Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id 
<d50ba4de424290cd2840a09ef19950156fcf51ab.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #970563,
regarding buster-pu: package libx11/2:1.6.7-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
970563: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970563
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]

This update fixes a few security issues in libx11 which don't
warrant a DSA. Debdiff attached.

Cheers,
        Moritz
diff -u libx11-1.6.7/debian/changelog libx11-1.6.7/debian/changelog
--- libx11-1.6.7/debian/changelog
+++ libx11-1.6.7/debian/changelog
@@ -1,3 +1,10 @@
+libx11 (2:1.6.7-1+deb10u1) buster; urgency=medium
+
+  * CVE-2020-14344
+  * CVE-2020-14363 (Closes: #969008)
+
+ -- Moritz Mühlenhoff <[email protected]>  Fri, 11 Sep 2020 19:38:11 +0200
+
 libx11 (2:1.6.7-1) unstable; urgency=medium
 
   * New upstream release.
diff -u libx11-1.6.7/debian/patches/series libx11-1.6.7/debian/patches/series
--- libx11-1.6.7/debian/patches/series
+++ libx11-1.6.7/debian/patches/series
@@ -5,0 +6,2 @@
+CVE-2020-14344.diff
+CVE-2020-14363.diff
only in patch2:
unchanged:
--- libx11-1.6.7.orig/debian/patches/CVE-2020-14344.diff
+++ libx11-1.6.7/debian/patches/CVE-2020-14344.diff
@@ -0,0 +1,296 @@
+Backport of the following upstream commits to address CVE-2020-14344:
+
+0e6561efcfaa0ae7b5c74eac7e064b76d687544e
+1703b9f3435079d3c6021e1ee2ec34fd4978103d
+1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+2fcfcc49f3b1be854bb9085993a01d17c62acf60
+388b303c62aa35a245f1704211a023440ad2c488
+93fce3f4e79cbc737d6468a4f68ba3de1b83953b
+
+diff -Naur libx11-1.6.7.orig/modules/im/ximcp/imDefIc.c 
libx11-1.6.7/modules/im/ximcp/imDefIc.c
+--- libx11-1.6.7.orig/modules/im/ximcp/imDefIc.c       2018-10-09 
16:27:08.000000000 +0200
++++ libx11-1.6.7/modules/im/ximcp/imDefIc.c    2020-09-11 17:30:58.689814672 
+0200
+@@ -350,7 +350,7 @@
+            + sizeof(INT16)
+            + XIM_PAD(2 + buf_size);
+ 
+-    if (!(buf = Xmalloc(buf_size)))
++    if (!(buf = Xcalloc(buf_size, 1)))
+       return arg->name;
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+ 
+@@ -708,6 +708,7 @@
+ #endif /* XIM_CONNECTABLE */
+ 
+     _XimGetCurrentICValues(ic, &ic_values);
++    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE
+       + sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
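Review bot: The added `memset(tmp_buf, 0, sizeof(tmp_buf32));` takes its destination from one name and its size from another, so it is only correct if `tmp_buf` points at the start of `tmp_buf32`; both declarations are outside this hunk. Writing `memset(tmp_buf32, 0, sizeof(tmp_buf32));` keeps pointer and size on the same object and stays correct if either declaration changes. The same line is added in the imDefIm.c hunks at -1289 and -1820. If the intent is, as it appears, to keep uninitialised stack bytes out of the outgoing request, a one-line comment such as `/* zero the buffer so unused and padding bytes are never sent uninitialised */` would record that.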
+@@ -730,7 +731,7 @@
+ 
+       buf_size += ret_len;
+       if (buf == tmp_buf) {
+-          if (!(tmp = Xmalloc(buf_size + data_len))) {
++          if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+               return tmp_name;
+           }
+           memcpy(tmp, buf, buf_size);
+@@ -740,6 +741,7 @@
+               Xfree(buf);
+               return tmp_name;
+           }
++            memset(&tmp[buf_size], 0, data_len);
+           buf = tmp;
+       }
+     }
+diff -Naur libx11-1.6.7.orig/modules/im/ximcp/imDefIm.c 
libx11-1.6.7/modules/im/ximcp/imDefIm.c
+--- libx11-1.6.7.orig/modules/im/ximcp/imDefIm.c       2018-10-09 
16:27:08.000000000 +0200
++++ libx11-1.6.7/modules/im/ximcp/imDefIm.c    2020-09-11 17:30:58.689814672 
+0200
+@@ -62,6 +62,7 @@
+ #include "XimTrInt.h"
+ #include "Ximint.h"
+ 
++#include <limits.h>
+ 
+ int
+ _XimCheckDataSize(
+@@ -809,12 +810,16 @@
+     int                        buf_size;
+     int                        ret_code;
+     char              *locale_name;
++    size_t             locale_len;
+ 
+     locale_name = im->private.proto.locale_name;
+-    len = strlen(locale_name);
+-    buf_b[0] = (BYTE)len;                        /* length of locale name */
+-    (void)strcpy((char *)&buf_b[1], locale_name);  /* locale name */
+-    len += sizeof(BYTE);                         /* sizeof length */
++    locale_len = strlen(locale_name);
++    if (locale_len > UCHAR_MAX)
++      return False;
++    memset(buf32, 0, sizeof(buf32));
++    buf_b[0] = (BYTE)locale_len;              /* length of locale name */
++    memcpy(&buf_b[1], locale_name, locale_len);          /* locale name */
++    len = (INT16)(locale_len + sizeof(BYTE));    /* sizeof length */
+     XIM_SET_PAD(buf_b, len);                     /* pad */
+ 
+     _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
+@@ -1289,6 +1294,7 @@
+ #endif /* XIM_CONNECTABLE */
+ 
+     _XimGetCurrentIMValues(im, &im_values);
++    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+     data_len = BUFSIZE - buf_size;
+@@ -1311,7 +1317,7 @@
+ 
+       buf_size += ret_len;
+       if (buf == tmp_buf) {
+-          if (!(tmp = Xmalloc(buf_size + data_len))) {
++          if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+               return arg->name;
+           }
+           memcpy(tmp, buf, buf_size);
+@@ -1321,6 +1327,7 @@
+               Xfree(buf);
+               return arg->name;
+           }
++            memset(&tmp[buf_size], 0, data_len);
+           buf = tmp;
+       }
+     }
+@@ -1462,7 +1469,7 @@
+            + sizeof(INT16)
+            + XIM_PAD(buf_size);
+ 
+-    if (!(buf = Xmalloc(buf_size)))
++    if (!(buf = Xcalloc(buf_size, 1)))
+       return arg->name;
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+ 
+@@ -1724,7 +1731,7 @@
+       + sizeof(CARD16)
+       + detail_len;
+ 
+-    if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
++    if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
+       goto free_detail_ptr;
+ 
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+@@ -1820,6 +1827,7 @@
+     int                        ret_code;
+ 
+     _XimGetCurrentIMValues(im, &im_values);
++    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+     data_len = BUFSIZE - buf_size;
+@@ -1842,7 +1850,7 @@
+ 
+       buf_size += ret_len;
+       if (buf == tmp_buf) {
+-          if (!(tmp = Xmalloc(buf_size + data_len))) {
++          if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+               return False;
+           }
+           memcpy(tmp, buf, buf_size);
+@@ -1852,6 +1860,7 @@
+               Xfree(buf);
+               return False;
+           }
++            memset(&tmp[buf_size], 0, data_len);
+           buf = tmp;
+       }
+     }
+diff -Naur libx11-1.6.7.orig/modules/im/ximcp/imRmAttr.c 
libx11-1.6.7/modules/im/ximcp/imRmAttr.c
+--- libx11-1.6.7.orig/modules/im/ximcp/imRmAttr.c      2018-10-09 
16:27:08.000000000 +0200
++++ libx11-1.6.7/modules/im/ximcp/imRmAttr.c   2020-09-11 17:31:32.348034612 
+0200
+@@ -29,6 +29,8 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++
+ #include "Xlibint.h"
+ #include "Xlcint.h"
+ #include "Ximint.h"
+@@ -214,7 +216,7 @@
+     Xic                         ic,
+     XIMResourceList     res,
+     CARD16             *data,
+-    INT16               data_len,
++    CARD16              data_len,
+     XPointer            value,
+     BITMASK32           mode)
+ {
+@@ -250,18 +252,24 @@
+ 
+     case XimType_XIMStyles:
+       {
+-          INT16                num = data[0];
++          CARD16               num = data[0];
+           register CARD32     *style_list = (CARD32 *)&data[2];
+           XIMStyle            *style;
+           XIMStyles           *rep;
+           register int         i;
+           char                *p;
+-          int                  alloc_len;
++          unsigned int         alloc_len;
+ 
+           if (!(value))
+               return False;
+ 
++          if (num > (USHRT_MAX / sizeof(XIMStyle)))
++              return False;
++          if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
++              return False;
+           alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
++          if (alloc_len < sizeof(XIMStyles))
++              return False;
+           if (!(p = Xmalloc(alloc_len)))
+               return False;
+ 
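Review bot: `num` is still loaded from `data[0]` in its initialiser, before anything compares `data_len` with the size of that field; the new length check only runs afterwards, so a value shorter than one CARD16 is read before it is rejected. Declaring `CARD16 num;` and assigning `num = data[0];` after `if (data_len < sizeof(CARD16)) return False;` would put validation ahead of use. The XFontSet hunk (`len = data[0]`) and the XIMHotKeyTriggers hunk (`num = *((CARD32 *)data)`) have the same ordering. Whether callers already guarantee a minimum `data_len` is not visible from this page.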
+@@ -313,7 +321,7 @@
+ 
+     case XimType_XFontSet:
+       {
+-          INT16        len = data[0];
++          CARD16       len = data[0];
+           char        *base_name;
+           XFontSet     rep = (XFontSet)NULL;
+           char        **missing_list = NULL;
+@@ -324,11 +332,12 @@
+               return False;
+           if (!ic)
+               return False;
+-
++          if (len > data_len)
++              return False;
+           if (!(base_name = Xmalloc(len + 1)))
+               return False;
+ 
+-          (void)strncpy(base_name, (char *)&data[1], (int)len);
++          (void)strncpy(base_name, (char *)&data[1], (size_t)len);
+           base_name[len] = '\0';
+ 
+           if (mode & XIM_PREEDIT_ATTR) {
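Review bot: The new `if (len > data_len)` bound compares the name length alone with `data_len`, but the copy reads from `&data[1]`, which is after the two-byte length field. If `data_len` counts the bytes starting at `data` (the caller is outside this hunk, so this needs confirming), a `len` within two bytes of `data_len` passes the check while the `strncpy` source can extend past the declared value. The XIMStyles and XIMHotKeyTriggers checks in this patch add their header size before comparing; the equivalent here would be `if (len + sizeof(CARD16) > data_len) return False;`.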
+@@ -357,19 +366,25 @@
+ 
+     case XimType_XIMHotKeyTriggers:
+       {
+-          INT32                        num = *((CARD32 *)data);
++          CARD32                       num = *((CARD32 *)data);
+           register CARD32             *key_list = (CARD32 *)&data[2];
+           XIMHotKeyTrigger            *key;
+           XIMHotKeyTriggers           *rep;
+           register int                 i;
+           char                        *p;
+-          int                          alloc_len;
++          unsigned int                 alloc_len;
+ 
+           if (!(value))
+               return False;
+ 
++          if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
++              return False;
++          if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
++              return False;
+           alloc_len = sizeof(XIMHotKeyTriggers)
+                     + sizeof(XIMHotKeyTrigger) * num;
++          if (alloc_len < sizeof(XIMHotKeyTriggers))
++              return False;
+           if (!(p = Xmalloc(alloc_len)))
+               return False;
+ 
+@@ -1378,13 +1393,13 @@
+ 
+ static unsigned int
+ _XimCountNumberOfAttr(
+-    INT16      total,
+-    CARD16    *attr,
+-    int               *names_len)
++    CARD16      total,
++    CARD16     *attr,
++    unsigned int *names_len)
+ {
+     unsigned int n;
+-    INT16      len;
+-    INT16      min_len = sizeof(CARD16)       /* sizeof attribute ID */
++    CARD16     len;
++    CARD16     min_len = sizeof(CARD16)       /* sizeof attribute ID */
+                        + sizeof(CARD16)       /* sizeof type of value */
+                        + sizeof(INT16);       /* sizeof length of attribute */
+ 
+@@ -1392,6 +1407,9 @@
+     *names_len = 0;
+     while (total > min_len) {
+       len = attr[2];
++      if (len >= (total - min_len)) {
++          return 0;
++      }
+       *names_len += (len + 1);
+       len += (min_len + XIM_PAD(len + 2));
+       total -= len;
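Review bot: The added guard bounds the raw `len`, but the amount subtracted from `total` two lines later is `len + min_len + XIM_PAD(len + 2)`. Now that `total` is a CARD16, any case where the padding pushes that sum above `total` makes `total -= len` wrap to a large value rather than go negative, and `while (total > min_len)` would keep advancing through `attr`. XIM_PAD is defined outside this page, so confirm whether it can add bytes here. If it can, a second guard on the padded size, `if (len + min_len + XIM_PAD(len + 2) > total) return 0;`, placed before `len` is modified, would close the gap. The function's tail is outside the hunk.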
+@@ -1406,17 +1424,15 @@
+     Xim                         im,
+     CARD16             *buf)
+ {
+-    unsigned int        n;
++    unsigned int        n, names_len, values_len;
+     XIMResourceList     res;
+     char               *names;
+-    int                         names_len;
+     XPointer            tmp;
+     XIMValuesList      *values_list;
+     char              **values;
+-    int                         values_len;
+     register int        i;
+-    INT16               len;
+-    INT16               min_len = sizeof(CARD16) /* sizeof attribute ID */
++    CARD16              len;
++    CARD16              min_len = sizeof(CARD16) /* sizeof attribute ID */
+                                 + sizeof(CARD16) /* sizeof type of value */
+                                 + sizeof(INT16); /* sizeof length of attr */
+     /*
only in patch2:
unchanged:
--- libx11-1.6.7.orig/debian/patches/CVE-2020-14363.diff
+++ libx11-1.6.7/debian/patches/CVE-2020-14363.diff
@@ -0,0 +1,31 @@
+From acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <[email protected]>
+Date: Thu, 13 Aug 2020 18:02:58 +0200
+Subject: [PATCH] Fix an integer overflow in init_om()
+
+CVE-2020-14363
+
+This can lead to a double free later, as reported by Jayden Rivers.
+
+Signed-off-by: Matthieu Herrb <[email protected]>
+---
+ modules/om/generic/omGeneric.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
+index c44acb88..406cec93 100644
+--- a/modules/om/generic/omGeneric.c
++++ b/modules/om/generic/omGeneric.c
+@@ -1908,7 +1908,8 @@ init_om(
+     char **required_list;
+     XOrientation *orientation;
+     char **value, buf[BUFSIZ], *bufptr;
+-    int count = 0, num = 0, length = 0;
++    int count = 0, num = 0;
++    unsigned int length = 0;
+ 
+     _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
+     if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
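Review bot: Making `length` an `unsigned int` removes the negative value a signed overflow would produce, but the accumulation into it (outside this hunk) can still wrap, only at a higher threshold. The commit message ties the overflow to a later double free, and nothing in this hunk changes that cleanup path, so it presumably remains reachable if the allocation sized by `length` fails for any other reason. Consider `size_t length` with an explicit overflow check at the point where it is incremented, and review the failure path in its own change. init_om's body continues outside the hunk.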
+-- 
+GitLab
+

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
