diff --git a/.cvsignore b/.cvsignore
index befb234..0b254b7 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,3 +1 @@
-libX11-1.0.1.tar.bz2
-libX11-1.0.2.tar.bz2
 libX11-1.0.3.tar.bz2
diff --git a/libX11-cve-2007-1667.patch b/libX11-cve-2007-1667.patch
new file mode 100644
index 0000000..72e8a4c
--- /dev/null
+++ b/libX11-cve-2007-1667.patch
@@ -0,0 +1,95 @@
+From: Matthieu Herrb
+Date: Tue, 3 Apr 2007 13:39:52 +0000 (+0200)
+Subject: Multiple integer overflows in the XGetPixel() and XInitImage functions
+X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libX11.git;a=commitdiff;h=7dc7ef398b6ad90ccd1680ed9cd1cfdd47312f5a
+
+Multiple integer overflows in the XGetPixel() and XInitImage functions
+
+CVE-2007-1667
+---
+
+--- a/src/ImUtil.c
++++ b/src/ImUtil.c
+@@ -327,12 +327,13 @@ XImage *XCreateImage (dpy, visual, depth
+ {
+ register XImage *image;
+ int bits_per_pixel = 1;
++ int min_bytes_per_line;
+
+ if (depth == 0 || depth > 32 ||
+ (format != XYBitmap && format != XYPixmap && format != ZPixmap) ||
+ (format == XYBitmap && depth != 1) ||
+ (xpad != 8 && xpad != 16 && xpad != 32) ||
+- offset < 0 || image_bytes_per_line < 0)
++ offset < 0)
+ return (XImage *) NULL;
+ if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL)
+ return (XImage *) NULL;
+@@ -363,16 +364,21 @@ XImage *XCreateImage (dpy, visual, depth
+ /*
+ * compute per line accelerator.
+ */
+- if (image_bytes_per_line == 0)
+ {
+ if (format == ZPixmap)
+- image->bytes_per_line =
++ min_bytes_per_line =
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+ else
+- image->bytes_per_line =
++ min_bytes_per_line =
+ ROUNDUP((width + offset), image->bitmap_pad);
+ }
+- else image->bytes_per_line = image_bytes_per_line;
++ if (image_bytes_per_line == 0) {
++ image->bytes_per_line = min_bytes_per_line;
++ } else if (image_bytes_per_line < min_bytes_per_line) {
++ return 0;
++ } else {
++ image->bytes_per_line = image_bytes_per_line;
++ }
+
+ image->bits_per_pixel = bits_per_pixel;
+ image->obdata = NULL;
+@@ -384,7 +390,11 @@ XImage *XCreateImage (dpy, visual, depth
+ Status XInitImage (image)
+ XImage *image;
+ {
++ int min_bytes_per_line;
++
+ if (image->depth == 0 || image->depth > 32 ||
++ image->bits_per_pixel > 32 || image->bitmap_unit > 32 ||
++ image->bits_per_pixel < 0 || image->bitmap_unit < 0 ||
+ (image->format != XYBitmap &&
+ image->format != XYPixmap &&
+ image->format != ZPixmap) ||
+@@ -392,21 +402,24 @@ Status XInitImage (image)
+ (image->bitmap_pad != 8 &&
+ image->bitmap_pad != 16 &&
+ image->bitmap_pad != 32) ||
+- image->xoffset < 0 || image->bytes_per_line < 0)
++ image->xoffset < 0)
+ return 0;
+
+ /*
+ * compute per line accelerator.
+ */
+- if (image->bytes_per_line == 0)
+- {
+ if (image->format == ZPixmap)
+- image->bytes_per_line =
++ min_bytes_per_line =
+ ROUNDUP((image->bits_per_pixel * image->width),
+ image->bitmap_pad);
+ else
+- image->bytes_per_line =
++ min_bytes_per_line =
+ ROUNDUP((image->width + image->xoffset), image->bitmap_pad);
++
++ if (image->bytes_per_line == 0) {
++ image->bytes_per_line = min_bytes_per_line;
++ } else if (image->bytes_per_line < min_bytes_per_line) {
++ return 0;
+ }
+
+ _XInitImageFuncPtrs (image);
diff --git a/libX11.spec b/libX11.spec
index 25c4235..f6fcefc 100644
--- a/libX11.spec
+++ b/libX11.spec
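Review bot: The new `return 0;` in XCreateImage, taken when `image_bytes_per_line < min_bytes_per_line`, runs after `image` was obtained from `Xcalloc` in the preceding hunk, and nothing visible releases it, so each rejected call appears to leak one XImage. Releasing the struct and returning the declared pointer type would fix that: `Xfree(image); return (XImage *) NULL;`. Separately, `min_bytes_per_line` is an `int` derived from `bits_per_pixel * width` (and from `image->bits_per_pixel * image->width` in XInitImage) with no upper bound on the width visible in these hunks, so a very large width may overflow the product before the new comparison is reached. A range check on the width ahead of the ROUNDUP call would close that, though the ROUNDUP macro and the lines between the hunks are not shown here, so this needs confirming against the full file. Both function bodies start and end outside the hunks.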
@@ -1,7 +1,7 @@ Summary: X.Org X11 libX11 runtime library Name: libX11 Version: 1.0.3 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT/X11 Group: System Environment/Libraries URL: http://www.x.org @@ -17,6 +17,7 @@ Patch1: libX11-nls-indic-locales-bug185376.patch Patch2: dont-forward-keycode-0.patch Patch3: bug-201284.patch Patch4: libX11-fd-leak.patch +Patch5: libX11-cve-2007-1667.patch BuildRequires: pkgconfig # xproto >= 7.0.6 required @@ -59,16 +60,12 @@ X.Org X11 libX11 development package %patch2 -p1 -b .dont-forward-keycode-0 %patch3 -p1 -b .3-bug201284 %patch4 -p1 -b .xim-fd-leak - -# Disable static library creation by default. -%define with_static 0 +%patch5 -p1 -b .cve-2007-1667 %build %configure \ --disable-dependency-tracking \ -%if ! %{with_static} --disable-static -%endif make %{?_smp_mflags} @@ -242,15 +239,15 @@ rm -rf $RPM_BUILD_ROOT %{_includedir}/X11/Xresource.h %{_includedir}/X11/Xutil.h %{_includedir}/X11/cursorfont.h -%if %{with_static} -%{_libdir}/libX11.a -%endif %{_libdir}/libX11.so %{_libdir}/pkgconfig/x11.pc #%dir %{_mandir}/man3x %{_mandir}/man3/*.3x* %changelog +* Fri Apr 06 2007 Adam Jackson 1.0.3-8 +- Fix for CVE 2007-1667. + * Mon Jan 29 2007 Adam Jackson 1.0.3-7 - Fix xim fd leak.