gnu: libxrender: Fix CVE-2016-{7949,7950}.

* gnu/packages/patches/libxrender-CVE-2016-7949.patch,
gnu/packages/patches/libxrender-CVE-2016-7950.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xorg.scm (libxrender)[replacement]: New field.
(libxrender/fixed): New variable.
This commit is contained in:
Leo Famulari 2016-10-05 13:25:09 -04:00
parent a300db1c7f
commit 666d40193c
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
4 changed files with 150 additions and 0 deletions

View File

@ -674,6 +674,8 @@ dist_patch_DATA = \
%D%/packages/patches/libxfixes-CVE-2016-7944.patch \
%D%/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch \
%D%/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch \
%D%/packages/patches/libxrender-CVE-2016-7949.patch \
%D%/packages/patches/libxrender-CVE-2016-7950.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
%D%/packages/patches/lirc-localstatedir.patch \
%D%/packages/patches/llvm-for-extempore.patch \

View File

@ -0,0 +1,66 @@
Fix CVE-2016-7949:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949
Patch copied from upstream source repository:
https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4
From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 25 Sep 2016 21:43:09 +0200
Subject: [PATCH] Validate lengths while parsing server data.
Individual lengths inside received server data can overflow
the previously reserved memory.
It is therefore important to validate every single length
field to not overflow the previously agreed sum of all invidual
length fields.
v2: consume remaining bytes in the reply buffer on error.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb@laas.fr
---
src/Xrender.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/Xrender.c b/src/Xrender.c
index 3102eb2..71cf3e6 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
screen->subpixel = SubPixelUnknown;
xDepth = (xPictDepth *) (xScreen + 1);
+ if (screen->ndepths > rep.numDepths) {
+ Xfree (xri);
+ Xfree (xData);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return 0;
+ }
+ rep.numDepths -= screen->ndepths;
for (nd = 0; nd < screen->ndepths; nd++)
{
depth->depth = xDepth->depth;
depth->nvisuals = xDepth->nPictVisuals;
depth->visuals = visual;
xVisual = (xPictVisual *) (xDepth + 1);
+ if (depth->nvisuals > rep.numVisuals) {
+ Xfree (xri);
+ Xfree (xData);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return 0;
+ }
+ rep.numVisuals -= depth->nvisuals;
for (nv = 0; nv < depth->nvisuals; nv++)
{
visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
--
2.10.1

View File

@ -0,0 +1,73 @@
Fix CVE-2016-7950:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950
Patch copied from upstream source repository:
https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714
From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 25 Sep 2016 21:42:09 +0200
Subject: [PATCH] Avoid OOB write in XRenderQueryFilters
The memory for filter names is reserved right after receiving the reply.
After that, filters are iterated and each individual filter name is
stored in that reserved memory.
The individual name lengths are not checked for validity, which means
that a malicious server can reserve less memory than it will write to
during each iteration.
v2: consume remaining bytes in reply buffer on error.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
---
src/Filter.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/Filter.c b/src/Filter.c
index edfa572..8d701eb 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
char *name;
char len;
int i;
- unsigned long nbytes, nbytesAlias, nbytesName;
+ unsigned long nbytes, nbytesAlias, nbytesName, reply_left;
if (!RenderHasExtension (info))
return NULL;
@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
* Read the filter aliases
*/
_XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
+ reply_left = 8 + rep.length - 2 * rep.numAliases;;
/*
* Read the filter names
@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
{
int l;
_XRead (dpy, &len, 1);
+ reply_left--;
l = len & 0xff;
+ if ((unsigned long)l + 1 > nbytesName) {
+ _XEatDataWords(dpy, reply_left);
+ Xfree(filters);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+ }
+ nbytesName -= l + 1;
filters->filter[i] = name;
_XRead (dpy, name, l);
+ reply_left -= l;
name[l] = '\0';
name += l + 1;
}
--
2.10.1

View File

@ -4602,6 +4602,7 @@ cannot be adequately worked around on the client side of the wire.")
(define-public libxrender
(package
(name "libxrender")
(replacement libxrender/fixed)
(version "0.9.9")
(source
(origin
@ -4626,6 +4627,14 @@ cannot be adequately worked around on the client side of the wire.")
(description "Library for the Render Extension to the X11 protocol.")
(license license:x11)))
(define libxrender/fixed
(package
(inherit libxrender)
(source (origin
(inherit (package-source libxrender))
(patches (search-patches
"libxrender-CVE-2016-7949.patch"
"libxrender-CVE-2016-7950.patch"))))))
(define-public libxtst
(package