ChangeLog | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ configure.ac | 8 ++++++- debian/changelog | 16 ++++++++++++++ debian/compat | 2 - debian/control | 3 +- debian/rules | 23 ++++++++------------ src/Makefile.am | 2 - src/XRes.c | 29 ++++++++++++++++++++++--- 8 files changed, 124 insertions(+), 21 deletions(-)
New commits: commit 121aebcdc6418919e2c18857b8128cffd7b2d408 Author: Julien Cristau <[email protected]> Date: Sun Aug 4 14:51:09 2013 +0200 Bump Standards-Version to 3.9.4, no changes needed. diff --git a/debian/changelog b/debian/changelog index bd01c2f..0933a3a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,7 @@ libxres (2:1.0.7-1) UNRELEASED; urgency=low * Bump debhelper compat level to 7. * Use dpkg-buildflags. * Disable silent build rules. + * Bump Standards-Version to 3.9.4, no changes needed. -- Julien Cristau <[email protected]> Sun, 04 Aug 2013 12:50:07 +0200 diff --git a/debian/control b/debian/control index 9229490..cea312a 100644 --- a/debian/control +++ b/debian/control @@ -15,7 +15,7 @@ Build-Depends: automake, libtool, xutils-dev (>= 1:7.5+4), -Standards-Version: 3.8.3 +Standards-Version: 3.9.4 Vcs-Git: git://git.debian.org/git/pkg-xorg/lib/libxres Vcs-Browser: http://git.debian.org/?p=pkg-xorg/lib/libxres.git commit 0c5aa272f60580b24d7876344b15b88d2ae1d6e6 Author: Julien Cristau <[email protected]> Date: Sun Aug 4 12:56:29 2013 +0200 Disable silent build rules. diff --git a/debian/changelog b/debian/changelog index 6610a66..bd01c2f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,7 @@ libxres (2:1.0.7-1) UNRELEASED; urgency=low * New upstream release. * Bump debhelper compat level to 7. * Use dpkg-buildflags. + * Disable silent build rules. -- Julien Cristau <[email protected]> Sun, 04 Aug 2013 12:50:07 +0200 diff --git a/debian/rules b/debian/rules index 5e082e2..4547366 100755 --- a/debian/rules +++ b/debian/rules @@ -36,10 +36,14 @@ build-stamp: configure $(STAMP_DIR)/genscripts dh_testdir mkdir -p build cd build && \ - ../configure --prefix=/usr --mandir=\$${prefix}/share/man \ - --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ - --infodir=\$${prefix}/share/info $(confflags) \ - $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure) + ../configure \ + --prefix=/usr \ + --mandir=\$${prefix}/share/man \ + --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ + --infodir=\$${prefix}/share/info \ + --disable-silent-rules \ + $(confflags) \ + $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure) cd build && $(MAKE) >$@ commit 79bdb577b7182cca0e9b5465cc31b0cbdf173cc2 Author: Julien Cristau <[email protected]> Date: Sun Aug 4 12:55:01 2013 +0200 Use dpkg-buildflags. diff --git a/debian/changelog b/debian/changelog index b8c9cf3..6610a66 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ libxres (2:1.0.7-1) UNRELEASED; urgency=low * New upstream release. * Bump debhelper compat level to 7. + * Use dpkg-buildflags. -- Julien Cristau <[email protected]> Sun, 04 Aug 2013 12:50:07 +0200 diff --git a/debian/control b/debian/control index 74f0e45..9229490 100644 --- a/debian/control +++ b/debian/control @@ -4,6 +4,7 @@ Priority: optional Maintainer: Debian X Strike Force <[email protected]> Uploaders: Drew Parsons <[email protected]>, Cyril Brulebois <[email protected]> Build-Depends: + dpkg-dev (>= 1.16.1), debhelper (>= 8.1.3), libx11-dev (>= 1:0.99.2), libxext-dev (>= 1:0.99.1), diff --git a/debian/rules b/debian/rules index 810a927..5e082e2 100755 --- a/debian/rules +++ b/debian/rules @@ -12,12 +12,6 @@ PACKAGE = libxres1 include debian/xsfbs/xsfbs.mk -CFLAGS = -Wall -g -ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 -else - CFLAGS += -O2 -endif ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) MAKEFLAGS += -j$(NUMJOBS) @@ -45,7 +39,7 @@ build-stamp: configure $(STAMP_DIR)/genscripts ../configure --prefix=/usr --mandir=\$${prefix}/share/man \ --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ --infodir=\$${prefix}/share/info $(confflags) \ - CFLAGS="$(CFLAGS)" + $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure) cd build && $(MAKE) >$@ commit badf86ebe2347c1025d5df82cb50626c01444f28 Author: Julien Cristau <[email protected]> Date: Sun Aug 4 12:50:54 2013 +0200 Bump debhelper compat level to 7. diff --git