Hello community,

here is the log from the commit of package libXp.1717 for openSUSE:12.3:Update 
checked in at 2013-06-19 11:58:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/libXp.1717 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.libXp.1717.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libXp.1717"

Changes:
--------
New Changes file:

--- /dev/null   2013-06-19 06:36:38.484029756 +0200
+++ /work/SRC/openSUSE:12.3:Update/.libXp.1717.new/libXp.changes        
2013-06-19 11:58:15.000000000 +0200
@@ -0,0 +1,104 @@
+-------------------------------------------------------------------
+Tue Jun 11 10:14:43 UTC 2013 - sndir...@suse.com
+
+- definition of _XEatDataWords() was still missing in patches
+  below 
+
+-------------------------------------------------------------------
+Fri May 31 12:20:47 UTC 2013 - sndir...@suse.com
+
+- U_0001-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch,
+  U_0002-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch,
+  U_0003-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch
+  * integer overflow(s) in XpGetAttributes/XpGetOneAttribute, 
+    XpGetPrinterList() and XpQueryScreens() [CVE-2013-2062]
+    (bnc#821668, bnc#815451)
+
+-------------------------------------------------------------------
+Wed Apr 11 15:29:47 UTC 2012 - vu...@opensuse.org
+
+- Update to version 1.0.1:
+  + Fix compiler warnings
+  + Build fixes
+  + Build configuration improvements
+- Add pkgconfig(xorg-macros) BuildRequires: new dependency
+  upstream.
+
+-------------------------------------------------------------------
+Sun Feb 12 00:57:07 UTC 2012 - jeng...@medozas.de
+
+- Rename xorg-x11-libXext to libXext and utilize shlib policy
+
+-------------------------------------------------------------------
+Tue Dec 21 02:46:09 UTC 2010 - sndir...@novell.com
+
+- bumped version number to 7.6 
+
+-------------------------------------------------------------------
+Fri Apr  2 18:04:02 CEST 2010 - sndir...@suse.de
+
+- bumped version number to 7.5 
+
+-------------------------------------------------------------------
+Mon Dec 14 19:59:10 CET 2009 - jeng...@medozas.de
+
+- add baselibs.conf as a source
+
+-------------------------------------------------------------------
+Sat Nov 14 03:05:30 CET 2009 - sndir...@suse.de
+
+- fixed build 
+
+-------------------------------------------------------------------
+Sat May  2 17:17:24 CEST 2009 - e...@suse.de
+
+- revert static library and .la file removal
+  for SUSE versions <= 11.1.
+
+-------------------------------------------------------------------
+Tue Apr 21 19:53:12 CEST 2009 - crrodrig...@suse.de
+
+- remove sttaic libraries and "la" files
+- run ldconfig in postun 
+
+-------------------------------------------------------------------
+Thu Sep 11 14:21:48 CEST 2008 - sndir...@suse.de
+
+- bumped release number to 7.4 
+
+-------------------------------------------------------------------
+Thu Apr 10 12:54:45 CEST 2008 - r...@suse.de
+
+- added baselibs.conf file to build xxbit packages
+  for multilib support
+
+-------------------------------------------------------------------
+Sat Sep 29 12:23:36 CEST 2007 - sndir...@suse.de
+
+- bumped version to 7.3 
+
+-------------------------------------------------------------------
+Thu Oct 26 07:29:01 CEST 2006 - sndir...@suse.de
+
+- set version to 7.2 in specfile 
+
+-------------------------------------------------------------------
+Wed Aug  2 16:12:20 CEST 2006 - sndir...@suse.de
+
+- fix setup line 
+
+-------------------------------------------------------------------
+Fri Jul 28 14:44:38 CEST 2006 - sndir...@suse.de
+
+- use "-fno-strict-aliasing" 
+
+-------------------------------------------------------------------
+Thu Jul 27 11:46:33 CEST 2006 - sndir...@suse.de
+
+- use $RPM_OPT_FLAGS 
+
+-------------------------------------------------------------------
+Fri Jun 23 16:46:38 CEST 2006 - sndir...@suse.de
+
+- created package 
+

New:
----
  U_0001-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
  U_0002-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
  U_0003-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch
  baselibs.conf
  libXp-1.0.1.tar.bz2
  libXp.changes
  libXp.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libXp.spec ++++++
#
# spec file for package libXp
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


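Name:           libXp
%define lname   libXp6
Version:        1.0.1
Release:        0
Summary:        X Printing Extension client library
License:        MIT
Group:          Development/Libraries/C and C++
Url:            http://xorg.freedesktop.org/

#Git-Clone:     git://anongit.freedesktop.org/xorg/lib/libXp
#Git-Web:       http://cgit.freedesktop.org/xorg/lib/libXp/
Source:         http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
# Upstream fixes for CVE-2013-2062 (bnc#821668, bnc#815451): integer
# overflows when sizing buffers from reply lengths in
# XpGetAttributes/XpGetOneAttribute, XpGetPrinterList() and XpQueryScreens().
# Patch0 also adds src/eat.h, a fallback _XEatDataWords() used when the
# installed libX11 does not provide one; Patch1 and Patch2 include that header.
Patch0:         U_0001-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
Patch1:         U_0002-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch
Patch2:         U_0003-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
#git#BuildRequires:     autoconf >= 2.57, automake, libtool
BuildRequires:  pkgconfig
BuildRequires:  pkgconfig(printproto)
BuildRequires:  pkgconfig(x11)
BuildRequires:  pkgconfig(xau)
BuildRequires:  pkgconfig(xext)
BuildRequires:  pkgconfig(xextproto)
# New upstream build dependency since 1.0.1.
BuildRequires:  pkgconfig(xorg-macros) >= 1.8

%description
libXp provides APIs to allow client applications to render to
non-display devices.

%package -n %lname
# Shared-library subpackage named after the SONAME (libXp.so.6) per the
# shlib packaging policy; Provides/Obsoletes keep upgrades from the old
# xorg-x11-libXp package name working.
Summary:        X Printing Extension client library
Group:          System/Libraries
# O/P added for 12.2
Provides:       xorg-x11-libXp = 7.6_%version-%release
Obsoletes:      xorg-x11-libXp < 7.6_%version-%release

%description -n %lname
libXp provides APIs to allow client applications to render to
non-display devices.

%package devel
Summary:        Development files for the X Printing Extension library
Group:          Development/Libraries/C and C++
Requires:       %lname = %version
# O/P added for 12.2
Provides:       xorg-x11-libXp-devel = 7.6_%version-%release
Obsoletes:      xorg-x11-libXp-devel < 7.6_%version-%release

%description devel
libXp provides APIs to allow client applications to render to
non-display devices.

This package contains the development headers for the library found
in %lname.

%prep
%setup -q
# Apply in order: Patch0 adds src/eat.h, which Patch1 and Patch2 include.
%patch0 -p1
%patch1 -p1
%patch2 -p1

%build
# Only the shared library is built; static archives are not packaged.
%configure --disable-static
make %{?_smp_mflags}

%install
%makeinstall
# libtool archives are not shipped.
rm -f "%buildroot/%_libdir"/*.la

# Refresh the dynamic linker cache when the shared library is installed or removed.
%post -n %lname -p /sbin/ldconfig

%postun -n %lname -p /sbin/ldconfig

%files -n %lname
%defattr(-,root,root)
%_libdir/libXp.so.6*

%files devel
%defattr(-,root,root)
%_libdir/libXp.so
%_libdir/pkgconfig/xp.pc
%_mandir/man3/*

%changelog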
++++++ U_0001-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch ++++++
>From babb1fc823ab3be192c48fe115feeb0d57f74d05 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Fri, 26 Apr 2013 23:59:25 -0700
Subject: [PATCH] integer overflow in XpGetAttributes & XpGetOneAttribute
 [CVE-2013-2062 1/3]

stringLen & valueLen are CARD32s and need to be bounds checked before adding
one to them to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network past
the end of the allocated buffer.

Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
---
 src/XpAttr.c | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

Index: libXp-1.0.1/src/XpAttr.c
===================================================================
--- libXp-1.0.1.orig/src/XpAttr.c
+++ libXp-1.0.1/src/XpAttr.c
@@ -48,6 +48,8 @@
 
 #include <stdio.h>
 #include <sys/stat.h>
+#include <limits.h>
+#include "eat.h"
 
 char *
 XpGetAttributes (
@@ -83,17 +85,18 @@ XpGetAttributes (
     /*
      * Read pool and return to caller.
      */
-    buf = Xmalloc( (unsigned) rep.stringLen + 1 );
+    if (rep.stringLen < INT_MAX)
+        buf = Xmalloc(rep.stringLen + 1);
+    else
+        buf = NULL;
 
     if (!buf) {
-        UnlockDisplay(dpy);
-        SyncHandle();
-        return( (char *) NULL ); /* malloc error */
+        _XEatDataWords(dpy, rep.length);
+    }
+    else {
+        _XReadPad (dpy, (char *) buf, rep.stringLen );
+        buf[rep.stringLen] = 0;
     }
-
-    _XReadPad (dpy, (char *) buf, (long) rep.stringLen );
-
-    buf[rep.stringLen] = 0;
 
     UnlockDisplay(dpy);
     SyncHandle();
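Review bot: The new bound `rep.stringLen < INT_MAX` at the top of the hunk carries no comment saying what it protects, and INT_MAX is not the obvious limit for an unsigned CARD32, so a reader will ask why it is not SIZE_MAX - 1. It guards the `+ 1` in the Xmalloc argument and keeps the value non-negative when it is handed to _XReadPad as a `long` length two lines later; a comment such as `/* bound stringLen so stringLen + 1 cannot wrap and the length stays a valid non-negative long for _XReadPad */` above the `if` would record that. The identical check in XpGetOneAttribute (hunk @@ -144,18 +147,18) deserves the same comment. With the early `return NULL` lines removed, both functions now rely on the code after the hunk returning the NULL `buf` on the eat path; that return is outside the hunk and worth confirming.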
@@ -144,18 +147,18 @@ XpGetOneAttribute (
     /*
      * Read variable answer.
      */
-    buf = Xmalloc( (unsigned) rep.valueLen + 1 );
+    if (rep.valueLen < INT_MAX)
+        buf = Xmalloc(rep.valueLen + 1);
+    else
+        buf = NULL;
 
     if (!buf) {
-        UnlockDisplay(dpy);
-        SyncHandle();
-        return( (char *) NULL ); /* malloc error */
+        _XEatDataWords(dpy, rep.length);
+    }
+    else {
+        _XReadPad (dpy, (char *) buf, rep.valueLen);
+        buf[rep.valueLen] = 0;
     }
-
-    buf[rep.valueLen] = 0;
-
-    _XReadPad (dpy, (char *) buf, (long) rep.valueLen );
-    buf[rep.valueLen] = 0;
 
     UnlockDisplay(dpy);
     SyncHandle();
Index: libXp-1.0.1/src/eat.h
===================================================================
--- /dev/null
+++ libXp-1.0.1/src/eat.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h>  /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
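Review bot: eat.h uses Display, _XEatData and _XIOError but does not include <X11/Xlibint.h> itself, so it only compiles when the includer has already pulled that header in; XpPrinter.c and XpScreens.c visibly do, but the XpAttr.c include hunk shows only stdio.h, sys/stat.h and limits.h ahead of it and whatever precedes line 48 there is not visible. Adding `#include <X11/Xlibint.h>` next to the Xmd.h include makes the header self-contained. The fallback is keyed on HAVE__XEATDATAWORDS, yet no configure.ac change is part of this patch (its diffstat lists only src/XpAttr.c), so on a build whose Xlibint.h already declares _XEatDataWords this static definition would clash with that declaration unless the probe defining the macro lands somewhere. An include guard is also missing; harmless while each file includes it once, but cheap to add.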
++++++ U_0002-integer-overflows-in-XpGetPrinterList-CVE-2013-2062-.patch ++++++
>From cc90f6be64bfd6973ae270b9bff494f577e1bda7 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Fri, 26 Apr 2013 23:59:25 -0700
Subject: [PATCH] integer overflows in XpGetPrinterList() [CVE-2013-2062 2/3]

listCount is a CARD32 that needs to be bounds checked before it is
multiplied by the size of the structs to allocate, and the string
lengths are CARD32s and need to be bounds checked before adding one
to them to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network
past the end of the allocated buffer.

Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
---
 src/XpPrinter.c | 43 +++++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 20 deletions(-)

Index: libXp-1.0.1/src/XpPrinter.c
===================================================================
--- libXp-1.0.1.orig/src/XpPrinter.c
+++ libXp-1.0.1/src/XpPrinter.c
@@ -42,6 +42,8 @@
 #include <X11/extensions/Printstr.h>
 #include <X11/Xlibint.h>
 #include "XpExtUtil.h"
+#include <limits.h>
+#include "eat.h"
 
 #define _XpPadOut(len) (((len) + 3) & ~3)
 
@@ -62,7 +64,7 @@ XpGetPrinterList (
     long       dataLenVR;
     CARD8      *dataVR;        /* aka STRING8 */
 
-    XPPrinterList ptr_list;
+    XPPrinterList ptr_list = NULL;
 
     XExtDisplayInfo *info = (XExtDisplayInfo *) xp_find_display (dpy);
 
@@ -128,13 +130,12 @@ XpGetPrinterList (
     *list_count = rep.listCount;
 
     if (*list_count) {
-       ptr_list = (XPPrinterList)
-               Xmalloc( (unsigned) (sizeof(XPPrinterRec) * (*list_count + 1)));
+       if (rep.listCount < (INT_MAX / sizeof(XPPrinterRec)))
+           ptr_list = Xmalloc(sizeof(XPPrinterRec) * (*list_count + 1));
 
        if (!ptr_list) {
-            UnlockDisplay(dpy);
-            SyncHandle();
-            return ( (XPPrinterList) NULL ); /* malloc error */
+           _XEatDataWords(dpy, rep.length);
+           goto out;
        }
 
        /*
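Review bot: On the new error path (`_XEatDataWords(dpy, rep.length); goto out;`) `*list_count` keeps the value assigned from `rep.listCount` at the top of the hunk, so the caller receives a NULL list together with a non-zero count. A caller that walks `*list_count` entries before checking the pointer would read through NULL; resetting it before the jump, `*list_count = 0;` ahead of `goto out;`, makes the error state consistent. The XpQueryScreens hunk of the third patch (@@ -82,19 +84,17) has the same sequence, with `*list_count = rep.listCount` left set before its `goto out`. XpGetPrinterList continues outside this hunk, and the original malloc-failure return had the same inconsistency, so this is a pre-existing gap rather than a regression.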
@@ -150,16 +151,17 @@ XpGetPrinterList (
            _XRead32 (dpy, &dataLenVR, (long) sizeof(CARD32) );
 
            if (dataLenVR) {
-               dataVR = (CARD8 *) Xmalloc( (unsigned) dataLenVR + 1 );
+               if (dataLenVR < INT_MAX)
+                   dataVR = Xmalloc(dataLenVR + 1);
+               else
+                   dataVR = NULL;
 
                if (!dataVR) {
-                   UnlockDisplay(dpy);
-                   SyncHandle();
-                   return ( (XPPrinterList) NULL ); /* malloc error */
+                   _XEatData(dpy, dataLenVR);
+               } else {
+                   _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
+                   dataVR[dataLenVR] = 0;
                }
-
-               _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
-               dataVR[dataLenVR] = 0;
                ptr_list[i].name = (char *) dataVR;
            }
            else {
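Review bot: The error branch `_XEatData(dpy, dataLenVR);` discards exactly dataLenVR bytes, while the success branch reads the same field with `_XReadPad`, which, as its name and the `_XpPadOut` macro at the top of this file indicate, also consumes the padding up to a 4-byte boundary. After an allocation failure the stream is therefore left up to three bytes short and the next `_XRead32` in the loop reads misaligned data for every remaining entry. Using `_XEatData(dpy, _XpPadOut(dataLenVR));` keeps both branches in step; the desc hunk below (@@ -172,16 +174,17) has the same branch. Separately, dataLenVR is declared `long` and filled by `_XRead32`; if that stores the wire CARD32 unchanged into a 32-bit long, a length with the top bit set arrives negative and passes `dataLenVR < INT_MAX`, so rejecting `dataLenVR < 0` in that condition would be prudent (this depends on how _XRead32 is defined for the platform).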
@@ -172,16 +174,17 @@ XpGetPrinterList (
            _XRead32 (dpy, &dataLenVR, (long) sizeof(CARD32) );
 
            if (dataLenVR) {
-               dataVR = (CARD8 *) Xmalloc( (unsigned) dataLenVR + 1 );
+               if (dataLenVR < INT_MAX)
+                   dataVR = Xmalloc(dataLenVR + 1);
+               else
+                   dataVR = NULL;
 
                if (!dataVR) {
-                   UnlockDisplay(dpy);
-                   SyncHandle();
-                   return ( (XPPrinterList) NULL ); /* malloc error */
+                   _XEatData(dpy, dataLenVR);
+               } else {
+                   _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
+                   dataVR[dataLenVR] = 0;
                }
-
-               _XReadPad (dpy, (char *) dataVR, (long) dataLenVR);
-               dataVR[dataLenVR] = 0;
                ptr_list[i].desc = (char *) dataVR;
            }
            else {
@@ -193,6 +196,7 @@ XpGetPrinterList (
        ptr_list = (XPPrinterList) NULL;
     }
 
+  out:
     UnlockDisplay(dpy);
     SyncHandle();
 
++++++ U_0003-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch ++++++
>From e111065f6dd790c820fa67ea31055b18c68481e3 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Fri, 26 Apr 2013 23:59:25 -0700
Subject: [PATCH] integer overflows in XpQueryScreens() [CVE-2013-2062 3/3]

listCount is a CARD32 that needs to be bounds checked before it is
multiplied by the size of the pointers to allocate, to avoid integer
overflow leading to underallocation and writing data from the network
past the end of the allocated buffer.

Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
---
 src/XpScreens.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

Index: libXp-1.0.1/src/XpScreens.c
===================================================================
--- libXp-1.0.1.orig/src/XpScreens.c
+++ libXp-1.0.1/src/XpScreens.c
@@ -42,6 +42,8 @@
 #include <X11/extensions/Printstr.h>
 #include <X11/Xlibint.h>
 #include "XpExtUtil.h"
+#include <limits.h>
+#include "eat.h"
 
 
 Screen **
@@ -82,19 +84,17 @@ XpQueryScreens (
     *list_count = rep.listCount;
 
     if (*list_count) {
-       scr_list = (Screen **)
-                  Xmalloc( (unsigned) (sizeof(Screen *) * *list_count) );
+       if (rep.listCount < (INT_MAX / sizeof(Screen *)))
+           scr_list = Xmalloc(sizeof(Screen *) * *list_count);
+       else
+           scr_list = NULL;
 
        if (!scr_list) {
-            UnlockDisplay(dpy);
-            SyncHandle();
-            return ( (Screen **) NULL ); /* malloc error */
+           _XEatDataWords(dpy, rep.length);
+           goto out;
        }
        i = 0;
        while(i < *list_count){
-           /*
-            * Pull printer length and then name.
-            */
            _XRead32 (dpy, &rootWindow, (long) sizeof(CARD32) );
            scr_list[i] = NULL;
            for ( j = 0; j < XScreenCount(dpy); j++ ) {
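Review bot: The size check and the allocation look at different variables: the bound is tested on `rep.listCount` while the multiplication uses `*list_count`, which was assigned from it a few lines up but whose type is not visible in the hunk. The guard holds because the two carry the same value here, but a reader has to prove that, and any code later inserted between the assignment and the check breaks the link; writing `scr_list = Xmalloc(sizeof(Screen *) * rep.listCount);` ties the multiplication to the value that was actually checked. The XpGetPrinterList hunk of the second patch (@@ -128,13 +130,12) has the same split between `rep.listCount` in the check and `*list_count + 1` in the call. XpQueryScreens starts before and ends after this hunk.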
@@ -118,6 +118,7 @@ XpQueryScreens (
        scr_list = (Screen **) NULL;
     }
 
+  out:
     UnlockDisplay(dpy);
     SyncHandle();
 
++++++ baselibs.conf ++++++
libXp6
        provides "xorg-x11-libXp-<targettype> = 7.6_<version>"
        obsoletes "xorg-x11-libXp-<targettype> < 7.6_<version>"
libXp-devel
        requires -libXp-<targettype>
        requires "libXp6-<targettype> = <version>"
        provides "xorg-x11-libXp-devel-<targettype> = 7.6_<version>"
        obsoletes "xorg-x11-libXp-devel-<targettype> < 7.6_<version>"