diff --git a/SOURCES/cve-2015-1802.patch b/SOURCES/cve-2015-1802.patch
new file mode 100644
index 0000000..1d87333
--- /dev/null
+++ b/SOURCES/cve-2015-1802.patch
@@ -0,0 +1,30 @@
+From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 6 Feb 2015 15:50:45 -0800
+Subject: bdfReadProperties: property count needs range check [CVE-2015-1802]
+
+Avoid integer overflow or underflow when allocating memory arrays
+by multiplying the number of properties reported for a BDF font.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Alan Coopersmith
+Reviewed-by: Julien Cristau
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 914a024..6387908 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
+ bdfError("missing 'STARTPROPERTIES'\n");
+ return (FALSE);
+ }
+- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
++ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
++ (nProps <= 0) ||
++ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
+ bdfError("bad 'STARTPROPERTIES'\n");
+ return (FALSE);
+ }
+-- 
+cgit v0.10.2
+
diff --git a/SOURCES/cve-2015-1803.patch b/SOURCES/cve-2015-1803.patch
new file mode 100644
index 0000000..22d2d5b
--- /dev/null
+++ b/SOURCES/cve-2015-1803.patch
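Review bot: The new upper bound on nProps in the STARTPROPERTIES check carries no comment, and `(INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS` is not self-explanatory to a reader who does not already know the allocation it protects, which lies outside this hunk. I would add above the condition: `/* (nProps + BDF_GENPROPS) * sizeof(FontPropRec) must fit in an INT32 before it is used as an allocation size */`, phrased as an assumption until checked against the later allocation. The comparison mixes an int with a size_t; since `nProps <= 0` is rejected first, the promotion is safe, but an explicit `(size_t) nProps` on that term would document the intent and keep -Wsign-compare quiet. bdfReadProperties continues outside the hunk.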
@@ -0,0 +1,33 @@
+From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 6 Feb 2015 15:54:00 -0800
+Subject: bdfReadCharacters: bailout if a char's bitmap cannot be read
+ [CVE-2015-1803]
+
+Previously would charge on ahead with a NULL pointer in ci->bits, and
+then crash later in FontCharInkMetrics() trying to access the bits.
+
+Found with afl-1.23b.
+
+Signed-off-by: Alan Coopersmith
+Reviewed-by: Julien Cristau
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 6387908..1b29b81 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ ci->metrics.descent = -bb;
+ ci->metrics.characterWidth = wx;
+ ci->bits = NULL;
+- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
++ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
++ bdfError("could not read bitmap for character '%s'\n", charName);
++ goto BAILOUT;
++ }
+ ci++;
+ ndx++;
+ } else
+-- 
+cgit v0.10.2
+
diff --git a/SOURCES/cve-2015-1804.patch b/SOURCES/cve-2015-1804.patch
new file mode 100644
index 0000000..dd8d5be
--- /dev/null
+++ b/SOURCES/cve-2015-1804.patch
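Review bot: The new failure branch after `ci->bits = NULL` relies on two contracts the hunk does not show: that bdfReadBitmap() returns FALSE without leaving a partially built buffer in ci->bits, and that the BAILOUT cleanup releases only the ndx glyphs already completed (ndx is not advanced on this path). Both look plausible from the surrounding lines but should be confirmed against bdfReadBitmap and the BAILOUT label before this lands. Once confirmed, a one-line comment above the `goto BAILOUT` would spare the next reader the same check: `/* ci->bits is still NULL and ndx unchanged, so BAILOUT frees only the glyphs before this one */`. bdfReadCharacters starts and ends outside the hunk.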
@@ -0,0 +1,73 @@
+From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 6 Mar 2015 22:54:58 -0800
+Subject: bdfReadCharacters: ensure metrics fit into xCharInfo struct
+ [CVE-2015-1804]
+
+We use 32-bit ints to read from the bdf file, but then try to stick
+into a 16-bit int in the xCharInfo struct, so make sure they won't
+overflow that range.
+
+Found by afl-1.24b.
+
+v2: Verify that additions won't overflow 32-bit int range either.
+v3: As Julien correctly observes, the previous check for bh & bw not
+ being < 0 reduces the number of cases we need to check for overflow.
+
+Signed-off-by: Alan Coopersmith
+Reviewed-by: Julien Cristau
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 1b29b81..a0ace8f 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -62,8 +62,16 @@ from The Open Group.
+ 
+ #if HAVE_STDINT_H
+ #include
+-#elif !defined(INT32_MAX)
+-#define INT32_MAX 0x7fffffff
++#else
++# ifndef INT32_MAX
++# define INT32_MAX 0x7fffffff
++# endif
++# ifndef INT16_MAX
++# define INT16_MAX 0x7fff
++# endif
++# ifndef INT16_MIN
++# define INT16_MIN (0 - 0x8000)
++# endif
+ #endif
+ 
+ #define INDICES 256
+@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ bdfError("DWIDTH y value must be zero\n");
+ goto BAILOUT;
+ }
++ /* xCharInfo metrics are stored as INT16 */
++ if ((wx < 0) || (wx > INT16_MAX)) {
++ bdfError("character '%s' has out of range width, %d\n",
++ charName, wx);
++ goto BAILOUT;
++ }
+ line = bdfGetLine(file, lineBuf, BDFLINELEN);
+ if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
+ bdfError("bad 'BBX'\n");
+@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ charName, bw, bh);
+ goto BAILOUT;
+ }
++ /* xCharInfo metrics are read as int, but stored as INT16 */
++ if ((bl > INT16_MAX) || (bl < INT16_MIN) ||
++ (bb > INT16_MAX) || (bb < INT16_MIN) ||
++ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) {
++ bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
++ charName, bl, (bl+bw), (bh+bb), -bb);
++ goto BAILOUT;
++ }
+ line = bdfGetLine(file, lineBuf, BDFLINELEN);
+ if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
+ for (p = line + strlen("ATTRIBUTES ");
+-- 
+cgit v0.10.2
+
diff --git a/SPECS/libXfont.spec b/SPECS/libXfont.spec
index 06f8492..1b5567a 100644
--- a/SPECS/libXfont.spec
+++ b/SPECS/libXfont.spec
@@ -1,7 +1,7 @@
 Summary: X.Org X11 libXfont runtime library
 Name: libXfont
 Version: 1.4.7
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Group: System Environment/Libraries
 URL: http://www.x.org
@@ -28,6 +28,9 @@ Patch8: 0009-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
 Patch9: 0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
 Patch10: 0011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
 Patch11: 0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
+Patch12: cve-2015-1802.patch
+Patch13: cve-2015-1803.patch
+Patch14: cve-2015-1804.patch
 %description
 X.Org X11 libXfont runtime library
@@ -56,6 +59,9 @@ X.Org X11 libXfont development package
 %patch9 -p1 -b .cve20140210.10
 %patch10 -p1 -b .cve20140210.11
 %patch11 -p1 -b .cve20140210.12
+%patch12 -p1 -b .cve20151802.13
+%patch13 -p1 -b .cve20151803.14
+%patch14 -p1 -b .cve20151804.15
 %build
 autoreconf -v --install --force
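Review bot: The diagnostic in the new metrics check evaluates `(bl+bw)` and `(bh+bb)` as bdfError() arguments precisely in the case the preceding condition just found one of those sums out of range; bw and bh arrive from sscanf as full ints, so `bl + bw` can overflow int in that call, which is undefined behaviour in the very error path the check was added to close. Print the raw inputs instead: `bdfError("character '%s' has out of range metrics, bl=%d bb=%d bw=%d bh=%d\n",` / `charName, bl, bb, bw, bh);`. Separately, `(bb < INT16_MIN)` still admits bb == INT16_MIN, for which the existing `ci->metrics.descent = -bb` (visible in cve-2015-1803.patch, outside this hunk) yields 32768 and, if descent is an INT16 field as the comment says, does not fit; tightening to `(bb <= INT16_MIN)` or adding `(-bb > INT16_MAX)` closes that edge. bdfReadCharacters starts and ends outside the hunk.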
@@ -106,6 +112,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/pkgconfig/xfont.pc
 %changelog
+* Tue Sep 01 2015 Benjamin Tissoires 1.4.7-3
+- CVE-2015-1802: missing range check in bdfReadProperties (bug 1258894)
+- CVE-2015-1803: crash on invalid read in bdfReadCharacters (bug 1258894)
+- CVE-2015-1804: out-of-bounds memory access in bdfReadCharacters (bug 1258894)
+
 * Thu Nov 13 2014 Benjamin Tissoires 1.4.7-2
 - CVE-2014-0209: integer overflow of allocations in font metadata file parsing (bug 1163604, bug 1163603)
 - CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies (bug 1163604, bug 1163603)