Accepting request 555663 from X11:XOrg

OBS-URL: https://build.opensuse.org/request/show/555663 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libXcursor?expand=0&rev=11
2017-12-11 17:54:50 +00:00 · 2017-12-11 17:54:50 +00:00 · c6fd617c13
commit c6fd617c13
parent 4f8a2802a6 c564432d33
5 changed files with 19 additions and 79 deletions
--- a/U_Avoid-heap-overflows-due-to-integer-overflow-signedn.patch
+++ b/U_Avoid-heap-overflows-due-to-integer-overflow-signedn.patch
@ -1,73 +0,0 @@
-From 77a4331570c660ebee77f19eb385911299948422 Mon Sep 17 00:00:00 2001
-From: Stefan Dirsch <sndirsch@suse.de>
-Date: Tue, 21 Nov 2017 16:50:56 +0100
-Subject: [PATCH] Avoid heap overflows due to integer overflow + signedness
- issue [CVE-2017-16612]
-
-It is possible to trigger heap overflows due to an integer overflow
-while parsing images and a signedness issue while parsing comments.
-
-The integer overflow occurs because the chosen limit 0x10000 for
-dimensions is too large for 32 bit systems, because each pixel takes
-4 bytes. Properly chosen values allow an overflow which in turn will
-lead to less allocated memory than needed for subsequent reads.
-
-The signedness bug is triggered by reading the length of a comment
-as unsigned int, but casting it to int when calling the function
-XcursorCommentCreate. Turning length into a negative value allows the
-check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
-addition of sizeof (XcursorComment) + 1 makes it possible to allocate
-less memory than needed for subsequent reads.
-
-Signed-off-by: Tobias Stoeckmann
---
- src/file.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/src/file.c b/src/file.c
-index 43163c2..da16277 100644
--- a/src/file.c
-+++ b/src/file.c
-@@ -29,6 +29,11 @@ XcursorImageCreate (int width, int height)
- {
-     XcursorImage    *image;
- 
-+    if (width < 0 || height < 0)
-+       return NULL;
-+    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
-+       return NULL;
-+
-     image = malloc (sizeof (XcursorImage) +
- 		    width * height * sizeof (XcursorPixel));
-     if (!image)
-@@ -101,7 +106,7 @@ XcursorCommentCreate (XcursorUInt comment_type, int length)
- {
-     XcursorComment  *comment;
- 
-    if (length > XCURSOR_COMMENT_MAX_LEN)
-+    if (length < 0 || length > XCURSOR_COMMENT_MAX_LEN)
- 	return NULL;
- 
-     comment = malloc (sizeof (XcursorComment) + length + 1);
-@@ -448,7 +453,8 @@ _XcursorReadImage (XcursorFile		*file,
-     if (!_XcursorReadUInt (file, &head.delay))
- 	return NULL;
-     /* sanity check data */
-    if (head.width >= 0x10000 || head.height > 0x10000)
-+    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
-+	head.height > XCURSOR_IMAGE_MAX_SIZE)
- 	return NULL;
-     if (head.width == 0 || head.height == 0)
- 	return NULL;
-@@ -457,6 +463,8 @@ _XcursorReadImage (XcursorFile		*file,
- 
-     /* Create the image and initialize it */
-     image = XcursorImageCreate (head.width, head.height);
-+    if (image == NULL)
-+	return NULL;
-     if (chunkHeader.version < image->version)
- 	image->version = chunkHeader.version;
-     image->size = chunkHeader.subtype;
-- 
-2.13.6
-
--- a/libXcursor-1.1.14.tar.bz2
+++ b/libXcursor-1.1.14.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9bc6acb21ca14da51bda5bc912c8955bc6e5e433f0ab00c5e8bef842596c33df
-size 311896
--- a/libXcursor-1.1.15.tar.bz2
+++ b/libXcursor-1.1.15.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:294e670dd37cd23995e69aae626629d4a2dfe5708851bbc13d032401b7a3df6b
+size 331607
--- a/libXcursor.changes
+++ b/libXcursor.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu Dec  7 17:26:32 UTC 2017 - tobias.johannes.klausmann@mni.thm.de
+
+- Update to version 1.1.15:
+  * configure: Drop AM_MAINTAINER_MODE
+  * autogen.sh: Honor NOCONFIGURE=1
+  * Use strdup() instead of malloc(strlen())+strcpy()
+  * Fix some clang integer sign/size mismatch warnings
+  * autogen.sh: use quoted string variables
+  * autogen: add default patch prefix
+  * autogen.sh: use exec instead of waiting for configure to finish
+  * Fix heap overflows when parsing malicious files. (CVE-2017-16612)
+  * Insufficient memory for terminating null of string in _XcursorThemeInherits
+- Drop U_Avoid-heap-overflows-due-to-integer-overflow-signedn.patch
+
 -------------------------------------------------------------------
 Tue Nov 28 19:08:11 UTC 2017 - sndirsch@suse.com

--- a/libXcursor.spec
+++ b/libXcursor.spec
@ -18,7 +18,7 @@

 Name:           libXcursor
 %define lname	libXcursor1
-Version:        1.1.14
+Version:        1.1.15
 Release:        0
 Summary:        X Window System Cursor management library
 License:        MIT
@ -29,7 +29,6 @@ Url:            http://xorg.freedesktop.org/
 #Git-Web:	http://cgit.freedesktop.org/xorg/lib/libXcursor/
 Source:         http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
 Source1:        baselibs.conf
-Patch0:         U_Avoid-heap-overflows-due-to-integer-overflow-signedn.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #git#BuildRequires:	autoconf >= 2.60, automake, libtool
 BuildRequires:  fdupes
@ -73,7 +72,6 @@ in %lname.

 %prep
 %setup -q
-%patch0 -p1

 %build
 %configure --disable-static