svn commit: r319899 - in head: graphics/libGL graphics/libGL/files security/vuxml x11-drivers/xorg-drivers x11-fonts/libFS x11-toolkits/libXt x11/libX11 x11/libXcursor x11/libXext x11/libXfixes x11...
Niclas Zeising
zeising at FreeBSD.org
Tue Jun 4 19:31:36 UTC 2013
Author: zeising
Date: Tue Jun 4 19:31:29 2013
New Revision: 319899
URL: http://svnweb.freebsd.org/changeset/ports/319899
Log:
Fix security issues in xorg client libraries.
Most libraries were updated to newer versions, in some cases patches
were backported instead.
Most notably, x11/libX11 was updated to 1.6.0
Security: CVE-2013-1981
CVE-2013-1982
CVE-2013-1983
CVE-2013-1984
CVE-2013-1985
CVE-2013-1986
CVE-2013-1987
CVE-2013-1988
CVE-2013-1989
CVE-2013-1990
CVE-2013-1991
CVE-2013-1992
CVE-2013-1993
CVE-2013-1994
CVE-2013-1995
CVE-2013-1996
CVE-2013-1997
CVE-2013-1998
CVE-2013-1999
CVE-2013-2000
CVE-2013-2001
CVE-2013-2002
CVE-2013-2003
CVE-2013-2004
CVE-2013-2005
CVE-2013-2062
CVE-2013-2063
CVE-2013-2064
CVE-2013-2066
Added:
head/graphics/libGL/files/extra-src_glx_XF86dri.c (contents, props changed)
head/graphics/libGL/files/extra-src_glx_x11_XF86dri.c (contents, props changed)
head/x11/libXi/files/patch-src_XGMotion.c (contents, props changed)
head/x11/libXi/files/patch-src_XGetBMap.c (contents, props changed)
head/x11/libXi/files/patch-src_XGetDCtl.c (contents, props changed)
head/x11/libXi/files/patch-src_XGetDProp.c (contents, props changed)
head/x11/libXi/files/patch-src_XGetFCtl.c (contents, props changed)
head/x11/libXi/files/patch-src_XGetProp.c (contents, props changed)
head/x11/libXi/files/patch-src_XIPassiveGrab.c (contents, props changed)
head/x11/libXi/files/patch-src_XIProperties.c (contents, props changed)
head/x11/libXi/files/patch-src_XISelEv.c (contents, props changed)
head/x11/libXi/files/patch-src_XListDev.c (contents, props changed)
head/x11/libXi/files/patch-src_XQueryDv.c (contents, props changed)
head/x11/libXrender/files/
head/x11/libXrender/files/patch-src_Filter.c (contents, props changed)
head/x11/libXrender/files/patch-src_Xrender.c (contents, props changed)
head/x11/libXvMC/files/
head/x11/libXvMC/files/patch-src_XvMC.c (contents, props changed)
Deleted:
head/x11/libXxf86dga/files/patch-src_XF86DGA2.c
Modified:
head/graphics/libGL/Makefile
head/graphics/libGL/bsd.mesalib.mk
head/security/vuxml/vuln.xml
head/x11-drivers/xorg-drivers/Makefile
head/x11-fonts/libFS/Makefile
head/x11-fonts/libFS/distinfo
head/x11-toolkits/libXt/Makefile
head/x11-toolkits/libXt/distinfo
head/x11/libX11/Makefile
head/x11/libX11/distinfo
head/x11/libX11/pkg-plist
head/x11/libXcursor/Makefile
head/x11/libXcursor/distinfo
head/x11/libXext/Makefile
head/x11/libXext/distinfo
head/x11/libXfixes/Makefile
head/x11/libXfixes/distinfo
head/x11/libXi/Makefile
head/x11/libXinerama/Makefile
head/x11/libXinerama/distinfo
head/x11/libXp/Makefile
head/x11/libXp/distinfo
head/x11/libXrandr/Makefile
head/x11/libXrandr/distinfo
head/x11/libXrender/Makefile
head/x11/libXres/Makefile
head/x11/libXres/distinfo
head/x11/libXtst/Makefile
head/x11/libXtst/distinfo
head/x11/libXv/Makefile
head/x11/libXv/distinfo
head/x11/libXv/pkg-plist
head/x11/libXvMC/Makefile
head/x11/libXxf86dga/Makefile
head/x11/libXxf86dga/distinfo
head/x11/libXxf86vm/Makefile
head/x11/libXxf86vm/distinfo
head/x11/libdmx/Makefile
head/x11/libdmx/distinfo
head/x11/libxcb/Makefile
head/x11/libxcb/distinfo
Modified: head/graphics/libGL/Makefile
==============================================================================
--- head/graphics/libGL/Makefile Tue Jun 4 19:13:31 2013 (r319898)
+++ head/graphics/libGL/Makefile Tue Jun 4 19:31:29 2013 (r319899)
@@ -3,13 +3,13 @@
PORTNAME= libGL
PORTVERSION= ${MESAVERSION}
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= graphics
COMMENT= OpenGL library that renders using GLX or DRI
LIB_DEPENDS+= drm:${PORTSDIR}/graphics/libdrm \
