
07/09: gnu: libxtst: Update to 1.2.3.


From: Leo Famulari
Subject: 07/09: gnu: libxtst: Update to 1.2.3.
Date: Wed, 5 Oct 2016 23:43:00 +0000 (UTC)

lfam pushed a commit to branch core-updates
in repository guix.

commit 82e6a4341bd7c7661279d5c4430390f6c2c7ef6b
Author: Leo Famulari <address@hidden>
Date:   Wed Oct 5 19:30:10 2016 -0400

    gnu: libxtst: Update to 1.2.3.
    
    * gnu/packages/xorg.scm (libxtst): Update to 1.2.3.
    [replacement]: Remove field.
    (libxtst/fixed): Remove variable.
    * gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch: Delete file.
    * gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk                                       |    1 -
 .../libxtst-CVE-2016-7951-CVE-2016-7952.patch      |  152 --------------------
 gnu/packages/xorg.scm                              |   13 +-
 3 files changed, 2 insertions(+), 164 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 74b57b0..34c9533 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -668,7 +668,6 @@ dist_patch_DATA =                                           \
   %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch        \
   %D%/packages/patches/libwmf-CVE-2015-4695.patch              \
   %D%/packages/patches/libwmf-CVE-2015-4696.patch              \
-  %D%/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch       \
   %D%/packages/patches/libxv-CVE-2016-5407.patch               \
   %D%/packages/patches/libxvmc-CVE-2016-7953.patch             \
   %D%/packages/patches/libxslt-generated-ids.patch             \
diff --git a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch b/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
deleted file mode 100644
index 9df6cf3..0000000
--- a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-Fix CVE-2016-7951 and CVE-2016-7952
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7952
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3
-
-From 9556ad67af3129ec4a7a4f4b54a0d59701beeae3 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <address@hidden>
-Date: Sun, 25 Sep 2016 21:37:01 +0200
-Subject: [PATCH] Out of boundary access and endless loop in libXtst
-
-A lack of range checks in libXtst allows out of boundary accesses.
-The checks have to be done in-place here, because it cannot be done
-without in-depth knowledge of the read data.
-
-If XRecordStartOfData, XRecordEndOfData, or XRecordClientDied
-without a client sequence have attached data, an endless loop would
-occur. The do-while-loop continues until the current index reaches
-the end. But in these cases, the current index would not be
-incremented, leading to an endless processing.
-
-Signed-off-by: Tobias Stoeckmann <address@hidden>
-Reviewed-by: Matthieu Herrb <address@hidden>
----
- src/XRecord.c | 43 +++++++++++++++++++++++++++++++++++++++----
- 1 file changed, 39 insertions(+), 4 deletions(-)
-
-diff --git a/src/XRecord.c b/src/XRecord.c
-index 50420c0..fefd842 100644
---- a/src/XRecord.c
-+++ b/src/XRecord.c
-@@ -749,15 +749,23 @@ parse_reply_call_callback(
-       switch (rep->category) {
-       case XRecordFromServer:
-           if (rep->elementHeader&XRecordFromServerTime) {
-+              if (current_index + 4 > rep->length << 2)
-+                  return Error;
-               EXTRACT_CARD32(rep->clientSwapped,
-                              reply->buf+current_index,
-                              data->server_time);
-               current_index += 4;
-           }
-+          if (current_index + 1 > rep->length << 2)
-+              return Error;
-           switch (reply->buf[current_index]) {
-           case X_Reply: /* reply */
-+              if (current_index + 8 > rep->length << 2)
-+                  return Error;
-               EXTRACT_CARD32(rep->clientSwapped,
-                              reply->buf+current_index+4, datum_bytes);
-+              if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8))
-+                  return Error;
-               datum_bytes = (datum_bytes+8) << 2;
-               break;
-           default: /* error or event */
-@@ -766,52 +774,73 @@ parse_reply_call_callback(
-           break;
-       case XRecordFromClient:
-           if (rep->elementHeader&XRecordFromClientTime) {
-+              if (current_index + 4 > rep->length << 2)
-+                  return Error;
-               EXTRACT_CARD32(rep->clientSwapped,
-                              reply->buf+current_index,
-                              data->server_time);
-               current_index += 4;
-           }
-           if (rep->elementHeader&XRecordFromClientSequence) {
-+              if (current_index + 4 > rep->length << 2)
-+                  return Error;
-               EXTRACT_CARD32(rep->clientSwapped,
-                              reply->buf+current_index,
-                              data->client_seq);
-               current_index += 4;
-           }
-+          if (current_index + 4 > rep->length<<2)
-+              return Error;
-           if (reply->buf[current_index+2] == 0
-               && reply->buf[current_index+3] == 0) /* needn't swap 0 */
-           {   /* BIG-REQUESTS */
-+              if (current_index + 8 > rep->length << 2)
-+                  return Error;
-               EXTRACT_CARD32(rep->clientSwapped,
-                              reply->buf+current_index+4, datum_bytes);
-           } else {
-               EXTRACT_CARD16(rep->clientSwapped,
-                              reply->buf+current_index+2, datum_bytes);
-           }
-+          if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2)
-+              return Error;
-           datum_bytes <<= 2;
-           break;
-       case XRecordClientStarted:
-+          if (current_index + 8 > rep->length << 2)
-+              return Error;
-           EXTRACT_CARD16(rep->clientSwapped,
-                          reply->buf+current_index+6, datum_bytes);
-           datum_bytes = (datum_bytes+2) << 2;
-           break;
-       case XRecordClientDied:
-           if (rep->elementHeader&XRecordFromClientSequence) {
-+              if (current_index + 4 > rep->length << 2)
-+                  return Error;
-               EXTRACT_CARD32(rep->clientSwapped,
-                              reply->buf+current_index,
-                              data->client_seq);
-               current_index += 4;
--          }
--          /* fall through */
-+          } else if (current_index < rep->length << 2)
-+              return Error;
-+          datum_bytes = 0;
-+          break;
-       case XRecordStartOfData:
-       case XRecordEndOfData:
-+          if (current_index < rep->length << 2)
-+              return Error;
-           datum_bytes = 0;
-+          break;
-       }
- 
-       if (datum_bytes > 0) {
--          if (current_index + datum_bytes > rep->length << 2)
-+          if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) {
-               fprintf(stderr,
-                       "XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n",
--                      (long)rep->length << 2, current_index + datum_bytes,
-+                      (unsigned long)rep->length << 2, current_index + datum_bytes,
-                       dpy->last_request_read);
-+              return Error;
-+          }
-           /*
-            * This assignment (and indeed the whole buffer sharing
-            * scheme) assumes arbitrary 4-byte boundaries are
-@@ -863,6 +892,12 @@ XRecordEnableContext(Display *dpy, XRecordContext context,
-           return 0;
-       }
- 
-+      if (rep.length > INT_MAX >> 2) {
-+          UnlockDisplay(dpy);
-+          SyncHandle();
-+          return 0;
-+      }
-+
-       if (rep.length > 0) {
-           reply = alloc_reply_buffer(info, rep.length<<2);
-           if (!reply) {
--- 
-2.10.1
-
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 19b5d31..9d9211f 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -4629,8 +4629,7 @@ cannot be adequately worked around on the client side of the wire.")
 (define-public libxtst
   (package
     (name "libxtst")
-    (replacement libxtst/fixed)
-    (version "1.2.2")
+    (version "1.2.3")
     (source
       (origin
         (method url-fetch)
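Review bot: Removing `(replacement libxtst/fixed)` on the new side drops the graft that carried the CVE-2016-7951/CVE-2016-7952 patch, yet nothing in the log or the package definition records that the 1.2.3 tarball already contains upstream commit 9556ad67af3129ec4a7a4f4b54a0d59701beeae3. Presumably it does, since the patch file is deleted in the same commit, but a later reader has to re-derive that. A log line such as `Version 1.2.3 includes the upstream fix for CVE-2016-7951 and CVE-2016-7952.` would make the security rationale auditable. As far as this diff shows, the new `sha256` in the following hunk is the only integrity anchor for the download, so it is worth confirming it was computed from a tarball whose upstream signature was verified. The `libxtst` definition continues outside this hunk.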
@@ -4640,7 +4639,7 @@ cannot be adequately worked around on the client side of the wire.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1ngn161nq679ffmbwl81i2hn75jjg5b3ffv6n4jilpvyazypy2pg"))))
+            "012jpyj7xfm653a9jcfqbzxyywdmwb2b5wr1dwylx14f3f54jma6"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("recordproto" ,recordproto)
@@ -4665,14 +4664,6 @@ The RECORD extension supports the recording and reporting of all core X
 protocol and arbitrary X extension protocol.")
     (license license:x11)))
 
-(define libxtst/fixed
-  (package
-    (inherit libxtst)
-    (source (origin
-              (inherit (package-source libxtst))
-              (patches (search-patches
-                         "libxtst-CVE-2016-7951-CVE-2016-7952.patch"))))))
-
 (define-public libxv
   (package
     (name "libxv")