a/debian/changelog b/debian/changelog index 8231a31..b8c9cf3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ libxres (2:1.0.7-1) UNRELEASED; urgency=low * New upstream release. + * Bump debhelper compat level to 7. -- Julien Cristau <[email protected]> Sun, 04 Aug 2013 12:50:07 +0200 diff --git a/debian/compat b/debian/compat index 7ed6ff8..7f8f011 100644 --- a/debian/compat +++ b/debian/compat @@ -1 +1 @@ -5 +7 diff --git a/debian/rules b/debian/rules index 459f24a..810a927 100755 --- a/debian/rules +++ b/debian/rules @@ -51,7 +51,6 @@ build-stamp: configure $(STAMP_DIR)/genscripts clean: xsfclean dh_testdir - rm -f build-stamp rm -f config.cache config.log config.status rm -f */config.cache */config.log */config.status rm -f conftest* */conftest* @@ -77,9 +76,9 @@ binary-arch: build install dh_testroot dh_installdocs - dh_install --sourcedir=debian/tmp --fail-missing --exclude=libXRes.la + dh_install --fail-missing --exclude=libXRes.la dh_installman - dh_installchangelogs ChangeLog + dh_installchangelogs dh_link dh_strip --dbg-package=$(PACKAGE)-dbg dh_compress commit 318f792fa45a68026260172f916613396c8f56aa Author: Julien Cristau <[email protected]> Date: Sun Aug 4 12:50:24 2013 +0200 Bump changelogs diff --git a/ChangeLog b/ChangeLog index 5832f59..bfd4c59 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,65 @@ +commit b51a7b0ccf0d5ccb53fbd5d34ed8fe57603d2604 +Author: Alan Coopersmith <[email protected]> +Date: Thu May 30 17:51:12 2013 -0700 + + libXres 1.0.7 + + Signed-off-by: Alan Coopersmith <[email protected]> + +commit ad156a716a324ee60362c8ba66a5ed8c835c219b +Author: Alan Coopersmith <[email protected]> +Date: Fri Apr 12 23:36:13 2013 -0700 + + integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2] + + The CARD32 rep.num_types needs to be bounds checked before multiplying + by sizeof(XResType) to avoid integer overflow leading to underallocation + and writing data from the network past the end of the allocated buffer. + + Reported-by: Ilja Van Sprundel <[email protected]> + Signed-off-by: Alan Coopersmith <[email protected]> + +commit 3ec2db9eeb9ba8fb561802b0c4b8bf79e321b7a2 +Author: Alan Coopersmith <[email protected]> +Date: Fri Apr 12 23:36:13 2013 -0700 + + integer overflow in XResQueryClients() [CVE-2013-1988 1/2] + + The CARD32 rep.num_clients needs to be bounds checked before multiplying + by sizeof(XResClient) to avoid integer overflow leading to underallocation + and writing data from the network past the end of the allocated buffer. + + Reported-by: Ilja Van Sprundel <[email protected]> + Signed-off-by: Alan Coopersmith <[email protected]> + +commit 95b352b0f4a1ab1bc254e78adbc73cd65223ded4 +Author: Alan Coopersmith <[email protected]> +Date: Sat Apr 13 10:34:22 2013 -0700 + + Use _XEatDataWords to avoid overflow of rep.length shifting + + rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds + + Signed-off-by: Alan Coopersmith <[email protected]> + +commit d54acff47096cf52a9b8e018a26f7165e1092eb5 +Author: Alan Coopersmith <[email protected]> +Date: Fri Jan 18 23:06:20 2013 -0800 + + Replace deprecated Automake INCLUDES variable with AM_CPPFLAGS + + Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html + + - Support for the long-deprecated INCLUDES variable will be removed + altogether in Automake 1.14. The AM_CPPFLAGS variable should be + used instead. + + This variable was deprecated in Automake releases prior to 1.10, which is + the current minimum level required to build X. + + Signed-off-by: Alan Coopersmith <[email protected]> + (cherry picked from commit 83e7693515369d57dcd11c2bb1f03563f51bc500) + commit e6e0e02e4bf764fa58798540793bdeb44a60cc7f Author: Alan Coopersmith <[email protected]> Date: Wed Mar 7 20:53:56 2012 -0800 diff --git a/debian/changelog b/debian/changelog index 0f06b6a..8231a31 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +libxres (2:1.0.7-1) UNRELEASED; urgency=low + + * New upstream release. + + -- Julien Cristau <[email protected]> Sun, 04 Aug 2013 12:50:07 +0200 + libxres (2:1.0.6-1+deb7u1) wheezy-security; urgency=high * integer overflows calculating memory needs for replies [CVE-2013-1988] commit b51a7b0ccf0d5ccb53fbd5d34ed8fe57603d2604 Author: Alan Coopersmith <[email protected]> Date: Thu May 30 17:51:12 2013 -0700 