- expat.6:${PORTSDIR}/textproc/expat2
+ expat:${PORTSDIR}/textproc/expat2
USES= pkgconfig
USE_XORG= glproto x11 xext xxf86vm xdamage xfixes dri2proto:both
Modified: head/graphics/libGL/bsd.mesalib.mk
==============================================================================
--- head/graphics/libGL/bsd.mesalib.mk Tue Jun 4 19:13:31 2013 (r319898)
+++ head/graphics/libGL/bsd.mesalib.mk Tue Jun 4 19:31:29 2013 (r319899)
@@ -56,14 +56,16 @@ EXTRA_PATCHES+= ${PATCHDIR}/extra-config
${PATCHDIR}/extra-src-glsl_ir_constant_expression.cpp \
${PATCHDIR}/extra-src__gallium__include__pipe__p_config.h \
${PATCHDIR}/extra-src__mesa__drivers__dri__nouveau__nouveau_array.c \
- ${PATCHDIR}/extra-src__mesa__drivers__dri__nouveau__nouveau_render_t.c
+ ${PATCHDIR}/extra-src__mesa__drivers__dri__nouveau__nouveau_render_t.c \
+ ${PATCHDIR}/extra-src_glx_XF86dri.c
.else
EXTRA_PATCHES+= ${PATCHDIR}/extra-configure-old \
${PATCHDIR}/extra-mach64_context.h-old \
${PATCHDIR}/extra-src__mesa__x86-64__glapi_x86-64.S \
${PATCHDIR}/extra-src__mesa__x86-64__xform4.S \
${PATCHDIR}/extra-src__mesa__x86__glapi_x86.S \
- ${PATCHDIR}/extra-src__mesa__x86__read_rgba_span_x86.S
+ ${PATCHDIR}/extra-src__mesa__x86__read_rgba_span_x86.S \
+ ${PATCHDIR}/extra-src_glx_x11_XF86dri.c
CONFIGURE_ARGS+=--disable-glut --disable-glw
.endif
Added: head/graphics/libGL/files/extra-src_glx_XF86dri.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/graphics/libGL/files/extra-src_glx_XF86dri.c Tue Jun 4 19:31:29 2013 (r319899)
@@ -0,0 +1,38 @@
+--- src/glx/XF86dri.c.orig 2012-10-24 19:03:59.000000000 +0000
++++ src/glx/XF86dri.c 2013-05-29 10:07:33.000000000 +0000
+@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
+ #include "xf86dristr.h"
++#include <limits.h>
+
+ static XExtensionInfo _xf86dri_info_data;
+ static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
+@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int
+ }
+
+ if (rep.length) {
+- if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) {
++ if (rep.busIdStringLength < INT_MAX)
++ *busIdString = Xcalloc(rep.busIdStringLength + 1, 1);
++ else
++ *busIdString = NULL;
++ if (*busIdString == NULL) {
+ _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
+ UnlockDisplay(dpy);
+ SyncHandle();
+@@ -300,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy
+ *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
+
+ if (rep.length) {
+- if (!
+- (*clientDriverName =
+- (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) {
++ if (rep.clientDriverNameLength < INT_MAX)
++ *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1);
++ else
++ *clientDriverName = NULL;
++ if (*clientDriverName == NULL) {
+ _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
+ UnlockDisplay(dpy);
+ SyncHandle();
Added: head/graphics/libGL/files/extra-src_glx_x11_XF86dri.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/graphics/libGL/files/extra-src_glx_x11_XF86dri.c Tue Jun 4 19:31:29 2013 (r319899)
@@ -0,0 +1,38 @@
+--- src/glx/x11/XF86dri.c.orig 2009-06-17 18:35:16.000000000 +0000
++++ src/glx/x11/XF86dri.c 2013-05-29 10:09:37.000000000 +0000
+@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
+ #include "xf86dristr.h"
++#include <limits.h>
+
+
+ #if defined(__GNUC__) && (__GNUC__ * 100 + __GNUC_MINOR__) >= 303
+@@ -212,7 +213,11 @@ XF86DRIOpenConnection(Display * dpy, int
+ }
+
+ if (rep.length) {
+- if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) {
++ if (rep.busIdStringLength < INT_MAX)
++ *busIdString = Xcalloc(rep.busIdStringLength + 1, 1);
++ else
++ *busIdString = NULL;
++ if (*busIdString == NULL) {
+ _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
+ UnlockDisplay(dpy);
+ SyncHandle();
+@@ -311,9 +316,11 @@ XF86DRIGetClientDriverName(Display * dpy
+ *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
+
+ if (rep.length) {
+- if (!
