Bug#852954: jessie-pu: package libxrender/1:0.9.8-1+deb8u1

2017-09-09 Thread Julien Cristau
On Sat, Jan 28, 2017 at 15:30:54 +0100, Julien Cristau wrote:

> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> One more.
> 
For the record, this is blocked on getting a resolution upstream on
https://lists.x.org/pipermail/xorg-devel/2017-January/052247.html
I poked upstream again today:
https://lists.x.org/pipermail/xorg-devel/2017-September/054604.html

Cheers,
Julien



Bug#852954: jessie-pu: package libxrender/1:0.9.8-1+deb8u1

2017-01-28 Thread Julien Cristau
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

One more.

Cheers,
Julien

diff -u libxrender-0.9.8/debian/changelog libxrender-0.9.8/debian/changelog
--- libxrender-0.9.8/debian/changelog
+++ libxrender-0.9.8/debian/changelog
@@ -1,3 +1,11 @@
+libxrender (1:0.9.8-1+deb8u1) jessie; urgency=medium
+
+  * Insufficient validation of data from the X server
+can cause out of boundary memory writes.  Addresses CVE-2016-7949 and
+CVE-2016-7950.
+
+ -- Julien Cristau   Sat, 28 Jan 2017 15:11:56 +0100
+
 libxrender (1:0.9.8-1) sid; urgency=low
 
   * New upstream release.
only in patch2:
unchanged:
--- libxrender-0.9.8.orig/src/Filter.c
+++ libxrender-0.9.8/src/Filter.c
@@ -38,7 +38,7 @@
 char   *name;
 char   len;
 inti;
-unsigned long  nbytes, nbytesAlias, nbytesName;
+unsigned long  nbytes, nbytesAlias, nbytesName, reply_left;
 
 if (!RenderHasExtension (info))
return NULL;
@@ -114,6 +114,7 @@
  * Read the filter aliases
  */
 _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
+reply_left = 8 + rep.length - 2 * rep.numAliases;;
 
 /*
  * Read the filter names
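Review bot: `reply_left` is tracked in inconsistent units: this line seeds it from `rep.length`, which X replies express in 4-byte words, minus `2 * rep.numAliases`, a byte count, and the following hunk (@@ -122,9 +123,19 @@) decrements it per byte read before passing it to `_XEatDataWords`, which expects words. On the bail-out path the amount discarded can therefore differ from what is actually left of the reply, which risks stalling or desynchronising the connection, and the unsigned subtraction wraps when `numAliases` is large relative to `length`. I would keep the counter in bytes and convert once, e.g. `reply_left = ((unsigned long) rep.length << 2) - ((2UL * rep.numAliases + 3) & ~3UL);` guarded against underflow, with `_XEatDataWords(dpy, (reply_left + 3) >> 2);` in the error branch. The `8 +` term has no justification visible in the hunk and needs a comment or removal, and the `;;` should be a single `;`. The enclosing function starts and ends outside both hunks, so any reply-length checks that precede this line are not visible.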
@@ -122,9 +123,19 @@
 {
int l;
_XRead (dpy, , 1);
+   reply_left--;
l = len & 0xff;
+   if ((unsigned long)l + 1 > nbytesName) {
+_XEatDataWords(dpy, reply_left);
+   Xfree(filters);
+   UnlockDisplay (dpy);
+   SyncHandle ();
+   return NULL;
+   }
+   nbytesName -= l + 1;
filters->filter[i] = name;
_XRead (dpy, name, l);
+reply_left -= l;
name[l] = '\0';
name += l + 1;
 }
only in patch2:
unchanged:
--- libxrender-0.9.8.orig/src/Xrender.c
+++ libxrender-0.9.8/src/Xrender.c
@@ -533,12 +533,30 @@
screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
screen->subpixel = SubPixelUnknown;
xDepth = (xPictDepth *) (xScreen + 1);
+   if (screen->ndepths > rep.numDepths) {
+   Xfree (xri);
+   Xfree (xData);
+   _XEatDataWords (dpy, rep.length);
+   UnlockDisplay (dpy);
+   SyncHandle ();
+   return 0;
+   }
+   rep.numDepths -= screen->ndepths;
for (nd = 0; nd < screen->ndepths; nd++)
{
depth->depth = xDepth->depth;
depth->nvisuals = xDepth->nPictVisuals;
depth->visuals = visual;
xVisual = (xPictVisual *) (xDepth + 1);
+   if (depth->nvisuals > rep.numVisuals) {
+   Xfree (xri);
+   Xfree (xData);
+   _XEatDataWords (dpy, rep.length);
+   UnlockDisplay (dpy);
+   SyncHandle ();
+   return 0;
+   }
+   rep.numVisuals -= depth->nvisuals;
for (nv = 0; nv < depth->nvisuals; nv++)
{
visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
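Review bot: Both new error branches call `_XEatDataWords (dpy, rep.length)` even though the loop is already walking `xScreen`/`xDepth`/`xVisual` pointers into `xData`; if the reply body was read into `xData` before this point, which the hunk does not show, the call would wait for and discard `rep.length` further words that belong to later replies or events. In that case the branches should only free and unlock, i.e. drop the `_XEatDataWords` line from each. The two count checks bound the writes into `depth` and `visual`, but nothing visible here bounds the reads through `xDepth` and `xVisual` against the size of `xData`, so that should be confirmed in the part of the function outside the hunk. The six-line cleanup sequence is duplicated verbatim and would be easier to audit behind a single `goto` label.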

