Hello community, here is the log from the commit of package libXcursor for openSUSE:Factory checked in at 2017-12-03 10:08:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libXcursor (Old) and /work/SRC/openSUSE:Factory/.libXcursor.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXcursor" Sun Dec 3 10:08:56 2017 rev:10 rq:546296 version:1.1.14 Changes: -------- --- /work/SRC/openSUSE:Factory/libXcursor/libXcursor.changes 2014-05-05 21:09:57.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libXcursor.new/libXcursor.changes 2017-12-03 10:08:57.328730912 +0100 @@ -1,0 +2,8 @@ +Tue Nov 28 19:08:11 UTC 2017 - sndir...@suse.com + +- U_Avoid-heap-overflows-due-to-integer-overflow-signedn.patch + * It is possible to trigger heap overflows due to an integer + overflow while parsing images and a signedness issue while + parsing comments. [CVE-2017-16612] (bsc#1065386) + +------------------------------------------------------------------- New: ---- U_Avoid-heap-overflows-due-to-integer-overflow-signedn.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXcursor.spec ++++++ --- /var/tmp/diff_new_pack.O2W4N5/_old 2017-12-03 10:08:57.816713169 +0100 +++ /var/tmp/diff_new_pack.O2W4N5/_new 2017-12-03 10:08:57.816713169 +0100 @@ -1,7 +1,7 @@ # # spec file for package libXcursor # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,6 +28,8 @@ #Git-Clone: git://anongit.freedesktop.org/xorg/lib/libXcursor #Git-Web: http://cgit.freedesktop.org/xorg/lib/libXcursor/ Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2 +Source1: baselibs.conf +Patch0: U_Avoid-heap-overflows-due-to-integer-overflow-signedn.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build #git#BuildRequires: autoconf >= 2.60, automake, libtool BuildRequires: fdupes @@ -71,6 +73,7 @@ %prep %setup -q +%patch0 -p1 %build %configure --disable-static ++++++ U_Avoid-heap-overflows-due-to-integer-overflow-signedn.patch ++++++ >From 77a4331570c660ebee77f19eb385911299948422 Mon Sep 17 00:00:00 2001 From: Stefan Dirsch <sndir...@suse.de> Date: Tue, 21 Nov 2017 16:50:56 +0100 Subject: [PATCH] Avoid heap overflows due to integer overflow + signedness issue [CVE-2017-16612] It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads. The signedness bug is triggered by reading the length of a comment as unsigned int, but casting it to int when calling the function XcursorCommentCreate. Turning length into a negative value allows the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following addition of sizeof (XcursorComment) + 1 makes it possible to allocate less memory than needed for subsequent reads. Signed-off-by: Tobias Stoeckmann --- src/file.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/file.c b/src/file.c index 43163c2..da16277 100644 --- a/src/file.c +++ b/src/file.c @@ -29,6 +29,11 @@ XcursorImageCreate (int width, int height) { XcursorImage *image; + if (width < 0 || height < 0) + return NULL; + if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) + return NULL; + image = malloc (sizeof (XcursorImage) + width * height * sizeof (XcursorPixel)); if (!image) @@ -101,7 +106,7 @@ XcursorCommentCreate (XcursorUInt comment_type, int length) { XcursorComment *comment; - if (length > XCURSOR_COMMENT_MAX_LEN) + if (length < 0 || length > XCURSOR_COMMENT_MAX_LEN) return NULL; comment = malloc (sizeof (XcursorComment) + length + 1); @@ -448,7 +453,8 @@ _XcursorReadImage (XcursorFile *file, if (!_XcursorReadUInt (file, &head.delay)) return NULL; /* sanity check data */ - if (head.width >= 0x10000 || head.height > 0x10000) + if (head.width > XCURSOR_IMAGE_MAX_SIZE || + head.height > XCURSOR_IMAGE_MAX_SIZE) return NULL; if (head.width == 0 || head.height == 0) return NULL; @@ -457,6 +463,8 @@ _XcursorReadImage (XcursorFile *file, /* Create the image and initialize it */ image = XcursorImageCreate (head.width, head.height); + if (image == NULL) + return NULL; if (chunkHeader.version < image->version) image->version = chunkHeader.version; image->size = chunkHeader.subtype; -- 2.13.6
