diff --git a/.gitignore b/.gitignore index 2411738..4140c05 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libXfont-1.4.7.tar.bz2 +SOURCES/libXfont-1.5.1.tar.bz2 diff --git a/.libXfont.metadata b/.libXfont.metadata index 6465849..3bae679 100644 --- a/.libXfont.metadata +++ b/.libXfont.metadata @@ -1 +1 @@ -77f60d0a2190cb36c07c2217693f46d5e8942ca2 SOURCES/libXfont-1.4.7.tar.bz2 +e63a354de5dc2d8cba08d50add1519471412a618 SOURCES/libXfont-1.5.1.tar.bz2 diff --git a/SOURCES/0001-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch b/SOURCES/0001-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch deleted file mode 100644 index 2d48df0..0000000 --- a/SOURCES/0001-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 2f5e57317339c526e6eaee1010b0e2ab8089c42e Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 25 Apr 2014 23:01:11 -0700 -Subject: [PATCH 01/12] CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -FontFileReadDirectory() opens a fonts.dir file, and reads over every -line in an fscanf loop. For each successful entry read (font name, -file name) a call is made to FontFileAddFontFile(). - -FontFileAddFontFile() will add a font file entry (for the font name -and file) each time it’s called, by calling FontFileAddEntry(). -FontFileAddEntry() will do the actual adding. If the table it has -to add to is full, it will do a realloc, adding 100 more entries -to the table size without checking to see if that will overflow the -int used to store the size. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Adam Jackson -Reviewed-by: Matthieu Herrb ---- - src/fontfile/fontdir.c | 5 +++++ - 1 files changed, 5 insertions(+), 0 deletions(-) - -diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c -index ef7ffa5..7271603 100644 ---- a/src/fontfile/fontdir.c -+++ b/src/fontfile/fontdir.c -@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype) - if (table->sorted) - return (FontEntryPtr) 0; /* "cannot" happen */ - if (table->used == table->size) { -+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100)) -+ /* If we've read so many entries we're going to ask for 2gb -+ or more of memory, something is so wrong with this font -+ directory that we should just give up before we overflow. */ -+ return NULL; - newsize = table->size + 100; - entry = realloc(table->entries, newsize * sizeof(FontEntryRec)); - if (!entry) --- -1.7.1 - diff --git a/SOURCES/0002-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch b/SOURCES/0002-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch deleted file mode 100644 index fbf5b5d..0000000 --- a/SOURCES/0002-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 25 Apr 2014 23:01:48 -0700 -Subject: [PATCH 02/12] CVE-2014-0209: integer overflow of realloc() size in lexAlias() - -lexAlias() reads from a file in a loop. It does this by starting with a -64 byte buffer. If that size limit is hit, it does a realloc of the -buffer size << 1, basically doubling the needed length every time the -length limit is hit. - -Eventually, this will shift out to 0 (for a length of ~4gig), and that -length will be passed on to realloc(). A length of 0 (with a valid -pointer) causes realloc to free the buffer on most POSIX platforms, -but the caller will still have a pointer to it, leading to use after -free issues. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Adam Jackson -Reviewed-by: Matthieu Herrb ---- - src/fontfile/dirfile.c | 4 ++++ - 1 files changed, 4 insertions(+), 0 deletions(-) - -diff --git a/src/fontfile/dirfile.c b/src/fontfile/dirfile.c -index cb28333..38ced75 100644 ---- a/src/fontfile/dirfile.c -+++ b/src/fontfile/dirfile.c -@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group. - #include - #include - #include -+#include - - static Bool AddFileNameAliases ( FontDirectoryPtr dir ); - static int ReadFontAlias ( char *directory, Bool isFile, -@@ -376,6 +377,9 @@ lexAlias(FILE *file, char **lexToken) - int nsize; - char *nbuf; - -+ if (tokenSize >= (INT_MAX >> 2)) -+ /* Stop before we overflow */ -+ return EALLOC; - nsize = tokenSize ? (tokenSize << 1) : 64; - nbuf = realloc(tokenBuf, nsize); - if (!nbuf) --- -1.7.1 - diff --git a/SOURCES/0003-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch b/SOURCES/0003-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch deleted file mode 100644 index d306009..0000000 --- a/SOURCES/0003-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 891e084b26837162b12f841060086a105edde86d Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 25 Apr 2014 23:02:00 -0700 -Subject: [PATCH 03/12] CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() - -The connection setup reply from the font server can include a list -of alternate servers to contact if this font server stops working. - -The reply specifies a total size of all the font server names, and -then provides a list of names. _fs_recv_conn_setup() allocated the -specified total size for copying the names to, but didn't check to -make sure it wasn't copying more data to that buffer than the size -it had allocated. