From: Niclas Zeising
Date: Tue, 4 Jun 2013 19:31:30 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r319899 - in head: graphics/libGL graphics/libGL/files security/vuxml x11-drivers/xorg-drivers x11-fonts/libFS x11-toolkits/libXt x11/libX11 x11/libXcursor x11/libXext x11/libXfixes x11...
X-SVN-Group: ports-head
List-Id: SVN commit messages for the ports tree for head

Author: zeising
Date: Tue Jun 4 19:31:29 2013
New Revision: 319899
URL: http://svnweb.freebsd.org/changeset/ports/319899

Log:
Fix security issues in xorg client libraries.
Most libraries were updated to newer versions, in some cases patches were backported instead.
Most notably, x11/libX11 was updated to 1.6.0

Security: CVE-2013-1981 CVE-2013-1982 CVE-2013-1983 CVE-2013-1984 CVE-2013-1985 CVE-2013-1986
Security: CVE-2013-1987 CVE-2013-1988 CVE-2013-1989 CVE-2013-1990 CVE-2013-1991 CVE-2013-1992
Security: CVE-2013-1993 CVE-2013-1994 CVE-2013-1995 CVE-2013-1996 CVE-2013-1997 CVE-2013-1998
Security: CVE-2013-1999 CVE-2013-2000 CVE-2013-2001 CVE-2013-2002 CVE-2013-2003 CVE-2013-2004
Security: CVE-2013-2005 CVE-2013-2062 CVE-2013-2063 CVE-2013-2064 CVE-2013-2066

Added:
head/graphics/libGL/files/extra-src_glx_XF86dri.c (contents, props changed)
head/graphics/libGL/files/extra-src_glx_x11_XF86dri.c (contents, props changed)
head/x11/libXi/files/patch-src_XGMotion.c (contents, props changed)
head/x11/libXi/files/patch-src_XGetBMap.c (contents, props changed)
head/x11/libXi/files/patch-src_XGetDCtl.c (contents, props changed)
head/x11/libXi/files/patch-src_XGetDProp.c (contents, props changed)
head/x11/libXi/files/patch-src_XGetFCtl.c (contents, props changed)
head/x11/libXi/files/patch-src_XGetProp.c (contents, props changed)
head/x11/libXi/files/patch-src_XIPassiveGrab.c (contents, props changed)
head/x11/libXi/files/patch-src_XIProperties.c (contents, props changed)
head/x11/libXi/files/patch-src_XISelEv.c (contents, props changed)
head/x11/libXi/files/patch-src_XListDev.c (contents, props changed)
head/x11/libXi/files/patch-src_XQueryDv.c (contents, props changed)
head/x11/libXrender/files/
head/x11/libXrender/files/patch-src_Filter.c (contents, props changed)
head/x11/libXrender/files/patch-src_Xrender.c (contents, props changed)
head/x11/libXvMC/files/
head/x11/libXvMC/files/patch-src_XvMC.c (contents, props changed)