+- (*clientDriverName =
+- (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) {
++ if (rep.clientDriverNameLength < INT_MAX)
++ *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1);
++ else
++ *clientDriverName = NULL;
++ if (*clientDriverName == NULL) {
+ _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
+ UnlockDisplay(dpy);
+ SyncHandle();
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Jun 4 19:13:31 2013 (r319898)
+++ head/security/vuxml/vuln.xml Tue Jun 4 19:31:29 2013 (r319899)
@@ -51,6 +51,164 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="2eebebff-cd3b-11e2-8f09-001b38c3836c">
+ <topic>xorg -- protocol handling issues in X Window System client libraries</topic>
+ <affects>
+ <package>
+ <name>libX11</name>
+ <range><lt>1.6.0</lt></range>
+ </package>
+ <package>
+ <name>libXext</name>
+ <range><lt>1.3.2</lt></range>
+ </package>
+ <package>
+ <name>libXfixes</name>
+ <range><lt>5.0.1</lt></range>
+ </package>
+ <package>
+ <name>libXi</name>
+ <range><lt>1.7_1</lt></range>
+ </package>
+ <package>
+ <name>libXinerama</name>
+ <range><lt>1.1.3</lt></range>
+ </package>
+ <package>
+ <name>libXp</name>
+ <range><lt>1.0.2</lt></range>
+ </package>
+ <package>
+ <name>libXrandr</name>
+ <range><lt>1.4.1</lt></range>
+ </package>
+ <package>
+ <name>libXrender</name>
+ <range><lt>0.9.7_1</lt></range>
+ </package>
+ <package>
+ <name>libXres</name>
+ <range><lt>1.0.7</lt></range>
+ </package>
+ <package>
+ <name>libXtst</name>
+ <range><lt>1.2.2</lt></range>
+ </package>
+ <package>
+ <name>libXv</name>
+ <range><lt>1.0.8</lt></range>
+ </package>
+ <package>
+ <name>libXvMC</name>
+ <range><lt>1.0.7_1</lt></range>
+ </package>
+ <package>
+ <name>libXxf86dga</name>
+ <range><lt>1.1.4</lt></range>
+ </package>
+ <package>
+ <name>libdmx</name>
+ <range><lt>1.1.3</lt></range>
+ </package>
+ <package>
+ <name>libxcb</name>
+ <range><lt>1.9.1</lt></range>
+ </package>
+ <package>
+ <name>libGL</name>
+ <range>
+ <lt>7.6.1_4</lt>
+ <gt>7.8.0</gt><lt>8.0.5_4</lt>
+ </range>
+ </package>
+ <package>
+ <name>xf86-video-openchrome</name>
+ <range><lt>0.3.3</lt></range>
+ </package>
+ <package>
+ <name>libFS</name>
+ <range><lt>1.0.5</lt></range>
+ </package>
+ <package>
+ <name>libXxf86vm</name>
+ <range><lt>1.1.3</lt></range>
+ </package>
+ <package>
+ <name>libXt</name>
+ <range><lt>1.1.4</lt></range>
+ </package>
+ <package>
+ <name>libXcursor</name>
+ <range><lt>1.1.14</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>freedesktop.org reports:</p>
+ <blockquote cite="http://www.x.org/wiki/Development/Security/Advisory-2013-05-23">
+ <p>Ilja van Sprundel, a security researcher with IOActive, has
+ discovered a large number of issues in the way various X client
+ libraries handle the responses they receive from servers, and has
+ worked with X.Org's security team to analyze, confirm, and fix
+ these issues.</p>
+ <p>Most of these issues stem from the client libraries trusting the
+ server to send correct protocol data, and not verifying that the
+ values will not overflow or cause other damage. Most of the time X
+ clients & servers are run by the same user, with the server
+ more privileged from the clients, so this is not a problem, but
+ there are scenarios in which a privileged client can be connected
+ to an unprivileged server, for instance, connecting a setuid X
+ client (such as a screen lock program) to a virtual X server (such
+ as Xvfb or Xephyr) which the user has modified to return invalid
+ data, potentially allowing the user to escalate their privileges.</p>
+ <p>The vulnerabilities include:</p>
+ <p>Integer overflows calculating memory needs for replies.</p>
+ <p>Sign extension issues calculating memory needs for replies.</p>
+ <p>Buffer overflows due to not validating length or offset values in
+ replies.</p>
+ <p>Integer overflows parsing user-specified files.</p>
+ <p>Unbounded recursion parsing user-specified files.</p>
+ <p>Memory corruption due to unchecked return values.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-1981</cvename>
+ <cvename>CVE-2013-1982</cvename>
+ <cvename>CVE-2013-1983</cvename>
+ <cvename>CVE-2013-1984</cvename>
+ <cvename>CVE-2013-1985</cvename>
+ <cvename>CVE-2013-1986</cvename>
+ <cvename>CVE-2013-1987</cvename>
+ <cvename>CVE-2013-1988</cvename>
+ <cvename>CVE-2013-1989</cvename>
+ <cvename>CVE-2013-1990</cvename>
+ <cvename>CVE-2013-1991</cvename>
+ <cvename>CVE-2013-1992</cvename>
+ <cvename>CVE-2013-1993</cvename>
+ <cvename>CVE-2013-1994</cvename>
+ <cvename>CVE-2013-1995</cvename>
+ <cvename>CVE-2013-1996</cvename>
+ <cvename>CVE-2013-1997</cvename>