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Adam Jackson -Reviewed-by: Matthieu Herrb ---- - src/fc/fserve.c | 20 ++++++++++++++++++-- - 1 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index 3585951..aa9acdb 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -2784,7 +2784,7 @@ _fs_recv_conn_setup (FSFpePtr conn) - int ret = FSIO_ERROR; - fsConnSetup *setup; - FSFpeAltPtr alts; -- int i, alt_len; -+ unsigned int i, alt_len; - int setup_len; - char *alt_save, *alt_names; - -@@ -2811,8 +2811,9 @@ _fs_recv_conn_setup (FSFpePtr conn) - } - if (setup->num_alternates) - { -+ size_t alt_name_len = setup->alternate_len << 2; - alts = malloc (setup->num_alternates * sizeof (FSFpeAltRec) + -- (setup->alternate_len << 2)); -+ alt_name_len); - if (alts) - { - alt_names = (char *) (setup + 1); -@@ -2821,10 +2822,25 @@ _fs_recv_conn_setup (FSFpePtr conn) - { - alts[i].subset = alt_names[0]; - alt_len = alt_names[1]; -+ if (alt_len >= alt_name_len) { -+ /* -+ * Length is longer than setup->alternate_len -+ * told us to allocate room for, assume entire -+ * alternate list is corrupted. -+ */ -+#ifdef DEBUG -+ fprintf (stderr, -+ "invalid alt list (length %lx >= %lx)\n", -+ (long) alt_len, (long) alt_name_len); -+#endif -+ free(alts); -+ return FSIO_ERROR; -+ } - alts[i].name = alt_save; - memcpy (alt_save, alt_names + 2, alt_len); - alt_save[alt_len] = '\0'; - alt_save += alt_len + 1; -+ alt_name_len -= alt_len + 1; - alt_names += _fs_pad_length (alt_len + 2); - } - conn->numAlts = setup->num_alternates; --- -1.7.1 - diff --git a/SOURCES/0004-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch b/SOURCES/0004-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch deleted file mode 100644 index 5334808..0000000 --- a/SOURCES/0004-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch +++ /dev/null @@ -1,161 +0,0 @@ -From cbb64aef35960b2882be721f4b8fbaa0fb649d12 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 25 Apr 2014 23:02:12 -0700 -Subject: [PATCH 04/12] CVE-2014-0210: unvalidated lengths when reading replies from font server - -Functions to handle replies to font server requests were casting replies -from the generic form to reply specific structs without first checking -that the reply was at least as long as the struct being cast to. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Adam Jackson -Reviewed-by: Matthieu Herrb ---- - src/fc/fserve.c | 44 ++++++++++++++++++++++++++++++++++++++------ - 1 files changed, 38 insertions(+), 6 deletions(-) - -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index aa9acdb..f08028f 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -91,6 +91,12 @@ in this Software without prior written authorization from The Open Group. - (pci)->descent || \ - (pci)->characterWidth) - -+/* -+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words, -+ * so this converts for doing size comparisons. -+ */ -+#define LENGTHOF(r) (SIZEOF(r) >> 2) -+ - extern void ErrorF(const char *f, ...); - - static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); -@@ -206,9 +212,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep) - rep->sequenceNumber, - conn->reqbuffer[i].opcode); - } -+ -+#define _fs_reply_failed(rep, name, op) do { \ -+ if (rep) { \ -+ if (rep->type == FS_Error) \ -+ fprintf (stderr, "Error: %d Request: %s\n", \ -+ ((fsError *)rep)->request, #name); \ -+ else \ -+ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \ -+ #name, rep->length, op, LENGTHOF(name)); \ -+ } \ -+} while (0) -+ - #else - #define _fs_add_req_log(conn,op) ((conn)->current_seq++) - #define _fs_add_rep_log(conn,rep) -+#define _fs_reply_failed(rep,name,op) - #endif - - static Bool -@@ -682,13 +701,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - int ret; - - rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length != LENGTHOF(fsOpenBitmapFontReply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - fs_cleanup_bfont (bfont); -+ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!="); - return BadFontName; - } - -@@ -824,13 +845,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - int ret; - - rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsQueryXInfoReply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - fs_cleanup_bfont (bfont); -+ _fs_reply_failed (rep, fsQueryXInfoReply, "<"); - return BadFontName; - } - -@@ -951,13 +974,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FontInfoRec *fi = &bfont->pfont->info; - - rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsQueryXExtents16Reply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - fs_cleanup_bfont (bfont); -+ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<"); - return BadFontName; - } - -@@ -1823,13 +1848,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - unsigned long minchar, maxchar; - - rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - err = AllocError; -+ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<"); - goto bail; - } - -@@ -2232,12 +2259,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - int err; - - rep = (fsListFontsReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsListFontsReply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); -+ _fs_reply_failed (rep, fsListFontsReply, "<"); - return AllocError; - } - data = (char *) rep + SIZEOF (fsListFontsReply); -@@ -2356,12 +2385,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - _fs_free_props (&binfo->info); - - rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ ((rep->nameLength != 0) && -+ (rep->length < LENGTHOF(fsListFontsWithXInfoReply)))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - binfo->status = FS_LFWI_FINISHED; - err = AllocError; -+ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<"); - goto done; - } - /* --- -1.7.1 - diff --git a/SOURCES/0005-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch b/SOURCES/0005-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch deleted file mode 100644 index 817e06d..0000000 --- a/SOURCES/0005-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 0f1a5d372c143f91a602bdf10c917d7eabaee09b Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 25 Apr 2014 23:02:25 -0700 -Subject: [PATCH 05/12] CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read - -fs_get_reply() would take any reply size, multiply it by 4 and pass to -_fs_start_read. If that size was bigger than the current reply buffer -size, _fs_start_read would add it to the existing buffer size plus the -buffer size increment constant and realloc the buffer to that result. - -This math could overflow, causing the code to allocate a smaller -buffer than the amount it was about to read into that buffer from -the network. It could also succeed, allowing the remote font server -to cause massive allocations in the X server, possibly using up all -the address space in a 32-bit X server, allowing the triggering of -other bugs in code that fails to handle malloc failure properly. - -This patch protects against both problems, by disconnecting any -font server trying to feed us more than (the somewhat arbitrary) -64 mb in a single reply. - -Signed-off-by: Alan Coopersmith -Reviewed-by: Adam Jackson -Reviewed-by: Matthieu Herrb ---- - src/fc/fserve.c | 18 ++++++++++++++++++ - 1 files changed, 18 insertions(+), 0 deletions(-) - -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index f08028f..3abbacf 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -97,6 +97,9 @@ in this Software without prior written authorization from The Open Group. - */ - #define LENGTHOF(r) (SIZEOF(r) >> 2) - -+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */ -+#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2) -+ - extern void ErrorF(const char *f, ...); - - static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); -@@ -619,6 +622,21 @@ fs_get_reply (FSFpePtr conn, int *error) - - rep = (fsGenericReply *) buf; - -+ /* -+ * Refuse to accept replies longer than a maximum reasonable length, -+ * before we pass to _fs_start_read, since it will try to resize the -+ * incoming connection buffer to this size. Also avoids integer overflow -+ * on 32-bit systems. -+ */ -+ if (rep->length > MAX_REPLY_LENGTH) -+ { -+ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting" -+ " from font server\n", rep->length); -+ _fs_connection_died (conn); -+ *error = FSIO_ERROR; -+ return 0; -+ } -+ - ret = _fs_start_read (conn, rep->length << 2, &buf); - if (ret != FSIO_READY) - { --- -1.7.1 - diff --git a/SOURCES/0006-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch b/SOURCES/0006-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch deleted file mode 100644 index 7ebbf10..0000000 --- a/SOURCES/0006-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch +++ /dev/null @@ -1,126 +0,0 @@ -From 491291cabf78efdeec8f18b09e14726a9030cc8f Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 25 Apr 2014 23:02:34 -0700 -Subject: [PATCH 06/12] CVE-2014-0210: unvalidated length fields in fs_read_query_info() - -fs_read_query_info() parses a reply from the font server. The reply -contains embedded length fields, none of which are validated. This -can cause out of bound reads in either fs_read_query_info() or in -_fs_convert_props() which it calls to parse the fsPropInfo in the reply. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Adam Jackson -Reviewed-by: Matthieu Herrb ---- - src/fc/fsconvert.c | 9 +++++++++ - src/fc/fserve.c | 37 +++++++++++++++++++++++++++++++++++++ - 2 files changed, 46 insertions(+), 0 deletions(-) - -diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c -index 75b5372..dfa1317 100644 ---- a/src/fc/fsconvert.c -+++ b/src/fc/fsconvert.c -@@ -118,6 +118,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, - for (i = 0; i < nprops; i++, dprop++, is_str++) - { - memcpy(&local_off, off_adr, SIZEOF(fsPropOffset)); -+ if ((local_off.name.position >= pi->data_len) || -+ (local_off.name.length > -+ (pi->data_len - local_off.name.position))) -+ goto bail; - dprop->name = MakeAtom(&pdc[local_off.name.position], - local_off.name.length, 1); - if (local_off.type != PropTypeString) { -@@ -125,10 +129,15 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, - dprop->value = local_off.value.position; - } else { - *is_str = TRUE; -+ if ((local_off.value.position >= pi->data_len) || -+ (local_off.value.length > -+ (pi->data_len - local_off.value.position))) -+ goto bail; - dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position], - local_off.value.length, 1); - if (dprop->value == BAD_RESOURCE) - { -+ bail: - free (pfi->props); - pfi->nprops = 0; - pfi->props = 0; -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index 3abbacf..ec5336e 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -854,6 +854,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FSFpePtr conn = (FSFpePtr) fpe->private; - fsQueryXInfoReply *rep; - char *buf; -+ long bufleft; /* length of reply left to use */ - fsPropInfo *pi; - fsPropOffset *po; - pointer pd; -@@ -885,6 +886,9 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - buf = (char *) rep; - buf += SIZEOF(fsQueryXInfoReply); - -+ bufleft = rep->length << 2; -+ bufleft -= SIZEOF(fsQueryXInfoReply); -+ - /* move the data over */ - fsUnpack_XFontInfoHeader(rep, pInfo); - -@@ -892,17 +896,50 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - _fs_init_fontinfo(conn, pInfo); - - /* Compute offsets into the reply */ -+ if (bufleft < SIZEOF(fsPropInfo)) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n", -+ bufleft); -+#endif -+ goto bail; -+ } - pi = (fsPropInfo *) buf; - buf += SIZEOF (fsPropInfo); -+ bufleft -= SIZEOF(fsPropInfo); - -+ if ((bufleft / SIZEOF(fsPropOffset)) < pi->num_offsets) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXInfo: bufleft (%ld) / SIZEOF(fsPropOffset) < %d\n", -+ bufleft, pi->num_offsets); -+#endif -+ goto bail; -+ } - po = (fsPropOffset *) buf; - buf += pi->num_offsets * SIZEOF(fsPropOffset); -+ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset); - -+ if (bufleft < pi->data_len) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n", -+ bufleft, pi->data_len); -+#endif -+ goto bail; -+ } - pd = (pointer) buf; - buf += pi->data_len; -+ bufleft -= pi->data_len; - - /* convert the properties and step over the reply */ - ret = _fs_convert_props(pi, po, pd, pInfo); -+ bail: - _fs_done_read (conn, rep->length << 2); - - if (ret == -1) --- -1.7.1 - diff --git a/SOURCES/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch b/SOURCES/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch deleted file mode 100644 index 3134420..0000000 --- a/SOURCES/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch +++ /dev/null @@ -1,51 +0,0 @@ -From c578408c1fd4db09e4e3173f8a9e65c81cc187c1 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 25 Apr 2014 23:02:42 -0700 -Subject: [PATCH 07/12] CVE-2014-0211: integer overflow in fs_read_extent_info() - -fs_read_extent_info() parses a reply from the font server. -The reply contains a 32bit number of elements field which is used -to calculate a buffer length. There is an integer overflow in this -calculation which can lead to memory corruption. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Adam Jackson -Reviewed-by: Matthieu Herrb ---- - src/fc/fserve.c | 12 +++++++++++- - 1 files changed, 11 insertions(+), 1 deletions(-) - -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index ec5336e..96abd0e 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -70,6 +70,7 @@ in this Software without prior written authorization from The Open Group. - #include "fservestr.h" - #include - #include -+#include - - #include - #define Time_t time_t -@@ -1050,7 +1051,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - numInfos *= 2; - haveInk = TRUE; - } -- ci = pCI = malloc(sizeof(CharInfoRec) * numInfos); -+ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXExtents16: numInfos (%d) >= %ld\n", -+ numInfos, (INT_MAX / sizeof(CharInfoRec))); -+#endif -+ pCI = NULL; -+ } -+ else -+ pCI = malloc(sizeof(CharInfoRec) * numInfos); - - if (!pCI) - { --- -1.7.1 - diff --git a/SOURCES/0008-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs.patch b/SOURCES/0008-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs.patch deleted file mode 100644 index 2c213ab..0000000 --- a/SOURCES/0008-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs.patch +++ /dev/null @@ -1,38 +0,0 @@ -From a42f707f8a62973f5e8bbcd08afb10a79e9cee33 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 25 Apr 2014 23:02:54 -0700 -Subject: [PATCH 08/12] CVE-2014-0211: integer overflow in fs_alloc_glyphs() - -fs_alloc_glyphs() is a malloc wrapper used by the font code. -It contains a classic integer overflow in the malloc() call, -which can cause memory corruption. