nixo
/
guix-devel
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

gnu: libxv: Update to 1.0.11. 

* gnu/packages/xorg.scm (libxv): Update to 1.0.11.
[replacement]: Remove field.
(libxv/fixed): Remove variable.
* gnu/packages/patches/libxv-CVE-2016-5407.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
master
Leo Famulari 2016-10-05 19:32:04 -04:00
parent 82e6a4341b
commit 62ad505603
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
3 changed files with 2 additions and 174 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
gnu/local.mk
View File

@ -668,7 +668,6 @@ dist_patch_DATA = \
%D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
%D%/packages/patches/libwmf-CVE-2015-4695.patch \
%D%/packages/patches/libwmf-CVE-2015-4696.patch \
%D%/packages/patches/libxv-CVE-2016-5407.patch \
%D%/packages/patches/libxvmc-CVE-2016-7953.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
%D%/packages/patches/linux-pam-no-setfsuid.patch \

162
gnu/packages/patches/libxv-CVE-2016-5407.patch
View File

@ -1,162 +0,0 @@
Fix CVE-2016-5407:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407
Patch copied from upstream source repository:
https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17
From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 25 Sep 2016 21:30:03 +0200
Subject: [PATCH] Protocol handling issues in libXv - CVE-2016-5407
The Xv query functions for adaptors and encodings suffer from out of
boundary accesses if a hostile X server sends a maliciously crafted
response.
A previous fix already checks the received length against fixed values
but ignores additional length specifications which are stored inside
the received data.
These lengths are accessed in a for-loop. The easiest way to guarantee
a correct processing is by validating all lengths against the
remaining size left before accessing referenced memory.
This makes the previously applied check obsolete, therefore I removed
it.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
---
src/Xv.c | 46 +++++++++++++++++++++++++++++-----------------
1 file changed, 29 insertions(+), 17 deletions(-)
diff --git a/src/Xv.c b/src/Xv.c
index e47093a..be450c4 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -158,6 +158,7 @@ XvQueryAdaptors(
size_t size;
unsigned int ii, jj;
char *name;
+ char *end;
XvAdaptorInfo *pas = NULL, *pa;
XvFormat *pfs, *pf;
char *buffer = NULL;
@@ -197,17 +198,13 @@ XvQueryAdaptors(
/* GET INPUT ADAPTORS */
if (rep.num_adaptors == 0) {
- /* If there's no adaptors, there's nothing more to do. */
+ /* If there are no adaptors, there's nothing more to do. */
status = Success;
goto out;
}
- if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) {
- /* If there's not enough data for the number of adaptors,
- then we have a problem. */
- status = XvBadReply;
- goto out;
- }
+ u.buffer = buffer;
+ end = buffer + size;
size = rep.num_adaptors * sizeof(XvAdaptorInfo);
if ((pas = Xmalloc(size)) == NULL) {
@@ -225,9 +222,12 @@ XvQueryAdaptors(
pa++;
}
- u.buffer = buffer;
pa = pas;
for (ii = 0; ii < rep.num_adaptors; ii++) {
+ if (u.buffer + sz_xvAdaptorInfo > end) {
+ status = XvBadReply;
+ goto out;
+ }
pa->type = u.pa->type;
pa->base_id = u.pa->base_id;
pa->num_ports = u.pa->num_ports;
@@ -239,6 +239,10 @@ XvQueryAdaptors(
size = u.pa->name_size;
u.buffer += pad_to_int32(sz_xvAdaptorInfo);
+ if (u.buffer + size > end) {
+ status = XvBadReply;
+ goto out;
+ }
if ((name = Xmalloc(size + 1)) == NULL) {
status = XvBadAlloc;
goto out;
@@ -259,6 +263,11 @@ XvQueryAdaptors(
pf = pfs;
for (jj = 0; jj < pa->num_formats; jj++) {
+ if (u.buffer + sz_xvFormat > end) {
+ Xfree(pfs);
+ status = XvBadReply;
+ goto out;
+ }
pf->depth = u.pf->depth;
pf->visual_id = u.pf->visual;
pf++;
@@ -327,6 +336,7 @@ XvQueryEncodings(
size_t size;
unsigned int jj;
char *name;
+ char *end;
XvEncodingInfo *pes = NULL, *pe;
char *buffer = NULL;
union {
@@ -364,17 +374,13 @@ XvQueryEncodings(
/* GET ENCODINGS */
if (rep.num_encodings == 0) {
- /* If there's no encodings, there's nothing more to do. */
+ /* If there are no encodings, there's nothing more to do. */
status = Success;
goto out;
}
- if (size < (rep.num_encodings * sz_xvEncodingInfo)) {
- /* If there's not enough data for the number of adaptors,
- then we have a problem. */
- status = XvBadReply;
- goto out;
- }
+ u.buffer = buffer;
+ end = buffer + size;
size = rep.num_encodings * sizeof(XvEncodingInfo);
if ((pes = Xmalloc(size)) == NULL) {
@@ -391,10 +397,12 @@ XvQueryEncodings(
pe++;
}
- u.buffer = buffer;
-
pe = pes;
for (jj = 0; jj < rep.num_encodings; jj++) {
+ if (u.buffer + sz_xvEncodingInfo > end) {
+ status = XvBadReply;
+ goto out;
+ }
pe->encoding_id = u.pe->encoding;
pe->width = u.pe->width;
pe->height = u.pe->height;
@@ -405,6 +413,10 @@ XvQueryEncodings(
size = u.pe->name_size;
u.buffer += pad_to_int32(sz_xvEncodingInfo);
+ if (u.buffer + size > end) {
+ status = XvBadReply;
+ goto out;
+ }
if ((name = Xmalloc(size + 1)) == NULL) {
status = XvBadAlloc;
goto out;
--
2.10.1

13
gnu/packages/xorg.scm
View File

@ -4667,8 +4667,7 @@ protocol and arbitrary X extension protocol.")
(define-public libxv
(package
(name "libxv")
(replacement libxv/fixed)
(version "1.0.10")
(version "1.0.11")
(source
(origin
(method url-fetch)
@ -4678,7 +4677,7 @@ protocol and arbitrary X extension protocol.")
".tar.bz2"))
(sha256
(base32
"09a5j6bisysiipd0nw6s352565bp0n6gbyhv5hp63s3cd3w95zjm"))))
"125hn06bd3d8y97hm2pbf5j55gg4r2hpd3ifad651i4sr7m16v6j"))))
(build-system gnu-build-system)
(propagated-inputs
`(("videoproto" ,videoproto)))
@ -4693,14 +4692,6 @@ protocol and arbitrary X extension protocol.")
(description "Library for the X Video Extension to the X11 protocol.")
(license license:x11)))
(define libxv/fixed
(package
(inherit libxv)
(source (origin
(inherit (package-source libxv))
(patches (search-patches
"libxv-CVE-2016-5407.patch"))))))
(define-public mkfontdir
(package
(name "mkfontdir")