+ <cvename>CVE-2013-1998</cvename>
+ <cvename>CVE-2013-1999</cvename>
+ <cvename>CVE-2013-2000</cvename>
+ <cvename>CVE-2013-2001</cvename>
+ <cvename>CVE-2013-2002</cvename>
+ <cvename>CVE-2013-2003</cvename>
+ <cvename>CVE-2013-2004</cvename>
+ <cvename>CVE-2013-2005</cvename>
+ <cvename>CVE-2013-2062</cvename>
+ <cvename>CVE-2013-2063</cvename>
+ <cvename>CVE-2013-2064</cvename>
+ <cvename>CVE-2013-2066</cvename>
+ </references>
+ <dates>
+ <discovery>2013-05-23</discovery>
+ <entry>2013-06-04</entry>
+ </dates>
+ </vuln>
+
<vuln vid="e3f64457-cccd-11e2-af76-206a8a720317">
<topic>krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]</topic>
<affects>
Modified: head/x11-drivers/xorg-drivers/Makefile
==============================================================================
--- head/x11-drivers/xorg-drivers/Makefile Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11-drivers/xorg-drivers/Makefile Tue Jun 4 19:31:29 2013 (r319899)
@@ -10,8 +10,6 @@ EXTRACT_ONLY= # none
MAINTAINER= x11 at FreeBSD.org
COMMENT= X.org drivers meta-port
-.MAKE.FreeBSD_UL= yes
-
VIDEODIR= ${PREFIX}/lib/xorg/modules/drivers
INPUTDIR= ${PREFIX}/lib/xorg/modules/input
Modified: head/x11-fonts/libFS/Makefile
==============================================================================
--- head/x11-fonts/libFS/Makefile Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11-fonts/libFS/Makefile Tue Jun 4 19:31:29 2013 (r319899)
@@ -1,7 +1,7 @@
# $FreeBSD$
PORTNAME= libFS
-PORTVERSION= 1.0.4
+PORTVERSION= 1.0.5
CATEGORIES= x11-fonts
MAINTAINER= x11 at FreeBSD.org
Modified: head/x11-fonts/libFS/distinfo
==============================================================================
--- head/x11-fonts/libFS/distinfo Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11-fonts/libFS/distinfo Tue Jun 4 19:31:29 2013 (r319899)
@@ -1,2 +1,2 @@
-SHA256 (xorg/lib/libFS-1.0.4.tar.bz2) = 7073761e7594d43180a922605fb64cce60e5ccb8c06f8efa24f2d4621f5e8315
-SIZE (xorg/lib/libFS-1.0.4.tar.bz2) = 291155
+SHA256 (xorg/lib/libFS-1.0.5.tar.bz2) = 22eb3005dd8053aef7ff82758da5dd59ca9738410bcf847e675780e3a1f96107
+SIZE (xorg/lib/libFS-1.0.5.tar.bz2) = 303806
Modified: head/x11-toolkits/libXt/Makefile
==============================================================================
--- head/x11-toolkits/libXt/Makefile Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11-toolkits/libXt/Makefile Tue Jun 4 19:31:29 2013 (r319899)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXt
-PORTVERSION= 1.1.3
+PORTVERSION= 1.1.4
PORTEPOCH= 1
CATEGORIES= x11-toolkits
Modified: head/x11-toolkits/libXt/distinfo
==============================================================================
--- head/x11-toolkits/libXt/distinfo Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11-toolkits/libXt/distinfo Tue Jun 4 19:31:29 2013 (r319899)
@@ -1,2 +1,2 @@
-SHA256 (xorg/lib/libXt-1.1.3.tar.bz2) = 8db593c3fc5ffc4e9cd854ba50af1eac9b90d66521ba17802b8f1e0d2d7f05bd
-SIZE (xorg/lib/libXt-1.1.3.tar.bz2) = 734679
+SHA256 (xorg/lib/libXt-1.1.4.tar.bz2) = 843a97a988f5654872682a4120486d987d853a71651515472f55519ffae2dd57
+SIZE (xorg/lib/libXt-1.1.4.tar.bz2) = 762331
Modified: head/x11/libX11/Makefile
==============================================================================
--- head/x11/libX11/Makefile Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11/libX11/Makefile Tue Jun 4 19:31:29 2013 (r319899)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libX11
-PORTVERSION= 1.5.0
+PORTVERSION= 1.6.0
PORTEPOCH= 1
CATEGORIES= x11
Modified: head/x11/libX11/distinfo
==============================================================================
--- head/x11/libX11/distinfo Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11/libX11/distinfo Tue Jun 4 19:31:29 2013 (r319899)
@@ -1,2 +1,2 @@
-SHA256 (xorg/lib/libX11-1.5.0.tar.bz2) = c382efd7e92bfc3cef39a4b7f1ecf2744ba4414a705e3bc1e697f75502bd4d86
-SIZE (xorg/lib/libX11-1.5.0.tar.bz2) = 2322265
+SHA256 (xorg/lib/libX11-1.6.0.tar.bz2) = 53131412343ec252307fe14903deaf54c356f9414d72d49180c2091dcd7019fa
+SIZE (xorg/lib/libX11-1.6.0.tar.bz2) = 2373718
Modified: head/x11/libX11/pkg-plist
==============================================================================
--- head/x11/libX11/pkg-plist Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11/libX11/pkg-plist Tue Jun 4 19:31:29 2013 (r319899)
@@ -94,15 +94,9 @@ lib/X11/locale/iso8859-9e/XLC_LOCALE
lib/X11/locale/ja.JIS/Compose
lib/X11/locale/ja.JIS/XI18N_OBJS
lib/X11/locale/ja.JIS/XLC_LOCALE
-lib/X11/locale/ja.S90/Compose
-lib/X11/locale/ja.S90/XI18N_OBJS
-lib/X11/locale/ja.S90/XLC_LOCALE
