libX11: CVE-2016-7942

The XGetImage function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving image type and geometry, which triggers out-of-bounds read operations. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942 Upstream patch https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17 (From OE-Core rev: 6d4421301a54c26e390fa943805574ced6e18c3a) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-01-30 12:46:22 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-02-08 12:00:21 +0000
commit: eed433faba6f8970287d72215f4be7289019516d (patch)
tree: caebb4a92844b8d55db982fa3ef8a526980ff946 /meta
parent: 4f991d93f6221e72c3eea6080ec405155b680681 (diff)
download: poky-eed433faba6f8970287d72215f4be7289019516d.tar.gz
2 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
new file mode 100644
index 0000000000..f5b4d69d4c
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
@@ -0,0 +1,69 @@
+From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:25:25 +0200
+Subject: Validation of server responses in XGetImage()
+Check if enough bytes were received for specified image type and
+geometry. Otherwise GetPixel and other functions could trigger an
+out of boundary read later on.
+CVE: CVE-2016-7942
+Upstream-Status: Backport
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+diff --git a/src/GetImage.c b/src/GetImage.c
+index c461abc..ff32d58 100644
+--- a/src/GetImage.c
+++ b/src/GetImage.c
+@@ -59,6 +59,7 @@ XImage *XGetImage (
+        char *data;
+        unsigned long nbytes;
+        XImage *image;
+       int planes;
+        LockDisplay(dpy);
+        GetReq (GetImage, req);
+        /*
+@@ -91,18 +92,28 @@ XImage *XGetImage (
+            return (XImage *) NULL;
+        }
+         _XReadPad (dpy, data, nbytes);
+-        if (format == XYPixmap)
+-          image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+-                 Ones (plane_mask &
+-                       (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+-                 format, 0, data, width, height, dpy->bitmap_pad, 0);
+-       else /* format == ZPixmap */
+-           image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+-                rep.depth, ZPixmap, 0, data, width, height,
+-                 _XGetScanlinePad(dpy, (int) rep.depth), 0);
+        if (format == XYPixmap) {
+           image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+               Ones (plane_mask &
+                   (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+               format, 0, data, width, height, dpy->bitmap_pad, 0);
+           planes = image->depth;
+       } else { /* format == ZPixmap */
+            image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+               rep.depth, ZPixmap, 0, data, width, height,
+                   _XGetScanlinePad(dpy, (int) rep.depth), 0);
+           planes = 1;
+       }
+ 
+        if (!image)
+            Xfree(data);
+       if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
+           INT_MAX / image->height <= image->bytes_per_line ||
+           INT_MAX / planes <= image->height * image->bytes_per_line ||
+           nbytes < planes * image->height * image->bytes_per_line) {
+           XDestroyImage(image);
+           image = NULL;
+       }
+        UnlockDisplay(dpy);
+        SyncHandle();
+        return (image);
+-- 
+cgit v0.10.2
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
index 8e531c7456..152ccd9d4a 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
@@ -5,6 +5,7 @@ BBCLASSEXTEND = "native nativesdk"
 SRC_URI += "file://disable_tests.patch \
            file://libX11-Add-missing-NULL-check.patch \
+            file://CVE-2016-7942.patch \
           "
 SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-01-30 12:46:22 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-02-08 12:00:21 +0000
commit	eed433faba6f8970287d72215f4be7289019516d (patch)
tree	caebb4a92844b8d55db982fa3ef8a526980ff946 /meta
parent	4f991d93f6221e72c3eea6080ec405155b680681 (diff)
download	poky-eed433faba6f8970287d72215f4be7289019516d.tar.gz

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch new file mode 100644 index 0000000000..f5b4d69d4c --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
@@ -0,0 +1,69 @@
		1	From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
		2	From: Tobias Stoeckmann <tobias@stoeckmann.org>
		3	Date: Sun, 25 Sep 2016 21:25:25 +0200
		4	Subject: Validation of server responses in XGetImage()
		5
		6	Check if enough bytes were received for specified image type and
		7	geometry. Otherwise GetPixel and other functions could trigger an
		8	out of boundary read later on.
		9
		10	CVE: CVE-2016-7942
		11	Upstream-Status: Backport
		12
		13	Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
		14	Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
		15	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		16
		17	diff --git a/src/GetImage.c b/src/GetImage.c
		18	index c461abc..ff32d58 100644
		19	--- a/src/GetImage.c
		20	+++ b/src/GetImage.c
		21	@@ -59,6 +59,7 @@ XImage *XGetImage (
		22	char *data;
		23	unsigned long nbytes;
		24	XImage *image;
		25	+ int planes;
		26	LockDisplay(dpy);
		27	GetReq (GetImage, req);
		28	/*
		29	@@ -91,18 +92,28 @@ XImage *XGetImage (
		30	return (XImage *) NULL;
		31	}
		32	_XReadPad (dpy, data, nbytes);
		33	- if (format == XYPixmap)
		34	- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
		35	- Ones (plane_mask &
		36	- (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
		37	- format, 0, data, width, height, dpy->bitmap_pad, 0);
		38	- else /* format == ZPixmap */
		39	- image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
		40	- rep.depth, ZPixmap, 0, data, width, height,
		41	- _XGetScanlinePad(dpy, (int) rep.depth), 0);
		42	+ if (format == XYPixmap) {
		43	+ image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
		44	+ Ones (plane_mask &
		45	+ (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
		46	+ format, 0, data, width, height, dpy->bitmap_pad, 0);
		47	+ planes = image->depth;
		48	+ } else { /* format == ZPixmap */
		49	+ image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
		50	+ rep.depth, ZPixmap, 0, data, width, height,
		51	+ _XGetScanlinePad(dpy, (int) rep.depth), 0);
		52	+ planes = 1;
		53	+ }
		54
		55	if (!image)
		56	Xfree(data);
		57	+ if (planes < 1 \|\| image->height < 1 \|\| image->bytes_per_line < 1 \|\|
		58	+ INT_MAX / image->height <= image->bytes_per_line \|\|
		59	+ INT_MAX / planes <= image->height * image->bytes_per_line \|\|
		60	+ nbytes < planes * image->height * image->bytes_per_line) {
		61	+ XDestroyImage(image);
		62	+ image = NULL;
		63	+ }
		64	UnlockDisplay(dpy);
		65	SyncHandle();
		66	return (image);
		67	--
		68	cgit v0.10.2
		69


diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb index 8e531c7456..152ccd9d4a 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
@@ -5,6 +5,7 @@ BBCLASSEXTEND = "native nativesdk"
5		5
6	SRC_URI += "file://disable_tests.patch \	6	SRC_URI += "file://disable_tests.patch \
7	file://libX11-Add-missing-NULL-check.patch \	7	file://libX11-Add-missing-NULL-check.patch \
		8	file://CVE-2016-7942.patch \
8	"	9	"
9		10
10	SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0"	11	SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0"