Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu

This update is a set of CVE fixes (CVE-2016-7942 and CVE-2016-7943, insufficient validation of data returned by the X server in XGetImage() and XListFonts()), already shipped in wheezy-lts and sid.

Cheers,
Julien

diff -u libx11-1.6.2/debian/changelog libx11-1.6.2/debian/changelog
--- libx11-1.6.2/debian/changelog
+++ libx11-1.6.2/debian/changelog
@@ -1,3 +1,11 @@
+libx11 (2:1.6.2-3+deb8u1) jessie; urgency=medium
+
+  * Insufficient validation of data from the X server can cause out of
+    boundary memory read (XGetImage()) or write (XListFonts()).
+    Addresses CVE-2016-7942 and CVE-2016-7943.
+
+ -- Julien Cristau <[email protected]>  Sat, 28 Jan 2017 14:01:35 +0100
+
 libx11 (2:1.6.2-3) unstable; urgency=medium
 
   [ Julien Cristau ]
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/FontNames.c
+++ libx11-1.6.2/src/FontNames.c
@@ -43,6 +43,7 @@
     register int length;
     char **flist = NULL;
     char *ch = NULL;
+    char *chstart;
     char *chend;
     int count = 0;
     xListFontsReply rep;
@@ -66,7 +67,7 @@
 
     if (rep.nFonts) {
        flist = Xmalloc (rep.nFonts * sizeof(char *));
-       if (rep.length < (INT_MAX >> 2)) {
+       if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
            rlen = rep.length << 2;
            ch = Xmalloc(rlen + 1);
            /* +1 to leave room for last null-terminator */
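Review bot: The added `rep.length > 0` condition deserves a comment saying why it is there, because on its own it reads like a redundant bound on a reply length field. With rep.nFonts non-zero but rep.length zero, the old code allocated a one-byte buffer that is presumably never filled from the wire (the read is outside this hunk) and then used its first byte as a string length in the unpacking loop; the new condition leaves ch NULL instead, so the allocation check later in the function can reject the reply. Suggested comment above the new line: `/* nFonts > 0 with no data is a malformed reply: leave ch NULL so the allocation check below rejects it */`. The rest of XListFonts continues outside this hunk.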
@@ -86,6 +87,7 @@
        /*
         * unpack into null terminated strings.
         */
+       chstart = ch;
        chend = ch + (rlen + 1);
        length = *(unsigned char *)ch;
        *ch = 1; /* make sure it is non-zero for XFreeFontNames */
@@ -93,11 +95,24 @@
            if (ch + length < chend) {
                flist[i] = ch + 1;  /* skip over length */
                ch += length + 1;  /* find next length ... */
-               length = *(unsigned char *)ch;
-               *ch = '\0';  /* and replace with null-termination */
-               count++;
-           } else
-               flist[i] = NULL;
+               if (ch <= chend) {
+                   length = *(unsigned char *)ch;
+                   *ch = '\0';  /* and replace with null-termination */
+                   count++;
+               } else {
+                    Xfree(chstart);
+                    Xfree(flist);
+                    flist = NULL;
+                    count = 0;
+                    break;
+               }
+           } else {
+                Xfree(chstart);
+                Xfree(flist);
+                flist = NULL;
+                count = 0;
+                break;
+            }
        }
     }
     *actualCount = count;
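Review bot: The new bound `if (ch <= chend)` still admits one write past the allocation: ch was obtained from Xmalloc(rlen + 1) and chend is set to ch + (rlen + 1), i.e. one past the last byte, so after `ch += length + 1` the cursor can legally equal chend and `*ch = '\0'` then stores at index rlen + 1. The earlier test `ch + length < chend` only bounds the read of the string body, not the later write of the terminator. Change the new condition to `if (ch < chend) {`; every valid reply still passes, because a reply that fills all rlen bytes leaves ch at index rlen, which is below chend, and only the overflowing case is rejected. The definitions of ch, chend and rlen are in the preceding hunks of this file; the function's return is outside this hunk.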
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/GetImage.c
+++ libx11-1.6.2/src/GetImage.c
@@ -59,6 +59,7 @@
        char *data;
        unsigned long nbytes;
        XImage *image;
+       int planes;
        LockDisplay(dpy);
        GetReq (GetImage, req);
        /*
@@ -91,18 +92,28 @@
            return (XImage *) NULL;
        }
         _XReadPad (dpy, data, nbytes);
-        if (format == XYPixmap)
-          image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
-                 Ones (plane_mask &
-                       (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
-                 format, 0, data, width, height, dpy->bitmap_pad, 0);
-       else /* format == ZPixmap */
-           image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
-                rep.depth, ZPixmap, 0, data, width, height,
-                 _XGetScanlinePad(dpy, (int) rep.depth), 0);
+        if (format == XYPixmap) {
+           image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+               Ones (plane_mask &
+                   (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+               format, 0, data, width, height, dpy->bitmap_pad, 0);
+           planes = image->depth;
+       } else { /* format == ZPixmap */
+            image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+               rep.depth, ZPixmap, 0, data, width, height,
+                   _XGetScanlinePad(dpy, (int) rep.depth), 0);
+           planes = 1;
+       }
 
        if (!image)
            Xfree(data);
+       if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
+           INT_MAX / image->height <= image->bytes_per_line ||
+           INT_MAX / planes <= image->height * image->bytes_per_line ||
+           nbytes < planes * image->height * image->bytes_per_line) {
+           XDestroyImage(image);
+           image = NULL;
+       }
        UnlockDisplay(dpy);
        SyncHandle();
        return (image);
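Review bot: The new validation block dereferences image before a NULL result from XCreateImage has been excluded: `planes = image->depth;` on the XYPixmap branch and `image->height` / `image->bytes_per_line` in the new `if` both execute when image is NULL, followed by XDestroyImage(NULL); only the Xfree(data) is guarded by `if (!image)`. Use `planes = image ? image->depth : 0;` in the XYPixmap branch and chain the check as `} else if (planes < 1 || image->height < 1 || ...` after the `if (!image) Xfree(data);` so the validation only runs on a real image. On the validation-failure path the hunk relies on XDestroyImage(image) to release data, so no second Xfree(data) should be added there. The start of XGetImage is outside this hunk.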
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/ListExt.c
+++ libx11-1.6.2/src/ListExt.c
@@ -55,7 +55,7 @@
 
        if (rep.nExtensions) {
            list = Xmalloc (rep.nExtensions * sizeof (char *));
-           if (rep.length < (INT_MAX >> 2)) {
+           if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
                rlen = rep.length << 2;
                ch = Xmalloc (rlen + 1);
                 /* +1 to leave room for last null-terminator */
@@ -80,9 +80,13 @@
                if (ch + length < chend) {
                    list[i] = ch+1;  /* skip over length */
                    ch += length + 1; /* find next length ... */
-                   length = *ch;
-                   *ch = '\0'; /* and replace with null-termination */
-                   count++;
+                   if (ch <= chend) {
+                       length = *ch;
+                       *ch = '\0'; /* and replace with null-termination */
+                       count++;
+                   } else {
+                       list[i] = NULL;
+                   }
                } else
                    list[i] = NULL;
            }
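Review bot: `length = *ch;` on the new side reads the length byte through a plain `char *`, so where char is signed a length byte of 0x80 or above becomes negative (assuming length is an int as in XListFonts); `ch + length < chend` then passes trivially and `ch += length + 1` moves the cursor backwards into already-consumed data or before the buffer, defeating the bounds check this hunk adds. FontNames.c in the same patch reads the same field as `*(unsigned char *)ch`; do the same here: `length = *(unsigned char *)ch;` (the initial read of length before the loop, outside this hunk, presumably needs the same cast). Separately, if chend here is set one past the rlen + 1 byte buffer as it is in FontNames.c, `ch <= chend` still allows `*ch = '\0'` to store one byte past the allocation, and `ch < chend` is the safe bound. The declarations of ch, chend and length are outside this hunk.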
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/ModMap.c
+++ libx11-1.6.2/src/ModMap.c
@@ -42,7 +42,8 @@
     GetEmptyReq(GetModifierMapping, req);
     (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
 
-    if (rep.length < (INT_MAX >> 2)) {
+    if (rep.length < (INT_MAX >> 2) &&
+       (rep.length >> 1) == rep.numKeyPerModifier) {
        nbytes = (unsigned long)rep.length << 2;
        res = Xmalloc(sizeof (XModifierKeymap));
        if (res)
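Review bot: The new consistency check `(rep.length >> 1) == rep.numKeyPerModifier` discards the low bit of rep.length, so a reply whose length is 2 * numKeyPerModifier + 1 still passes and nbytes is then four bytes larger than the relation the check itself encodes. How those extra bytes are consumed is outside this hunk, so I can't say whether it is exploitable, but the exact test costs nothing: `rep.length == 2 * rep.numKeyPerModifier`, which also makes the `INT_MAX >> 2` bound redundant. The rest of XGetModifierMapping is outside this hunk.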
