Bug#892032: jessie-pu: package wayland/1.6.0-2

2018-06-08 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2018-03-04 at 18:52 +0100, Héctor Orón Martínez wrote:
> Hello,
> 
> 2018-03-04 15:44 GMT+01:00 Emilio Pozuelo Monfort:
> > On 04/03/18 12:46, Héctor Orón Martínez wrote:
> > > 
> > > diff --git a/debian/changelog b/debian/changelog
> > > index 645a4bc..b6409a8 100644
> > > --- a/debian/changelog
> > > +++ b/debian/changelog
> > > @@ -1,3 +1,14 @@
> > > +wayland (1.6.0-2+deb8u1) stretch; urgency=medium
> > 
> > Distribution should be jessie.
> 
> Ouch! Right. Find new version attached.

Please go ahead. Sorry for the delay.

Regards,

Adam



Bug#892032: jessie-pu: package wayland/1.6.0-2

2018-03-04 Thread Héctor Orón Martínez
Hello,

2018-03-04 15:44 GMT+01:00 Emilio Pozuelo Monfort:
> On 04/03/18 12:46, Héctor Orón Martínez wrote:
>>
>> diff --git a/debian/changelog b/debian/changelog
>> index 645a4bc..b6409a8 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,14 @@
>> +wayland (1.6.0-2+deb8u1) stretch; urgency=medium
>
> Distribution should be jessie.

Ouch! Right. Find new version attached.


-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.
From c9f4eb1998a3b390c8b03df7c84f83608a3418fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= 
Date: Sun, 4 Mar 2018 12:29:17 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
 overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Héctor Orón Martínez 
---
 debian/changelog| 11 +
 debian/patches/CVE-2017-16612.patch | 47 +
 debian/patches/series   |  1 +
 3 files changed, 59 insertions(+)
 create mode 100644 debian/patches/CVE-2017-16612.patch
 create mode 100644 debian/patches/series

diff --git a/debian/changelog b/debian/changelog
index 645a4bc..0379671 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.6.0-2+deb8u1) jessie; urgency=medium
+
+  * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+- libXcursor before 1.1.15 has various integer overflows that could lead
+  to heap buffer overflows when processing malicious cursors, e.g., with
+  programs like GIMP. It is also possible that an attack vector exists
+  against the related code in cursor/xcursor.c in Wayland through
+  1.14.0.
+
+ -- Héctor Orón Martínez   Sun, 04 Mar 2018 12:27:36 +0100
+
 wayland (1.6.0-2) unstable; urgency=medium
 
   * Switch back to use upstream tarball.
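
Review bot: the changelog bullet under debian/patches/CVE-2017-16612.patch quotes the CVE description for libXcursor instead of saying what this upload changes. A reader of the jessie changelog learns that an attack vector may exist in cursor/xcursor.c, but not that the upload adds bounds checks on cursor image width and height. Suggest a short line such as "cursor: fix heap overflows when parsing malicious cursor files (CVE-2017-16612)", keeping the Closes: #889681 reference.
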
diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann 
+Date:   Tue Nov 28 21:38:07 2017 +0100
+
+cursor: Fix heap overflows when parsing malicious files.
+
+It is possible to trigger heap overflows due to an integer overflow
+while parsing images.
+
+The integer overflow occurs because the chosen limit 0x1 for
+dimensions is too large for 32 bit systems, because each pixel takes
+4 bytes. Properly chosen values allow an overflow which in turn will
+lead to less allocated memory than needed for subsequent reads.
+
+See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+
+Signed-off-by: Tobias Stoeckmann 
+[Pekka: add link to the corresponding libXcursor commit]
+Signed-off-by: Pekka Paalanen 
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
 b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+ XcursorImage*image;
+ 
++if (width < 0 || height < 0)
++   return NULL;
++if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++   return NULL;
++
+ image = malloc (sizeof (XcursorImage) +
+ 		width * height * sizeof (XcursorPixel));
+ if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile		*file,
+ if (!_XcursorReadUInt (file, ))
+ 	return NULL;
+ /* sanity check data */
+-if (head.width >= 0x1 || head.height > 0x1)
++if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
++	head.height > XCURSOR_IMAGE_MAX_SIZE)
+ 	return NULL;
+ if (head.width == 0 || head.height == 0)
+ 	return NULL;
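
Review bot: both new checks compare against XCURSOR_IMAGE_MAX_SIZE, but no line in this patch defines it, so the backport depends on the 1.6.0 tree already providing that macro. Please confirm it is defined in the cursor/ sources of 1.6.0 (the build fails otherwise) and that its value keeps `width * height * sizeof (XcursorPixel)` plus `sizeof (XcursorImage)` within a 32-bit size_t, since the commit message names 32 bit systems as the affected case. In the malloc argument `width * height` is evaluated as int before the multiplication by sizeof widens it, so the bound has to hold for that int product as well.
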
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
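
Review bot: debian/patches/series is created as a new file here, so 1.6.0-2 shipped no quilt series before this upload. Check that debian/source/format is "3.0 (quilt)", or that debian/rules applies the series explicitly; otherwise CVE-2017-16612.patch is shipped in the source package but never applied to cursor/xcursor.c at build time. A build log showing the patch being applied, attached to the request, would settle it.
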
-- 
2.16.2



Bug#892032: jessie-pu: package wayland/1.6.0-2

2018-03-04 Thread Emilio Pozuelo Monfort
On 04/03/18 12:46, Héctor Orón Martínez wrote:
> 
> diff --git a/debian/changelog b/debian/changelog
> index 645a4bc..b6409a8 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,14 @@
> +wayland (1.6.0-2+deb8u1) stretch; urgency=medium

Distribution should be jessie.

Cheers,
Emilio



Bug#892032: jessie-pu: package wayland/1.6.0-2

2018-03-04 Thread Héctor Orón Martínez
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

  I would like to apply the oldstable fix for #889681 in oldstable.
  I am attaching the patch I plan to upload to oldstable.
  Note, I have asked the security team whether they want to handle it via
  the security queue or a stable update instead.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From 5df34123d130816a1acf506d8e9f1a1c3e3efcc8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= 
Date: Sun, 4 Mar 2018 12:29:17 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
 overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Héctor Orón Martínez 
---
 debian/changelog| 11 +
 debian/patches/CVE-2017-16612.patch | 47 +
 debian/patches/series   |  1 +
 3 files changed, 59 insertions(+)
 create mode 100644 debian/patches/CVE-2017-16612.patch
 create mode 100644 debian/patches/series

diff --git a/debian/changelog b/debian/changelog
index 645a4bc..b6409a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.6.0-2+deb8u1) stretch; urgency=medium
+
+  * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+- libXcursor before 1.1.15 has various integer overflows that could lead
+  to heap buffer overflows when processing malicious cursors, e.g., with
+  programs like GIMP. It is also possible that an attack vector exists
+  against the related code in cursor/xcursor.c in Wayland through
+  1.14.0.
+
+ -- Héctor Orón Martínez   Sun, 04 Mar 2018 12:27:36 +0100
+
 wayland (1.6.0-2) unstable; urgency=medium
 
   * Switch back to use upstream tarball.
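
Review bot: the first added line targets `stretch`, but the version suffix +deb8u1 and the jessie-pu request both point at jessie (Debian 8). An upload with this header would be directed at the wrong suite; change the distribution field to `jessie`.
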
diff --git a/debian/patches/CVE-2017-16612.patch 
b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann 
+Date:   Tue Nov 28 21:38:07 2017 +0100
+
+cursor: Fix heap overflows when parsing malicious files.
+
+It is possible to trigger heap overflows due to an integer overflow
+while parsing images.
+
+The integer overflow occurs because the chosen limit 0x1 for
+dimensions is too large for 32 bit systems, because each pixel takes
+4 bytes. Properly chosen values allow an overflow which in turn will
+lead to less allocated memory than needed for subsequent reads.
+
+See also: 
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+
+Signed-off-by: Tobias Stoeckmann 
+[Pekka: add link to the corresponding libXcursor commit]
+Signed-off-by: Pekka Paalanen 
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
 b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+ XcursorImage*image;
+ 
++if (width < 0 || height < 0)
++   return NULL;
++if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++   return NULL;
++
+ image = malloc (sizeof (XcursorImage) +
+   width * height * sizeof (XcursorPixel));
+ if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file,
+ if (!_XcursorReadUInt (file, ))
+   return NULL;
+ /* sanity check data */
+-if (head.width >= 0x1 || head.height > 0x1)
++if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
++  head.height > XCURSOR_IMAGE_MAX_SIZE)
+   return NULL;
+ if (head.width == 0 || head.height == 0)
+   return NULL;
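
Review bot: the embedded patch opens with raw `git show` output (commit, Author, Date) and carries no DEP-3 header fields. Adding an `Origin: upstream, <URL of commit 5d201df72f3d4f4cb8b8f75f980169b03507da38>` line and a `Bug-Debian:` line for #889681 would let later maintainers trace the backport without reading the changelog. Separately, in the XcursorImageCreate hunk zero dimensions are still accepted while _XcursorReadImage rejects them with `head.width == 0 || head.height == 0`; worth checking whether any other caller in 1.6.0 can reach XcursorImageCreate with a zero width or height.
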
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
-- 
2.16.2