FYI. libwayland-cursor0 has a bunch of reverse deps in stretch so this may be of interest, though I'm not sure in which cases there's a security boundary being crossed. (And we should fix this in sid in any case.)
-------- Forwarded Message -------- Subject: libwayland-cursor heap overflow fix Date: Wed, 29 Nov 2017 11:39:09 +0200 From: Pekka Paalanen <[email protected]> To: [email protected] CC: [email protected] <[email protected]>
--Sig_/xB3GJvChK+eko+ekfi/KLUH Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Hi all, I would like to bring to your attention a patch I have just merged into wayland master: https://cgit.freedesktop.org/wayland/wayland/commit/?id=3D5d201df72f3d4f4cb= 8b8f75f980169b03507da38 commit 5d201df72f3d4f4cb8b8f75f980169b03507da38 Author: Tobias Stoeckmann <[email protected]> Date: Tue Nov 28 21:38:07 2017 +0100 cursor: Fix heap overflows when parsing malicious files. =20 It is possible to trigger heap overflows due to an integer overflow while parsing images. =20 The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads. =20 See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id= =3D4794b5dd34688158fb51a2943032569d3780c4b8 Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=3D103961 =20 Signed-off-by: Tobias Stoeckmann <[email protected]> [Pekka: add link to the corresponding libXcursor commit] Signed-off-by: Pekka Paalanen <[email protected]> This fix is not yet in any release, so would be nice if distributions cherry-picked this into what they ship, the pick should be trivial for any release so far. The issue has existed in libwayland-cursor ever since it was introduced, before wayland 1.0.0 release. Thanks, pq --Sig_/xB3GJvChK+eko+ekfi/KLUH Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEJQjwWQChkWOYOIONI1/ltBGqqqcFAloegD0ACgkQI1/ltBGq qqea9w/9G4EZ6g/+fg9b5TG4CqOwDOr7w3ULcLiqwatXe/MSNBO1/urm38R4a71X bGijjpALD3oz3knINmstCgsOTPQtmvSRJ+3UKIwnm9CZEt0mABK4s9ayIii4F8tN FnVigBksylewmTd/szD+RrwQJssU6E1IDqCwcGPJEvGMk8IKBaEZJr/ITVDlWNOY HdqVgVkz/LlyqreW8UJ3zrcUaLA6//n7lc67Ht857Qi0DvpGFdtkz05Lgoh4nvx1 zlqvKwA8iEZ5IwSmKmgkoS6saaKKhPXfG/yf0zkKlO2+IrjDlgq5XV4SW5InvssA Clp7398BiB8OQ7tLVvkG7nMULULe+owJPRMCGOgtQ32sSO47/Mv5ixFpkxCA+23E YJGqyrnMZDOeAN1mJ9tFDCNFFEWRnAKjJeiWQclfTCiLE3FDyrGfOEt3rDSnQods mYAIFrIpnJzokK8kaf1YGtygweTJemAn5eB5kOJ4Jzf9TFvuTSODy4673+kTOxwW OFerdlH/s+vdP71ZkA4ZpHfaD6YsoePyYLazEZtDdhX5L0kIPB6IFbedqbUQgNBw U00TJtUWx2sAvD/Q4r7D0U6fYUHW3YzBXH0Nn9X0SA0sVxVaseo3DL0cNpsFuPOy RrxQEV/wkE+Z+Stc1Pl4stNYicxUNBlxMVclM87RKKqXfT9R0E0= =bHlf -----END PGP SIGNATURE----- --Sig_/xB3GJvChK+eko+ekfi/KLUH--
_______________________________________________ xorg-security mailing list [email protected] https://lists.x.org/mailman/listinfo/xorg-security
