The XGetImage function in X.org libX11 before 1.6.4 might allow remote X
servers to gain privileges via vectors involving image type and geometry,
which triggers out-of-bounds read operations.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
Upstream patch
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../xorg-lib/libx11/CVE-2016-7942.patch            | 69 ++++++++++++++++++++++
 meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb     |  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
new file mode 100644
index 0000000..f5b4d69
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
@@ -0,0 +1,69 @@
+From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:25:25 +0200
+Subject: Validation of server responses in XGetImage()
+
+Check if enough bytes were received for specified image type and
+geometry. Otherwise GetPixel and other functions could trigger an
+out of boundary read later on.
+
+CVE: CVE-2016-7942
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matth...@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff --git a/src/GetImage.c b/src/GetImage.c
+index c461abc..ff32d58 100644
+--- a/src/GetImage.c
++++ b/src/GetImage.c
+@@ -59,6 +59,7 @@ XImage *XGetImage (
+       char *data;
+       unsigned long nbytes;
+       XImage *image;
++      int planes;
+       LockDisplay(dpy);
+       GetReq (GetImage, req);
+       /*
+@@ -91,18 +92,28 @@ XImage *XGetImage (
+           return (XImage *) NULL;
+       }
+         _XReadPad (dpy, data, nbytes);
+-        if (format == XYPixmap)
+-         image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+-                Ones (plane_mask &
+-                      (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+-                format, 0, data, width, height, dpy->bitmap_pad, 0);
+-      else /* format == ZPixmap */
+-           image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+-               rep.depth, ZPixmap, 0, data, width, height,
+-                _XGetScanlinePad(dpy, (int) rep.depth), 0);
++        if (format == XYPixmap) {
++          image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
++              Ones (plane_mask &
++                  (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
++              format, 0, data, width, height, dpy->bitmap_pad, 0);
++          planes = image->depth;
++      } else { /* format == ZPixmap */
++            image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
++              rep.depth, ZPixmap, 0, data, width, height,
++                  _XGetScanlinePad(dpy, (int) rep.depth), 0);
++          planes = 1;
++      }
+ 
+       if (!image)
+           Xfree(data);
++      if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
++          INT_MAX / image->height <= image->bytes_per_line ||
++          INT_MAX / planes <= image->height * image->bytes_per_line ||
++          nbytes < planes * image->height * image->bytes_per_line) {
++          XDestroyImage(image);
++          image = NULL;
++      }
+       UnlockDisplay(dpy);
+       SyncHandle();
+       return (image);
+-- 
+cgit v0.10.2
+
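Review bot: The validation block added at the end of the embedded patch's second hunk dereferences `image` after the preceding `if (!image) Xfree(data);` has already handled the failure case, so when XCreateImage() returns NULL the new code reads `image->height` through a NULL pointer and then calls `XDestroyImage(NULL)`. The guard should be chained to the NULL check instead of running unconditionally: `if (!image) { Xfree(data); } else if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||` with the remainder of the condition unchanged. The size check itself is the right shape: the product planes * height * bytes_per_line is bounded against INT_MAX before it is compared with nbytes, so a server-supplied reply that is shorter than the advertised geometry now yields NULL rather than an over-read in GetPixel and friends. The enclosing XGetImage() body starts and ends outside this hunk.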
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb 
b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
index 8e531c7..152ccd9 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
@@ -5,6 +5,7 @@ BBCLASSEXTEND = "native nativesdk"
 
 SRC_URI += "file://disable_tests.patch \
             file://libX11-Add-missing-NULL-check.patch \
+            file://CVE-2016-7942.patch \
            "
 
 SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0"
-- 
1.9.1
