New branch 'debian-wheezy' available with the following commits:

commit ad7f2cb02dd3fa13f7fcfeae2d2f40df2729bb0e
Author: Julien Cristau <jcris...@debian.org>
Date:   Tue May 14 00:32:27 2013 +0200

    Upload to wheezy-security

commit 1205f5ae76cc0114694f31ed24313f225eabb678
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date:   Fri Apr 12 23:36:13 2013 -0700

    integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]

    The CARD32 rep.num_types needs to be bounds checked before multiplying
    by sizeof(XResType) to avoid integer overflow leading to underallocation
    and writing data from the network past the end of the allocated buffer.

    Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
    Signed-off-by: Julien Cristau <jcris...@debian.org>

commit 04762076eb40d1ea06e0c091ef6348b421dc709d
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date:   Fri Apr 12 23:36:13 2013 -0700

    integer overflow in XResQueryClients() [CVE-2013-1988 1/2]

    The CARD32 rep.num_clients needs to be bounds checked before multiplying
    by sizeof(XResClient) to avoid integer overflow leading to underallocation
    and writing data from the network past the end of the allocated buffer.

    Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
    Signed-off-by: Julien Cristau <jcris...@debian.org>

commit 330eb63c6f7526cf65ccf41d35411ebd24f4165a
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date:   Sat Apr 13 10:34:22 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length shifting

    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds

    Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
    Signed-off-by: Julien Cristau <jcris...@debian.org>
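
The bounds check that the two CVE-2013-1988 commit messages describe, and the 32-bit shift problem from the last commit, as an added example that is not the libXRes code from these commits. `record_t`, `unchecked_size32`, `alloc_records_checked` and `words_to_bytes` are hypothetical names, the record layout is assumed, and the hostile count is a constructed value.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a fixed-size reply record such as XResClient (layout assumed). */
typedef struct { uint32_t resource_base, resource_mask; } record_t;

/* Byte size as 32-bit arithmetic computes it: the product wraps modulo 2^32. */
static uint32_t unchecked_size32(uint32_t count)
{
    return count * (uint32_t)sizeof(record_t);
}

/* Bounds check the count BEFORE multiplying.
 * NULL means nothing to allocate, count rejected, or out of memory. */
static record_t *alloc_records_checked(uint32_t count)
{
    if (count == 0 || count >= INT_MAX / sizeof(record_t))
        return NULL;
    return malloc((size_t)count * sizeof(record_t));
}

/* A reply length counts 4-byte words; refuse values that
 * words << 2 would truncate in 32-bit arithmetic. */
static int words_to_bytes(uint32_t words, uint32_t *bytes)
{
    if (words > (UINT32_MAX >> 2))
        return -1;
    *bytes = words << 2;
    return 0;
}

int main(void)
{
    uint32_t hostile = 0x20000001u; /* constructed count, as if read from a reply */
    uint32_t bytes = 0;
    record_t *p = alloc_records_checked(hostile);

    printf("unchecked: %u records -> %u bytes\n",
           (unsigned)hostile, (unsigned)unchecked_size32(hostile));
    printf("checked:   %s\n", p ? "allocated" : "rejected");
    free(p);
    printf("length:    %s\n",
           words_to_bytes(0x40000000u, &bytes) ? "rejected" : "ok");
    return 0;
}
```

With the unchecked size, a count of 0x20000001 yields an 8-byte buffer that the reply data would then be copied past; the checked path rejects the count before any allocation happens.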