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Adam Jackson -Reviewed-by: Matthieu Herrb ---- - src/fc/fsconvert.c | 7 ++++++- - 1 files changed, 6 insertions(+), 1 deletions(-) - -diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c -index dfa1317..18b0c0d 100644 ---- a/src/fc/fsconvert.c -+++ b/src/fc/fsconvert.c -@@ -721,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size) - FSGlyphPtr glyphs; - FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate; - -- glyphs = malloc (sizeof (FSGlyphRec) + size); -+ if (size < (INT_MAX - sizeof (FSGlyphRec))) -+ glyphs = malloc (sizeof (FSGlyphRec) + size); -+ else -+ glyphs = NULL; -+ if (glyphs == NULL) -+ return NULL; - glyphs->next = fsfont->glyphs; - fsfont->glyphs = glyphs; - return (pointer) (glyphs + 1); --- -1.7.1 - diff --git a/SOURCES/0009-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch b/SOURCES/0009-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch deleted file mode 100644 index 1bed539..0000000 --- a/SOURCES/0009-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch +++ /dev/null @@ -1,41 +0,0 @@ -From a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 25 Apr 2014 23:03:05 -0700 -Subject: [PATCH 09/12] CVE-2014-0210: unvalidated length fields in fs_read_extent_info() - -Looping over the extents in the reply could go past the end of the -reply buffer if the reply indicated more extents than could fit in -the specified reply length. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Adam Jackson -Reviewed-by: Matthieu Herrb ---- - src/fc/fserve.c | 10 ++++++++++ - 1 files changed, 10 insertions(+), 0 deletions(-) - -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index 96abd0e..232e969 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -1059,6 +1059,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - #endif - pCI = NULL; - } -+ else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply)) -+ / LENGTHOF(fsXCharInfo))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n", -+ numExtents, rep->length, -+ LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo)); -+#endif -+ pCI = NULL; -+ } - else - pCI = malloc(sizeof(CharInfoRec) * numInfos); - --- -1.7.1 - diff --git a/SOURCES/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch b/SOURCES/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch deleted file mode 100644 index f74286b..0000000 --- a/SOURCES/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 520683652564c2a4e42328ae23eef9bb63271565 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 25 Apr 2014 23:03:24 -0700 -Subject: [PATCH 10/12] CVE-2014-0210: unvalidated length fields in fs_read_glyphs() - -fs_read_glyphs() parses a reply from the font server. The reply -contains embedded length fields, none of which are validated. -This can cause out of bound reads when looping over the glyph -bitmaps in the reply. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Adam Jackson -Reviewed-by: Matthieu Herrb ---- - src/fc/fserve.c | 29 ++++++++++++++++++++++++++++- - 1 files changed, 28 insertions(+), 1 deletions(-) - -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index 232e969..581bb1b 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -1907,6 +1907,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FontInfoPtr pfi = &pfont->info; - fsQueryXBitmaps16Reply *rep; - char *buf; -+ long bufleft; /* length of reply left to use */ - fsOffset32 *ppbits; - fsOffset32 local_off; - char *off_adr; -@@ -1938,9 +1939,33 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - buf = (char *) rep; - buf += SIZEOF (fsQueryXBitmaps16Reply); - -+ bufleft = rep->length << 2; -+ bufleft -= SIZEOF (fsQueryXBitmaps16Reply); -+ -+ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars) -+ { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n", -+ rep->num_chars, bufleft, SIZEOF (fsOffset32)); -+#endif -+ err = AllocError; -+ goto bail; -+ } - ppbits = (fsOffset32 *) buf; - buf += SIZEOF (fsOffset32) * (rep->num_chars); -+ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars); - -+ if (bufleft < rep->nbytes) -+ { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n", -+ rep->nbytes, bufleft); -+#endif -+ err = AllocError; -+ goto bail; -+ } - pbitmaps = (pointer ) buf; - - if (blockrec->type == FS_LOAD_GLYPHS) -@@ -1998,7 +2023,9 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - */ - if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics)) - { -- if (local_off.length) -+ if (local_off.length && -+ (local_off.position < rep->nbytes) && -+ (local_off.length <= (rep->nbytes - local_off.position))) - { - bits = allbits; - allbits += local_off.length; --- -1.7.1 - diff --git a/SOURCES/0011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch b/SOURCES/0011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch deleted file mode 100644 index 657f898..0000000 --- a/SOURCES/0011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 5fa73ac18474be3032ee7af9c6e29deab163ea39 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 2 May 2014 19:24:17 -0700 -Subject: [PATCH 11/12] CVE-2014-0210: unvalidated length fields in fs_read_list() - -fs_read_list() parses a reply from the font server. The reply -contains a list of strings with embedded length fields, none of -which are validated. This can cause out of bound reads when looping -over the strings in the reply. - -Signed-off-by: Alan Coopersmith ---- - src/fc/fserve.c | 15 +++++++++++++++ - 1 files changed, 15 insertions(+), 0 deletions(-) - -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index 581bb1b..4dcdc04 