Hello community, here is the log from the commit of package libXrender.1722 for openSUSE:12.3:Update checked in at 2013-06-14 16:51:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/libXrender.1722 (Old) and /work/SRC/openSUSE:12.3:Update/.libXrender.1722.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXrender.1722" Changes: -------- New Changes file: --- /dev/null 2013-06-12 16:57:03.272031756 +0200 +++ /work/SRC/openSUSE:12.3:Update/.libXrender.1722.new/libXrender.changes 2013-06-14 16:51:16.000000000 +0200 
@@ -0,0 +1,122 @@ +------------------------------------------------------------------- +Fri May 31 14:33:32 UTC 2013 - [email protected] + +- U_0001-integer-overflow-in-XRenderQueryFilters-CVE-2013-198.patch, + U_0002-integer-overflow-in-XRenderQueryFormats-CVE-2013-198.patch, + U_0003-integer-overflow-in-XRenderQueryPictIndexValues-CVE-.patch + * integer overflow in XRenderQueryFilters(), + XRenderQueryFormats() and XRenderQueryPictIndexValues() + [CVE-2013-1987] (bnc#821669, bnc#815451) + +------------------------------------------------------------------- +Wed Apr 11 15:13:29 UTC 2012 - [email protected] + +- Update to version 0.9.7: + + Fix alpha premultiplication in XRenderParseColor + + Compiler warning fixes + + Documentation typo fixes + + Build configuration fixes + +------------------------------------------------------------------- +Fri Feb 17 09:45:33 UTC 2012 - [email protected] + +- fixed name of .changes (follows rename) + +------------------------------------------------------------------- +Tue Dec 21 02:47:08 UTC 2010 - [email protected] + +- bumped version number to 7.6_0.9.6 + +------------------------------------------------------------------- +Sat Sep 4 18:37:32 UTC 2010 - [email protected] + +- update to release 0.9.6 +- bumped version number to 7.5_0.9.6 +- fixed Summary/Group entries in -devel package + +------------------------------------------------------------------- +Sun Apr 4 15:48:03 CEST 2010 - [email protected] + +- libXrender 0.9.5 +- obsoletes libXrender-commit-f6f784c.diff +- bumped version number to 7.5 + +------------------------------------------------------------------- +Mon Dec 28 22:04:12 CET 2009 - [email protected] + +- libXrender-commit-f6f784c.diff + * Use Data instead of Data32 to avoid truncating the filter + parameters on 64-bit systems (bnc #567454) + +------------------------------------------------------------------- +Mon Dec 14 20:17:28 CET 2009 - [email protected] + +- add baselibs.conf as a source + 
+------------------------------------------------------------------- +Sat May 2 14:42:17 CEST 2009 - [email protected] + +- revert static library and .la file removal + for SUSE versions <= 11.1. + +------------------------------------------------------------------- +Tue Apr 21 19:30:05 CEST 2009 - [email protected] + +- remove static libraries and "la" files +- run ldconfig in postun + +------------------------------------------------------------------- +Thu Sep 11 14:22:04 CEST 2008 - [email protected] + +- bumped release number to 7.4 + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - [email protected] + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Sat Sep 29 12:23:47 CEST 2007 - [email protected] + +- bumped version to 7.3 + +------------------------------------------------------------------- +Thu Sep 6 23:32:51 CEST 2007 - [email protected] + +- libXrender 0.9.4 + * This release is just a build fix for some applications + requiring libXrender. + +------------------------------------------------------------------- +Fri Aug 24 15:41:17 CEST 2007 - [email protected] + +- libXrender 0.9.3 + * Properly set length field in gradient requests (bug 9526). 
+ +------------------------------------------------------------------- +Sat Oct 14 06:17:43 CEST 2006 - [email protected] + +- updated to X.Org 7.2RC1 + +------------------------------------------------------------------- +Wed Aug 2 16:12:30 CEST 2006 - [email protected] + +- fix setup line + +------------------------------------------------------------------- +Fri Jul 28 14:44:48 CEST 2006 - [email protected] + +- use "-fno-strict-aliasing" + +------------------------------------------------------------------- +Thu Jul 27 11:47:45 CEST 2006 - [email protected] + +- use $RPM_OPT_FLAGS +- remove existing /usr/include/X11 symlink in %pre + +------------------------------------------------------------------- +Fri Jun 23 17:00:42 CEST 2006 - [email protected] + +- created package + New: ---- U_0001-integer-overflow-in-XRenderQueryFilters-CVE-2013-198.patch U_0002-integer-overflow-in-XRenderQueryFormats-CVE-2013-198.patch U_0003-integer-overflow-in-XRenderQueryPictIndexValues-CVE-.patch baselibs.conf libXrender-0.9.7.tar.bz2 libXrender.changes libXrender.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXrender.spec ++++++ # # spec file for package libXrender # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libXrender %define lname libXrender1 Version: 0.9.7 Release: 0 Summary: X Rendering Extension library License: MIT Group: Development/Libraries/C and C++ Url: http://cgit.freedesktop.org/xorg/lib/libXrender/ #Git-Clone: git://anongit.freedesktop.org/xorg/lib/libXrender Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2 Patch0: U_0001-integer-overflow-in-XRenderQueryFilters-CVE-2013-198.patch Patch1: U_0002-integer-overflow-in-XRenderQueryFormats-CVE-2013-198.patch Patch2: U_0003-integer-overflow-in-XRenderQueryPictIndexValues-CVE-.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build #git#BuildRequires: autoconf >= 2.60, automake, libtool BuildRequires: pkgconfig BuildRequires: pkgconfig(renderproto) >= 0.9 BuildRequires: pkgconfig(x11) BuildRequires: pkgconfig(xorg-macros) >= 1.8 %description The Xrender library is designed as a lightweight library interface to the Render extension. %package -n %lname Summary: X Rendering Extension library Group: System/Libraries # O/P added for 12.2 Provides: xorg-x11-libXrender = 7.6_%version-%release Obsoletes: xorg-x11-libXrender < 7.6_%version-%release %description -n %lname The Xrender library is designed as a lightweight library interface to the Render extension. %package devel Summary: Development files for the X11 Render Extension library Group: Development/Libraries/C and C++ Requires: %lname = %version # O/P added for 12.2 Provides: xorg-x11-libXrender-devel = 7.6_%version-%release Obsoletes: xorg-x11-libXrender-devel < 7.6_%version-%release %description devel The Xrender library is designed as a lightweight library interface to the Render extension. This package contains the development headers for the library found in %lname. 
%prep %setup -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %build %configure --docdir=%_docdir/%name --disable-static make %{?_smp_mflags} %install %makeinstall rm -f "%buildroot/%_libdir"/*.la %post -n %lname -p /sbin/ldconfig %postun -n %lname -p /sbin/ldconfig %files -n %lname %defattr(-,root,root) %_libdir/libXrender.so.1* %files devel %defattr(-,root,root) %_includedir/X11/* %_libdir/libXrender.so %_libdir/pkgconfig/xrender.pc %_docdir/%name %changelog ++++++ U_0001-integer-overflow-in-XRenderQueryFilters-CVE-2013-198.patch ++++++ >From e52853974664289fe42a92909667ed77cfa1cec5 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <[email protected]> Date: Fri, 12 Apr 2013 22:45:20 -0700 Subject: [PATCH] integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3] The length, numFilters & numAliases members of the reply are all CARD32 and need to be bounds checked before multiplying & adding them together to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> --- src/Filter.c | 39 +++++++++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 14 deletions(-) Index: libXrender-0.9.7/src/Filter.c =================================================================== --- libXrender-0.9.7.orig/src/Filter.c +++ libXrender-0.9.7/src/Filter.c @@ -25,6 +25,7 @@ #include <config.h> #endif #include "Xrenderint.h" +#include <limits.h> XFilters * XRenderQueryFilters (Display *dpy, Drawable drawable) @@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawa char *name; char len; int i; - long nbytes, nbytesAlias, nbytesName; + unsigned long nbytes, nbytesAlias, nbytesName; if (!RenderHasExtension (info)) return NULL; 
@@ -60,22 +61,32 @@ XRenderQueryFilters (Display *dpy, Drawa SyncHandle (); return NULL; } - /* - * Compute total number of bytes for filter names - */ - nbytes = (long)rep.length << 2; - nbytesAlias = rep.numAliases * 2; - if (rep.numAliases & 1) - nbytesAlias += 2; - nbytesName = nbytes - nbytesAlias; /* - * Allocate one giant block for the whole data structure + * Limit each component of combined size to 1/4 the max, which is far + * more than they should ever possibly need. */ - filters = Xmalloc (sizeof (XFilters) + - rep.numFilters * sizeof (char *) + - rep.numAliases * sizeof (short) + - nbytesName); + if ((rep.length < (INT_MAX >> 2)) && + (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) && + (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) { + /* + * Compute total number of bytes for filter names + */ + nbytes = (unsigned long)rep.length << 2; + nbytesAlias = rep.numAliases * 2; + if (rep.numAliases & 1) + nbytesAlias += 2; + nbytesName = nbytes - nbytesAlias; + + /* + * Allocate one giant block for the whole data structure + */ + filters = Xmalloc (sizeof (XFilters) + + (rep.numFilters * sizeof (char *)) + + (rep.numAliases * sizeof (short)) + + nbytesName); + } else + filters = NULL; if (!filters) { ++++++ U_0002-integer-overflow-in-XRenderQueryFormats-CVE-2013-198.patch ++++++ >From 9e577d40322b9e3d8bdefec0eefa44d8ead451a4 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <[email protected]> Date: Fri, 12 Apr 2013 23:02:11 -0700 Subject: [PATCH] integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3] The length, numFormats, numScreens, numDepths, and numVisuals members of the reply are all CARD32 and need to be bounds checked before multiplying and adding them together to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> 
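Review bot: In the XRenderQueryFilters hunk of src/Filter.c, `nbytesName = nbytes - nbytesAlias;` is now unsigned arithmetic, and nothing in the new guard requires `nbytesAlias <= nbytes`. A reply whose length is smaller than its alias table therefore makes nbytesName wrap to a very large value. Where unsigned long is 32 bits, adding that to the other terms can wrap the Xmalloc size back to a small number, which is the underallocation this patch is meant to prevent. I would compute nbytes and nbytesAlias first and allocate only when `nbytesAlias <= nbytes`, setting `filters = NULL` otherwise. The code that fills the buffer is outside the hunk, so confirm separately whether each filter name length is checked against nbytesName.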
Signed-off-by: Alan Coopersmith <[email protected]> --- src/Xrender.c | 40 ++++++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 14 deletions(-) Index: libXrender-0.9.7/src/Xrender.c =================================================================== --- libXrender-0.9.7.orig/src/Xrender.c +++ libXrender-0.9.7/src/Xrender.c @@ -26,6 +26,7 @@ #include <config.h> #endif #include "Xrenderint.h" +#include <limits.h> XRenderExtInfo XRenderExtensionInfo; char XRenderExtensionName[] = RENDER_NAME; @@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy) CARD32 *xSubpixel; void *xData; int nf, ns, nd, nv; - int rlength; - int nbytes; + unsigned long rlength; + unsigned long nbytes; RenderCheckExtension (dpy, info, 0); LockDisplay (dpy); 
@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy) if (async_state.major_version == 0 && async_state.minor_version < 6) rep.numSubpixel = 0; - xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) + - rep.numFormats * sizeof (XRenderPictFormat) + - rep.numScreens * sizeof (XRenderScreen) + - rep.numDepths * sizeof (XRenderDepth) + - rep.numVisuals * sizeof (XRenderVisual)); - rlength = (rep.numFormats * sizeof (xPictFormInfo) + - rep.numScreens * sizeof (xPictScreen) + - rep.numDepths * sizeof (xPictDepth) + - rep.numVisuals * sizeof (xPictVisual) + - rep.numSubpixel * 4); - xData = (void *) Xmalloc (rlength); - nbytes = (int) rep.length << 2; + if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) && + (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) && + (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) && + (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) && + (rep.numSubpixel < ((INT_MAX / 4) / 4)) && + (rep.length < (INT_MAX >> 2)) ) { + xri = Xmalloc (sizeof (XRenderInfo) + + (rep.numFormats * sizeof (XRenderPictFormat)) + + (rep.numScreens * sizeof (XRenderScreen)) + + (rep.numDepths * sizeof (XRenderDepth)) + + (rep.numVisuals * sizeof (XRenderVisual))); + rlength = ((rep.numFormats * sizeof (xPictFormInfo)) + + (rep.numScreens * sizeof (xPictScreen)) + + (rep.numDepths * sizeof (xPictDepth)) + + (rep.numVisuals * sizeof (xPictVisual)) + + (rep.numSubpixel * 4)); + xData = Xmalloc (rlength); + nbytes = (unsigned long) rep.length << 2; + } else { + xri = NULL; + xData = NULL; + rlength = nbytes = 0; + } if (!xri || !xData || nbytes < rlength) { ++++++ U_0003-integer-overflow-in-XRenderQueryPictIndexValues-CVE-.patch ++++++ >From 786f78fd8df6d165ccbc81f306fd9f22b5c1551c Mon Sep 17 00:00:00 2001 
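Review bot: In the XRenderQueryFormats hunk of src/Xrender.c, the rejection branch sets `rlength = nbytes = 0;`, so any cleanup that drains the reply using nbytes discards nothing. The rejected reply's payload then stays unread on the connection, where later reads would likely misinterpret it. The block opened by `if (!xri || !xData || nbytes < rlength) {` continues outside the hunk, so this is inferred here. The XRenderQueryPictIndexValues hunk in patch 3/3 shows it directly: it zeroes nbytes in its else branch and then calls `_XEatData (dpy, nbytes);`. The drain length should come from the reply rather than the zeroed local, for example `_XEatDataWords (dpy, rep.length);` where the libX11 in use provides it.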
From: Alan Coopersmith <[email protected]> Date: Fri, 12 Apr 2013 23:02:11 -0700 Subject: [PATCH] integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3] The length and numIndexValues members of the reply are both CARD32 and need to be bounds checked before multiplying by sizeof (XIndexValue) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> --- src/Xrender.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) Index: libXrender-0.9.7/src/Xrender.c =================================================================== --- libXrender-0.9.7.orig/src/Xrender.c +++ libXrender-0.9.7/src/Xrender.c @@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display *d xRenderQueryPictIndexValuesReq *req; xRenderQueryPictIndexValuesReply rep; XIndexValue *values; - int nbytes, nread, rlength, i; + unsigned int nbytes, nread, rlength, i; RenderCheckExtension (dpy, info, NULL); 
@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display *d return NULL; } - /* request data length */ - nbytes = (long)rep.length << 2; - /* bytes of actual data in the request */ - nread = rep.numIndexValues * SIZEOF (xIndexValue); - /* size of array returned to application */ - rlength = rep.numIndexValues * sizeof (XIndexValue); + if ((rep.length < (INT_MAX >> 2)) && + (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) { + /* request data length */ + nbytes = rep.length << 2; + /* bytes of actual data in the request */ + nread = rep.numIndexValues * SIZEOF (xIndexValue); + /* size of array returned to application */ + rlength = rep.numIndexValues * sizeof (XIndexValue); + + /* allocate returned data */ + values = Xmalloc (rlength); + } else { + nbytes = nread = rlength = 0; + values = NULL; + } - /* allocate returned data */ - values = (XIndexValue *)Xmalloc (rlength); if (!values) { _XEatData (dpy, nbytes); ++++++ baselibs.conf ++++++ libXrender1 provides "xorg-x11-libXrender-<targettype> = 7.6_<version>" obsoletes "xorg-x11-libXrender-<targettype> < 7.6_<version>" libXrender-devel requires -libXrender-<targettype> requires "libXrender1-<targettype> = <version>" provides "xorg-x11-libXrender-devel-<targettype> = 7.6_<version>" obsoletes "xorg-x11-libXrender-devel-<targettype> < 7.6_<version>" -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
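Review bot: The new guard in XRenderQueryPictIndexValues bounds rep.length and rep.numIndexValues separately but never compares `nread` with `nbytes`, so a reply that announces more index values than its length can hold is still accepted. The loop that reads the values is outside the hunk; if it reads numIndexValues entries from the connection, it would consume bytes that belong to whatever follows this reply. I would treat this as a malformed reply and take the existing failure path, mirroring the `nbytes < rlength` test XRenderQueryFormats already has: `if (!values || nbytes < nread) {`. The failure block would then also need to free values when it is non-NULL.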
