diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-01-30 12:46:23 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-02-08 12:00:01 +0000 |
commit | d627e5bd50f66275cb3a77036ea3376a6f1e9a96 (patch) | |
tree | 192cf2332b3f44b59eedc11d55b0a2afdd0008d1 | |
parent | 6d4421301a54c26e390fa943805574ced6e18c3a (diff) | |
download | openembedded-core-d627e5bd50f66275cb3a77036ea3376a6f1e9a96.tar.gz openembedded-core-d627e5bd50f66275cb3a77036ea3376a6f1e9a96.tar.bz2 openembedded-core-d627e5bd50f66275cb3a77036ea3376a6f1e9a96.zip |
libx11: CVE-2016-7943
The XListFonts function in X.org libX11 before 1.6.4 might allow
remote X servers to gain privileges via vectors involving length
fields, which trigger out-of-bounds write operations.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943
https://lists.x.org/archives/xorg-announce/2016-October/002720.html
Upstream patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch | 103 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb | 1 |
2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch new file mode 100644 index 0000000000..50024236d2 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch @@ -0,0 +1,103 @@ +From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann <tobias@stoeckmann.org> +Date: Sun, 25 Sep 2016 21:22:57 +0200 +Subject: The validation of server responses avoids out of boundary accesses. + +v2: FontNames.c return a NULL list whenever a single +length field from the server is incohent. + +CVE: CVE-2016-7943 +Upstream-Status: Backport + +Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> +Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> + +diff --git a/src/FontNames.c b/src/FontNames.c +index 21dcafe..e55f338 100644 +--- a/src/FontNames.c ++++ b/src/FontNames.c +@@ -66,7 +66,7 @@ int *actualCount) /* RETURN */ + + if (rep.nFonts) { + flist = Xmalloc (rep.nFonts * sizeof(char *)); +- if (rep.length < (INT_MAX >> 2)) { ++ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { + rlen = rep.length << 2; + ch = Xmalloc(rlen + 1); + /* +1 to leave room for last null-terminator */ +@@ -93,11 +93,22 @@ int *actualCount) /* RETURN */ + if (ch + length < chend) { + flist[i] = ch + 1; /* skip over length */ + ch += length + 1; /* find next length ... */ +- length = *(unsigned char *)ch; +- *ch = '\0'; /* and replace with null-termination */ +- count++; +- } else +- flist[i] = NULL; ++ if (ch <= chend) { ++ length = *(unsigned char *)ch; ++ *ch = '\0'; /* and replace with null-termination */ ++ count++; ++ } else { ++ Xfree(flist); ++ flist = NULL; ++ count = 0; ++ break; ++ } ++ } else { ++ Xfree(flist); ++ flist = NULL; ++ count = 0; ++ break; ++ } + } + } + *actualCount = count; +diff --git a/src/ListExt.c b/src/ListExt.c +index be6b989..0516e45 100644 +--- a/src/ListExt.c ++++ b/src/ListExt.c +@@ -55,7 +55,7 @@ char **XListExtensions( + + if (rep.nExtensions) { + list = Xmalloc (rep.nExtensions * sizeof (char *)); +- if (rep.length < (INT_MAX >> 2)) { ++ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { + rlen = rep.length << 2; + ch = Xmalloc (rlen + 1); + /* +1 to leave room for last null-terminator */ +@@ -80,9 +80,13 @@ char **XListExtensions( + if (ch + length < chend) { + list[i] = ch+1; /* skip over length */ + ch += length + 1; /* find next length ... */ +- length = *ch; +- *ch = '\0'; /* and replace with null-termination */ +- count++; ++ if (ch <= chend) { ++ length = *ch; ++ *ch = '\0'; /* and replace with null-termination */ ++ count++; ++ } else { ++ list[i] = NULL; ++ } + } else + list[i] = NULL; + } +diff --git a/src/ModMap.c b/src/ModMap.c +index a809aa2..49a5d08 100644 +--- a/src/ModMap.c ++++ b/src/ModMap.c +@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy) + GetEmptyReq(GetModifierMapping, req); + (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); + +- if (rep.length < (INT_MAX >> 2)) { ++ if (rep.length < (INT_MAX >> 2) && ++ (rep.length >> 1) == rep.numKeyPerModifier) { + nbytes = (unsigned long)rep.length << 2; + res = Xmalloc(sizeof (XModifierKeymap)); + if (res) +-- +cgit v0.10.2 + diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb index 152ccd9d4a..23a77891e9 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb @@ -6,6 +6,7 @@ BBCLASSEXTEND = "native nativesdk" SRC_URI += "file://disable_tests.patch \ file://libX11-Add-missing-NULL-check.patch \ file://CVE-2016-7942.patch \ + file://CVE-2016-7943.patch \ " SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0" |