diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-01-30 12:46:22 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-02-08 12:00:21 +0000 |
commit | eed433faba6f8970287d72215f4be7289019516d (patch) | |
tree | caebb4a92844b8d55db982fa3ef8a526980ff946 | |
parent | 4f991d93f6221e72c3eea6080ec405155b680681 (diff) | |
download | poky-eed433faba6f8970287d72215f4be7289019516d.tar.gz |
libX11: CVE-2016-7942
The XGetImage function in X.org libX11 before 1.6.4 might allow remote X
servers to gain privileges via vectors involving image type and geometry,
which triggers out-of-bounds read operations.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
Upstream patch
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17
(From OE-Core rev: 6d4421301a54c26e390fa943805574ced6e18c3a)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch | 69 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb | 1 |
2 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch new file mode 100644 index 0000000000..f5b4d69d4c --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tobias Stoeckmann <tobias@stoeckmann.org> | ||
3 | Date: Sun, 25 Sep 2016 21:25:25 +0200 | ||
4 | Subject: Validation of server responses in XGetImage() | ||
5 | |||
6 | Check if enough bytes were received for specified image type and | ||
7 | geometry. Otherwise GetPixel and other functions could trigger an | ||
8 | out of boundary read later on. | ||
9 | |||
10 | CVE: CVE-2016-7942 | ||
11 | Upstream-Status: Backport | ||
12 | |||
13 | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> | ||
14 | Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> | ||
15 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
16 | |||
17 | diff --git a/src/GetImage.c b/src/GetImage.c | ||
18 | index c461abc..ff32d58 100644 | ||
19 | --- a/src/GetImage.c | ||
20 | +++ b/src/GetImage.c | ||
21 | @@ -59,6 +59,7 @@ XImage *XGetImage ( | ||
22 | char *data; | ||
23 | unsigned long nbytes; | ||
24 | XImage *image; | ||
25 | + int planes; | ||
26 | LockDisplay(dpy); | ||
27 | GetReq (GetImage, req); | ||
28 | /* | ||
29 | @@ -91,18 +92,28 @@ XImage *XGetImage ( | ||
30 | return (XImage *) NULL; | ||
31 | } | ||
32 | _XReadPad (dpy, data, nbytes); | ||
33 | - if (format == XYPixmap) | ||
34 | - image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), | ||
35 | - Ones (plane_mask & | ||
36 | - (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), | ||
37 | - format, 0, data, width, height, dpy->bitmap_pad, 0); | ||
38 | - else /* format == ZPixmap */ | ||
39 | - image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), | ||
40 | - rep.depth, ZPixmap, 0, data, width, height, | ||
41 | - _XGetScanlinePad(dpy, (int) rep.depth), 0); | ||
42 | + if (format == XYPixmap) { | ||
43 | + image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), | ||
44 | + Ones (plane_mask & | ||
45 | + (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), | ||
46 | + format, 0, data, width, height, dpy->bitmap_pad, 0); | ||
47 | + planes = image->depth; | ||
48 | + } else { /* format == ZPixmap */ | ||
49 | + image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), | ||
50 | + rep.depth, ZPixmap, 0, data, width, height, | ||
51 | + _XGetScanlinePad(dpy, (int) rep.depth), 0); | ||
52 | + planes = 1; | ||
53 | + } | ||
54 | |||
55 | if (!image) | ||
56 | Xfree(data); | ||
57 | + if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 || | ||
58 | + INT_MAX / image->height <= image->bytes_per_line || | ||
59 | + INT_MAX / planes <= image->height * image->bytes_per_line || | ||
60 | + nbytes < planes * image->height * image->bytes_per_line) { | ||
61 | + XDestroyImage(image); | ||
62 | + image = NULL; | ||
63 | + } | ||
64 | UnlockDisplay(dpy); | ||
65 | SyncHandle(); | ||
66 | return (image); | ||
67 | -- | ||
68 | cgit v0.10.2 | ||
69 | |||
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb index 8e531c7456..152ccd9d4a 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb | |||
@@ -5,6 +5,7 @@ BBCLASSEXTEND = "native nativesdk" | |||
5 | 5 | ||
6 | SRC_URI += "file://disable_tests.patch \ | 6 | SRC_URI += "file://disable_tests.patch \ |
7 | file://libX11-Add-missing-NULL-check.patch \ | 7 | file://libX11-Add-missing-NULL-check.patch \ |
8 | file://CVE-2016-7942.patch \ | ||
8 | " | 9 | " |
9 | 10 | ||
10 | SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0" | 11 | SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0" |