debian/changelog                                  |    7 +
 debian/patches/022_CVE-2007-1667.diff             |  100 ++++++++++++++++++++++
 debian/patches/022_XInitImage_input_validate.diff |   19 ----
 debian/patches/series                             |    2 
 4 files changed, 108 insertions(+), 20 deletions(-)

New commits:
commit 14e0d107a272906349365b1f48888cee0fd86016
Author: Julien Cristau <[EMAIL PROTECTED]>
Date:   Tue Apr 3 18:53:08 2007 +0200

    Fix CVE-2007-1667.
    
    Grab patch from upstream git to fix CVE-2007-1667 (the patch included in
    2:1.0.3-6 was incomplete).  This closes: #414045.

diff --git a/debian/changelog b/debian/changelog
index c491cc9..592ee01 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libx11 (2:1.0.3-7) unstable; urgency=high
+
+  * Grab patch from upstream git to fix CVE-2007-1667 (the patch included in
+    2:1.0.3-6 was incomplete).  This closes: #414045.
+
+ -- Julien Cristau <[EMAIL PROTECTED]>  Tue, 03 Apr 2007 18:45:51 +0200
+
 libx11 (2:1.0.3-6) unstable; urgency=high
 
   * Add patch by Daniel Kobras <[EMAIL PROTECTED]> to add more input
diff --git a/debian/patches/022_CVE-2007-1667.diff 
b/debian/patches/022_CVE-2007-1667.diff
new file mode 100644
index 0000000..6872e39
--- /dev/null
+++ b/debian/patches/022_CVE-2007-1667.diff
@@ -0,0 +1,100 @@
+From 7dc7ef398b6ad90ccd1680ed9cd1cfdd47312f5a Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <[EMAIL PROTECTED](none)>
+Date: Tue, 3 Apr 2007 15:39:52 +0200
+Subject: [PATCH] Multiple integer overflows in the XGetPixel() and XInitImage 
functions
+
+CVE-2007-1667
+---
+ src/ImUtil.c |   33 +++++++++++++++++++++++----------
+ 1 files changed, 23 insertions(+), 10 deletions(-)
+
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 83fd030..9e667bb 100644
+--- a/src/ImUtil.c
++++ b/src/ImUtil.c
+@@ -327,12 +327,13 @@ XImage *XCreateImage (dpy, visual, depth, format, 
offset, data, width, height,
+ {
+       register XImage *image;
+       int bits_per_pixel = 1;
++      int min_bytes_per_line;
+ 
+       if (depth == 0 || depth > 32 ||
+           (format != XYBitmap && format != XYPixmap && format != ZPixmap) ||
+           (format == XYBitmap && depth != 1) ||
+           (xpad != 8 && xpad != 16 && xpad != 32) ||
+-          offset < 0 || image_bytes_per_line < 0)
++          offset < 0)
+           return (XImage *) NULL;
+       if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL)
+           return (XImage *) NULL;
+@@ -363,16 +364,21 @@ XImage *XCreateImage (dpy, visual, depth, format, 
offset, data, width, height,
+       /*
+        * compute per line accelerator.
+        */
+-      if (image_bytes_per_line == 0)
+       {
+       if (format == ZPixmap)
+-          image->bytes_per_line = 
++          min_bytes_per_line = 
+              ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+       else
+-          image->bytes_per_line =
++          min_bytes_per_line =
+               ROUNDUP((width + offset), image->bitmap_pad);
+       }
+-      else image->bytes_per_line = image_bytes_per_line;
++      if (image_bytes_per_line == 0) {
++          image->bytes_per_line = min_bytes_per_line;
++      } else if (image_bytes_per_line < min_bytes_per_line) {
++          return 0;
++      } else {
++          image->bytes_per_line = image_bytes_per_line;
++      }
+ 
+       image->bits_per_pixel = bits_per_pixel;
+       image->obdata = NULL;
+@@ -384,7 +390,11 @@ XImage *XCreateImage (dpy, visual, depth, format, offset, 
data, width, height,
+ Status XInitImage (image)
+     XImage *image;
+ {
++      int min_bytes_per_line;
++
+       if (image->depth == 0 || image->depth > 32 ||
++          image->bits_per_pixel > 32 || image->bitmap_unit > 32 ||
++          image->bits_per_pixel < 0 || image->bitmap_unit < 0 ||
+           (image->format != XYBitmap &&
+            image->format != XYPixmap &&
+            image->format != ZPixmap) ||
+@@ -392,21 +402,24 @@ Status XInitImage (image)
+           (image->bitmap_pad != 8 &&
+            image->bitmap_pad != 16 &&
+            image->bitmap_pad != 32) ||
+-          image->xoffset < 0 || image->bytes_per_line < 0)
++          image->xoffset < 0)
+           return 0;
+ 
+       /*
+        * compute per line accelerator.
+        */
+-      if (image->bytes_per_line == 0)
+-      {
+       if (image->format == ZPixmap)
+-          image->bytes_per_line = 
++          min_bytes_per_line = 
+              ROUNDUP((image->bits_per_pixel * image->width),
+                      image->bitmap_pad);
+       else
+-          image->bytes_per_line =
++          min_bytes_per_line =
+               ROUNDUP((image->width + image->xoffset), image->bitmap_pad);
++
++      if (image->bytes_per_line == 0) {
++          image->bytes_per_line = min_bytes_per_line;
++      } else if (image->bytes_per_line < min_bytes_per_line) {
++          return 0;
+       }
+ 
+       _XInitImageFuncPtrs (image);
+-- 
+1.5.0.3
+
diff --git a/debian/patches/022_XInitImage_input_validate.diff 
b/debian/patches/022_XInitImage_input_validate.diff
deleted file mode 100644
index e22ca19..0000000
--- a/debian/patches/022_XInitImage_input_validate.diff
+++ /dev/null
@@ -1,19 +0,0 @@
-Add more input validation to XInitImage(), to avoid buffer overflow in
-XGetPixel(), which assumes sane values.
-Debian bug #414045.
-
-This patch by Daniel Kobras <[EMAIL PROTECTED]>
-
-Index: libx11/src/ImUtil.c
-===================================================================
---- libx11.orig/src/ImUtil.c   2007-03-09 02:21:29.000000000 +0100
-+++ libx11/src/ImUtil.c        2007-03-09 02:22:34.000000000 +0100
-@@ -385,6 +385,8 @@
-     XImage *image;
- {
-       if (image->depth == 0 || image->depth > 32 ||
-+          image->bits_per_pixel > 32 || image->bitmap_unit > 32 ||
-+          image->bits_per_pixel < 0 || image->bitmap_unit < 0 ||
-           (image->format != XYBitmap &&
-            image->format != XYPixmap &&
-            image->format != ZPixmap) ||
diff --git a/debian/patches/series b/debian/patches/series
index d10a1c1..aeb3102 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,4 +15,4 @@
 019_new_autoconf.diff
 020_CVE-2006-5397.diff
 021_compose_fclose.diff
-022_XInitImage_input_validate.diff
+022_CVE-2007-1667.diff


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to