From 87ffd7ce2e8ece8b44ff3f1c219a74b3590cf14b Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 27 Jan 2017 08:26:12 +0100 Subject: libxrender: CVE-2016-7949 Insufficient validation of server responses results in overflow of previously reserved memory Upstream patch: https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4 External References: https://lists.x.org/archives/xorg-announce/2016-October/002720.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7949 Signed-off-by: Sona Sarmadi --- .../xorg-lib/libxrender/CVE-2016-7949.patch | 59 ++++++++++++++++++++++ meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb | 3 ++ 2 files changed, 62 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch diff --git a/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch b/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch new file mode 100644 index 0000000000..73315b1084 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch @@ -0,0 +1,59 @@ +From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 25 Sep 2016 21:43:09 +0200 +Subject: Validate lengths while parsing server data. + +Individual lengths inside received server data can overflow +the previously reserved memory. + +It is therefore important to validate every single length +field to not overflow the previously agreed sum of all invidual +length fields. + +v2: consume remaining bytes in the reply buffer on error. + +CVE: CVE-2016-7949 +Upstream-Status: Backport + +Signed-off-by: Tobias Stoeckmann +Reviewed-by: Matthieu Herrb@laas.fr +Signed-off-by: Sona Sarmadi + +diff --git a/src/Xrender.c b/src/Xrender.c +index 3102eb2..71cf3e6 100644 +--- a/src/Xrender.c ++++ b/src/Xrender.c +@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy) + screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); + screen->subpixel = SubPixelUnknown; + xDepth = (xPictDepth *) (xScreen + 1); ++ if (screen->ndepths > rep.numDepths) { ++ Xfree (xri); ++ Xfree (xData); ++ _XEatDataWords (dpy, rep.length); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return 0; ++ } ++ rep.numDepths -= screen->ndepths; + for (nd = 0; nd < screen->ndepths; nd++) + { + depth->depth = xDepth->depth; + depth->nvisuals = xDepth->nPictVisuals; + depth->visuals = visual; + xVisual = (xPictVisual *) (xDepth + 1); ++ if (depth->nvisuals > rep.numVisuals) { ++ Xfree (xri); ++ Xfree (xData); ++ _XEatDataWords (dpy, rep.length); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return 0; ++ } ++ rep.numVisuals -= depth->nvisuals; + for (nv = 0; nv < depth->nvisuals; nv++) + { + visual->visual = _XRenderFindVisual (dpy, xVisual->visual); +-- +cgit v0.10.2 + diff --git a/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb b/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb index 44cb2e0ebb..eac367906c 100644 --- a/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb +++ b/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb @@ -19,5 +19,8 @@ XORG_PN = "libXrender" BBCLASSEXTEND = "native nativesdk" +SRC_URI += "file://CVE-2016-7949.patch \ + " + SRC_URI[md5sum] = "5db92962b124ca3a8147daae4adbd622" SRC_URI[sha256sum] = "fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a" -- cgit v1.2.3