lib/X11/locale/ja.SJIS/Compose
lib/X11/locale/ja.SJIS/XI18N_OBJS
lib/X11/locale/ja.SJIS/XLC_LOCALE
-lib/X11/locale/ja.U90/Compose
-lib/X11/locale/ja.U90/XI18N_OBJS
-lib/X11/locale/ja.U90/XLC_LOCALE
lib/X11/locale/ja/Compose
lib/X11/locale/ja/XI18N_OBJS
lib/X11/locale/ja/XLC_LOCALE
@@ -234,9 +228,7 @@ libdata/pkgconfig/x11.pc
@dirrm lib/X11/locale/ko_KR.UTF-8
@dirrm lib/X11/locale/ko
@dirrm lib/X11/locale/ja_JP.UTF-8
- at dirrm lib/X11/locale/ja.U90
@dirrm lib/X11/locale/ja.SJIS
- at dirrm lib/X11/locale/ja.S90
@dirrm lib/X11/locale/ja.JIS
@dirrm lib/X11/locale/ja
@dirrm lib/X11/locale/iso8859-9e
Modified: head/x11/libXcursor/Makefile
==============================================================================
--- head/x11/libXcursor/Makefile Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11/libXcursor/Makefile Tue Jun 4 19:31:29 2013 (r319899)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXcursor
-PORTVERSION= 1.1.13
+PORTVERSION= 1.1.14
CATEGORIES= x11
MAINTAINER= x11 at FreeBSD.org
Modified: head/x11/libXcursor/distinfo
==============================================================================
--- head/x11/libXcursor/distinfo Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11/libXcursor/distinfo Tue Jun 4 19:31:29 2013 (r319899)
@@ -1,2 +1,2 @@
-SHA256 (xorg/lib/libXcursor-1.1.13.tar.bz2) = f78827de4a1b7ce8cceca24a9ab9d1b1d2f6a61362f505166ffc19b07c0bad8f
-SIZE (xorg/lib/libXcursor-1.1.13.tar.bz2) = 302525
+SHA256 (xorg/lib/libXcursor-1.1.14.tar.bz2) = 9bc6acb21ca14da51bda5bc912c8955bc6e5e433f0ab00c5e8bef842596c33df
+SIZE (xorg/lib/libXcursor-1.1.14.tar.bz2) = 311896
Modified: head/x11/libXext/Makefile
==============================================================================
--- head/x11/libXext/Makefile Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11/libXext/Makefile Tue Jun 4 19:31:29 2013 (r319899)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXext
-PORTVERSION= 1.3.1
+PORTVERSION= 1.3.2
PORTEPOCH= 1
CATEGORIES= x11
Modified: head/x11/libXext/distinfo
==============================================================================
--- head/x11/libXext/distinfo Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11/libXext/distinfo Tue Jun 4 19:31:29 2013 (r319899)
@@ -1,2 +1,2 @@
-SHA256 (xorg/lib/libXext-1.3.1.tar.bz2) = 56229c617eb7bfd6dec40d2805bc4dfb883dfe80f130d99b9a2beb632165e859
-SIZE (xorg/lib/libXext-1.3.1.tar.bz2) = 372728
+SHA256 (xorg/lib/libXext-1.3.2.tar.bz2) = f829075bc646cdc085fa25d98d5885d83b1759ceb355933127c257e8e50432e0
+SIZE (xorg/lib/libXext-1.3.2.tar.bz2) = 378901
Modified: head/x11/libXfixes/Makefile
==============================================================================
--- head/x11/libXfixes/Makefile Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11/libXfixes/Makefile Tue Jun 4 19:31:29 2013 (r319899)
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= libXfixes
-PORTVERSION= 5.0
-PORTREVISION= 2
+PORTVERSION= 5.0.1
CATEGORIES= x11
MAINTAINER= x11 at FreeBSD.org
Modified: head/x11/libXfixes/distinfo
==============================================================================
--- head/x11/libXfixes/distinfo Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11/libXfixes/distinfo Tue Jun 4 19:31:29 2013 (r319899)
@@ -1,2 +1,2 @@
-SHA256 (xorg/lib/libXfixes-5.0.tar.bz2) = 537a2446129242737a35db40081be4bbcc126e56c03bf5f2b142b10a79cda2e3
-SIZE (xorg/lib/libXfixes-5.0.tar.bz2) = 253777
+SHA256 (xorg/lib/libXfixes-5.0.1.tar.bz2) = 63bec085084fa3caaee5180490dd871f1eb2020ba9e9b39a30f93693ffc34767
+SIZE (xorg/lib/libXfixes-5.0.1.tar.bz2) = 291978
Modified: head/x11/libXi/Makefile
==============================================================================
--- head/x11/libXi/Makefile Tue Jun 4 19:13:31 2013 (r319898)
+++ head/x11/libXi/Makefile Tue Jun 4 19:31:29 2013 (r319899)
@@ -3,6 +3,7 @@
PORTNAME= libXi
PORTVERSION= 1.7.1
+PORTREVISION= 1
PORTEPOCH= 1
CATEGORIES= x11
Added: head/x11/libXi/files/patch-src_XGMotion.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11/libXi/files/patch-src_XGMotion.c Tue Jun 4 19:31:29 2013 (r319899)
@@ -0,0 +1,63 @@
+From bb922ed4253b35590f0369f32a917ff89ade0830 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 10 Mar 2013 06:55:23 +0000
+Subject: integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8]
+
+If the number of events or axes reported by the server is large enough
+that it overflows when multiplied by the size of the appropriate struct,
+then memory corruption can occur when more bytes are copied from the
+X server reply than the size of the buffer we allocated to hold them.