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -2355,6 +2355,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data; - fsListFontsReply *rep; - char *data; -+ long dataleft; /* length of reply left to use */ - int length, - i, - ret; -@@ -2372,16 +2373,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - return AllocError; - } - data = (char *) rep + SIZEOF (fsListFontsReply); -+ dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply); - - err = Successful; - /* copy data into FontPathRecord */ - for (i = 0; i < rep->nFonts; i++) - { -+ if (dataleft < 1) -+ break; - length = *(unsigned char *)data++; -+ dataleft--; /* used length byte */ -+ if (length > dataleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFonts: name length (%d) > dataleft (%ld)\n", -+ length, dataleft); -+#endif -+ err = BadFontName; -+ break; -+ } - err = AddFontNamesName(blist->names, data, length); - if (err != Successful) - break; - data += length; -+ dataleft -= length; - } - _fs_done_read (conn, rep->length << 2); - return err; --- -1.7.1 - diff --git a/SOURCES/0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch b/SOURCES/0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch deleted file mode 100644 index 3550ec6..0000000 --- a/SOURCES/0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch +++ /dev/null @@ -1,110 +0,0 @@ -From d338f81df1e188eb16e1d6aeea7f4800f89c1218 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 2 May 2014 19:24:17 -0700 -Subject: [PATCH 12/12] CVE-2014-0210: unvalidated length fields in fs_read_list_info() - -fs_read_list_info() parses a reply from the font server. The reply -contains a number of additional data items with embedded length or -count fields, none of which are validated. This can cause out of -bound reads when looping over these items in the reply. - -Signed-off-by: Alan Coopersmith ---- - src/fc/fserve.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 files changed, 54 insertions(+), 0 deletions(-) - -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index 4dcdc04..c1cf9d6 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -2491,6 +2491,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data; - fsListFontsWithXInfoReply *rep; - char *buf; -+ long bufleft; - FSFpePtr conn = (FSFpePtr) fpe->private; - fsPropInfo *pi; - fsPropOffset *po; -@@ -2527,6 +2528,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - } - - buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply); -+ bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply); - - /* - * The original FS implementation didn't match -@@ -2535,19 +2537,71 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - */ - if (conn->fsMajorVersion <= 1) - { -+ if (rep->nameLength > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n", -+ (int) rep->nameLength, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */ - memcpy (binfo->name, buf, rep->nameLength); - buf += _fs_pad_length (rep->nameLength); -+ bufleft -= _fs_pad_length (rep->nameLength); - } - pi = (fsPropInfo *) buf; -+ if (SIZEOF (fsPropInfo) > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: PropInfo length (%d) > bufleft (%ld)\n", -+ (int) SIZEOF (fsPropInfo), bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= SIZEOF (fsPropInfo); - buf += SIZEOF (fsPropInfo); - po = (fsPropOffset *) buf; -+ if (pi->num_offsets > (bufleft / SIZEOF (fsPropOffset))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: offset length (%d * %d) > bufleft (%ld)\n", -+ pi->num_offsets, (int) SIZEOF (fsPropOffset), bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= pi->num_offsets * SIZEOF (fsPropOffset); - buf += pi->num_offsets * SIZEOF (fsPropOffset); - pd = (pointer) buf; -+ if (pi->data_len > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: data length (%d) > bufleft (%ld)\n", -+ pi->data_len, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= pi->data_len; - buf += pi->data_len; - if (conn->fsMajorVersion > 1) - { -+ if (rep->nameLength > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n", -+ (int) rep->nameLength, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */ - memcpy (binfo->name, buf, rep->nameLength); - buf += _fs_pad_length (rep->nameLength); -+ bufleft -= _fs_pad_length (rep->nameLength); - } - - #ifdef DEBUG --- -1.7.1 - diff --git a/SOURCES/bdfReadCharacters-Allow-negative-DWIDTH-values.patch b/SOURCES/bdfReadCharacters-Allow-negative-DWIDTH-values.patch new file mode 100644 index 0000000..4ab25f3 --- /dev/null +++ b/SOURCES/bdfReadCharacters-Allow-negative-DWIDTH-values.patch @@ -0,0 +1,39 @@ +From 1a73d6828dfa03924f2d68644fb5b99afd9c78e2 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Mon, 13 Jul 2015 14:43:06 -0400 +Subject: [PATCH] bdfReadCharacters: Allow negative DWIDTH values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The fix for CVE-2015-1804 prevent DWIDTH to be negative. +However, the spec states that "DWIDTH [...] is a vector indicating the +position of the next glyph’s origin relative to the origin of this glyph." + +So negative values are correct. + +Found by trying to compile XTS. + +Signed-off-by: Benjamin Tissoires +Reviewed-by: Peter Hutterer +Signed-off-by: Alan Coopersmith +--- + src/bitmap/bdfread.