08/09: gnu: libxv: Update to 1.0.11.
From: |
Leo Famulari |
Subject: |
08/09: gnu: libxv: Update to 1.0.11. |
Date: |
Wed, 5 Oct 2016 23:43:00 +0000 (UTC) |
lfam pushed a commit to branch core-updates
in repository guix.
commit 62ad505603c291d5a19da2c29b9176e2a1c28bdb
Author: Leo Famulari <address@hidden>
Date: Wed Oct 5 19:32:04 2016 -0400
gnu: libxv: Update to 1.0.11.
* gnu/packages/xorg.scm (libxv): Update to 1.0.11.
[replacement]: Remove field.
(libxv/fixed): Remove variable.
* gnu/packages/patches/libxv-CVE-2016-5407.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
gnu/local.mk | 1 -
gnu/packages/patches/libxv-CVE-2016-5407.patch | 162 ------------------------
gnu/packages/xorg.scm | 13 +-
3 files changed, 2 insertions(+), 174 deletions(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 34c9533..578693f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -668,7 +668,6 @@ dist_patch_DATA = \
%D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
%D%/packages/patches/libwmf-CVE-2015-4695.patch \
%D%/packages/patches/libwmf-CVE-2015-4696.patch \
- %D%/packages/patches/libxv-CVE-2016-5407.patch \
%D%/packages/patches/libxvmc-CVE-2016-7953.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
%D%/packages/patches/linux-pam-no-setfsuid.patch \
diff --git a/gnu/packages/patches/libxv-CVE-2016-5407.patch b/gnu/packages/patches/libxv-CVE-2016-5407.patch
deleted file mode 100644
index e6a76c9..0000000
--- a/gnu/packages/patches/libxv-CVE-2016-5407.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-Fix CVE-2016-5407:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17
-
-From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <address@hidden>
-Date: Sun, 25 Sep 2016 21:30:03 +0200
-Subject: [PATCH] Protocol handling issues in libXv - CVE-2016-5407
-
-The Xv query functions for adaptors and encodings suffer from out of
-boundary accesses if a hostile X server sends a maliciously crafted
-response.
-
-A previous fix already checks the received length against fixed values
-but ignores additional length specifications which are stored inside
-the received data.
-
-These lengths are accessed in a for-loop. The easiest way to guarantee
-a correct processing is by validating all lengths against the
-remaining size left before accessing referenced memory.
-
-This makes the previously applied check obsolete, therefore I removed
-it.
-
-Signed-off-by: Tobias Stoeckmann <address@hidden>
-Reviewed-by: Matthieu Herrb <address@hidden>
----
- src/Xv.c | 46 +++++++++++++++++++++++++++++-----------------
- 1 file changed, 29 insertions(+), 17 deletions(-)
-
-diff --git a/src/Xv.c b/src/Xv.c
-index e47093a..be450c4 100644
---- a/src/Xv.c
-+++ b/src/Xv.c
-@@ -158,6 +158,7 @@ XvQueryAdaptors(
- size_t size;
- unsigned int ii, jj;
- char *name;
-+ char *end;
- XvAdaptorInfo *pas = NULL, *pa;
- XvFormat *pfs, *pf;
- char *buffer = NULL;
-@@ -197,17 +198,13 @@ XvQueryAdaptors(
- /* GET INPUT ADAPTORS */
-
- if (rep.num_adaptors == 0) {
-- /* If there's no adaptors, there's nothing more to do. */
-+ /* If there are no adaptors, there's nothing more to do. */
- status = Success;
- goto out;
- }
-
-- if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) {
-- /* If there's not enough data for the number of adaptors,
-- then we have a problem. */
-- status = XvBadReply;
-- goto out;
-- }
-+ u.buffer = buffer;
-+ end = buffer + size;
-
- size = rep.num_adaptors * sizeof(XvAdaptorInfo);
- if ((pas = Xmalloc(size)) == NULL) {
-@@ -225,9 +222,12 @@ XvQueryAdaptors(
- pa++;
- }
-
-- u.buffer = buffer;
- pa = pas;
- for (ii = 0; ii < rep.num_adaptors; ii++) {
-+ if (u.buffer + sz_xvAdaptorInfo > end) {
-+ status = XvBadReply;
-+ goto out;
-+ }
- pa->type = u.pa->type;
- pa->base_id = u.pa->base_id;
- pa->num_ports = u.pa->num_ports;
-@@ -239,6 +239,10 @@ XvQueryAdaptors(
- size = u.pa->name_size;
- u.buffer += pad_to_int32(sz_xvAdaptorInfo);
-
-+ if (u.buffer + size > end) {
-+ status = XvBadReply;
-+ goto out;
-+ }
- if ((name = Xmalloc(size + 1)) == NULL) {
- status = XvBadAlloc;
- goto out;
-@@ -259,6 +263,11 @@ XvQueryAdaptors(
-
- pf = pfs;
- for (jj = 0; jj < pa->num_formats; jj++) {
-+ if (u.buffer + sz_xvFormat > end) {
-+ Xfree(pfs);
-+ status = XvBadReply;
-+ goto out;
-+ }
- pf->depth = u.pf->depth;
- pf->visual_id = u.pf->visual;
- pf++;
-@@ -327,6 +336,7 @@ XvQueryEncodings(
- size_t size;
- unsigned int jj;
- char *name;
-+ char *end;
- XvEncodingInfo *pes = NULL, *pe;
- char *buffer = NULL;
- union {
-@@ -364,17 +374,13 @@ XvQueryEncodings(
- /* GET ENCODINGS */
-
- if (rep.num_encodings == 0) {
-- /* If there's no encodings, there's nothing more to do. */
-+ /* If there are no encodings, there's nothing more to do. */
- status = Success;
- goto out;
- }
-
-- if (size < (rep.num_encodings * sz_xvEncodingInfo)) {
-- /* If there's not enough data for the number of adaptors,
-- then we have a problem. */
-- status = XvBadReply;
-- goto out;
-- }
-+ u.buffer = buffer;
-+ end = buffer + size;
-
- size = rep.num_encodings * sizeof(XvEncodingInfo);
- if ((pes = Xmalloc(size)) == NULL) {
-@@ -391,10 +397,12 @@ XvQueryEncodings(
- pe++;
- }
-
-- u.buffer = buffer;
--
- pe = pes;
- for (jj = 0; jj < rep.num_encodings; jj++) {
-+ if (u.buffer + sz_xvEncodingInfo > end) {
-+ status = XvBadReply;
-+ goto out;
-+ }
- pe->encoding_id = u.pe->encoding;
- pe->width = u.pe->width;
- pe->height = u.pe->height;
-@@ -405,6 +413,10 @@ XvQueryEncodings(
- size = u.pe->name_size;
- u.buffer += pad_to_int32(sz_xvEncodingInfo);
-
-+ if (u.buffer + size > end) {
-+ status = XvBadReply;
-+ goto out;
-+ }
- if ((name = Xmalloc(size + 1)) == NULL) {
- status = XvBadAlloc;
- goto out;
---
-2.10.1
-
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 9d9211f..3793c2b 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -4667,8 +4667,7 @@ protocol and arbitrary X extension protocol.")
(define-public libxv
(package
(name "libxv")
- (replacement libxv/fixed)
- (version "1.0.10")
+ (version "1.0.11")
(source
(origin
(method url-fetch)
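Review bot: Dropping `(replacement libxv/fixed)` together with the version bump removes the graft that carried the CVE-2016-5407 bounds checks, yet neither this hunk nor the log states that the 1.0.11 tarball contains upstream commit d9da580b46a28ab497de2e94fdc7b9ff953dab17. That is presumably the case, but it is worth confirming against the unpacked source (the `u.buffer + size > end` checks in src/Xv.c) before the patch file is deleted. A log line such as `The fix for CVE-2016-5407 is included in this release.` would record it for anyone auditing the history later. The libxv definition continues past the end of this hunk.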
@@ -4678,7 +4677,7 @@ protocol and arbitrary X extension protocol.")
".tar.bz2"))
(sha256
(base32
- "09a5j6bisysiipd0nw6s352565bp0n6gbyhv5hp63s3cd3w95zjm"))))
+ "125hn06bd3d8y97hm2pbf5j55gg4r2hpd3ifad651i4sr7m16v6j"))))
(build-system gnu-build-system)
(propagated-inputs
`(("videoproto" ,videoproto)))
@@ -4693,14 +4692,6 @@ protocol and arbitrary X extension protocol.")
(description "Library for the X Video Extension to the X11 protocol.")
(license license:x11)))
-(define libxv/fixed
- (package
- (inherit libxv)
- (source (origin
- (inherit (package-source libxv))
- (patches (search-patches
- "libxv-CVE-2016-5407.patch"))))))
-
(define-public mkfontdir
(package
(name "mkfontdir")