Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Dear release team, I would like to update libx11 in Stretch because it is currently affected by CVE-2018-14598, CVE-2018-14599 and CVE-2018-14600. The security team marked all issues as no-dsa. Please find attached the debdiff. I had to refresh one unrelated patch because it did not apply correctly. No other changes were made. Regards, Markus
diff -u libx11-1.6.4/debian/changelog libx11-1.6.4/debian/changelog --- libx11-1.6.4/debian/changelog +++ libx11-1.6.4/debian/changelog @@ -1,3 +1,23 @@ +libx11 (2:1.6.4-3+deb9u1) stretch; urgency=high + + * Non-maintainer upload. + * Fix CVE-2018-14598, CVE-2018-14599 and CVE-2018-14600: + * CVE-2018-14599: + The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable + to an off-by-one override on malicious server responses. + * CVE-2018-14600: + The length value is interpreted as signed char on many systems (depending + on default signedness of char), which can lead to an out of boundary write + up to 128 bytes in front of the allocated storage, but limited to NUL + byte(s). + * CVE-2018-14598: + If the server sends a reply in which even the first string would overflow + the transmitted bytes, list[0] (or flist[0]) will be set to NULL and a + count of 0 is returned. This may trigger a segmentation fault leading to a + Denial of Service. + + -- Markus Koschany <a...@debian.org> Sat, 29 Sep 2018 14:05:05 +0200 + libx11 (2:1.6.4-3) unstable; urgency=high [ Emilio Pozuelo Monfort ] diff -u libx11-1.6.4/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff libx11-1.6.4/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff --- libx11-1.6.4/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff +++ libx11-1.6.4/debian/patches/003_recognize_glibc_2.3.2_locale_names.diff @@ -49,10 +49,8 @@ Partially submitted upstream. This is so large I don't expect it to all go in at once, but any bit would help. --Nathanael -Index: libx11/nls/compose.dir.pre -=================================================================== ---- libx11.orig/nls/compose.dir.pre -+++ libx11/nls/compose.dir.pre +--- a/nls/compose.dir.pre ++++ b/nls/compose.dir.pre @@ -4,8 +4,13 @@ XCOMM The first word is the compose tabl XCOMM and the second word is the full locale name. XCOMM 
@@ -234,7 +232,7 @@ en_US.UTF-8/Compose: ph_PH.UTF-8 en_US.UTF-8/Compose: pl_PL.UTF-8 en_US.UTF-8/Compose: pp_AN.UTF-8 -@@ -433,9 +466,11 @@ en_US.UTF-8/Compose: sd_IN@devanagari.U +@@ -433,9 +466,11 @@ en_US.UTF-8/Compose: sd_IN.UTF-8@devana en_US.UTF-8/Compose: se_NO.UTF-8 en_US.UTF-8/Compose: sh_BA.UTF-8 en_US.UTF-8/Compose: sh_YU.UTF-8 @@ -254,10 +252,8 @@ en_US.UTF-8/Compose: tl_PH.UTF-8 en_US.UTF-8/Compose: tn_ZA.UTF-8 en_US.UTF-8/Compose: tr_TR.UTF-8 -Index: libx11/nls/locale.alias.pre -=================================================================== ---- libx11.orig/nls/locale.alias.pre -+++ libx11/nls/locale.alias.pre +--- a/nls/locale.alias.pre ++++ b/nls/locale.alias.pre @@ -311,6 +311,12 @@ en_CA.iso88591: en_CA.ISO8859-1 en_CA.ISO-8859-1: en_CA.ISO8859-1 en_CA.ISO_8859-1: en_CA.ISO8859-1 @@ -332,10 +328,8 @@ french: fr_FR.ISO8859-1 french.iso88591: fr_CH.ISO8859-1 galego: gl_ES.ISO8859-1 -Index: libx11/nls/locale.dir.pre -=================================================================== ---- libx11.orig/nls/locale.dir.pre -+++ libx11/nls/locale.dir.pre +--- a/nls/locale.dir.pre ++++ b/nls/locale.dir.pre @@ -6,8 +6,11 @@ XCOMM XCOMM @@ -458,7 +452,7 @@ en_US.UTF-8/XLC_LOCALE: af_ZA.UTF-8 en_US.UTF-8/XLC_LOCALE: am_ET.UTF-8 en_US.UTF-8/XLC_LOCALE: ar_AA.UTF-8 -@@ -297,6 +319,7 @@ en_US.UTF-8/XLC_LOCALE: bn_BD.UTF-8 +@@ -298,6 +320,7 @@ en_US.UTF-8/XLC_LOCALE: bn_BD.UTF-8 en_US.UTF-8/XLC_LOCALE: bn_IN.UTF-8 en_US.UTF-8/XLC_LOCALE: bo_IN.UTF-8 en_US.UTF-8/XLC_LOCALE: br_FR.UTF-8 @@ -538,7 +532,7 @@ en_US.UTF-8/XLC_LOCALE: pp_AN.UTF-8 @@ -431,11 +467,13 @@ en_US.UTF-8/XLC_LOCALE: en_US.UTF-8/XLC_LOCALE: sd_IN.UTF-8 - en_US.UTF-8/XLC_LOCALE: sd...@devanagari.utf-8 + en_US.UTF-8/XLC_LOCALE: sd_IN.UTF-8@devanagari en_US.UTF-8/XLC_LOCALE: se_NO.UTF-8 +en_US.UTF-8/XLC_LOCALE: sid_ET.UTF-8 en_US.UTF-8/XLC_LOCALE: sh_BA.UTF-8 
@@ -550,7 +544,7 @@ en_US.UTF-8/XLC_LOCALE: sq_AL.UTF-8 en_US.UTF-8/XLC_LOCALE: sr_CS.UTF-8 en_US.UTF-8/XLC_LOCALE: sr_ME.UTF-8 -@@ -451,6 +489,7 @@ en_US.UTF-8/XLC_LOCALE: tg_TJ.UTF-8 +@@ -452,6 +490,7 @@ en_US.UTF-8/XLC_LOCALE: tg_TJ.UTF-8 th_TH.UTF-8/XLC_LOCALE: th_TH.UTF-8 en_US.UTF-8/XLC_LOCALE: ti_ER.UTF-8 en_US.UTF-8/XLC_LOCALE: ti_ET.UTF-8 diff -u libx11-1.6.4/debian/patches/series libx11-1.6.4/debian/patches/series --- libx11-1.6.4/debian/patches/series +++ libx11-1.6.4/debian/patches/series @@ -5,0 +6,3 @@ +CVE-2018-14599.patch +CVE-2018-14600.patch +CVE-2018-14598.patch only in patch2: unchanged: --- libx11-1.6.4.orig/debian/patches/CVE-2018-14598.patch +++ libx11-1.6.4/debian/patches/CVE-2018-14598.patch @@ -0,0 +1,42 @@ +From: Markus Koschany <a...@debian.org> +Date: Sat, 29 Sep 2018 14:13:53 +0200 +Subject: CVE-2018-14598 + +Origin: https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=e83722768fd5c467ef61fa159e8c6278770b45c2 +--- + src/GetFPath.c | 5 +++++ + src/ListExt.c | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/src/GetFPath.c b/src/GetFPath.c +index fe37fe8..dac553e 100644 +--- a/src/GetFPath.c ++++ b/src/GetFPath.c +@@ -78,6 +78,11 @@ char **XGetFontPath( + length = *(unsigned char *)ch; + *ch = '\0'; /* and replace with null-termination */ + count++; ++ } else if (i == 0) { ++ Xfree(flist); ++ Xfree(ch); ++ flist = NULL; ++ break; + } else + flist[i] = NULL; + } +diff --git a/src/ListExt.c b/src/ListExt.c +index 2a2e135..ceeb885 100644 +--- a/src/ListExt.c ++++ b/src/ListExt.c +@@ -83,6 +83,11 @@ char **XListExtensions( + length = *(unsigned char *)ch; + *ch = '\0'; /* and replace with null-termination */ + count++; ++ } else if (i == 0) { ++ Xfree(list); ++ Xfree(ch); ++ list = NULL; ++ break; + } else + list[i] = NULL; + } only in patch2: unchanged: --- libx11-1.6.4.orig/debian/patches/CVE-2018-14599.patch +++ libx11-1.6.4/debian/patches/CVE-2018-14599.patch 
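Review bot: The new `else if (i == 0)` branches in GetFPath.c and ListExt.c free `ch` and `flist`/`list`, reset the list pointer to NULL and `break`, but never touch `count`, so the value handed back through the out-parameter relies on `count` still being 0 at i == 0; the equivalent bail-out that CVE-2018-14599.patch removes from FontNames.c set `count = 0;` explicitly, and adding that line before `break;` (or the comment `/* i == 0: nothing unpacked yet, count is still 0 */`) would make the invariant visible instead of implied. The enclosing functions and the store to the out-parameter start and end outside the hunk, so this is inferred from the changelog's "count of 0 is returned" rather than shown. Separately, this patch's context line `length = *(unsigned char *)ch;` only exists once CVE-2018-14600.patch has been applied, so the order 14599, 14600, 14598 in the series hunk above is load-bearing; quilt's series format accepts `#` comments, and `# CVE-2018-14598.patch must follow CVE-2018-14600.patch (context dependency)` would keep a later refresh from reordering them.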
@@ -0,0 +1,85 @@
+From: Markus Koschany <a...@debian.org>
+Date: Wed, 29 Aug 2018 07:48:56 +0200
+Subject: CVE-2018-14599
+
+Origin: https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0
+---
+ src/FontNames.c | 16 ++++------------
+ src/GetFPath.c | 2 +-
+ src/ListExt.c | 12 ++++--------
+ 3 files changed, 9 insertions(+), 21 deletions(-)
+
+diff --git a/src/FontNames.c b/src/FontNames.c
+index 31f671c..f185c11 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -88,24 +88,16 @@ int *actualCount) /* RETURN */
+ * unpack into null terminated strings.
+ */
+ chstart = ch;
+- chend = ch + (rlen + 1);
++ chend = ch + rlen;
+ length = *(unsigned char *)ch;
+ *ch = 1; /* make sure it is non-zero for XFreeFontNames */
+ for (i = 0; i < rep.nFonts; i++) {
+ if (ch + length < chend) {
+ flist[i] = ch + 1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+- if (ch <= chend) {
+- length = *(unsigned char *)ch;
+- *ch = '\0'; /* and replace with null-termination */
+- count++;
+- } else {
+- Xfree(chstart);
+- Xfree(flist);
+- flist = NULL;
+- count = 0;
+- break;
+- }
++ length = *(unsigned char *)ch;
++ *ch = '\0'; /* and replace with null-termination */
++ count++;
+ } else {
+ Xfree(chstart);
+ Xfree(flist);
+diff --git a/src/GetFPath.c b/src/GetFPath.c
+index abd4a5d..cd56564 100644
+--- a/src/GetFPath.c
++++ b/src/GetFPath.c
+@@ -69,7 +69,7 @@ char **XGetFontPath(
+ /*
+ * unpack into null terminated strings.
+ */
+- chend = ch + (nbytes + 1);
++ chend = ch + nbytes;
+ length = *ch;
+ for (i = 0; i < rep.nPaths; i++) {
+ if (ch + length < chend) {
+diff --git a/src/ListExt.c b/src/ListExt.c
+index 9074315..421adb4 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -74,19 +74,15 @@ char **XListExtensions(
+ /*
+ * unpack into null terminated strings.
+ */
+- chend = ch + (rlen + 1);
++ chend = ch + rlen;
+ length = *ch;
+ for (i = 0; i < rep.nExtensions; i++) {
+ if (ch + length < chend) {
+ list[i] = ch+1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+- if (ch <= chend) {
+- length = *ch;
+- *ch = '\0'; /* and replace with null-termination */
+- count++;
+- } else {
+- list[i] = NULL;
+- }
++ length = *ch;
++ *ch = '\0'; /* and replace with null-termination */
++ count++;
+ } else
+ list[i] = NULL;
+ }
only in patch2:
unchanged:
--- libx11-1.6.4.orig/debian/patches/CVE-2018-14600.patch
+++ libx11-1.6.4/debian/patches/CVE-2018-14600.patch
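Review bot: The tightened bound `chend = ch + rlen;` in FontNames.c, and the matching `chend = ch + nbytes;` / `chend = ch + rlen;` lines for GetFPath.c and ListExt.c later in the hunk, carry no comment saying why the old `+ 1` was wrong, yet the loop still dereferences `ch` after `ch += length + 1;` has moved it up to, and possibly exactly onto, `chend`. The removed `+ 1` suggests the buffer was allocated with one byte of slack for the final terminator, which is precisely why `chend` must not include that byte in the read window; a comment at the first site, `/* chend is one past the bytes received; ch may land on chend, whose byte is presumably the slack reserved for the final NUL */`, would stop the next reader from putting the `+ 1` back when they see `*ch = '\0'` executed at `ch == chend`. The allocation and the function prologues are outside the hunk, so the slack-byte assumption is inferred, not shown, and should be confirmed against the Xmalloc call before the comment is committed.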
@@ -0,0 +1,48 @@
+From: Markus Koschany <a...@debian.org>
+Date: Wed, 29 Aug 2018 07:49:14 +0200
+Subject: CVE-2018-14600
+
+Origin: https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=dbf72805fd9d7b1846fe9a11b46f3994bfc27fea
+---
+ src/GetFPath.c | 4 ++--
+ src/ListExt.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/GetFPath.c b/src/GetFPath.c
+index cd56564..c99174a 100644
+--- a/src/GetFPath.c
++++ b/src/GetFPath.c
+@@ -70,12 +70,12 @@ char **XGetFontPath(
+ * unpack into null terminated strings.
+ */
+ chend = ch + nbytes;
+- length = *ch;
++ length = *(unsigned char *)ch;
+ for (i = 0; i < rep.nPaths; i++) {
+ if (ch + length < chend) {
+ flist[i] = ch+1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+- length = *ch;
++ length = *(unsigned char *)ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else
+diff --git a/src/ListExt.c b/src/ListExt.c
+index 421adb4..6daa14d 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -75,12 +75,12 @@ char **XListExtensions(
+ * unpack into null terminated strings.
+ */
+ chend = ch + rlen;
+- length = *ch;
++ length = *(unsigned char *)ch;
+ for (i = 0; i < rep.nExtensions; i++) {
+ if (ch + length < chend) {
+ list[i] = ch+1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+- length = *ch;
++ length = *(unsigned char *)ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else
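Review bot: The four `length = *(unsigned char *)ch;` lines leave the reason for the cast implicit, and FontNames.c, which already reads the length byte this way in the context of CVE-2018-14599.patch, does not explain it either. Because `length` feeds both the bound check `ch + length < chend` and the advance `ch += length + 1;`, a sign-extended negative value is what lets a malformed length byte pass the check and move `ch` backwards before `*ch = '\0'` is written, which is the behaviour the changelog describes; a one-line comment at the first cast site in each file, `/* length prefix is 0..255; a plain char read would sign-extend on signed-char targets and let the bound check pass with a negative offset */`, would record that contract next to the code. A small `static inline` helper returning the byte as `unsigned` would also remove the duplicated cast, but the enclosing functions start and end outside the hunk.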