debian/changelog | 7 + debian/patches/022_CVE-2007-1667.diff | 100 ++++++++++++++++++++++ debian/patches/022_XInitImage_input_validate.diff | 19 ---- debian/patches/series | 2 4 files changed, 108 insertions(+), 20 deletions(-)
New commits: commit 14e0d107a272906349365b1f48888cee0fd86016 Author: Julien Cristau <[EMAIL PROTECTED]> Date: Tue Apr 3 18:53:08 2007 +0200 Fix CVE-2007-1667. Grab patch from upstream git to fix CVE-2007-1667 (the patch included in 2:1.0.3-6 was incomplete). This closes: #414045. diff --git a/debian/changelog b/debian/changelog index c491cc9..592ee01 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libx11 (2:1.0.3-7) unstable; urgency=high + + * Grab patch from upstream git to fix CVE-2007-1667 (the patch included in + 2:1.0.3-6 was incomplete). This closes: #414045. + + -- Julien Cristau <[EMAIL PROTECTED]> Tue, 03 Apr 2007 18:45:51 +0200 + libx11 (2:1.0.3-6) unstable; urgency=high * Add patch by Daniel Kobras <[EMAIL PROTECTED]> to add more input diff --git a/debian/patches/022_CVE-2007-1667.diff b/debian/patches/022_CVE-2007-1667.diff new file mode 100644 index 0000000..6872e39 --- /dev/null +++ b/debian/patches/022_CVE-2007-1667.diff @@ -0,0 +1,100 @@ +From 7dc7ef398b6ad90ccd1680ed9cd1cfdd47312f5a Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb <[EMAIL PROTECTED](none)> +Date: Tue, 3 Apr 2007 15:39:52 +0200 +Subject: [PATCH] Multiple integer overflows in the XGetPixel() and XInitImage functions + +CVE-2007-1667 +--- + src/ImUtil.c | 33 +++++++++++++++++++++++---------- + 1 files changed, 23 insertions(+), 10 deletions(-) + +diff --git a/src/ImUtil.c b/src/ImUtil.c +index 83fd030..9e667bb 100644 +--- a/src/ImUtil.c ++++ b/src/ImUtil.c +@@ -327,12 +327,13 @@ XImage *XCreateImage (dpy, visual, depth, format, offset, data, width, height, + { + register XImage *image; + int bits_per_pixel = 1; ++ int min_bytes_per_line; + + if (depth == 0 || depth > 32 || + (format != XYBitmap && format != XYPixmap && format != ZPixmap) || + (format == XYBitmap && depth != 1) || + (xpad != 8 && xpad != 16 && xpad != 32) || +- offset < 0 || image_bytes_per_line < 0) ++ offset < 0) + return (XImage *) NULL; + if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL) + return (XImage *) NULL; +@@ -363,16 +364,21 @@ XImage *XCreateImage (dpy, visual, depth, format, offset, data, width, height, + /* + * compute per line accelerator. + */ +- if (image_bytes_per_line == 0) + { + if (format == ZPixmap) +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((bits_per_pixel * width), image->bitmap_pad); + else +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((width + offset), image->bitmap_pad); + } +- else image->bytes_per_line = image_bytes_per_line; ++ if (image_bytes_per_line == 0) { ++ image->bytes_per_line = min_bytes_per_line; ++ } else if (image_bytes_per_line < min_bytes_per_line) { ++ return 0; ++ } else { ++ image->bytes_per_line = image_bytes_per_line; ++ } + + image->bits_per_pixel = bits_per_pixel; + image->obdata = NULL; +@@ -384,7 +390,11 @@ XImage *XCreateImage (dpy, visual, depth, format, offset, data, width, height, + Status XInitImage (image) + XImage *image; + { ++ int min_bytes_per_line; ++ + if (image->depth == 0 || image->depth > 32 || ++ image->bits_per_pixel > 32 || image->bitmap_unit > 32 || ++ image->bits_per_pixel < 0 || image->bitmap_unit < 0 || + (image->format != XYBitmap && + image->format != XYPixmap && + image->format != ZPixmap) || +@@ -392,21 +402,24 @@ Status XInitImage (image) + (image->bitmap_pad != 8 && + image->bitmap_pad != 16 && + image->bitmap_pad != 32) || +- image->xoffset < 0 || image->bytes_per_line < 0) ++ image->xoffset < 0) + return 0; + + /* + * compute per line accelerator. + */ +- if (image->bytes_per_line == 0) +- { + if (image->format == ZPixmap) +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((image->bits_per_pixel * image->width), + image->bitmap_pad); + else +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((image->width + image->xoffset), image->bitmap_pad); ++ ++ if (image->bytes_per_line == 0) { ++ image->bytes_per_line = min_bytes_per_line; ++ } else if (image->bytes_per_line < min_bytes_per_line) { ++ return 0; + } + + _XInitImageFuncPtrs (image); +-- +1.5.0.3 + diff --git a/debian/patches/022_XInitImage_input_validate.diff b/debian/patches/022_XInitImage_input_validate.diff deleted file mode 100644 index e22ca19..0000000 --- a/debian/patches/022_XInitImage_input_validate.diff +++ /dev/null @@ -1,19 +0,0 @@ -Add more input validation to XInitImage(), to avoid buffer overflow in -XGetPixel(), which assumes sane values. -Debian bug #414045. - -This patch by Daniel Kobras <[EMAIL PROTECTED]> - -Index: libx11/src/ImUtil.c -=================================================================== ---- libx11.orig/src/ImUtil.c 2007-03-09 02:21:29.000000000 +0100 -+++ libx11/src/ImUtil.c 2007-03-09 02:22:34.000000000 +0100 -@@ -385,6 +385,8 @@ - XImage *image; - { - if (image->depth == 0 || image->depth > 32 || -+ image->bits_per_pixel > 32 || image->bitmap_unit > 32 || -+ image->bits_per_pixel < 0 || image->bitmap_unit < 0 || - (image->format != XYBitmap && - image->format != XYPixmap && - image->format != ZPixmap) || diff --git a/debian/patches/series b/debian/patches/series index d10a1c1..aeb3102 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -15,4 +15,4 @@ 019_new_autoconf.diff 020_CVE-2006-5397.diff 021_compose_fclose.diff -022_XInitImage_input_validate.diff +022_CVE-2007-1667.diff -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]