11) BuildRequires: pkgconfig(xextproto) BuildRequires: pkgconfig(xorg-macros) >= 1.8 BuildRequires: pkgconfig(xproto) %description The X Fixes extension provides applications with work-arounds for various limitations in the core protocol. %package -n %lname Summary: X11 miscellaneous "fixes" extension library Group: System/Libraries # O/P added for 12.2 Provides: xorg-x11-libXfixes = 7.6_%version-%release Obsoletes: xorg-x11-libXfixes < 7.6_%version-%release %description -n %lname The X Fixes extension provides applications with work-arounds for various limitations in the core protocol. %package devel Summary: Development files for the X11 Xfixes extension library Group: Development/Libraries/C and C++ Requires: %lname = %version # O/P added for 12.2 Provides: xorg-x11-libXfixes-devel = 7.6_%version-%release Obsoletes: xorg-x11-libXfixes-devel < 7.6_%version-%release %description devel The X Fixes extension provides applications with work-arounds for various limitations in the core protocol. This package contains the development headers for the library found in %lname. 
%prep %setup -q %patch0 -p1 %build %configure --disable-static make %{?_smp_mflags} %install %makeinstall rm -f "%buildroot/%_libdir"/*.la %post -n %lname -p /sbin/ldconfig %postun -n %lname -p /sbin/ldconfig %files -n %lname %defattr(-,root,root) %_libdir/libXfixes.so.3* %files devel %defattr(-,root,root) %_includedir/X11/* %_libdir/libXfixes.so %_libdir/pkgconfig/xfixes.pc %_mandir/man3/* %changelog ++++++ U_0001-integer-overflow-in-XFixesGetCursorImage-CVE-2013-19.patch ++++++ >From c480fe3271873ec7471b0cbd680f4dac18ca8904 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <[email protected]> Date: Sat, 13 Apr 2013 10:24:08 -0700 Subject: [PATCH] integer overflow in XFixesGetCursorImage() [CVE-2013-1983] If the reported cursor dimensions or name length are too large, the calculations to allocate memory for them may overflow, leaving us writing beyond the bounds of the allocation. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> --- src/Cursor.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) Index: libXfixes-5.0/src/Cursor.c =================================================================== --- libXfixes-5.0.orig/src/Cursor.c +++ libXfixes-5.0/src/Cursor.c @@ -47,6 +47,7 @@ #include <config.h> #endif #include "Xfixesint.h" +#include <limits.h> void XFixesSelectCursorInput (Display *dpy, @@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy) XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy); xXFixesGetCursorImageAndNameReq *req; xXFixesGetCursorImageAndNameReply rep; - int npixels; - int nbytes_name; - int nbytes, nread, rlength; + size_t npixels; + size_t nbytes_name; + size_t nbytes, nread, rlength; XFixesCursorImage *image; char *name; 
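Review bot: Declaring `npixels` as `size_t` in this hunk does not widen the multiplication that feeds it: the next hunk still has `npixels = rep.width * rep.height;`, and if both reply fields are 16-bit (their declaration is not shown here) the operands promote to `int` and the product can overflow before it is converted. The later range check then tests a value produced by signed overflow, which is undefined behaviour, rather than the real pixel count. Casting one operand first keeps the arithmetic in the wider type: `npixels = (size_t) rep.width * rep.height;`. The function body starts before this hunk and continues after it.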
@@ -101,16 +102,20 @@ XFixesGetCursorImage (Display *dpy) } npixels = rep.width * rep.height; nbytes_name = rep.nbytes; - /* reply data length */ - nbytes = (long) rep.length << 2; - /* bytes of actual data in the reply */ - nread = (npixels << 2) + nbytes_name; - /* size of data returned to application */ - rlength = (sizeof (XFixesCursorImage) + - npixels * sizeof (unsigned long) + - nbytes_name + 1); - - image = (XFixesCursorImage *) Xmalloc (rlength); + if ((rep.length < (INT_MAX >> 2)) && + npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1) + - nbytes_name)) { + /* reply data length */ + nbytes = (size_t) rep.length << 2; + /* bytes of actual data in the reply */ + nread = (npixels << 2) + nbytes_name; + /* size of data returned to application */ + rlength = (sizeof (XFixesCursorImage) + + npixels * sizeof (unsigned long) + + nbytes_name + 1); + image = Xmalloc (rlength); + } else + image = NULL; if (!image) { _XEatData (dpy, nbytes); ++++++ baselibs.conf ++++++ libXfixes3 provides "xorg-x11-libXfixes-<targettype> = 7.6_<version>" obsoletes "xorg-x11-libXfixes-<targettype> < 7.6_<version>" libXfixes-devel requires -libXfixes-<targettype> requires "libXfixes3-<targettype> = <version>" provides "xorg-x11-libXfixes-devel-<targettype> = 7.6_<version>" obsoletes "xorg-x11-libXfixes-devel-<targettype> < 7.6_<version>" -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
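Review bot: When the new size check fails, the `else` branch sets `image = NULL` and control reaches `_XEatData (dpy, nbytes);` with `nbytes` never assigned. Its only assignment now sits inside the `if` body, and the declaration in the earlier hunk has no initializer. The reply is then drained by an indeterminate byte count, which can leave the connection out of sync or stall the read on exactly the oversized replies this patch is meant to reject. Move `nbytes = (size_t) rep.length << 2;` above the `if`, or, where the libX11 being built against provides it, drain with `_XEatDataWords (dpy, rep.length);` so the shift cannot wrap on 32-bit builds. The body of XFixesGetCursorImage continues outside the hunk.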
