New branch 'debian-wheezy' available with the following commits:
commit 0df9b05bf69b1413433577d5e46c280290456c8b
Author: Julien Cristau <[email protected]>
Date:   Wed May 15 20:13:37 2013 +0200

    Upload to wheezy-security

commit e99aaae2ee15d977496a51d67378987aaf9cf298
Author: Alan Coopersmith <[email protected]>
Date:   Sat Mar 9 13:48:28 2013 -0800

    integer overflow in DMXGetInputAttributes() [CVE-2013-1992 3/3]
    
    If the server provided nameLength causes integer overflow
    when padding length is added, a smaller buffer would be allocated
    than the amount of data written to it.
    
    Reported-by: Ilja Van Sprundel <[email protected]>
    Signed-off-by: Alan Coopersmith <[email protected]>
    Signed-off-by: Julien Cristau <[email protected]>

commit aa72ec9eb440898789c2bcdd4446f07e416628e3
Author: Alan Coopersmith <[email protected]>
Date:   Sat Mar 9 13:48:28 2013 -0800

    integer overflow in DMXGetWindowAttributes() [CVE-2013-1992 2/3]
    
    If the server provided screenCount causes integer overflow when
    multiplied by the size of each array element, a smaller buffer
    would be allocated than the amount of data written to it.
    
    Reported-by: Ilja Van Sprundel <[email protected]>
    Signed-off-by: Alan Coopersmith <[email protected]>
    Signed-off-by: Julien Cristau <[email protected]>

commit b03b651fda6a8e4e45c7c9515a8409727d64eb3f
Author: Alan Coopersmith <[email protected]>
Date:   Sat Mar 9 13:48:28 2013 -0800

    integer overflow in DMXGetScreenAttributes() [CVE-2013-1992 1/3]
    
    If the server provided displayNameLength causes integer overflow
    when padding length is added, a smaller buffer would be allocated
    than the amount of data written to it.
    
    Reported-by: Ilja Van Sprundel <[email protected]>
    Signed-off-by: Alan Coopersmith <[email protected]>
    Signed-off-by: Julien Cristau <[email protected]>

commit 7aeea88767897d1208baeed4e6386a55e448606a
Author: Alan Coopersmith <[email protected]>
Date:   Fri May 3 23:10:47 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <[email protected]>
    Signed-off-by: Julien Cristau <[email protected]>
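
The three overflow patterns named in the commit messages above (length plus padding, count times element size, and `rep.length << 2`), shown beside bounds-checked forms. This is an added example, not code from libdmx or from these commits; the function names are hypothetical, and `uint32_t` stands in for a CARD32 field on a 32-bit build.

```c
#include <stdint.h>
#include <stdio.h>

/* Unchecked: round a server-supplied length up to a 4-byte boundary.
 * Wraps to 0 once name_len exceeds UINT32_MAX - 3. */
static uint32_t padded_len_unchecked(uint32_t name_len) {
    return (name_len + 3u) & ~3u;
}

/* Checked: refuse lengths that cannot be padded without wrapping. */
static int padded_len_checked(uint32_t name_len, uint32_t *out) {
    if (name_len > UINT32_MAX - 3u) return -1;
    *out = (name_len + 3u) & ~3u;
    return 0;
}

/* Unchecked: byte size of an array of `count` elements. */
static uint32_t array_bytes_unchecked(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Checked: divide the limit instead of multiplying the untrusted count. */
static int array_bytes_checked(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size) return -1;
    *out = count * elem_size;
    return 0;
}

/* Unchecked: convert a reply length in 4-byte words to bytes. */
static uint32_t words_to_bytes_unchecked(uint32_t words) {
    return words << 2;
}

/* Checked: reject word counts whose top two bits would be shifted out. */
static int words_to_bytes_checked(uint32_t words, uint32_t *out) {
    if (words > (UINT32_MAX >> 2)) return -1;
    *out = words << 2;
    return 0;
}

int main(void) {
    uint32_t n = 0;
    /* Constructed sample values chosen to trigger each wraparound. */
    printf("pad:   unchecked=%u checked=%d\n", (unsigned)padded_len_unchecked(0xFFFFFFFEu), padded_len_checked(0xFFFFFFFEu, &n));
    printf("array: unchecked=%u checked=%d\n", (unsigned)array_bytes_unchecked(0x40000001u, 4), array_bytes_checked(0x40000001u, 4, &n));
    printf("words: unchecked=%u checked=%d\n", (unsigned)words_to_bytes_unchecked(0x40000000u), words_to_bytes_checked(0x40000000u, &n));
    return 0;
}
```

In each unchecked case the computed size is far smaller than the amount of data the peer claims to send, which is the mismatch between allocation and write that the commit messages describe.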

