diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-lib')
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch | 103 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb | 1 |
2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch new file mode 100644 index 0000000000..50024236d2 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch | |||
@@ -0,0 +1,103 @@ | |||
1 | From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tobias Stoeckmann <tobias@stoeckmann.org> | ||
3 | Date: Sun, 25 Sep 2016 21:22:57 +0200 | ||
4 | Subject: The validation of server responses avoids out of boundary accesses. | ||
5 | |||
6 | v2: FontNames.c return a NULL list whenever a single | ||
7 | length field from the server is incohent. | ||
8 | |||
9 | CVE: CVE-2016-7943 | ||
10 | Upstream-Status: Backport | ||
11 | |||
12 | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> | ||
13 | Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> | ||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | |||
16 | diff --git a/src/FontNames.c b/src/FontNames.c | ||
17 | index 21dcafe..e55f338 100644 | ||
18 | --- a/src/FontNames.c | ||
19 | +++ b/src/FontNames.c | ||
20 | @@ -66,7 +66,7 @@ int *actualCount) /* RETURN */ | ||
21 | |||
22 | if (rep.nFonts) { | ||
23 | flist = Xmalloc (rep.nFonts * sizeof(char *)); | ||
24 | - if (rep.length < (INT_MAX >> 2)) { | ||
25 | + if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { | ||
26 | rlen = rep.length << 2; | ||
27 | ch = Xmalloc(rlen + 1); | ||
28 | /* +1 to leave room for last null-terminator */ | ||
29 | @@ -93,11 +93,22 @@ int *actualCount) /* RETURN */ | ||
30 | if (ch + length < chend) { | ||
31 | flist[i] = ch + 1; /* skip over length */ | ||
32 | ch += length + 1; /* find next length ... */ | ||
33 | - length = *(unsigned char *)ch; | ||
34 | - *ch = '\0'; /* and replace with null-termination */ | ||
35 | - count++; | ||
36 | - } else | ||
37 | - flist[i] = NULL; | ||
38 | + if (ch <= chend) { | ||
39 | + length = *(unsigned char *)ch; | ||
40 | + *ch = '\0'; /* and replace with null-termination */ | ||
41 | + count++; | ||
42 | + } else { | ||
43 | + Xfree(flist); | ||
44 | + flist = NULL; | ||
45 | + count = 0; | ||
46 | + break; | ||
47 | + } | ||
48 | + } else { | ||
49 | + Xfree(flist); | ||
50 | + flist = NULL; | ||
51 | + count = 0; | ||
52 | + break; | ||
53 | + } | ||
54 | } | ||
55 | } | ||
56 | *actualCount = count; | ||
57 | diff --git a/src/ListExt.c b/src/ListExt.c | ||
58 | index be6b989..0516e45 100644 | ||
59 | --- a/src/ListExt.c | ||
60 | +++ b/src/ListExt.c | ||
61 | @@ -55,7 +55,7 @@ char **XListExtensions( | ||
62 | |||
63 | if (rep.nExtensions) { | ||
64 | list = Xmalloc (rep.nExtensions * sizeof (char *)); | ||
65 | - if (rep.length < (INT_MAX >> 2)) { | ||
66 | + if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { | ||
67 | rlen = rep.length << 2; | ||
68 | ch = Xmalloc (rlen + 1); | ||
69 | /* +1 to leave room for last null-terminator */ | ||
70 | @@ -80,9 +80,13 @@ char **XListExtensions( | ||
71 | if (ch + length < chend) { | ||
72 | list[i] = ch+1; /* skip over length */ | ||
73 | ch += length + 1; /* find next length ... */ | ||
74 | - length = *ch; | ||
75 | - *ch = '\0'; /* and replace with null-termination */ | ||
76 | - count++; | ||
77 | + if (ch <= chend) { | ||
78 | + length = *ch; | ||
79 | + *ch = '\0'; /* and replace with null-termination */ | ||
80 | + count++; | ||
81 | + } else { | ||
82 | + list[i] = NULL; | ||
83 | + } | ||
84 | } else | ||
85 | list[i] = NULL; | ||
86 | } | ||
87 | diff --git a/src/ModMap.c b/src/ModMap.c | ||
88 | index a809aa2..49a5d08 100644 | ||
89 | --- a/src/ModMap.c | ||
90 | +++ b/src/ModMap.c | ||
91 | @@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy) | ||
92 | GetEmptyReq(GetModifierMapping, req); | ||
93 | (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); | ||
94 | |||
95 | - if (rep.length < (INT_MAX >> 2)) { | ||
96 | + if (rep.length < (INT_MAX >> 2) && | ||
97 | + (rep.length >> 1) == rep.numKeyPerModifier) { | ||
98 | nbytes = (unsigned long)rep.length << 2; | ||
99 | res = Xmalloc(sizeof (XModifierKeymap)); | ||
100 | if (res) | ||
101 | -- | ||
102 | cgit v0.10.2 | ||
103 | |||
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb index 152ccd9d4a..23a77891e9 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb | |||
@@ -6,6 +6,7 @@ BBCLASSEXTEND = "native nativesdk" | |||
6 | SRC_URI += "file://disable_tests.patch \ | 6 | SRC_URI += "file://disable_tests.patch \ |
7 | file://libX11-Add-missing-NULL-check.patch \ | 7 | file://libX11-Add-missing-NULL-check.patch \ |
8 | file://CVE-2016-7942.patch \ | 8 | file://CVE-2016-7942.patch \ |
9 | file://CVE-2016-7943.patch \ | ||
9 | " | 10 | " |
10 | 11 | ||
11 | SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0" | 12 | SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0" |