22/22: gnu: libxfont: Fix CVE-2017-13720, CVE-2017-13722.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

22/22: gnu: libxfont: Fix CVE-2017-13720, CVE-2017-13722.

From:	Marius Bakke
Subject:	22/22: gnu: libxfont: Fix CVE-2017-13720, CVE-2017-13722.
Date:	Tue, 10 Oct 2017 13:53:47 -0400 (EDT)

mbakke pushed a commit to branch master
in repository guix.

commit 97ecd75e289d96a8b4f9b1ae877d9d1a2f6774b4
Author: Marius Bakke <address@hidden>
Date:   Tue Oct 10 19:34:02 2017 +0200

    gnu: libxfont: Fix CVE-2017-13720, CVE-2017-13722.
    
    * gnu/packages/patches/libxfont-CVE-2017-13720.patch,
      gnu/packages/patches/libxfont-CVE-2017-13722.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Register them.
    * gnu/packages/xorg.scm (libxfont, libxfont2)[source]: Use them.
---
 gnu/local.mk                                       |  2 +
 gnu/packages/patches/libxfont-CVE-2017-13720.patch | 36 +++++++++++++++
 gnu/packages/patches/libxfont-CVE-2017-13722.patch | 53 ++++++++++++++++++++++
 gnu/packages/xorg.scm                              |  4 ++
 4 files changed, 95 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index 21b4b95..234c92b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -818,6 +818,8 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/libvisio-fix-tests.patch                        \
   %D%/packages/patches/libvpx-CVE-2016-2818.patch              \
   %D%/packages/patches/libxcb-python-3.5-compat.patch          \
+  %D%/packages/patches/libxfont-CVE-2017-13720.patch           \
+  %D%/packages/patches/libxfont-CVE-2017-13722.patch           \
   %D%/packages/patches/libxml2-CVE-2016-4658.patch             \
   %D%/packages/patches/libxml2-CVE-2016-5131.patch             \
   %D%/packages/patches/libxml2-CVE-2017-0663.patch             \
diff --git a/gnu/packages/patches/libxfont-CVE-2017-13720.patch 
b/gnu/packages/patches/libxfont-CVE-2017-13720.patch
new file mode 100644
index 0000000..0936171
--- /dev/null
+++ b/gnu/packages/patches/libxfont-CVE-2017-13720.patch
@@ -0,0 +1,36 @@
+Fix CVE-2017-13720.
+
+Copied from upstream source repository:
+<https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608>
+
+
+From d1e670a4a8704b8708e493ab6155589bcd570608 Mon Sep 17 00:00:00 2001
+From: Michal Srb <address@hidden>
+Date: Thu, 20 Jul 2017 13:38:53 +0200
+Subject: Check for end of string in PatternMatch (CVE-2017-13720)
+
+If a pattern contains '?' character, any character in the string is skipped,
+even if it is '\0'. The rest of the matching then reads invalid memory.
+
+Reviewed-by: Peter Hutterer <address@hidden>
+Signed-off-by: Julien Cristau <address@hidden>
+
+diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
+index 4ce2473..996b7d1 100644
+--- a/src/fontfile/fontdir.c
++++ b/src/fontfile/fontdir.c
+@@ -400,8 +400,10 @@ PatternMatch(char *pat, int patdashes, char *string, int 
stringdashes)
+               }
+           }
+       case '?':
+-          if (*string++ == XK_minus)
++          if ((t = *string++) == XK_minus)
+               stringdashes--;
++          if (!t)
++              return 0;
+           break;
+       case '\0':
+           return (*string == '\0');
+-- 
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/libxfont-CVE-2017-13722.patch 
b/gnu/packages/patches/libxfont-CVE-2017-13722.patch
new file mode 100644
index 0000000..458fdfd
--- /dev/null
+++ b/gnu/packages/patches/libxfont-CVE-2017-13722.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-13722.
+
+Copied from upstream source repository:
+<https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd>
+
+From 672bb944311392e2415b39c0d63b1e1902905bcd Mon Sep 17 00:00:00 2001
+From: Michal Srb <address@hidden>
+Date: Thu, 20 Jul 2017 17:05:23 +0200
+Subject: pcfGetProperties: Check string boundaries (CVE-2017-13722)
+
+Without the checks a malformed PCF file can cause the library to make
+atom from random heap memory that was behind the `strings` buffer.
+This may crash the process or leak information.
+
+Signed-off-by: Julien Cristau <address@hidden>
+
+diff --git a/src/bitmap/pcfread.c b/src/bitmap/pcfread.c
+index dab1c44..ae34c28 100644
+--- a/src/bitmap/pcfread.c
++++ b/src/bitmap/pcfread.c
+@@ -45,6 +45,7 @@ from The Open Group.
+ 
+ #include <stdarg.h>
+ #include <stdint.h>
++#include <string.h>
+ 
+ void
+ pcfError(const char* message, ...)
+@@ -311,11 +312,19 @@ pcfGetProperties(FontInfoPtr pFontInfo, FontFilePtr file,
+     if (IS_EOF(file)) goto Bail;
+     position += string_size;
+     for (i = 0; i < nprops; i++) {
++      if (props[i].name >= string_size) {
++          pcfError("pcfGetProperties(): String starts out of bounds 
(%ld/%d)\n", props[i].name, string_size);
++          goto Bail;
++      }
+       props[i].name = MakeAtom(strings + props[i].name,
+-                               strlen(strings + props[i].name), TRUE);
++                               strnlen(strings + props[i].name, string_size - 
props[i].name), TRUE);
+       if (isStringProp[i]) {
++          if (props[i].value >= string_size) {
++              pcfError("pcfGetProperties(): String starts out of bounds 
(%ld/%d)\n", props[i].value, string_size);
++              goto Bail;
++          }
+           props[i].value = MakeAtom(strings + props[i].value,
+-                                    strlen(strings + props[i].value), TRUE);
++                                    strnlen(strings + props[i].value, 
string_size - props[i].value), TRUE);
+       }
+     }
+     free(strings);
+-- 
+cgit v0.10.2
+
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index c2023de..7511c53 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -4862,6 +4862,8 @@ an X Window System display.")
                "mirror://xorg/individual/lib/libXfont-"
                version
                ".tar.bz2"))
+        (patches (search-patches "libxfont-CVE-2017-13720.patch"
+                                 "libxfont-CVE-2017-13722.patch"))
         (sha256
           (base32
             "0w8d07bkmjiarkx09579bl8zsq903mn8javc7qpi0ix4ink5x502"))))
@@ -4895,6 +4897,8 @@ new API's in libXft, or the legacy API's in libX11.")
               (method url-fetch)
               (uri (string-append "mirror://xorg/individual/lib/libXfont2-"
                                   version ".tar.bz2"))
+              (patches (search-patches "libxfont-CVE-2017-13720.patch"
+                                       "libxfont-CVE-2017-13722.patch"))
               (sha256
                (base32
                 "0znvwk36nhmyqpmhbm9mzisgixp1mp5qkfald8x1n5yxbm3vpyz9"))))))

