Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hello, I would like to apply fix in stable for #889681. I have asked security team if they want the fix via security queue or stable update, however I have gotten no reply yet. I am attaching the patch I intend to upload to stable if you acknowledge it. Regards -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: armhf Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
From 2471b0463e9395bd981f8b875e3280f1fc6b995f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <zu...@debian.org> Date: Sun, 4 Mar 2018 11:54:40 +0100 Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Héctor Orón Martínez <zu...@debian.org> --- debian/changelog | 11 +++++++++ debian/patches/CVE-2017-16612.patch | 47 +++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 59 insertions(+) create mode 100644 debian/patches/CVE-2017-16612.patch create mode 100644 debian/patches/series diff --git a/debian/changelog b/debian/changelog index 2f84b50..7495ef3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +wayland (1.12.0-1+deb9u1) stretch; urgency=medium + + * debian/patches/CVE-2017-16612.patch: (Closes: #889681) + - libXcursor before 1.1.15 has various integer overflows that could lead + to heap buffer overflows when processing malicious cursors, e.g., with + programs like GIMP. It is also possible that an attack vector exists + against the related code in cursor/xcursor.c in Wayland through + 1.14.0. + + -- Héctor Orón Martínez <zu...@debian.org> Sun, 04 Mar 2018 11:43:29 +0100 + wayland (1.12.0-1) unstable; urgency=medium * New upstream release. Closes: #840752. diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch new file mode 100644 index 0000000..9d91f70 --- /dev/null +++ b/debian/patches/CVE-2017-16612.patch @@ -0,0 +1,47 @@ +commit 5d201df72f3d4f4cb8b8f75f980169b03507da38 +Author: Tobias Stoeckmann <tob...@stoeckmann.org> +Date: Tue Nov 28 21:38:07 2017 +0100 + + cursor: Fix heap overflows when parsing malicious files. + + It is possible to trigger heap overflows due to an integer overflow + while parsing images. + + The integer overflow occurs because the chosen limit 0x10000 for + dimensions is too large for 32 bit systems, because each pixel takes + 4 bytes. Properly chosen values allow an overflow which in turn will + lead to less allocated memory than needed for subsequent reads. + + See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 + Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961 + + Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org> + [Pekka: add link to the corresponding libXcursor commit] + Signed-off-by: Pekka Paalanen <pekka.paala...@collabora.co.uk> + +diff --git a/cursor/xcursor.c b/cursor/xcursor.c +index ca41c4a..689c702 100644 +--- a/cursor/xcursor.c ++++ b/cursor/xcursor.c +@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height) + { + XcursorImage *image; + ++ if (width < 0 || height < 0) ++ return NULL; ++ if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) ++ return NULL; ++ + image = malloc (sizeof (XcursorImage) + + width * height * sizeof (XcursorPixel)); + if (!image) +@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file, + if (!_XcursorReadUInt (file, &head.delay)) + return NULL; + /* sanity check data */ +- if (head.width >= 0x10000 || head.height > 0x10000) ++ if (head.width > XCURSOR_IMAGE_MAX_SIZE || ++ head.height > XCURSOR_IMAGE_MAX_SIZE) + return NULL; + if (head.width == 0 || head.height == 0) + return NULL; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..4c42ec7 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2017-16612.patch -- 2.16.2