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c +index a0ace8f..eccd7b7 100644 +--- a/src/bitmap/bdfread.c ++++ b/src/bitmap/bdfread.c +@@ -426,7 +426,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, + goto BAILOUT; + } + /* xCharInfo metrics are stored as INT16 */ +- if ((wx < 0) || (wx > INT16_MAX)) { ++ if ((wx < INT16_MIN) || (wx > INT16_MAX)) { + bdfError("character '%s' has out of range width, %d\n", + charName, wx); + goto BAILOUT; +-- +2.1.0 + diff --git a/SOURCES/cve-2015-1802.patch b/SOURCES/cve-2015-1802.patch deleted file mode 100644 index 1d87333..0000000 --- a/SOURCES/cve-2015-1802.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 6 Feb 2015 15:50:45 -0800 -Subject: bdfReadProperties: property count needs range check [CVE-2015-1802] - -Avoid integer overflow or underflow when allocating memory arrays -by multiplying the number of properties reported for a BDF font. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Julien Cristau - -diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c -index 914a024..6387908 100644 ---- a/src/bitmap/bdfread.c -+++ b/src/bitmap/bdfread.c -@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) - bdfError("missing 'STARTPROPERTIES'\n"); - return (FALSE); - } -- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) { -+ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || -+ (nProps <= 0) || -+ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { - bdfError("bad 'STARTPROPERTIES'\n"); - return (FALSE); - } --- -cgit v0.10.2 - diff --git a/SOURCES/cve-2015-1803.patch b/SOURCES/cve-2015-1803.patch deleted file mode 100644 index 22d2d5b..0000000 --- a/SOURCES/cve-2015-1803.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 6 Feb 2015 15:54:00 -0800 -Subject: bdfReadCharacters: bailout if a char's bitmap cannot be read - [CVE-2015-1803] - -Previously would charge on ahead with a NULL pointer in ci->bits, and -then crash later in FontCharInkMetrics() trying to access the bits. - -Found with afl-1.23b. - -Signed-off-by: Alan Coopersmith -Reviewed-by: Julien Cristau - -diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c -index 6387908..1b29b81 100644 ---- a/src/bitmap/bdfread.c -+++ b/src/bitmap/bdfread.c -@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, - ci->metrics.descent = -bb; - ci->metrics.characterWidth = wx; - ci->bits = NULL; -- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); -+ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { -+ bdfError("could not read bitmap for character '%s'\n", charName); -+ goto BAILOUT; -+ } - ci++; - ndx++; - } else --- -cgit v0.10.2 - diff --git a/SOURCES/cve-2015-1804.patch b/SOURCES/cve-2015-1804.patch deleted file mode 100644 index dd8d5be..0000000 --- a/SOURCES/cve-2015-1804.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 6 Mar 2015 22:54:58 -0800 -Subject: bdfReadCharacters: ensure metrics fit into xCharInfo struct - [CVE-2015-1804] - -We use 32-bit ints to read from the bdf file, but then try to stick -into a 16-bit int in the xCharInfo struct, so make sure they won't -overflow that range. - -Found by afl-1.24b. - -v2: Verify that additions won't overflow 32-bit int range either. -v3: As Julien correctly observes, the previous check for bh & bw not - being < 0 reduces the number of cases we need to check for overflow. - -Signed-off-by: Alan Coopersmith -Reviewed-by: Julien Cristau - -diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c -index 1b29b81..a0ace8f 100644 ---- a/src/bitmap/bdfread.c -+++ b/src/bitmap/bdfread.c -@@ -62,8 +62,16 @@ from The Open Group. - - #if HAVE_STDINT_H - #include --#elif !defined(INT32_MAX) --#define INT32_MAX 0x7fffffff -+#else -+# ifndef INT32_MAX -+# define INT32_MAX 0x7fffffff -+# endif -+# ifndef INT16_MAX -+# define INT16_MAX 0x7fff -+# endif -+# ifndef INT16_MIN -+# define INT16_MIN (0 - 0x8000) -+# endif - #endif - - #define INDICES 256 -@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, - bdfError("DWIDTH y value must be zero\n"); - goto BAILOUT; - } -+ /* xCharInfo metrics are stored as INT16 */ -+ if ((wx < 0) || (wx > INT16_MAX)) { -+ bdfError("character '%s' has out of range width, %d\n", -+ charName, wx); -+ goto BAILOUT; -+ } - line = bdfGetLine(file, lineBuf, BDFLINELEN); - if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) { - bdfError("bad 'BBX'\n"); -@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, - charName, bw, bh); - goto BAILOUT; - } -+ /* xCharInfo metrics are read as int, but stored as INT16 */ -+ if ((bl > INT16_MAX) || (bl < INT16_MIN) || -+ (bb > INT16_MAX) || (bb < INT16_MIN) || -+ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) { -+ bdfError("character '%s' has out of range metrics, %d %d %d %d\n", -+ charName, bl, (bl+bw), (bh+bb), -bb); -+ goto BAILOUT; -+ } - line = bdfGetLine(file, lineBuf, BDFLINELEN); - if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) { - for (p = line + strlen("ATTRIBUTES "); --- -cgit v0.10.2 - diff --git