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+diff --git a/src/XGMotion.c b/src/XGMotion.c
+index 5feac85..a4c75b6 100644
+--- src/XGMotion.c
++++ src/XGMotion.c
+@@ -59,6 +59,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ XDeviceTimeCoord *
+ XGetDeviceMotionEvents(
+@@ -74,7 +75,7 @@ XGetDeviceMotionEvents(
+ xGetDeviceMotionEventsReply rep;
+ XDeviceTimeCoord *tc;
+ int *data, *bufp, *readp, *savp;
+- long size, size2;
++ unsigned long size;
+ int i, j;
+ XExtDisplayInfo *info = XInput_find_display(dpy);
+
+@@ -104,10 +105,21 @@ XGetDeviceMotionEvents(
+ SyncHandle();
+ return (NULL);
+ }
+- size = rep.length << 2;
+- size2 = rep.nEvents * (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
+- savp = readp = (int *)Xmalloc(size);
+- bufp = (int *)Xmalloc(size2);
++ if (rep.length < (INT_MAX >> 2)) {
++ size = rep.length << 2;
++ savp = readp = Xmalloc(size);
++ } else {
++ size = 0;
++ savp = readp = NULL;
++ }
++ /* rep.axes is a CARD8, so assume max number of axes for bounds check */
++ if (rep.nEvents <
++ (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) {
++ size_t bsize = rep.nEvents *
++ (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
++ bufp = Xmalloc(bsize);
++ } else
++ bufp = NULL;
+ if (!bufp || !savp) {
+ Xfree(bufp);
+ Xfree(savp);
+--
+cgit v0.9.0.2-2-gbebe
Added: head/x11/libXi/files/patch-src_XGetBMap.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11/libXi/files/patch-src_XGetBMap.c Tue Jun 4 19:31:29 2013 (r319899)
@@ -0,0 +1,61 @@
+From f3e08e4fbe40016484ba795feecf1a742170ffc1 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 10 Mar 2013 06:26:52 +0000
+Subject: Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]
+
+We copy the entire reply sent by the server into the fixed size
+mapping[] array on the stack, even if the server says it's a larger
+size than the mapping array can hold. HULK SMASH STACK!
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+diff --git a/src/XGetBMap.c b/src/XGetBMap.c
+index 211c9ca..002daba 100644
+--- src/XGetBMap.c
++++ src/XGetBMap.c
+@@ -60,6 +60,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ #ifdef MIN /* some systems define this in <sys/param.h> */
+ #undef MIN
+@@ -75,7 +76,6 @@ XGetDeviceButtonMapping(
+ {
+ int status = 0;
+ unsigned char mapping[256]; /* known fixed size */
+- long nbytes;
+ XExtDisplayInfo *info = XInput_find_display(dpy);
+
+ register xGetDeviceButtonMappingReq *req;
+@@ -92,13 +92,18 @@ XGetDeviceButtonMapping(
+
+ status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
+ if (status == 1) {
+- nbytes = (long)rep.length << 2;
+- _XRead(dpy, (char *)mapping, nbytes);
+-
+- /* don't return more data than the user asked for. */
+- if (rep.nElts)
+- memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap));
+- status = rep.nElts;
++ if (rep.length <= (sizeof(mapping) >> 2)) {
++ unsigned long nbytes = rep.length << 2;
++ _XRead(dpy, (char *)mapping, nbytes);
++
++ /* don't return more data than the user asked for. */
++ if (rep.nElts)
++ memcpy(map, mapping, MIN((int)rep.nElts, nmap));
++ status = rep.nElts;
++ } else {
++ _XEatDataWords(dpy, rep.length);
++ status = 0;
++ }
+ } else
+ status = 0;
+ UnlockDisplay(dpy);
+--
+cgit v0.9.0.2-2-gbebe
Added: head/x11/libXi/files/patch-src_XGetDCtl.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11/libXi/files/patch-src_XGetDCtl.c Tue Jun 4 19:31:29 2013 (r319899)
@@ -0,0 +1,113 @@
+From b0b13c12a8079a5a0e7f43b2b8983699057b2cec Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 10 Mar 2013 06:55:23 +0000
+Subject: integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8]
+
+If the number of valuators reported by the server is large enough that
+it overflows when multiplied by the size of the appropriate struct, then
+memory corruption can occur when more bytes are copied from the X server
+reply than the size of the buffer we allocated to hold them.
+
+v2: check that reply size fits inside the data read from the server, so
+we don't read out of bounds either
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
+index f73a4e8..51ed0ae 100644
+--- src/XGetDCtl.c
++++ src/XGetDCtl.c
+@@ -61,6 +61,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ XDeviceControl *
+ XGetDeviceControl(
+@@ -68,8 +69,6 @@ XGetDeviceControl(
+ XDevice *dev,
+ int control)
+ {
+- int size = 0;
+- int nbytes, i;
+ XDeviceControl *Device = NULL;
+ XDeviceControl *Sav = NULL;
+ xDeviceState *d = NULL;
+@@ -92,8 +91,12 @@ XGetDeviceControl(
+ goto out;
+
+ if (rep.length > 0) {
+- nbytes = (long)rep.length << 2;
+- d = (xDeviceState *) Xmalloc((unsigned)nbytes);
++ unsigned long nbytes;
++ size_t size = 0;
++ if (rep.length < (INT_MAX >> 2)) {
++ nbytes = (unsigned long) rep.length << 2;
++ d = Xmalloc(nbytes);
++ }
+ if (!d) {
+ _XEatDataWords(dpy, rep.length);
+ goto out;
+@@ -111,33 +114,46 @@ XGetDeviceControl(
+ case DEVICE_RESOLUTION:
+ {
+ xDeviceResolutionState *r;
++ size_t val_size;
+
+ r = (xDeviceResolutionState *) d;
+- size += sizeof(XDeviceResolutionState) +
+- (3 * sizeof(int) * r->num_valuators);
++ if (r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
++ goto out;
++ val_size = 3 * sizeof(int) * r->num_valuators;
++ if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
++ goto out;
++ size += sizeof(XDeviceResolutionState) + val_size;
+ break;
+ }
