diff options
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/libxv-CVE-2016-5407.patch | 162 | ||||
-rw-r--r-- | gnu/packages/xorg.scm | 13 |
3 files changed, 2 insertions, 174 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 34c95332b5..578693f07e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -668,7 +668,6 @@ dist_patch_DATA = \ %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \ %D%/packages/patches/libwmf-CVE-2015-4695.patch \ %D%/packages/patches/libwmf-CVE-2015-4696.patch \ - %D%/packages/patches/libxv-CVE-2016-5407.patch \ %D%/packages/patches/libxvmc-CVE-2016-7953.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/linux-pam-no-setfsuid.patch \ diff --git a/gnu/packages/patches/libxv-CVE-2016-5407.patch b/gnu/packages/patches/libxv-CVE-2016-5407.patch deleted file mode 100644 index e6a76c9f70..0000000000 --- a/gnu/packages/patches/libxv-CVE-2016-5407.patch +++ /dev/null @@ -1,162 +0,0 @@ -Fix CVE-2016-5407: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17 - -From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 25 Sep 2016 21:30:03 +0200 -Subject: [PATCH] Protocol handling issues in libXv - CVE-2016-5407 - -The Xv query functions for adaptors and encodings suffer from out of -boundary accesses if a hostile X server sends a maliciously crafted -response. - -A previous fix already checks the received length against fixed values -but ignores additional length specifications which are stored inside -the received data. - -These lengths are accessed in a for-loop. The easiest way to guarantee -a correct processing is by validating all lengths against the -remaining size left before accessing referenced memory. - -This makes the previously applied check obsolete, therefore I removed -it. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/Xv.c | 46 +++++++++++++++++++++++++++++----------------- - 1 file changed, 29 insertions(+), 17 deletions(-) - -diff --git a/src/Xv.c b/src/Xv.c -index e47093a..be450c4 100644 ---- a/src/Xv.c -+++ b/src/Xv.c -@@ -158,6 +158,7 @@ XvQueryAdaptors( - size_t size; - unsigned int ii, jj; - char *name; -+ char *end; - XvAdaptorInfo *pas = NULL, *pa; - XvFormat *pfs, *pf; - char *buffer = NULL; -@@ -197,17 +198,13 @@ XvQueryAdaptors( - /* GET INPUT ADAPTORS */ - - if (rep.num_adaptors == 0) { -- /* If there's no adaptors, there's nothing more to do. */ -+ /* If there are no adaptors, there's nothing more to do. */ - status = Success; - goto out; - } - -- if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) { -- /* If there's not enough data for the number of adaptors, -- then we have a problem. */ -- status = XvBadReply; -- goto out; -- } -+ u.buffer = buffer; -+ end = buffer + size; - - size = rep.num_adaptors * sizeof(XvAdaptorInfo); - if ((pas = Xmalloc(size)) == NULL) { -@@ -225,9 +222,12 @@ XvQueryAdaptors( - pa++; - } - -- u.buffer = buffer; - pa = pas; - for (ii = 0; ii < rep.num_adaptors; ii++) { -+ if (u.buffer + sz_xvAdaptorInfo > end) { -+ status = XvBadReply; -+ goto out; -+ } - pa->type = u.pa->type; - pa->base_id = u.pa->base_id; - pa->num_ports = u.pa->num_ports; -@@ -239,6 +239,10 @@ XvQueryAdaptors( - size = u.pa->name_size; - u.buffer += pad_to_int32(sz_xvAdaptorInfo); - -+ if (u.buffer + size > end) { -+ status = XvBadReply; -+ goto out; -+ } - if ((name = Xmalloc(size + 1)) == NULL) { - status = XvBadAlloc; - goto out; -@@ -259,6 +263,11 @@ XvQueryAdaptors( - - pf = pfs; - for (jj = 0; jj < pa->num_formats; jj++) { -+ if (u.buffer + sz_xvFormat > end) { -+ Xfree(pfs); -+ status = XvBadReply; -+ goto out; -+ } - pf->depth = u.pf->depth; - pf->visual_id = u.pf->visual; - pf++; -@@ -327,6 +336,7 @@ XvQueryEncodings( - size_t size; - unsigned int jj; - char *name; -+ char *end; - XvEncodingInfo *pes = NULL, *pe; - char *buffer = NULL; - union { -@@ -364,17 +374,13 @@ XvQueryEncodings( - /* GET ENCODINGS */ - - if (rep.num_encodings == 0) { -- /* If there's no encodings, there's nothing more to do. */ -+ /* If there are no encodings, there's nothing more to do. */ - status = Success; - goto out; - } - -- if (size < (rep.num_encodings * sz_xvEncodingInfo)) { -- /* If there's not enough data for the number of adaptors, -- then we have a problem. */ -- status = XvBadReply; -- goto out; -- } -+ u.buffer = buffer; -+ end = buffer + size; - - size = rep.num_encodings * sizeof(XvEncodingInfo); - if ((pes = Xmalloc(size)) == NULL) { -@@ -391,10 +397,12 @@ XvQueryEncodings( - pe++; - } - -- u.buffer = buffer; -- - pe = pes; - for (jj = 0; jj < rep.num_encodings; jj++) { -+ if (u.buffer + sz_xvEncodingInfo > end) { -+ status = XvBadReply; -+ goto out; -+ } - pe->encoding_id = u.pe->encoding; - pe->width = u.pe->width; - pe->height = u.pe->height; -@@ -405,6 +413,10 @@ XvQueryEncodings( - size = u.pe->name_size; - u.buffer += pad_to_int32(sz_xvEncodingInfo); - -+ if (u.buffer + size > end) { -+ status = XvBadReply; -+ goto out; -+ } - if ((name = Xmalloc(size + 1)) == NULL) { - status = XvBadAlloc; - goto out; --- -2.10.1 - diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm index 9d9211f8ee..3793c2b3a7 100644 --- a/gnu/packages/xorg.scm +++ b/gnu/packages/xorg.scm @@ -4667,8 +4667,7 @@ protocol and arbitrary X extension protocol.") (define-public libxv (package (name "libxv") - (replacement libxv/fixed) - (version "1.0.10") + (version "1.0.11") (source (origin (method url-fetch) @@ -4678,7 +4677,7 @@ protocol and arbitrary X extension protocol.") ".tar.bz2")) (sha256 (base32 - "09a5j6bisysiipd0nw6s352565bp0n6gbyhv5hp63s3cd3w95zjm")))) + "125hn06bd3d8y97hm2pbf5j55gg4r2hpd3ifad651i4sr7m16v6j")))) (build-system gnu-build-system) (propagated-inputs `(("videoproto" ,videoproto))) @@ -4693,14 +4692,6 @@ protocol and arbitrary X extension protocol.") (description "Library for the X Video Extension to the X11 protocol.") (license license:x11))) -(define libxv/fixed - (package - (inherit libxv) - (source (origin - (inherit (package-source libxv)) - (patches (search-patches - "libxv-CVE-2016-5407.patch")))))) - (define-public mkfontdir (package (name "mkfontdir") |