Bug#852947: jessie-pu: package libx11/2:1.6.2-3+deb8u1

2017-11-16 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2017-01-28 at 13:51 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2017-01-28 at 14:29 +0100, Julien Cristau wrote:
> > +libx11 (2:1.6.2-3+deb8u1) jessie; urgency=medium
> > +
> > +  * Insufficient validation of data from the X server can cause
> > out of
> > +boundary memory read (XGetImage()) or write (XListFonts()).
> > +Addresses CVE-2016-7942 and CVE-2016-7943.
> 
> Please go ahead.
> 

Uploaded and flagged for acceptance.

Regards,

Adam



Bug#852947: jessie-pu: package libx11/2:1.6.2-3+deb8u1

2017-06-26 Thread Cyril Brulebois
Hi Julien and debian-x@,

Adam D. Barratt  (2017-01-28):
> Control: tags -1 + confirmed
> 
> On Sat, 2017-01-28 at 14:29 +0100, Julien Cristau wrote:
> > +libx11 (2:1.6.2-3+deb8u1) jessie; urgency=medium
> > +
> > +  * Insufficient validation of data from the X server can cause out of
> > +boundary memory read (XGetImage()) or write (XListFonts()).
> > +Addresses CVE-2016-7942 and CVE-2016-7943.
> 
> Please go ahead.

This update doesn't seem to have reached jessie-new?


KiBi.




Bug#852947: jessie-pu: package libx11/2:1.6.2-3+deb8u1

2017-01-28 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2017-01-28 at 14:29 +0100, Julien Cristau wrote:
> +libx11 (2:1.6.2-3+deb8u1) jessie; urgency=medium
> +
> +  * Insufficient validation of data from the X server can cause out of
> +boundary memory read (XGetImage()) or write (XListFonts()).
> +Addresses CVE-2016-7942 and CVE-2016-7943.

Please go ahead.

Regards,

Adam



Bug#852947: jessie-pu: package libx11/2:1.6.2-3+deb8u1

2017-01-28 Thread Julien Cristau
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is a bunch of CVE fixes, already in wheezy-lts and sid.

Cheers,
Julien

diff -u libx11-1.6.2/debian/changelog libx11-1.6.2/debian/changelog
--- libx11-1.6.2/debian/changelog
+++ libx11-1.6.2/debian/changelog
@@ -1,3 +1,11 @@
+libx11 (2:1.6.2-3+deb8u1) jessie; urgency=medium
+
+  * Insufficient validation of data from the X server can cause out of
+boundary memory read (XGetImage()) or write (XListFonts()).
+Addresses CVE-2016-7942 and CVE-2016-7943.
+
+ -- Julien Cristau   Sat, 28 Jan 2017 14:01:35 +0100
+
 libx11 (2:1.6.2-3) unstable; urgency=medium
 
   [ Julien Cristau ]
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/FontNames.c
+++ libx11-1.6.2/src/FontNames.c
@@ -43,6 +43,7 @@
 register int length;
 char **flist = NULL;
 char *ch = NULL;
+char *chstart;
 char *chend;
 int count = 0;
 xListFontsReply rep;
@@ -66,7 +67,7 @@
 
 if (rep.nFonts) {
flist = Xmalloc (rep.nFonts * sizeof(char *));
-   if (rep.length < (INT_MAX >> 2)) {
+   if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
rlen = rep.length << 2;
ch = Xmalloc(rlen + 1);
/* +1 to leave room for last null-terminator */
@@ -86,6 +87,7 @@
/*
 * unpack into null terminated strings.
 */
+   chstart = ch;
chend = ch + (rlen + 1);
length = *(unsigned char *)ch;
*ch = 1; /* make sure it is non-zero for XFreeFontNames */
@@ -93,11 +95,24 @@
if (ch + length < chend) {
flist[i] = ch + 1;  /* skip over length */
ch += length + 1;  /* find next length ... */
-   length = *(unsigned char *)ch;
-   *ch = '\0';  /* and replace with null-termination */
-   count++;
-   } else
-   flist[i] = NULL;
+   if (ch <= chend) {
+   length = *(unsigned char *)ch;
+   *ch = '\0';  /* and replace with null-termination */
+   count++;
+   } else {
+Xfree(chstart);
+Xfree(flist);
+flist = NULL;
+count = 0;
+break;
+   }
+   } else {
+Xfree(chstart);
+Xfree(flist);
+flist = NULL;
+count = 0;
+break;
+}
}
 }
 *actualCount = count;
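Review bot: The added inner test `if (ch <= chend)` can never fail, and it still allows a one-byte overrun. The outer condition `ch + length < chend` already guarantees `ch + length + 1 <= chend`, and `chend` is set to `ch + (rlen + 1)`, which is one past the end of the `Xmalloc(rlen + 1)` buffer shown in the earlier hunk. When `ch` lands exactly on `chend`, `length = *(unsigned char *)ch` reads and `*ch = '\0'` writes the byte just beyond that allocation. Making the comparison strict, `if (ch < chend) {`, sends that case through the existing cleanup branch; the two identical cleanup branches could then be merged. The loop header and the rest of the function lie outside this hunk.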
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/GetImage.c
+++ libx11-1.6.2/src/GetImage.c
@@ -59,6 +59,7 @@
char *data;
unsigned long nbytes;
XImage *image;
+   int planes;
LockDisplay(dpy);
GetReq (GetImage, req);
/*
@@ -91,18 +92,28 @@
return (XImage *) NULL;
}
 _XReadPad (dpy, data, nbytes);
-if (format == XYPixmap)
-  image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
- Ones (plane_mask &
-   (((unsigned long)0x) >> (32 - rep.depth))),
- format, 0, data, width, height, dpy->bitmap_pad, 0);
-   else /* format == ZPixmap */
-   image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
-rep.depth, ZPixmap, 0, data, width, height,
- _XGetScanlinePad(dpy, (int) rep.depth), 0);
+if (format == XYPixmap) {
+   image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+   Ones (plane_mask &
+   (((unsigned long)0x) >> (32 - rep.depth))),
+   format, 0, data, width, height, dpy->bitmap_pad, 0);
+   planes = image->depth;
+   } else { /* format == ZPixmap */
+image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+   rep.depth, ZPixmap, 0, data, width, height,
+   _XGetScanlinePad(dpy, (int) rep.depth), 0);
+   planes = 1;
+   }
 
if (!image)
Xfree(data);
+   if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
+   INT_MAX / image->height <= image->bytes_per_line ||
+   INT_MAX / planes <= image->height * image->bytes_per_line ||
+   nbytes < planes * image->height * image->bytes_per_line) {
+   XDestroyImage(image);
+   image = NULL;
+   }
UnlockDisplay(dpy);
SyncHandle();
return (image);
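Review bot: `image` is dereferenced on both sides of the only NULL test in this hunk. `planes = image->depth;` in the XYPixmap branch runs straight after XCreateImage(), and the new size check reads `image->height` and `image->bytes_per_line` even when `if (!image) Xfree(data);` has just fired. If XCreateImage() returns NULL, both are NULL-pointer dereferences, and the failing check would also pass NULL to XDestroyImage(). Computing `planes` and running the validation only on the non-NULL path avoids this, as sketched below. The function begins before this hunk, so how `nbytes` and `data` are set up is not visible here.

```c
	/* … unchanged: the two XCreateImage() calls, minus the planes assignments … */
	if (!image) {
	    Xfree(data);
	} else {
	    planes = (format == XYPixmap) ? image->depth : 1;
	    /* … unchanged: the planes/height/bytes_per_line size check and XDestroyImage() … */
	}
```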
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/ListExt.c
+++ libx11-1.6.2/src/ListExt.c
@@ -55,7 +55,7 @@
 
if (rep.nExtensions) {
list = Xmalloc (rep.nExtensions * sizeof (char *));
-   if (rep.length < (INT_MAX >> 2)) {
+   if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
rlen = rep.length << 2;
ch = Xmalloc (rlen + 1);
 /* +1 to leave room for last