+ case DEVICE_ABS_CALIB:
+ {
++ if (sizeof(xDeviceAbsCalibState) > nbytes)
++ goto out;
+ size += sizeof(XDeviceAbsCalibState);
+ break;
+ }
+ case DEVICE_ABS_AREA:
+ {
++ if (sizeof(xDeviceAbsAreaState) > nbytes)
++ goto out;
+ size += sizeof(XDeviceAbsAreaState);
+ break;
+ }
+ case DEVICE_CORE:
+ {
++ if (sizeof(xDeviceCoreState) > nbytes)
++ goto out;
+ size += sizeof(XDeviceCoreState);
+ break;
+ }
+ default:
++ if (d->length > nbytes)
++ goto out;
+ size += d->length;
+ break;
+ }
+
+- Device = (XDeviceControl *) Xmalloc((unsigned)size);
++ Device = Xmalloc(size);
+ if (!Device)
+ goto out;
+
+@@ -150,6 +166,7 @@ XGetDeviceControl(
+ int *iptr, *iptr2;
+ xDeviceResolutionState *r;
+ XDeviceResolutionState *R;
++ unsigned int i;
+
+ r = (xDeviceResolutionState *) d;
+ R = (XDeviceResolutionState *) Device;
+--
+cgit v0.9.0.2-2-gbebe
Added: head/x11/libXi/files/patch-src_XGetDProp.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11/libXi/files/patch-src_XGetDProp.c Tue Jun 4 19:31:29 2013 (r319899)
@@ -0,0 +1,126 @@
+From 17071c1c608247800b2ca03a35b1fcc9c4cabe6c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 10 Mar 2013 20:30:55 +0000
+Subject: Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8]
+
+If the number of items as reported by the Xserver is too large, it
+could overflow the calculation for the size of the buffer to copy the
+reply into, causing memory corruption.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+--- src/XGetDProp.c.orig 2010-09-07 05:21:05.000000000 +0000
++++ src/XGetDProp.c 2013-05-29 16:46:04.000000000 +0000
+@@ -38,6 +38,7 @@ in this Software without prior written a
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ int
+ XGetDeviceProperty(Display* dpy, XDevice* dev,
+@@ -48,7 +49,8 @@ XGetDeviceProperty(Display* dpy, XDevice
+ {
+ xGetDevicePropertyReq *req;
+ xGetDevicePropertyReply rep;
+- long nbytes, rbytes;
++ unsigned long nbytes, rbytes;
++ int ret = Success;
+
+ XExtDisplayInfo *info = XInput_find_display(dpy);
+
+@@ -81,30 +83,43 @@ XGetDeviceProperty(Display* dpy, XDevice
+ * data, but this last byte is null terminated and convenient for
+ * returning string properties, so the client doesn't then have to
+ * recopy the string to make it null terminated.
++ *
++ * Maximum item limits are set to both prevent integer overflow when
++ * calculating the amount of memory to malloc, and to limit how much
++ * memory will be used if a server provides an insanely high count.
+ */
+ switch (rep.format) {
+ case 8:
+- nbytes = rep.nItems;
+- rbytes = rep.nItems + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+- _XReadPad (dpy, (char *) *prop, nbytes);
++ if (rep.nItems < INT_MAX) {
++ nbytes = rep.nItems;
++ rbytes = rep.nItems + 1;
++ if ((*prop = Xmalloc (rbytes)))
++ _XReadPad (dpy, (char *) *prop, nbytes);
++ else
++ ret = BadAlloc;
++ }
+ break;
+
+ case 16:
+- nbytes = rep.nItems << 1;
+- rbytes = rep.nItems * sizeof (short) + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+- _XRead16Pad (dpy, (short *) *prop, nbytes);
++ if (rep.nItems < (INT_MAX / sizeof (short))) {
++ nbytes = rep.nItems << 1;
++ rbytes = rep.nItems * sizeof (short) + 1;
++ if ((*prop = Xmalloc (rbytes)))
++ _XRead16Pad (dpy, (short *) *prop, nbytes);
++ else
++ ret = BadAlloc;
++ }
+ break;
+
+ case 32:
+- nbytes = rep.nItems << 2;
+- rbytes = rep.nItems * sizeof (long) + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+- _XRead32 (dpy, (long *) *prop, nbytes);
++ if (rep.nItems < (INT_MAX / sizeof (long))) {
++ nbytes = rep.nItems << 2;
++ rbytes = rep.nItems * sizeof (long) + 1;
++ if ((*prop = Xmalloc (rbytes)))
++ _XRead32 (dpy, (long *) *prop, nbytes);
++ else
++ ret = BadAlloc;
++ }
+ break;
+
+ default:
+@@ -112,17 +127,13 @@ XGetDeviceProperty(Display* dpy, XDevice
+ * This part of the code should never be reached. If it is,
+ * the server sent back a property with an invalid format.
+ */
+- nbytes = rep.length << 2;
+- _XEatData(dpy, (unsigned long) nbytes);
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return(BadImplementation);
++ ret = BadImplementation;
+ }
+ if (! *prop) {
+- _XEatData(dpy, (unsigned long) nbytes);
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return(BadAlloc);
++ _XEatDataWords(dpy, rep.length);
++ if (ret == Success)
++ ret = BadAlloc;
++ goto out;
+ }
+ (*prop)[rbytes - 1] = '\0';
+ }
+@@ -131,9 +142,10 @@ XGetDeviceProperty(Display* dpy, XDevice
+ *actual_format = rep.format;
+ *nitems = rep.nItems;
+ *bytes_after = rep.bytesAfter;
++ out:
+ UnlockDisplay (dpy);
+ SyncHandle ();
+
+- return Success;
++ return ret;
+ }
+
Added: head/x11/libXi/files/patch-src_XGetFCtl.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11/libXi/files/patch-src_XGetFCtl.c Tue Jun 4 19:31:29 2013 (r319899)
@@ -0,0 +1,94 @@
+From 322ee3576789380222d4403366e4fd12fb24cb6a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 10 Mar 2013 06:55:23 +0000
+Subject: integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]
+
+If the number of feedbacks reported by the server is large enough that
+it overflows when multiplied by the size of the appropriate struct, or
+if the total size of all the feedback structures overflows when added
+together, then memory corruption can occur when more bytes are copied from
+the X server reply than the size of the buffer we allocated to hold them.