[Prev in Thread]

Current Thread

[Next in Thread]

11/22: gnu: libpagemaker: Update to 0.0.3., (continued)
- 11/22: gnu: libpagemaker: Update to 0.0.3., Marius Bakke, 2017/10/10
- 14/22: gnu: libmwaw: Update to 0.3.12., Marius Bakke, 2017/10/10
- 18/22: gnu: libreoffice: Don't replace "/bin/sh" reference with bash., Marius Bakke, 2017/10/10
- 03/22: gnu: librevenge: Update to 0.0.4., Marius Bakke, 2017/10/10
- 02/22: gnu: rofi: Update to 1.4.1., Marius Bakke, 2017/10/10
- 20/22: gnu: libnl: Update to 3.4.0., Marius Bakke, 2017/10/10
- 19/22: gnu: sddm: Update to 0.16.0., Marius Bakke, 2017/10/10
- 17/22: gnu: vigra: Update to 1.11.1., Marius Bakke, 2017/10/10
- 12/22: gnu: libvisio: Update to 0.1.5., Marius Bakke, 2017/10/10
- 21/22: gnu: lftp: Update to 4.8.3., Marius Bakke, 2017/10/10
- 22/22: gnu: libxfont: Fix CVE-2017-13720, CVE-2017-13722., Marius Bakke <=

Prev by Date: 21/22: gnu: lftp: Update to 4.8.3.
Next by Date: branch master updated (97ecd75 -> 565e24c)
Previous by thread: 21/22: gnu: lftp: Update to 4.8.3.
Next by thread: branch master updated (97ecd75 -> 565e24c)
Index(es):
- Date
- Thread