a/SPECS/libXfont.spec b/SPECS/libXfont.spec index 1b5567a..01ca9a0 100644 --- a/SPECS/libXfont.spec +++ b/SPECS/libXfont.spec @@ -1,14 +1,15 @@ Summary: X.Org X11 libXfont runtime library Name: libXfont -Version: 1.4.7 -Release: 3%{?dist} +Version: 1.5.1 +Release: 2%{?dist} License: MIT Group: System Environment/Libraries URL: http://www.x.org -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Source0: http://www.x.org/pub/individual/lib/%{name}-%{version}.tar.bz2 +Patch0: bdfReadCharacters-Allow-negative-DWIDTH-values.patch + BuildRequires: autoconf automake libtool BuildRequires: pkgconfig(fontsproto) BuildRequires: xorg-x11-util-macros @@ -16,30 +17,14 @@ BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-3 BuildRequires: libfontenc-devel BuildRequires: freetype-devel -Patch0: 0001-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch -Patch1: 0002-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch -Patch2: 0003-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch -Patch3: 0004-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch -Patch4: 0005-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch -Patch5: 0006-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch -Patch6: 0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch -Patch7: 0008-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs.patch -Patch8: 0009-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch -Patch9: 0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch -Patch10: 0011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch -Patch11: 0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch -Patch12: cve-2015-1802.patch -Patch13: cve-2015-1803.patch -Patch14: cve-2015-1804.patch - %description X.Org X11 libXfont runtime library %package devel Summary: X.Org X11 libXfont development package Group: Development/Libraries -Requires: %{name} = %{version}-%{release} -Requires: libfontenc-devel +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: libfontenc-devel%{?_isa} %description devel X.Org X11 libXfont development package @@ -47,21 +32,7 @@ X.Org X11 libXfont development package %prep %setup -q -%patch0 -p1 -b .cve20140209.1 -%patch1 -p1 -b .cve20140209.2 -%patch2 -p1 -b .cve20140210.3 -%patch3 -p1 -b .cve20140210.4 -%patch4 -p1 -b .cve20140211.5 -%patch5 -p1 -b .cve20140210.6 -%patch6 -p1 -b .cve20140211.7 -%patch7 -p1 -b .cve20140211.8 -%patch8 -p1 -b .cve20140210.9 -%patch9 -p1 -b .cve20140210.10 -%patch10 -p1 -b .cve20140210.11 -%patch11 -p1 -b .cve20140210.12 -%patch12 -p1 -b .cve20151802.13 -%patch13 -p1 -b .cve20151803.14 -%patch14 -p1 -b .cve20151804.15 +%patch0 -p1 %build autoreconf -v --install --force @@ -70,29 +41,20 @@ export CFLAGS="$RPM_OPT_FLAGS -Os" make %{?_smp_mflags} %install -rm -rf $RPM_BUILD_ROOT - -make install DESTDIR=$RPM_BUILD_ROOT +%make_install # We intentionally don't ship *.la files rm -f $RPM_BUILD_ROOT%{_libdir}/*.la -%clean -rm -rf $RPM_BUILD_ROOT - %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %files -%defattr(-,root,root,-) -# FIXME: Missing README/INSTALL - should file bug upstream. -#%doc AUTHORS COPYING README INSTALL ChangeLog NEWS -%doc AUTHORS COPYING ChangeLog +%doc AUTHORS COPYING README ChangeLog %{_libdir}/libXfont.so.1 %{_libdir}/libXfont.so.1.4.1 %files devel -%defattr(-,root,root,-) %{_includedir}/X11/fonts/bdfint.h %{_includedir}/X11/fonts/bitmap.h %{_includedir}/X11/fonts/bufio.h @@ -112,18 +74,30 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/pkgconfig/xfont.pc %changelog -* Tue Sep 01 2015 Benjamin Tissoires 1.4.7-3 -- CVE-2015-1802: missing range check in bdfReadProperties (bug 1258894) -- CVE-2015-1803: crash on invalid read in bdfReadCharacters (bug 1258894) -- CVE-2015-1804: out-of-bounds memory access in bdfReadCharacters (bug 1258894) - -* Thu Nov 13 2014 Benjamin Tissoires 1.4.7-2 -- CVE-2014-0209: integer overflow of allocations in font metadata file parsing (bug 1163604, bug 1163603) -- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies (bug 1163604, bug 1163603) -- CVE-2014-0211: integer overflows calculating memory needs for xfs replies (bug 1163604, bug 1163603) - -* Wed Feb 12 2014 Adam Jackson 1.4.7-1.1 -- Mass rebuild +* Tue Jul 28 2015 Benjamin Tissoires 1.5.1-2 +- Add bdfReadCharacters patch to fix XTS compilation problems (rhbz#1241939) + +* Wed Mar 18 2015 Peter Hutterer 1.5.1-1 +- libXfont 1.5.1 (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804) + +* Sun Aug 17 2014 Fedora Release Engineering - 1.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Thu Jul 31 2014 Benjamin Tissoires 1.5.0-1 +- libXfont 1.5.0 + +* Wed Jul 9 2014 Hans de Goede - 1.4.99.901-1 +- libXfont 1.4.99.901 + +* Wed Jul 9 2014 Hans de Goede - 1.4.8-1 +- libXfont 1.4.8 (rhbz#1100441) +- Fixes: CVE-2014-0209, CVE-2014-0210, CVE-2014-0211 (rhbz#1097397) + +* Mon Jun 09 2014 Adam Jackson 1.4.7-2 +- Fix FTBFS against new fontproto + +* Sat Jun 07 2014 Fedora Release Engineering - 1.4.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild * Wed Jan 08 2014 Peter Hutterer 1.4.7-1 - libXfont 1.4.7 (CVE-2013-6462)