+
+v2: check that reply size fits inside the data read from the server, so
+ we don't read out of bounds either
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
+index 28fab4d..bb50bf3 100644
+--- src/XGetFCtl.c
++++ src/XGetFCtl.c
+@@ -61,6 +61,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ XFeedbackState *
+ XGetFeedbackControl(
+@@ -68,8 +69,6 @@ XGetFeedbackControl(
+ XDevice *dev,
+ int *num_feedbacks)
+ {
+- int size = 0;
+- int nbytes, i;
+ XFeedbackState *Feedback = NULL;
+ XFeedbackState *Sav = NULL;
+ xFeedbackState *f = NULL;
+@@ -91,9 +90,16 @@ XGetFeedbackControl(
+ goto out;
+
+ if (rep.length > 0) {
++ unsigned long nbytes;
++ size_t size = 0;
++ int i;
++
+ *num_feedbacks = rep.num_feedbacks;
+- nbytes = (long)rep.length << 2;
+- f = (xFeedbackState *) Xmalloc((unsigned)nbytes);
++
++ if (rep.length < (INT_MAX >> 2)) {
++ nbytes = rep.length << 2;
++ f = Xmalloc(nbytes);
++ }
+ if (!f) {
+ _XEatDataWords(dpy, rep.length);
+ goto out;
+@@ -102,6 +108,10 @@ XGetFeedbackControl(
+ _XRead(dpy, (char *)f, nbytes);
+
+ for (i = 0; i < *num_feedbacks; i++) {
++ if (f->length > nbytes)
++ goto out;
++ nbytes -= f->length;
++
+ switch (f->class) {
+ case KbdFeedbackClass:
+ size += sizeof(XKbdFeedbackState);
+@@ -116,6 +126,8 @@ XGetFeedbackControl(
+ {
+ xStringFeedbackState *strf = (xStringFeedbackState *) f;
+
++ if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym)))
++ goto out;
+ size += sizeof(XStringFeedbackState) +
+ (strf->num_syms_supported * sizeof(KeySym));
+ }
+@@ -130,10 +142,12 @@ XGetFeedbackControl(
+ size += f->length;
+ break;
+ }
++ if (size > INT_MAX)
++ goto out;
+ f = (xFeedbackState *) ((char *)f + f->length);
+ }
+
+- Feedback = (XFeedbackState *) Xmalloc((unsigned)size);
++ Feedback = Xmalloc(size);
+ if (!Feedback)
+ goto out;
+
+--
+cgit v0.9.0.2-2-gbebe
Added: head/x11/libXi/files/patch-src_XGetProp.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11/libXi/files/patch-src_XGetProp.c Tue Jun 4 19:31:29 2013 (r319899)
@@ -0,0 +1,53 @@
+From 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 10 Mar 2013 06:55:23 +0000
+Subject: integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]
+
+If the number of event classes reported by the server is large enough
+that it overflows when multiplied by the size of the appropriate struct,
+then memory corruption can occur when more bytes are copied from the
+X server reply than the size of the buffer we allocated to hold them.
+
+V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+(limited to 'src/XGetProp.c')
+
+--- src/XGetProp.c.orig 2011-12-20 00:28:44.000000000 +0000
++++ src/XGetProp.c 2013-05-29 16:49:01.000000000 +0000
+@@ -60,6 +60,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ XEventClass *
+ XGetDeviceDontPropagateList(
+@@ -89,11 +90,11 @@ XGetDeviceDontPropagateList(
+ }
+ *count = rep.count;
+
+- if (*count) {
+- rlen = rep.length << 2;
+- list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass));
++ if (rep.length != 0) {
++ if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass))))
++ list = Xmalloc(rep.length * sizeof(XEventClass));
+ if (list) {
+- int i;
++ unsigned int i;
+ CARD32 ec;
+
+ /* read and assign each XEventClass separately because
+@@ -105,7 +106,7 @@ XGetDeviceDontPropagateList(
+ list[i] = (XEventClass) ec;
+ }
+ } else
+- _XEatData(dpy, (unsigned long)rlen);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay(dpy);
Added: head/x11/libXi/files/patch-src_XIPassiveGrab.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11/libXi/files/patch-src_XIPassiveGrab.c Tue Jun 4 19:31:29 2013 (r319899)
@@ -0,0 +1,27 @@
+From 91434737f592e8f5cc1762383882a582b55fc03a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 10 Mar 2013 07:37:23 +0000
+Subject: memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]
+
+If the server returned more modifiers than the caller asked for,
+we'd just keep copying past the end of the array provided by the
+caller, writing over who-knows-what happened to be there.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c
+index ac17c01..53b4084 100644
+--- src/XIPassiveGrab.c
++++ src/XIPassiveGrab.c
+@@ -88,7 +88,7 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail,
+ return -1;
+ _XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo));
+
+- for (i = 0; i < reply.num_modifiers; i++)
++ for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++)
+ {
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-ports-head
mailing list