ChangeLog | 517 +++++++++++++++++++++++++++++++++++++++ autogen.sh | 4 configure.ac | 13 debian/changelog | 21 + debian/compat | 2 debian/control | 8 debian/libxi-dev.install | 1 debian/libxi-dev.manpages | 1 debian/libxi6.symbols | 2 debian/patches/series | 2 debian/rules | 23 - include/X11/extensions/XInput2.h | 47 +++ man/Makefile.am | 9 man/XGetDeviceControl.txt | 12 man/XIBarrierReleasePointer.txt | 76 +++++ man/XIGrabButton.txt | 3 src/Makefile.am | 4 src/XExtInt.c | 110 +++++--- src/XGMotion.c | 24 + src/XGetBMap.c | 21 - src/XGetDCtl.c | 41 ++- src/XGetDProp.c | 64 ++-- src/XGetFCtl.c | 40 ++- src/XGetKMap.c | 2 src/XGetMMap.c | 2 src/XGetProp.c | 16 - src/XGtSelect.c | 2 src/XIBarrier.c | 81 ++++++ src/XIGrabDevice.c | 19 - src/XIPassiveGrab.c | 12 src/XIProperties.c | 18 - src/XIQueryVersion.c | 6 src/XISelEv.c | 65 +++- src/XIint.h | 15 + src/XListDProp.c | 2 src/XListDev.c | 31 +- src/XOpenDev.c | 2 src/XQueryDv.c | 19 - src/config.h.in | 71 ----- xi.pc.in | 2 40 files changed, 1147 insertions(+), 263 deletions(-)
New commits: commit a536a94af6b825f838cac96b9f11971a6966ae40 Author: Julien Cristau <[email protected]> Date: Sun Jun 30 15:51:05 2013 +0200 Upload to unstable diff --git a/debian/changelog b/debian/changelog index acb24af..61e151a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -libxi (2:1.7.1.901-1) UNRELEASED; urgency=low +libxi (2:1.7.1.901-1) unstable; urgency=low * New upstream release candidate. @@ -17,7 +17,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low * Fix clean rule for config.h.in. * Use dh_prep instead of dh_clean -k. - -- Timo Aaltonen <[email protected]> Wed, 06 Feb 2013 23:43:08 +0200 + -- Julien Cristau <[email protected]> Sun, 30 Jun 2013 15:51:02 +0200 libxi (2:1.6.1-1) unstable; urgency=low commit 5e923a687c4391fcd9828ce551a18b901a324c42 Author: Julien Cristau <[email protected]> Date: Sun Jun 30 15:51:01 2013 +0200 Use dh_prep instead of dh_clean -k. diff --git a/debian/changelog b/debian/changelog index 66989a9..acb24af 100644 --- a/debian/changelog +++ b/debian/changelog @@ -15,6 +15,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low * Bump debhelper compat level to 7. * Simplify installing manpages. * Fix clean rule for config.h.in. + * Use dh_prep instead of dh_clean -k. -- Timo Aaltonen <[email protected]> Wed, 06 Feb 2013 23:43:08 +0200 diff --git a/debian/rules b/debian/rules index 83871c1..40fb02a 100755 --- a/debian/rules +++ b/debian/rules @@ -69,7 +69,7 @@ clean: xsfclean install: build dh_testdir dh_testroot - dh_clean -k + dh_prep dh_installdirs cd build && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install commit c218add56ca740a5b177d51837595b3cbb12dc3e Author: Julien Cristau <[email protected]> Date: Sun Jun 30 15:42:44 2013 +0200 Fix clean rule for config.h.in. diff --git a/debian/changelog b/debian/changelog index bb9946f..66989a9 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -14,6 +14,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low * Disable silent build rules. * Bump debhelper compat level to 7. * Simplify installing manpages. + * Fix clean rule for config.h.in. -- Timo Aaltonen <[email protected]> Wed, 06 Feb 2013 23:43:08 +0200 diff --git a/debian/rules b/debian/rules index d4c418e..83871c1 100755 --- a/debian/rules +++ b/debian/rules @@ -62,7 +62,7 @@ clean: xsfclean rm -rf autom4te.cache */autom4te.cache rm -rf build find -name Makefile.in -delete - rm -f INSTALL compile config.guess config.sub configure config.h.in + rm -f INSTALL compile config.guess config.sub configure src/config.h.in rm -f depcomp install-sh ltmain.sh missing aclocal.m4 mkinstalldirs dh_clean diff --git a/src/config.h.in b/src/config.h.in deleted file mode 100644 index 1b81ba9..0000000 --- a/src/config.h.in +++ /dev/null 
@@ -1,71 +0,0 @@ -/* src/config.h.in. Generated from configure.ac by autoheader. */ - -/* Define to 1 if you have the <dlfcn.h> header file. */ -#undef HAVE_DLFCN_H - -/* Define to 1 if you have the <inttypes.h> header file. */ -#undef HAVE_INTTYPES_H - -/* Define to 1 if you have the <memory.h> header file. */ -#undef HAVE_MEMORY_H - -/* Define to 1 if you have the <stdint.h> header file. */ -#undef HAVE_STDINT_H - -/* Define to 1 if you have the <stdlib.h> header file. */ -#undef HAVE_STDLIB_H - -/* Define to 1 if you have the <strings.h> header file. */ -#undef HAVE_STRINGS_H - -/* Define to 1 if you have the <string.h> header file. */ -#undef HAVE_STRING_H - -/* Define to 1 if you have the <sys/stat.h> header file. */ -#undef HAVE_SYS_STAT_H - -/* Define to 1 if you have the <sys/types.h> header file. */ -#undef HAVE_SYS_TYPES_H - -/* Define to 1 if you have the <unistd.h> header file. */ -#undef HAVE_UNISTD_H - -/* Define to the sub-directory in which libtool stores uninstalled libraries. - */ -#undef LT_OBJDIR - -/* Name of package */ -#undef PACKAGE - -/* Define to the address where bug reports for this package should be sent. */ -#undef PACKAGE_BUGREPORT - -/* Define to the full name of this package. */ -#undef PACKAGE_NAME - -/* Define to the full name and version of this package. */ -#undef PACKAGE_STRING - -/* Define to the one symbol short name of this package. */ -#undef PACKAGE_TARNAME - -/* Define to the home page for this package. */ -#undef PACKAGE_URL - -/* Define to the version of this package. */ -#undef PACKAGE_VERSION - -/* Major version of this package */ -#undef PACKAGE_VERSION_MAJOR - -/* Minor version of this package */ -#undef PACKAGE_VERSION_MINOR - -/* Patch version of this package */ -#undef PACKAGE_VERSION_PATCHLEVEL - -/* Define to 1 if you have the ANSI C header files. 
*/ -#undef STDC_HEADERS - -/* Version number of package */ -#undef VERSION commit 4a11c07ff2c6b7fd1de80cbbd8517bf7d76814ab Author: Julien Cristau <[email protected]> Date: Sun Jun 30 15:38:44 2013 +0200 Simplify installing manpages. diff --git a/debian/changelog b/debian/changelog index 8570213..bb9946f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -13,6 +13,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low * Use dpkg-buildflags. * Disable silent build rules. * Bump debhelper compat level to 7. + * Simplify installing manpages. -- Timo Aaltonen <[email protected]> Wed, 06 Feb 2013 23:43:08 +0200 diff --git a/debian/libxi-dev.install b/debian/libxi-dev.install index 5f68330..6eb611b 100644 --- a/debian/libxi-dev.install +++ b/debian/libxi-dev.install @@ -4,3 +4,4 @@ usr/lib/*/pkgconfig/xi.pc usr/include/X11/extensions/ usr/share/doc/libXi/*.html usr/share/doc/libxi-dev usr/share/doc/libXi/*.txt usr/share/doc/libxi-dev +usr/share/man/man3 diff --git a/debian/libxi-dev.manpages b/debian/libxi-dev.manpages deleted file mode 100644 index 7c72677..0000000 --- a/debian/libxi-dev.manpages +++ /dev/null @@ -1 +0,0 @@ -debian/tmp/usr/share/man/man3/* diff --git a/debian/rules b/debian/rules index ab3912d..d4c418e 100755 --- a/debian/rules +++ b/debian/rules @@ -82,7 +82,7 @@ binary-arch: build install dh_installdocs find debian/tmp -name '*.xml' -delete find debian/tmp -name '*.db' -delete - dh_install --fail-missing --exclude=libXi.la --exclude=usr/share/man/man3 + dh_install --fail-missing --exclude=libXi.la dh_installman dh_installchangelogs dh_link commit fae2d21774ae5d1259664fdda5441fd217439d5a Author: Julien Cristau <[email protected]> Date: Sun Jun 30 15:37:22 2013 +0200 Bump debhelper compat level to 7. diff --git a/debian/changelog b/debian/changelog index 5ebf177..8570213 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -12,6 +12,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low [ Julien Cristau ] * Use dpkg-buildflags. * Disable silent build rules. + * Bump debhelper compat level to 7. -- Timo Aaltonen <[email protected]> Wed, 06 Feb 2013 23:43:08 +0200 diff --git a/debian/compat b/debian/compat index 7ed6ff8..7f8f011 100644 --- a/debian/compat +++ b/debian/compat @@ -1 +1 @@ -5 +7 diff --git a/debian/rules b/debian/rules index 069d899..ab3912d 100755 --- a/debian/rules +++ b/debian/rules @@ -82,9 +82,9 @@ binary-arch: build install dh_installdocs find debian/tmp -name '*.xml' -delete find debian/tmp -name '*.db' -delete - dh_install --sourcedir=debian/tmp --fail-missing --exclude=libXi.la --exclude=usr/share/man/man3 + dh_install --fail-missing --exclude=libXi.la --exclude=usr/share/man/man3 dh_installman - dh_installchangelogs ChangeLog + dh_installchangelogs dh_link dh_strip -p$(PACKAGE) --dbg-package=$(PACKAGE)-dbg dh_strip -N$(PACKAGE) commit dcc2345a792ab73ca98dda18a47fd80b5d38f96e Author: Julien Cristau <[email protected]> Date: Sun Jun 30 15:29:06 2013 +0200 Disable silent build rules. diff --git a/debian/changelog b/debian/changelog index d5d2804..5ebf177 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,6 +11,7 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low [ Julien Cristau ] * Use dpkg-buildflags. + * Disable silent build rules. -- Timo Aaltonen <[email protected]> Wed, 06 Feb 2013 23:43:08 +0200 diff --git a/debian/rules b/debian/rules index 6cbcf80..069d899 100755 --- a/debian/rules +++ b/debian/rules @@ -36,6 +36,7 @@ build/config.status: configure cd build && \ ../configure --prefix=/usr --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info \ + --disable-silent-rules \ --with-xmlto \ --without-fop \ --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ commit ee476ab098bcc1d9a39ee12ee118d255a6738f0d Author: Julien Cristau <[email protected]> Date: Sun Jun 30 15:28:30 2013 +0200 Use dpkg-buildflags. 
diff --git a/debian/changelog b/debian/changelog index ff9c9a5..d5d2804 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,9 @@ libxi (2:1.7.1.901-1) UNRELEASED; urgency=low * rules: Bump shlibs. * control: Add libfixes-dev to build-deps and libxi-dev Depends. + [ Julien Cristau ] + * Use dpkg-buildflags. + -- Timo Aaltonen <[email protected]> Wed, 06 Feb 2013 23:43:08 +0200 libxi (2:1.6.1-1) unstable; urgency=low diff --git a/debian/control b/debian/control index 3161890..e947000 100644 --- a/debian/control +++ b/debian/control @@ -5,6 +5,8 @@ Maintainer: Debian X Strike Force <[email protected]> Uploaders: Drew Parsons <[email protected]>, Cyril Brulebois <[email protected]> Build-Depends: debhelper (>= 8.1.3), +# dpkg-buildflags --export=configure + dpkg-dev (>= 1.16.1), x11proto-core-dev (>= 7.0.13), x11proto-xext-dev (>= 7.0.3), x11proto-input-dev (>= 2.2.99.1), diff --git a/debian/rules b/debian/rules index 3c97ff8..6cbcf80 100755 --- a/debian/rules +++ b/debian/rules @@ -12,12 +12,6 @@ PACKAGE = libxi6 include debian/xsfbs/xsfbs.mk -CFLAGS = -Wall -g -ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 -else - CFLAGS += -O2 -endif ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) MAKEFLAGS += -j$(NUMJOBS) @@ -32,6 +26,7 @@ ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE)) else confflags += --build=$(DEB_BUILD_GNU_TYPE) --host=$(DEB_HOST_GNU_TYPE) endif +confflags += $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure) configure: $(STAMP_DIR)/patch autoreconf -vfi 
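Review bot: The `dpkg-buildflags --export=configure` call added to `confflags` takes only the default hardening set, which includes relro but not bindnow, so lazily bound PLT/GOT entries of the shared library stay writable after load. The upstream ChangeLog on this page lists several memory-corruption fixes in reply parsing, which is the class of bug full RELRO is meant to blunt. Consider `confflags += $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)`. With silent rules disabled in the neighbouring commit, the build log can then be checked to confirm the flags reach the compiler and linker.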
@@ -40,12 +35,11 @@ build/config.status: configure mkdir -p build cd build && \ ../configure --prefix=/usr --mandir=\$${prefix}/share/man \ - --infodir=\$${prefix}/share/info $(confflags) \ + --infodir=\$${prefix}/share/info \ --with-xmlto \ --without-fop \ --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ - CFLAGS="$(CFLAGS)" - + $(confflags) build: build-indep build-arch build-indep: commit a9bd8d6151f43a7839e35b9d56a78a840d0967a8 Author: Julien Cristau <[email protected]> Date: Sun Jun 30 15:24:38 2013 +0200 Bump changelogs diff --git a/ChangeLog b/ChangeLog index 4e2a391..cf57166 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,303 @@ +commit 957a9d64afd76f878ce6c5570f369e2a7fc1e772 +Author: Peter Hutterer <[email protected]> +Date: Thu Jun 27 08:47:16 2013 +1000 + + libXi 1.7.1.901 + + Signed-off-by: Peter Hutterer <[email protected]> + +commit 62033a9c83bcdc75b9f1452ce24729eefa8f4dc0 +Author: Peter Hutterer <[email protected]> +Date: Thu Jun 27 06:25:02 2013 +1000 + + Include limits.h to prevent build error: missing INT_MAX + + Introduced in 4c8e9bcab459ea5f870d3e56eff15f931807f9b7. + + Signed-off-by: Peter Hutterer <[email protected]> + +commit 0f3f5a36d5fc6dc53f69f48a0c83aef6a1fcf381 +Author: Peter Hutterer <[email protected]> +Date: Tue May 28 15:52:34 2013 +1000 + + If the XGetDeviceDontPropagateList reply has an invalid length, return 0 + + If we skip over the reply data, return 0 as number of event classes. + + Follow-up to 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff. + + 
Signed-off-by: Peter Hutterer <[email protected]> + +commit 35ae16dc2f16b24a22625b2d9f76a2128b673a6c +Author: Peter Hutterer <[email protected]> +Date: Tue May 28 15:52:33 2013 +1000 + + Change size += to size = in XGetDeviceControl + + size += blah is technically correct but it implies that we're looping or + otherwise incrementing the size. Which we don't, it's only ever set once. + + Change this to avoid reviewer confusion. + + Reported-by: Dave "color-me-confused" Airlie <[email protected]> + Signed-off-by: Peter Hutterer <[email protected]> + +commit 4c8e9bcab459ea5f870d3e56eff15f931807f9b7 +Author: Peter Hutterer <[email protected]> +Date: Tue May 28 15:52:32 2013 +1000 + + Fix potential corruption in mask_len handling + + First: check for allocation failure on the mask. + XI2 requires that the mask is zeroed, so we can't just Data() the mask + provided by the client (it will pad) - we need a tmp buffer. Make sure that + doesn't fail. + + Second: + req->mask_len is a uint16_t, so check against malicious mask_lens that would + cause us to corrupt memory on copy, as the code always allocates + req->mask_len * 4, but copies mask->mask_len bytes. + + Signed-off-by: Peter Hutterer <[email protected]> + +commit 661c45ca17c434dbd342a46fd3fb813852ae0ca9 +Author: Peter Hutterer <[email protected]> +Date: Tue May 21 12:23:05 2013 +1000 + + Don't overwrite the cookies serial number + + serial != sequenceNumber, see _XSetLastRequestRead() + + cookie->serial is already set at this point, setting it again directly from + the sequenceNumber of the event causes a bunch of weird issues such as + scrollbars and text drag-n-drop breaking. + + https://bugzilla.redhat.com/show_bug.cgi?id=965347 + + 
Signed-off-by: Peter Hutterer <[email protected]> + +commit 81b4df8ac6aa1520c41c3526961014a6f115cc46 +Author: Alan Coopersmith <[email protected]> +Date: Sun Mar 10 00:16:22 2013 -0800 + + sign extension issue in XListInputDevices() [CVE-2013-1995] + + nptr is (signed) char, which can be negative, and will sign extend + when added to the int size, which means size can be subtracted from, + leading to allocating too small a buffer to hold the data being copied + from the X server's reply. + + v2: check that string size fits inside the data read from the server, + so that we don't read out of bounds either + + Reported-by: Ilja Van Sprundel <[email protected]> + Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit ef82512288d8ca36ac0beeb289f158195b0a8cae +Author: Alan Coopersmith <[email protected]> +Date: Sun Mar 10 00:22:14 2013 -0800 + + Avoid integer overflow in XListInputDevices() [CVE-2013-1984 8/8] + + If the length of the reply as reported by the Xserver is too long, it + could overflow the calculation for the size of the buffer to copy the + reply into, causing memory corruption. + + Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit 17071c1c608247800b2ca03a35b1fcc9c4cabe6c +Author: Alan Coopersmith <[email protected]> +Date: Sun Mar 10 13:30:55 2013 -0700 + + Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8] + + If the number of items as reported by the Xserver is too large, it + could overflow the calculation for the size of the buffer to copy the + reply into, causing memory corruption. + + 
Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit 528419b9ef437e7eeafb41bf45e8ff7d818bd845 +Author: Alan Coopersmith <[email protected]> +Date: Sat Mar 9 22:55:23 2013 -0800 + + integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8] + + If the number of events or masks reported by the server is large enough + that it overflows when multiplied by the size of the appropriate struct, + or the sizes overflow as they are totaled up, then memory corruption can + occur when more bytes are copied from the X server reply than the size + of the buffer we allocated to hold them. + + v2: check that reply size fits inside the data read from the server, + so that we don't read out of bounds either + + Reported-by: Ilja Van Sprundel <[email protected]> + Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit 242f92b490a695fbab244af5bad11b71f897c732 +Author: Alan Coopersmith <[email protected]> +Date: Sat Mar 9 22:55:23 2013 -0800 + + integer overflow in XIGetProperty() [CVE-2013-1984 5/8] + + If the number of items reported by the server is large enough that + it overflows when multiplied by the size of the appropriate item type, + then memory corruption can occur when more bytes are copied from the + X server reply than the size of the buffer we allocated to hold them. + + Reported-by: Ilja Van Sprundel <[email protected]> + 
Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit bb922ed4253b35590f0369f32a917ff89ade0830 +Author: Alan Coopersmith <[email protected]> +Date: Sat Mar 9 22:55:23 2013 -0800 + + integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8] + + If the number of events or axes reported by the server is large enough + that it overflows when multiplied by the size of the appropriate struct, + then memory corruption can occur when more bytes are copied from the + X server reply than the size of the buffer we allocated to hold them. + + Reported-by: Ilja Van Sprundel <[email protected]> + Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff +Author: Alan Coopersmith <[email protected]> +Date: Sat Mar 9 22:55:23 2013 -0800 + + integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8] + + If the number of event classes reported by the server is large enough + that it overflows when multiplied by the size of the appropriate struct, + then memory corruption can occur when more bytes are copied from the + X server reply than the size of the buffer we allocated to hold them. + + V2: EatData if count is 0 but length is > 0 to avoid XIOErrors + + Reported-by: Ilja Van Sprundel <[email protected]> + 
Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit 322ee3576789380222d4403366e4fd12fb24cb6a +Author: Alan Coopersmith <[email protected]> +Date: Sat Mar 9 22:55:23 2013 -0800 + + integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8] + + If the number of feedbacks reported by the server is large enough that + it overflows when multiplied by the size of the appropriate struct, or + if the total size of all the feedback structures overflows when added + together, then memory corruption can occur when more bytes are copied from + the X server reply than the size of the buffer we allocated to hold them. + + v2: check that reply size fits inside the data read from the server, so + we don't read out of bounds either + + Reported-by: Ilja Van Sprundel <[email protected]> + Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit b0b13c12a8079a5a0e7f43b2b8983699057b2cec +Author: Alan Coopersmith <[email protected]> +Date: Sat Mar 9 22:55:23 2013 -0800 + + integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8] + + If the number of valuators reported by the server is large enough that + it overflows when multiplied by the size of the appropriate struct, then + memory corruption can occur when more bytes are copied from the X server + reply than the size of the buffer we allocated to hold them. + + v2: check that reply size fits inside the data read from the server, so + we don't read out of bounds either + + Reported-by: Ilja Van Sprundel <[email protected]> + 
Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit 5398ac0797f7516f2c9b8f2869a6c6d071437352 +Author: Alan Coopersmith <[email protected]> +Date: Fri Apr 26 22:48:36 2013 -0700 + + unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3] + + If the lengths given for each class state in the reply add up to more + than the rep.length, we could read past the end of the buffer allocated + to hold the data read from the server. + + Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit 91434737f592e8f5cc1762383882a582b55fc03a +Author: Alan Coopersmith <[email protected]> +Date: Sat Mar 9 23:37:23 2013 -0800 + + memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3] + + If the server returned more modifiers than the caller asked for, + we'd just keep copying past the end of the array provided by the + caller, writing over who-knows-what happened to be there. + + Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit f3e08e4fbe40016484ba795feecf1a742170ffc1 +Author: Alan Coopersmith <[email protected]> +Date: Sat Mar 9 22:26:52 2013 -0800 + + Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3] + + We copy the entire reply sent by the server into the fixed size + mapping[] array on the stack, even if the server says it's a larger + size than the mapping array can hold. HULK SMASH STACK! + + Reported-by: Ilja Van Sprundel <[email protected]> + Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit 59b8e1388a687f871831ac5a9e0ac11de75e2516 +Author: Alan Coopersmith <[email protected]> +Date: Wed May 1 23:58:39 2013 -0700 + + Use _XEatDataWords to avoid overflow of rep.length bit shifting + + rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds + + 
Signed-off-by: Alan Coopersmith <[email protected]> + Reviewed-by: Peter Hutterer <[email protected]> + +commit 5d43d4914dcabb6de69859567061e99300e56ef4 +Author: Peter Hutterer <[email protected]> +Date: Fri May 17 09:07:44 2013 +1000 + + Copy the sequence number into the target event too (#64687) + + X.Org Bug 64687 <http://bugs.freedesktop.org/show_bug.cgi?id=64687> + + Signed-off-by: Peter Hutterer <[email protected]> + Reviewed-by: Jasper St. Pierre <[email protected]> + +commit bb82c72a1d69eaf60b7586570faf797df967f661 +Author: Alan Coopersmith <[email protected]> +Date: Mon Apr 29 18:39:34 2013 -0700 + + Expand comment on the memory vs. reply ordering in XIGetSelectedEvents() + + Unpacking from the wire involves un-interleaving the structs & masks, + which wasn't obvious to me the first time I read it, so make notes + before I forget again. + + Signed-off-by: Alan Coopersmith <[email protected]> + Signed-off-by: Peter Hutterer <[email protected]> + commit 26cb4573cbb8808ce9d5c75c16bd613b2f03a368 Author: Peter Hutterer <[email protected]> Date: Fri Apr 5 09:34:48 2013 +1000 diff --git a/debian/changelog b/debian/changelog index 2b028c1..ff9c9a5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,8 @@ -libxi (2:1.7.1-1) UNRELEASED; urgency=low +libxi (2:1.7.1.901-1) UNRELEASED; urgency=low - * New upstream release. + * New upstream release candidate. + + [ Timo Aaltonen ] * control: Bump policy to 3.9.4, no changes. * control: Bump x11proto-input-dev build-dep to 2.2.99.1. * libxi6.symbols: Added new symbols. commit 957a9d64afd76f878ce6c5570f369e2a7fc1e772 Author: Peter Hutterer <[email protected]> Date: Thu Jun 27 08:47:16 2013 +1000 libXi 1.7.1.901 Signed-off-by: Peter Hutterer <[email protected]> diff --git a/configure.ac b/configure.ac index f5ef1e2..18d895b 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,7 +1,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXi], [1.7.1], +AC_INIT([libXi], [1.7.1.901], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXi]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([src/config.h]) commit 62033a9c83bcdc75b9f1452ce24729eefa8f4dc0 Author: Peter Hutterer <[email protected]> Date: Thu Jun 27 06:25:02 2013 +1000 Include limits.h to prevent build error: missing INT_MAX Introduced in 4c8e9bcab459ea5f870d3e56eff15f931807f9b7. Signed-off-by: Peter Hutterer <[email protected]> diff --git a/src/XIGrabDevice.c b/src/XIGrabDevice.c index 2bff3d8..a8c5697 100644 --- a/src/XIGrabDevice.c +++ b/src/XIGrabDevice.c @@ -31,6 +31,7 @@ #include <X11/extensions/XI2proto.h> #include <X11/extensions/XInput2.h> #include <X11/extensions/extutil.h> +#include <limits.h> #include "XIint.h" diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c index 4ed2f09..baadccb 100644 --- a/src/XIPassiveGrab.c +++ b/src/XIPassiveGrab.c @@ -30,6 +30,7 @@ #include <X11/extensions/XI2proto.h> #include <X11/extensions/XInput2.h> #include <X11/extensions/extutil.h> +#include <limits.h> #include "XIint.h" static int commit 0f3f5a36d5fc6dc53f69f48a0c83aef6a1fcf381 Author: Peter Hutterer <[email protected]> Date: Tue May 28 15:52:34 2013 +1000 If the XGetDeviceDontPropagateList reply has an invalid length, return 0 If we skip over the reply data, return 0 as number of event classes. Follow-up to 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff. Signed-off-by: Peter Hutterer <[email protected]> diff --git a/src/XGetProp.c b/src/XGetProp.c index b49328c..8c69ef2 100644 --- a/src/XGetProp.c +++ b/src/XGetProp.c 
@@ -104,8 +104,10 @@ XGetDeviceDontPropagateList( _XRead(dpy, (char *)(&ec), sizeof(CARD32)); list[i] = (XEventClass) ec; } - } else + } else { + *count = 0; _XEatDataWords(dpy, rep.length); + } } UnlockDisplay(dpy); commit 35ae16dc2f16b24a22625b2d9f76a2128b673a6c Author: Peter Hutterer <[email protected]> Date: Tue May 28 15:52:33 2013 +1000 Change size += to size = in XGetDeviceControl size += blah is technically correct but it implies that we're looping or otherwise incrementing the size. Which we don't, it's only ever set once. Change this to avoid reviewer confusion. Reported-by: Dave "color-me-confused" Airlie <[email protected]> Signed-off-by: Peter Hutterer <[email protected]> diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c index 51ed0ae..b576aa5 100644 --- a/src/XGetDCtl.c +++ b/src/XGetDCtl.c 
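Review bot: `*count = 0;` is reset only in this `else` branch, and the `if` it pairs with sits inside a block that the hunk does not show in full. If `*count` is assigned from `rep.count` before the length test, a reply with `rep.length == 0` and a nonzero count would still hand the caller a NULL list together with a nonzero count; this is inferred, because the assignment and the enclosing `if` start outside the hunk. Setting `*count = 0;` at function entry and storing the real count only after the list has been filled would cover every path.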
@@ -122,34 +122,34 @@ XGetDeviceControl( val_size = 3 * sizeof(int) * r->num_valuators; if ((sizeof(xDeviceResolutionState) + val_size) > nbytes) goto out; - size += sizeof(XDeviceResolutionState) + val_size; + size = sizeof(XDeviceResolutionState) + val_size; break; } case DEVICE_ABS_CALIB: { if (sizeof(xDeviceAbsCalibState) > nbytes) goto out; - size += sizeof(XDeviceAbsCalibState); + size = sizeof(XDeviceAbsCalibState); break; } case DEVICE_ABS_AREA: { if (sizeof(xDeviceAbsAreaState) > nbytes) goto out; - size += sizeof(XDeviceAbsAreaState); + size = sizeof(XDeviceAbsAreaState); break; } case DEVICE_CORE: { if (sizeof(xDeviceCoreState) > nbytes) goto out; - size += sizeof(XDeviceCoreState); + size = sizeof(XDeviceCoreState); break; } default: if (d->length > nbytes) goto out; - size += d->length; + size = d->length; break; } commit 4c8e9bcab459ea5f870d3e56eff15f931807f9b7 Author: Peter Hutterer <[email protected]> Date: Tue May 28 15:52:32 2013 +1000 Fix potential corruption in mask_len handling First: check for allocation failure on the mask. XI2 requires that the mask is zeroed, so we can't just Data() the mask provided by the client (it will pad) - we need a tmp buffer. Make sure that doesn't fail. Second: req->mask_len is a uint16_t, so check against malicious mask_lens that would cause us to corrupt memory on copy, as the code always allocates req->mask_len * 4, but copies mask->mask_len bytes. Signed-off-by: Peter Hutterer <[email protected]> diff --git a/src/XIGrabDevice.c b/src/XIGrabDevice.c index dd1bd10..2bff3d8 100644 --- a/src/XIGrabDevice.c +++ b/src/XIGrabDevice.c 
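Review bot: Each case bound-checks the wire struct (`sizeof(xDeviceAbsCalibState) > nbytes`) but sizes the allocation from the client struct (`size = sizeof(XDeviceAbsCalibState);`), and the two names differ only in the case of the first letter, which is easy to misread as a typo in a security fix. A one-line comment ahead of the switch would document the intent: `/* check the wire (x...) struct against nbytes, size the buffer from the client (X...) struct */`. The switch statement and the `out` label start and end outside the hunk.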
@@ -50,6 +50,17 @@ XIGrabDevice(Display* dpy, int deviceid, Window grab_window, Time time, if (_XiCheckExtInit(dpy, XInput_2_0, extinfo) == -1) return (NoSuchExtension); + if (mask->mask_len > INT_MAX - 3 || + (mask->mask_len + 3)/4 >= 0xffff) + return BadValue; + + /* mask->mask_len is in bytes, but we need 4-byte units on the wire, + * and they need to be padded with 0 */ + len = (mask->mask_len + 3)/4; + buff = calloc(4, len); + if (!buff) + return BadAlloc; + GetReq(XIGrabDevice, req); req->reqType = extinfo->codes->major_opcode; req->ReqType = X_XIGrabDevice; @@ -59,14 +70,9 @@ XIGrabDevice(Display* dpy, int deviceid, Window grab_window, Time time, req->grab_mode = grab_mode; req->paired_device_mode = paired_device_mode; req->owner_events = owner_events; - req->mask_len = (mask->mask_len + 3)/4; + req->mask_len = len; req->cursor = cursor; - - /* mask->mask_len is in bytes, but we need 4-byte units on the wire, - * and they need to be padded with 0 */ - len = req->mask_len; - buff = calloc(1, len * 4); memcpy(buff, mask->mask, mask->mask_len); SetReqLen(req, len, len); diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c index 53b4084..4ed2f09 100644 --- a/src/XIPassiveGrab.c +++ b/src/XIPassiveGrab.c @@ -51,6 +51,14 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail, if (_XiCheckExtInit(dpy, XInput_2_0, extinfo) == -1) return -1; + if (mask->mask_len > INT_MAX - 3 || + (mask->mask_len + 3)/4 >= 0xffff) + return -1; + + buff = calloc(4, (mask->mask_len + 3)/4); + if (!buff) + return -1; + GetReq(XIPassiveGrabDevice, req); req->reqType = extinfo->codes->major_opcode; req->ReqType = X_XIPassiveGrabDevice; @@ -68,7 +76,6 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail, len = req->mask_len + num_modifiers; SetReqLen(req, len, len); - buff = calloc(4, req->mask_len); memcpy(buff, mask->mask, mask->mask_len); Data(dpy, buff, req->mask_len * 4); for (i = 0; i < num_modifiers; i++) 
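Review bot: The new `return BadValue;` and `return BadAlloc;` leave XIGrabDevice directly after the extension check without releasing anything. LockDisplay is not visible in this hunk, but XISelectEvents in the same commit takes the lock before its extension check and exits through `goto out`; if XIGrabDevice does the same, both returns leave the display locked and a threaded client can deadlock on its next Xlib call. Put `UnlockDisplay(dpy);` and `SyncHandle();` ahead of each return, or route both through a shared exit label. The `return -1;` pair added to `_XIPassiveGrabDevice` in src/XIPassiveGrab.c has the same shape.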
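Review bot: The length guard added to `_XIPassiveGrabDevice` rejects values that are too large but not negative ones, and `mask_len` is a signed int. For -3 to -1 the expression `(mask->mask_len + 3)/4` is 0, so both tests pass, `calloc(4, 0)` may return a non-NULL pointer, and `memcpy(buff, mask->mask, mask->mask_len)` in the next hunk converts the length to a very large size_t. Adding `mask->mask_len < 0 ||` as the first term closes the gap; the identical guard in XIGrabDevice and in the XISelectEvents loop needs the same term.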
diff --git a/src/XISelEv.c b/src/XISelEv.c index 0471bef..55c0a6a 100644 --- a/src/XISelEv.c +++ b/src/XISelEv.c @@ -53,6 +53,8 @@ XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks) int i; int len = 0; int r = Success; + int max_mask_len = 0; + char *buff; XExtDisplayInfo *info = XInput_find_display(dpy); LockDisplay(dpy); @@ -60,6 +62,26 @@ XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks) r = NoSuchExtension; goto out; } + + for (i = 0; i < num_masks; i++) { + current = &masks[i]; + if (current->mask_len > INT_MAX - 3 || + (current->mask_len + 3)/4 >= 0xffff) { + r = -1; + goto out; + } + if (current->mask_len > max_mask_len) + max_mask_len = current->mask_len; + } + + /* max_mask_len is in bytes, but we need 4-byte units on the wire, + * and they need to be padded with 0 */ + buff = calloc(4, ((max_mask_len + 3)/4)); + if (!buff) { + r = -1; + goto out; + } + -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
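Review bot: `char *buff;` is declared without an initializer, while XISelectEvents has `goto out` exits that run before the `calloc` in the following hunk (the NoSuchExtension path and the new length check). If the code at `out:` releases `buff`, those early exits would free an indeterminate pointer; `char *buff = NULL;` makes every exit safe at no cost. The following hunk is cut off on this page and the `out` label lies outside it, so the placement of the free could not be checked.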

