auto-import libX11-1.0.3-8.fc7 on branch devel from

libX11-1.0.3-8.fc7.src.rpm
2007-04-06 18:31:38 +00:00 · 2007-04-06 18:31:38 +00:00 · 505d73414c
commit 505d73414c
parent 5857ebce46
3 changed files with 101 additions and 11 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1,3 +1 @@
-libX11-1.0.1.tar.bz2
-libX11-1.0.2.tar.bz2
 libX11-1.0.3.tar.bz2
--- a/libX11-cve-2007-1667.patch
+++ b/libX11-cve-2007-1667.patch
@ -0,0 +1,95 @@
+From: Matthieu Herrb <matthieu@roadrock.(none)>
+Date: Tue, 3 Apr 2007 13:39:52 +0000 (+0200)
+Subject: Multiple integer overflows in the XGetPixel() and XInitImage functions
+X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libX11.git;a=commitdiff;h=7dc7ef398b6ad90ccd1680ed9cd1cfdd47312f5a
+
+Multiple integer overflows in the XGetPixel() and XInitImage functions
+
+CVE-2007-1667
+---
+
+--- a/src/ImUtil.c
+++ b/src/ImUtil.c
+@@ -327,12 +327,13 @@ XImage *XCreateImage (dpy, visual, depth
+ {
+ 	register XImage *image;
+ 	int bits_per_pixel = 1;
+	int min_bytes_per_line;
+ 
+ 	if (depth == 0 || depth > 32 ||
+ 	    (format != XYBitmap && format != XYPixmap && format != ZPixmap) ||
+ 	    (format == XYBitmap && depth != 1) ||
+ 	    (xpad != 8 && xpad != 16 && xpad != 32) ||
+-	    offset < 0 || image_bytes_per_line < 0)
+	    offset < 0)
+ 	    return (XImage *) NULL;
+ 	if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL)
+ 	    return (XImage *) NULL;
+@@ -363,16 +364,21 @@ XImage *XCreateImage (dpy, visual, depth
+ 	/*
+ 	 * compute per line accelerator.
+ 	 */
+-	if (image_bytes_per_line == 0)
+ 	{
+ 	if (format == ZPixmap)
+-	    image->bytes_per_line = 
+	    min_bytes_per_line = 
+ 	       ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+ 	else
+-	    image->bytes_per_line =
+	    min_bytes_per_line =
+ 	        ROUNDUP((width + offset), image->bitmap_pad);
+ 	}
+-	else image->bytes_per_line = image_bytes_per_line;
+	if (image_bytes_per_line == 0) {
+	    image->bytes_per_line = min_bytes_per_line;
+	} else if (image_bytes_per_line < min_bytes_per_line) {
+	    return 0;
+	} else {
+	    image->bytes_per_line = image_bytes_per_line;
+	}
+ 
+ 	image->bits_per_pixel = bits_per_pixel;
+ 	image->obdata = NULL;
+@@ -384,7 +390,11 @@ XImage *XCreateImage (dpy, visual, depth
+ Status XInitImage (image)
+     XImage *image;
+ {
+	int min_bytes_per_line;
+
+ 	if (image->depth == 0 || image->depth > 32 ||
+	    image->bits_per_pixel > 32 || image->bitmap_unit > 32 ||
+	    image->bits_per_pixel < 0 || image->bitmap_unit < 0 ||
+ 	    (image->format != XYBitmap &&
+ 	     image->format != XYPixmap &&
+ 	     image->format != ZPixmap) ||
+@@ -392,21 +402,24 @@ Status XInitImage (image)
+ 	    (image->bitmap_pad != 8 &&
+ 	     image->bitmap_pad != 16 &&
+ 	     image->bitmap_pad != 32) ||
+-	    image->xoffset < 0 || image->bytes_per_line < 0)
+	    image->xoffset < 0)
+ 	    return 0;
+ 
+ 	/*
+ 	 * compute per line accelerator.
+ 	 */
+-	if (image->bytes_per_line == 0)
+-	{
+ 	if (image->format == ZPixmap)
+-	    image->bytes_per_line = 
+	    min_bytes_per_line = 
+ 	       ROUNDUP((image->bits_per_pixel * image->width),
+ 		       image->bitmap_pad);
+ 	else
+-	    image->bytes_per_line =
+	    min_bytes_per_line =
+ 	        ROUNDUP((image->width + image->xoffset), image->bitmap_pad);
+
+	if (image->bytes_per_line == 0) {
+	    image->bytes_per_line = min_bytes_per_line;
+	} else if (image->bytes_per_line < min_bytes_per_line) {
+	    return 0;
+ 	}
+ 
+ 	_XInitImageFuncPtrs (image);
--- a/libX11.spec
+++ b/libX11.spec
@ -1,7 +1,7 @@
 Summary: X.Org X11 libX11 runtime library
 Name: libX11
 Version: 1.0.3
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: MIT/X11
 Group: System Environment/Libraries
 URL: http://www.x.org
@ -17,6 +17,7 @@ Patch1: libX11-nls-indic-locales-bug185376.patch
 Patch2: dont-forward-keycode-0.patch
 Patch3: bug-201284.patch
 Patch4: libX11-fd-leak.patch
+Patch5: libX11-cve-2007-1667.patch

 BuildRequires: pkgconfig
 # xproto >= 7.0.6 required
@ -59,16 +60,12 @@ X.Org X11 libX11 development package
 %patch2 -p1 -b .dont-forward-keycode-0
 %patch3 -p1 -b .3-bug201284
 %patch4 -p1 -b .xim-fd-leak
-
-# Disable static library creation by default.
-%define with_static 0
+%patch5 -p1 -b .cve-2007-1667

 %build
 %configure \
 	--disable-dependency-tracking \
-%if ! %{with_static}
 	--disable-static
-%endif

 make %{?_smp_mflags}

@ -242,15 +239,15 @@ rm -rf $RPM_BUILD_ROOT
 %{_includedir}/X11/Xresource.h
 %{_includedir}/X11/Xutil.h
 %{_includedir}/X11/cursorfont.h
-%if %{with_static}
-%{_libdir}/libX11.a
-%endif
 %{_libdir}/libX11.so
 %{_libdir}/pkgconfig/x11.pc
 #%dir %{_mandir}/man3x
 %{_mandir}/man3/*.3x*

 %changelog
+* Fri Apr 06 2007 Adam Jackson <ajax@redhat.com> 1.0.3-8
+- Fix for CVE 2007-1667.
+
 * Mon Jan 29 2007 Adam Jackson <ajax@redhat.com> 1.0.3-7
 - Fix xim fd leak.