From 802cd7f32df113786180c55e9619ccc005f5b7e9 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Fri, 31 May 2013 09:13:46 +1000
Subject: [PATCH] libxcb 1.9.1
---
 .gitignore | 1 +
 ...verflow-in-read_packet-CVE-2013-2064.patch | 48 -------------------
 libxcb.spec | 10 ++--
 sources | 2 +-
 4 files changed, 7 insertions(+), 54 deletions(-)
 delete mode 100644 0001-integer-overflow-in-read_packet-CVE-2013-2064.patch
diff --git a/.gitignore b/.gitignore
index 33d6947..5817c33 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ libxcb-1.7.tar.bz2
 /libxcb-1.8.tar.bz2
 /libxcb-1.8.1.tar.bz2
 /libxcb-1.9.tar.bz2
+/libxcb-1.9.1.tar.bz2
diff --git a/0001-integer-overflow-in-read_packet-CVE-2013-2064.patch b/0001-integer-overflow-in-read_packet-CVE-2013-2064.patch
deleted file mode 100644
index 0c98d6d..0000000
--- a/0001-integer-overflow-in-read_packet-CVE-2013-2064.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 1b33867fa996034deb50819ae54640be501f8d20 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith
-Date: Wed, 1 May 2013 17:59:31 -0700
-Subject: [PATCH] integer overflow in read_packet() [CVE-2013-2064]
-
-Ensure that when calculating the size of the incoming response from the
-Xserver, we don't overflow the integer used in the calculations when we
-multiply the int32_t length by 4 and add it to the default response size.
-
-Signed-off-by: Alan Coopersmith
----
- src/xcb_in.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/src/xcb_in.c b/src/xcb_in.c
-index b810783..8a7af92 100644
---- a/src/xcb_in.c
-+++ b/src/xcb_in.c
-@@ -93,8 +93,9 @@ static void remove_finished_readers(reader_list **prev_reader, uint64_t complete
- static int read_packet(xcb_connection_t *c)
- {
- xcb_generic_reply_t genrep;
-- int length = 32;
-- int eventlength = 0; /* length after first 32 bytes for GenericEvents */
-+ uint64_t length = 32;
-+ uint64_t eventlength = 0; /* length after first 32 bytes for GenericEvents */
-+ uint64_t bufsize;
- void *buf;
- pending_reply *pend = 0;
- struct event_list *event;
-@@ -169,8 +170,12 @@ static int read_packet(xcb_connection_t *c)
- if ((genrep.response_type & 0x7f) == XCB_XGE_EVENT)
- eventlength = genrep.length * 4;
-
-- buf = malloc(length + eventlength +
-- (genrep.response_type == XCB_REPLY ? 0 : sizeof(uint32_t)));
-+ bufsize = length + eventlength +
-+ (genrep.response_type == XCB_REPLY ? 0 : sizeof(uint32_t));
-+ if (bufsize < INT32_MAX)
-+ buf = malloc((size_t) bufsize);
-+ else
-+ buf = NULL;
- if(!buf)
- {
- _xcb_conn_shutdown(c, XCB_CONN_CLOSED_MEM_INSUFFICIENT);
---
-1.8.1.4
-
diff --git a/libxcb.spec b/libxcb.spec
index 3036c26..b1d7b1b 100644
--- a/libxcb.spec
+++ b/libxcb.spec
@@ -1,6 +1,6 @@
 Name: libxcb
-Version: 1.9
-Release: 3%{?dist}
+Version: 1.9.1
+Release: 1%{?dist}
 Summary: A C binding to the X11 protocol
 Group: System Environment/Libraries
@@ -14,8 +14,6 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # the pkgconfig file so libs that link against libxcb know this...
 Source1: pthread-stubs.pc.in
-Patch01: 0001-integer-overflow-in-read_packet-CVE-2013-2064.patch
-
 BuildRequires: autoconf automake libtool pkgconfig
 BuildRequires: doxygen
 BuildRequires: graphviz
@@ -50,7 +48,6 @@ The %{name}-doc package contains documentation for the %{name} library.
 %prep
 %setup -q
-%patch01 -p1
 %build
 sed -i 's/pthread-stubs //' configure.ac
@@ -111,6 +108,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/doc/%{name}-%{version}
 %changelog
+* Fri May 31 2013 Peter Hutterer 1.9.1-1
+- libxcb 1.9.1
+
 * Fri May 24 2013 Peter Hutterer 1.9-3
 - Fix integer overflow in read_packet (CVE-2013-2064)
diff --git a/sources b/sources
index c678665..17d3707 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2b05856e9d1cb37836aae7406f2f4ce2 libxcb-1.9.tar.bz2
+ed632cb0dc31b6fbd7ea5c0f931cf5a4 libxcb-1.9.1.tar.bz2
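Review bot: Nothing in this commit records that the 1.9.1 tarball already contains the CVE-2013-2064 fix, yet the libxcb.spec hunks at `-14,8` and `-50,7` stop applying it by removing `Patch01:` and `%patch01 -p1`. The new `%changelog` entry in the `-111,6` hunk says only `- libxcb 1.9.1`. Assuming upstream did merge the fix into this release, I would add a second line such as `- Drop CVE-2013-2064 patch, included in 1.9.1`, so that anyone auditing the package history can see the fix was carried forward rather than lost. It is also worth confirming before the build ships that `read_packet()` in the new tarball's `src/xcb_in.c` has the `bufsize < INT32_MAX` guard from the deleted patch.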