Bug#892032: jessie-pu: package wayland/1.6.0-2
Control: tags -1 + confirmed On Sun, 2018-03-04 at 18:52 +0100, Héctor Orón Martínez wrote: > Hello, > > 2018-03-04 15:44 GMT+01:00 Emilio Pozuelo Monfort : > > On 04/03/18 12:46, Héctor Orón Martínez wrote: > > > > > > diff --git a/debian/changelog b/debian/changelog > > > index 645a4bc..b6409a8 100644 > > > --- a/debian/changelog > > > +++ b/debian/changelog > > > @@ -1,3 +1,14 @@ > > > +wayland (1.6.0-2+deb8u1) stretch; urgency=medium > > > > Distribution should be jessie. > > Ouch! Right. Find new version attached Please go ahead. Sorry for the delay. Regards, Adam
Bug#892032: jessie-pu: package wayland/1.6.0-2
Hello, 2018-03-04 15:44 GMT+01:00 Emilio Pozuelo Monfort: > On 04/03/18 12:46, Héctor Orón Martínez wrote: >> >> diff --git a/debian/changelog b/debian/changelog >> index 645a4bc..b6409a8 100644 >> --- a/debian/changelog >> +++ b/debian/changelog >> @@ -1,3 +1,14 @@ >> +wayland (1.6.0-2+deb8u1) stretch; urgency=medium > > Distribution should be jessie. Ouch! Right. Find new version attached -- Héctor Orón -.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-. From c9f4eb1998a3b390c8b03df7c84f83608a3418fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= Date: Sun, 4 Mar 2018 12:29:17 +0100 Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Héctor Orón Martínez --- debian/changelog| 11 + debian/patches/CVE-2017-16612.patch | 47 + debian/patches/series | 1 + 3 files changed, 59 insertions(+) create mode 100644 debian/patches/CVE-2017-16612.patch create mode 100644 debian/patches/series diff --git a/debian/changelog b/debian/changelog index 645a4bc..0379671 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +wayland (1.6.0-2+deb8u1) jessie; urgency=medium + + * debian/patches/CVE-2017-16612.patch: (Closes: #889681) +- libXcursor before 1.1.15 has various integer overflows that could lead + to heap buffer overflows when processing malicious cursors, e.g., with + programs like GIMP. It is also possible that an attack vector exists + against the related code in cursor/xcursor.c in Wayland through + 1.14.0. + + -- Héctor Orón Martínez Sun, 04 Mar 2018 12:27:36 +0100 + wayland (1.6.0-2) unstable; urgency=medium * Switch back to use upstream tarball. diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch new file mode 100644 index 000..9d91f70 --- /dev/null +++ b/debian/patches/CVE-2017-16612.patch 
@@ -0,0 +1,47 @@ +commit 5d201df72f3d4f4cb8b8f75f980169b03507da38 +Author: Tobias Stoeckmann +Date: Tue Nov 28 21:38:07 2017 +0100 + +cursor: Fix heap overflows when parsing malicious files. + +It is possible to trigger heap overflows due to an integer overflow +while parsing images. + +The integer overflow occurs because the chosen limit 0x1 for +dimensions is too large for 32 bit systems, because each pixel takes +4 bytes. Properly chosen values allow an overflow which in turn will +lead to less allocated memory than needed for subsequent reads. + +See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961 + +Signed-off-by: Tobias Stoeckmann +[Pekka: add link to the corresponding libXcursor commit] +Signed-off-by: Pekka Paalanen + +diff --git a/cursor/xcursor.c b/cursor/xcursor.c +index ca41c4a..689c702 100644 +--- a/cursor/xcursor.c b/cursor/xcursor.c +@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height) + { + XcursorImage*image; + ++if (width < 0 || height < 0) ++ return NULL; ++if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) ++ return NULL; ++ + image = malloc (sizeof (XcursorImage) + + width * height * sizeof (XcursorPixel)); + if (!image) +@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file, + if (!_XcursorReadUInt (file, )) + return NULL; + /* sanity check data */ +-if (head.width >= 0x1 || head.height > 0x1) ++if (head.width > XCURSOR_IMAGE_MAX_SIZE || ++ head.height > XCURSOR_IMAGE_MAX_SIZE) + return NULL; + if (head.width == 0 || head.height == 0) + return NULL; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..4c42ec7 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2017-16612.patch -- 2.16.2
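Review bot: in the debian/patches/CVE-2017-16612.patch hunk, both new checks compare against XCURSOR_IMAGE_MAX_SIZE, but no hunk in this backport adds a definition of that macro to cursor/xcursor.c, so please confirm the patch file carries upstream's `#define XCURSOR_IMAGE_MAX_SIZE` (0x7fff in the freedesktop commit) or the jessie build will fail at compile time. The bound matters for the fix: with the old 0x10000 limit, `width * height * sizeof (XcursorPixel)` can reach 2^34 and wrap a 32-bit size_t before malloc sees it, which is exactly the undersized allocation the commit message describes; 0x7fff keeps the product below 4 GiB on 32-bit targets such as jessie armhf and i386, so a quick build-and-load test of a cursor theme on one of those architectures would be a worthwhile sanity check before upload.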
Bug#892032: jessie-pu: package wayland/1.6.0-2
On 04/03/18 12:46, Héctor Orón Martínez wrote: > > diff --git a/debian/changelog b/debian/changelog > index 645a4bc..b6409a8 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,14 @@ > +wayland (1.6.0-2+deb8u1) stretch; urgency=medium Distribution should be jessie. Cheers, Emilio
Bug#892032: jessie-pu: package wayland/1.6.0-2
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hello, I would like to apply oldstable fix for #889681 in oldstable. I am attaching the patch I plan to upload to oldstable. Note, I have requested security team if they want to handle it via security queue or stable update instead. Regards -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: armhf Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled From 5df34123d130816a1acf506d8e9f1a1c3e3efcc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?=Date: Sun, 4 Mar 2018 12:29:17 +0100 Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Héctor Orón Martínez --- debian/changelog| 11 + debian/patches/CVE-2017-16612.patch | 47 + debian/patches/series | 1 + 3 files changed, 59 insertions(+) create mode 100644 debian/patches/CVE-2017-16612.patch create mode 100644 debian/patches/series diff --git a/debian/changelog b/debian/changelog index 645a4bc..b6409a8 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,14 @@ +wayland (1.6.0-2+deb8u1) stretch; urgency=medium + + * debian/patches/CVE-2017-16612.patch: (Closes: #889681) +- libXcursor before 1.1.15 has various integer overflows that could lead + to heap buffer overflows when processing malicious cursors, e.g., with + programs like GIMP. It is also possible that an attack vector exists + against the related code in cursor/xcursor.c in Wayland through + 1.14.0. + + -- Héctor Orón Martínez Sun, 04 Mar 2018 12:27:36 +0100 + wayland (1.6.0-2) unstable; urgency=medium * Switch back to use upstream tarball. diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch new file mode 100644 index 000..9d91f70 --- /dev/null +++ b/debian/patches/CVE-2017-16612.patch 
@@ -0,0 +1,47 @@ +commit 5d201df72f3d4f4cb8b8f75f980169b03507da38 +Author: Tobias Stoeckmann +Date: Tue Nov 28 21:38:07 2017 +0100 + +cursor: Fix heap overflows when parsing malicious files. + +It is possible to trigger heap overflows due to an integer overflow +while parsing images. + +The integer overflow occurs because the chosen limit 0x1 for +dimensions is too large for 32 bit systems, because each pixel takes +4 bytes. Properly chosen values allow an overflow which in turn will +lead to less allocated memory than needed for subsequent reads. + +See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961 + +Signed-off-by: Tobias Stoeckmann +[Pekka: add link to the corresponding libXcursor commit] +Signed-off-by: Pekka Paalanen + +diff --git a/cursor/xcursor.c b/cursor/xcursor.c +index ca41c4a..689c702 100644 +--- a/cursor/xcursor.c b/cursor/xcursor.c +@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height) + { + XcursorImage*image; + ++if (width < 0 || height < 0) ++ return NULL; ++if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) ++ return NULL; ++ + image = malloc (sizeof (XcursorImage) + + width * height * sizeof (XcursorPixel)); + if (!image) +@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file, + if (!_XcursorReadUInt (file, )) + return NULL; + /* sanity check data */ +-if (head.width >= 0x1 || head.height > 0x1) ++if (head.width > XCURSOR_IMAGE_MAX_SIZE || ++ head.height > XCURSOR_IMAGE_MAX_SIZE) + return NULL; + if (head.width == 0 || head.height == 0) + return NULL; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..4c42ec7 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2017-16612.patch -- 2.16.2
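Review bot: in the debian/changelog hunk the distribution field reads `stretch` (`wayland (1.6.0-2+deb8u1) stretch; urgency=medium`) while the version suffix and the pu request are for jessie; with `stretch` dak would not accept the upload into the jessie proposed-updates queue, so change it to `jessie` before uploading.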
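Review bot: the nested diff inside debian/patches/CVE-2017-16612.patch does not look like it will apply cleanly as pasted: the file header has `--- a/cursor/xcursor.c b/cursor/xcursor.c` with no `+++ b/cursor/xcursor.c` line, the context line `if (!_XcursorReadUInt (file, ))` has lost its second argument, and the removed line `head.width >= 0x1 || head.height > 0x1` no longer matches the 0x10000 limit the commit message refers to. Rather than hand-editing, regenerate the file from the upstream commit (`git format-patch -1 5d201df72f3d4f4cb8b8f75f980169b03507da38` in the wayland tree) and verify with `quilt push -a` against the 1.6.0 source that both hunks apply without fuzz, since a silently rejected hunk would leave the jessie package still affected by CVE-2017-16612.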