libXres 1.0.7 Signed-off-by: Alan Coopersmith <[email protected]> diff --git a/configure.ac b/configure.ac index 10e47d2..fc92739 100644 --- a/configure.ac +++ b/configure.ac @@ -29,7 +29,7 @@ AC_PREREQ([2.60]) # digit in the version number to track changes which don't affect the # protocol, so XRes version l.n.m corresponds to protocol version l.n # -AC_INIT([libXres], [1.0.6], +AC_INIT([libXres], [1.0.7], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXres]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h]) commit ad7f2cb02dd3fa13f7fcfeae2d2f40df2729bb0e Author: Julien Cristau <[email protected]> Date: Tue May 14 00:32:27 2013 +0200 Upload to wheezy-security diff --git a/debian/changelog b/debian/changelog index 82adc6c..0f06b6a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +libxres (2:1.0.6-1+deb7u1) wheezy-security; urgency=high + + * integer overflows calculating memory needs for replies [CVE-2013-1988] + + -- Julien Cristau <[email protected]> Tue, 14 May 2013 00:32:14 +0200 + libxres (2:1.0.6-1) unstable; urgency=low * Remove Andres, David and Brice from Uploaders. commit 1205f5ae76cc0114694f31ed24313f225eabb678 Author: Alan Coopersmith <[email protected]> Date: Fri Apr 12 23:36:13 2013 -0700 integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2] The CARD32 rep.num_types needs to be bounds checked before multiplying by sizeof(XResType) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> Signed-off-by: Julien Cristau <[email protected]> diff --git a/src/XRes.c b/src/XRes.c index 5117321..ff21dd4 100644 --- a/src/XRes.c +++ b/src/XRes.c @@ -186,7 +186,12 @@ Status XResQueryClientResources ( } if(rep.num_types) { - if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) { + if (rep.num_types < (INT_MAX / sizeof(XResType))) + typs = Xmalloc(sizeof(XResType) * rep.num_types); + else + typs = NULL; + + if (typs != NULL) { xXResType scratch; int i; commit 04762076eb40d1ea06e0c091ef6348b421dc709d Author: Alan Coopersmith <[email protected]> Date: Fri Apr 12 23:36:13 2013 -0700 integer overflow in XResQueryClients() [CVE-2013-1988 1/2] The CARD32 rep.num_clients needs to be bounds checked before multiplying by sizeof(XResClient) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> Signed-off-by: Julien Cristau <[email protected]> diff --git a/src/XRes.c b/src/XRes.c index ae86206..5117321 100644 --- a/src/XRes.c +++ b/src/XRes.c @@ -129,7 +129,12 @@ Status XResQueryClients ( } if(rep.num_clients) { - if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) { + if (rep.num_clients < (INT_MAX / sizeof(XResClient))) + clnts = Xmalloc(sizeof(XResClient) * rep.num_clients); + else + clnts = NULL; + + if (clnts != NULL) { xXResClient scratch; int i; commit 330eb63c6f7526cf65ccf41d35411ebd24f4165a Author: Alan Coopersmith <[email protected]> Date: Sat Apr 13 10:34:22 2013 -0700 Use _XEatDataWords to avoid overflow of rep.length shifting rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds Signed-off-by: Alan Coopersmith <[email protected]> Signed-off-by: Julien Cristau <[email protected]> diff --git a/configure.ac b/configure.ac index bc4e8a6..10e47d2 100644 --- a/configure.ac +++ b/configure.ac @@ -55,6 +55,12 @@ RES_VERSION=[`echo $VERSION | sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/'`] # Obtain compiler/linker options for depedencies PKG_CHECK_MODULES(XRES, x11 xext xextproto [resourceproto >= $RES_VERSION]) +# Check for _XEatDataWords function that may be patched into older Xlib release +SAVE_LIBS="$LIBS" +LIBS="$XRES_LIBS" +AC_CHECK_FUNCS([_XEatDataWords]) +LIBS="$SAVE_LIBS" + AC_CONFIG_FILES([Makefile src/Makefile man/Makefile diff --git a/src/XRes.c b/src/XRes.c index 6091c96..ae86206 100644 --- a/src/XRes.c +++ b/src/XRes.c @@ -12,7 +12,18 @@ #include <X11/extensions/extutil.h> #include <X11/extensions/XResproto.h> #include <X11/extensions/XRes.h> +#include <limits.h> +#ifndef HAVE__XEATDATAWORDS +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif static XExtensionInfo _xres_ext_info_data; static XExtensionInfo *xres_ext_info = &_xres_ext_info_data; @@ -131,7 +142,7 @@ Status XResQueryClients ( *num_clients = rep.num_clients; result = 1; } else { - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } } @@ -183,7 +194,7 @@ Status XResQueryClientResources ( *num_types = rep.num_types; result = 1; } else { - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } } commit ad156a716a324ee60362c8ba66a5ed8c835c219b Author: Alan Coopersmith <[email protected]> Date: Fri Apr 12 23:36:13 2013 -0700 integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2] The CARD32 rep.num_types needs to be bounds checked before multiplying by sizeof(XResType) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> diff --git a/src/XRes.c b/src/XRes.c index 5117321..ff21dd4 100644 --- a/src/XRes.c +++ b/src/XRes.c @@ -186,7 +186,12 @@ Status XResQueryClientResources ( } if(rep.num_types) { - if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) { + if (rep.num_types < (INT_MAX / sizeof(XResType))) + typs = Xmalloc(sizeof(XResType) * rep.num_types); + else + typs = NULL; + + if (typs != NULL) { xXResType scratch; int i; commit 3ec2db9eeb9ba8fb561802b0c4b8bf79e321b7a2 Author: Alan Coopersmith <[email protected]> Date: Fri Apr 12 23:36:13 2013 -0700 integer overflow in XResQueryClients() [CVE-2013-1988 1/2] The CARD32 rep.num_clients needs to be bounds checked before multiplying by sizeof(XResClient) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> diff --git a/src/XRes.c b/src/XRes.c index ae86206..5117321 100644 --- a/src/XRes.c +++ b/src/XRes.c @@ -129,7 +129,12 @@ Status XResQueryClients ( } if(rep.num_clients) { - if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) { + if (rep.num_clients < (INT_MAX / sizeof(XResClient))) + clnts = Xmalloc(sizeof(XResClient) * rep.num_clients); + else + clnts = NULL; + + if (clnts != NULL) { xXResClient scratch; int i; commit 95b352b0f4a1ab1bc254e78adbc73cd65223ded4 Author: Alan Coopersmith <[email protected]> Date: Sat Apr 13 10:34:22 2013 -0700 Use _XEatDataWords to avoid overflow of rep.length shifting rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds Signed-off-by: Alan Coopersmith <[email protected]> diff --git a/configure.ac b/configure.ac index bc4e8a6..10e47d2 100644 --- a/configure.ac +++ b/configure.ac @@ -55,6 +55,12 @@ RES_VERSION=[`echo $VERSION | sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/'`] # Obtain compiler/linker options for depedencies PKG_CHECK_MODULES(XRES, x11 xext xextproto [resourceproto >= $RES_VERSION]) +# Check for _XEatDataWords function that may be patched into older Xlib release +SAVE_LIBS="$LIBS" +LIBS="$XRES_LIBS" +AC_CHECK_FUNCS([_XEatDataWords]) +LIBS="$SAVE_LIBS" + AC_CONFIG_FILES([Makefile src/Makefile man/Makefile diff --git a/src/XRes.c b/src/XRes.c index 6091c96..ae86206 100644 --- a/src/XRes.c +++ b/src/XRes.c @@ -12,7 +12,18 @@ #include <X11/extensions/extutil.h> #include <X11/extensions/XResproto.h> #include <X11/extensions/XRes.h> +#include <limits.h> +#ifndef HAVE__XEATDATAWORDS +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif static XExtensionInfo _xres_ext_info_data; static XExtensionInfo *xres_ext_info = &_xres_ext_info_data; @@ -131,7 +142,7 @@ Status XResQueryClients ( *num_clients = rep.num_clients; result = 1; } else { - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } } @@ -183,7 +194,7 @@ Status XResQueryClientResources ( *num_types = rep.num_types; result = 1; } else { - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } } commit d54acff47096cf52a9b8e018a26f7165e1092eb5 Author: Alan Coopersmith <[email protected]> Date: Fri Jan 18 23:06:20 2013 -0800 Replace deprecated Automake INCLUDES variable with AM_CPPFLAGS Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html - Support for the long-deprecated INCLUDES variable will be removed altogether in Automake 1.14. The AM_CPPFLAGS variable should be used instead. This variable was deprecated in Automake releases prior to 1.10, which is the current minimum level required to build X. Signed-off-by: Alan Coopersmith <[email protected]> (cherry picked from commit 83e7693515369d57dcd11c2bb1f03563f51bc500) diff --git a/src/Makefile.am b/src/Makefile.am index fd508da..bf66d68 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -10,7 +10,7 @@ AM_CFLAGS = \ $(XRES_CFLAGS) \ $(MALLOC_ZERO_CFLAGS) -INCLUDES = -I$(top_srcdir)/include +AM_CPPFLAGS = -I$(top_srcdir)/include libXRes_la_LDFLAGS = -version-number 1:0:0 -no-undefined -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