Deleted:
head/x11/libXxf86dga/files/patch-src_XF86DGA2.c

Modified:
head/graphics/libGL/Makefile
head/graphics/libGL/bsd.mesalib.mk
head/security/vuxml/vuln.xml
head/x11-drivers/xorg-drivers/Makefile
head/x11-fonts/libFS/Makefile
head/x11-fonts/libFS/distinfo
head/x11-toolkits/libXt/Makefile
head/x11-toolkits/libXt/distinfo
head/x11/libX11/Makefile
head/x11/libX11/distinfo head/x11/libX11/pkg-plist head/x11/libXcursor/Makefile head/x11/libXcursor/distinfo head/x11/libXext/Makefile head/x11/libXext/distinfo head/x11/libXfixes/Makefile head/x11/libXfixes/distinfo head/x11/libXi/Makefile head/x11/libXinerama/Makefile head/x11/libXinerama/distinfo head/x11/libXp/Makefile head/x11/libXp/distinfo head/x11/libXrandr/Makefile head/x11/libXrandr/distinfo head/x11/libXrender/Makefile head/x11/libXres/Makefile head/x11/libXres/distinfo head/x11/libXtst/Makefile head/x11/libXtst/distinfo head/x11/libXv/Makefile head/x11/libXv/distinfo head/x11/libXv/pkg-plist head/x11/libXvMC/Makefile head/x11/libXxf86dga/Makefile head/x11/libXxf86dga/distinfo head/x11/libXxf86vm/Makefile head/x11/libXxf86vm/distinfo head/x11/libdmx/Makefile head/x11/libdmx/distinfo head/x11/libxcb/Makefile head/x11/libxcb/distinfo Modified: head/graphics/libGL/Makefile ============================================================================== --- head/graphics/libGL/Makefile Tue Jun 4 19:13:31 2013 (r319898) +++ head/graphics/libGL/Makefile Tue Jun 4 19:31:29 2013 (r319899) @@ -3,13 +3,13 @@ PORTNAME= libGL PORTVERSION= ${MESAVERSION} -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= graphics COMMENT= OpenGL library that renders using GLX or DRI LIB_DEPENDS+= drm:${PORTSDIR}/graphics/libdrm \ - expat.6:${PORTSDIR}/textproc/expat2 + expat:${PORTSDIR}/textproc/expat2 USES= pkgconfig USE_XORG= glproto x11 xext xxf86vm xdamage xfixes dri2proto:both Modified: head/graphics/libGL/bsd.mesalib.mk ============================================================================== --- head/graphics/libGL/bsd.mesalib.mk Tue Jun 4 19:13:31 2013 (r319898) +++ head/graphics/libGL/bsd.mesalib.mk Tue Jun 4 19:31:29 2013 (r319899) 
@@ -56,14 +56,16 @@ EXTRA_PATCHES+= ${PATCHDIR}/extra-config ${PATCHDIR}/extra-src-glsl_ir_constant_expression.cpp \ ${PATCHDIR}/extra-src__gallium__include__pipe__p_config.h \ ${PATCHDIR}/extra-src__mesa__drivers__dri__nouveau__nouveau_array.c \ - ${PATCHDIR}/extra-src__mesa__drivers__dri__nouveau__nouveau_render_t.c + ${PATCHDIR}/extra-src__mesa__drivers__dri__nouveau__nouveau_render_t.c \ + ${PATCHDIR}/extra-src_glx_XF86dri.c .else EXTRA_PATCHES+= ${PATCHDIR}/extra-configure-old \ ${PATCHDIR}/extra-mach64_context.h-old \ ${PATCHDIR}/extra-src__mesa__x86-64__glapi_x86-64.S \ ${PATCHDIR}/extra-src__mesa__x86-64__xform4.S \ ${PATCHDIR}/extra-src__mesa__x86__glapi_x86.S \ - ${PATCHDIR}/extra-src__mesa__x86__read_rgba_span_x86.S + ${PATCHDIR}/extra-src__mesa__x86__read_rgba_span_x86.S \ + ${PATCHDIR}/extra-src_glx_x11_XF86dri.c CONFIGURE_ARGS+=--disable-glut --disable-glw .endif Added: head/graphics/libGL/files/extra-src_glx_XF86dri.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libGL/files/extra-src_glx_XF86dri.c Tue Jun 4 19:31:29 2013 (r319899) 
@@ -0,0 +1,38 @@ +--- src/glx/XF86dri.c.orig 2012-10-24 19:03:59.000000000 +0000 ++++ src/glx/XF86dri.c 2013-05-29 10:07:33.000000000 +0000 +@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN + #include + #include + #include "xf86dristr.h" ++#include + + static XExtensionInfo _xf86dri_info_data; + static XExtensionInfo *xf86dri_info = &_xf86dri_info_data; +@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int + } + + if (rep.length) { +- if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) { ++ if (rep.busIdStringLength < INT_MAX) ++ *busIdString = Xcalloc(rep.busIdStringLength + 1, 1); ++ else ++ *busIdString = NULL; ++ if (*busIdString == NULL) { + _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); + UnlockDisplay(dpy); + SyncHandle(); +@@ -300,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy + *ddxDriverPatchVersion = rep.ddxDriverPatchVersion; + + if (rep.length) { +- if (! +- (*clientDriverName = +- (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) { ++ if (rep.clientDriverNameLength < INT_MAX) ++ *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1); ++ else ++ *clientDriverName = NULL; ++ if (*clientDriverName == NULL) { + _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); + UnlockDisplay(dpy); + SyncHandle(); Added: head/graphics/libGL/files/extra-src_glx_x11_XF86dri.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libGL/files/extra-src_glx_x11_XF86dri.c Tue Jun 4 19:31:29 2013 (r319899) 
@@ -0,0 +1,38 @@ +--- src/glx/x11/XF86dri.c.orig 2009-06-17 18:35:16.000000000 +0000 ++++ src/glx/x11/XF86dri.c 2013-05-29 10:09:37.000000000 +0000 +@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN + #include + #include + #include "xf86dristr.h" ++#include + + + #if defined(__GNUC__) && (__GNUC__ * 100 + __GNUC_MINOR__) >= 303 +@@ -212,7 +213,11 @@ XF86DRIOpenConnection(Display * dpy, int + } + + if (rep.length) { +- if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) { ++ if (rep.busIdStringLength < INT_MAX) ++ *busIdString = Xcalloc(rep.busIdStringLength + 1, 1); ++ else ++ *busIdString = NULL; ++ if (*busIdString == NULL) { + _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); + UnlockDisplay(dpy); + SyncHandle(); +@@ -311,9 +316,11 @@ XF86DRIGetClientDriverName(Display * dpy + *ddxDriverPatchVersion = rep.ddxDriverPatchVersion; + + if (rep.length) { +- if (! +- (*clientDriverName = +- (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) { ++ if (rep.clientDriverNameLength < INT_MAX) ++ *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1); ++ else ++ *clientDriverName = NULL; ++ if (*clientDriverName == NULL) { + _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); + UnlockDisplay(dpy); + SyncHandle(); Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Jun 4 19:13:31 2013 (r319898) +++ head/security/vuxml/vuln.xml Tue Jun 4 19:31:29 2013 (r319899) 
@@ -51,6 +51,164 @@ Note: Please add new entries to the beg --> + + xorg -- protocol handling issues in X Window System client libraries + + + libX11 + 1.6.0 + + + libXext + 1.3.2 + + + libXfixes + 5.0.1 + + + libXi + 1.7_1 + + + libXinerama + 1.1.3 + + + libXp + 1.0.2 + + + libXrandr + 1.4.1 + + + libXrender + 0.9.7_1 + + + libXres + 1.0.7 + + + libXtst + 1.2.2 + + + libXv + 1.0.8 + + + libXvMC + 1.0.7_1 + + + libXxf86dga + 1.1.4 + + + libdmx + 1.1.3 + + + libxcb + 1.9.1 + + + libGL + + 7.6.1_4 + 7.8.08.0.5_4 + + + + xf86-video-openchrome + 0.3.3 + + + libFS + 1.0.5 + + + libXxf86vm + 1.1.3 + + + libXt + 1.1.4 + + + libXcursor + 1.1.14 + + + + +

freedesktop.org reports:

+
+

Ilja van Sprundel, a security researcher with IOActive, has + discovered a large number of issues in the way various X client + libraries handle the responses they receive from servers, and has + worked with X.Org's security team to analyze, confirm, and fix + these issues.

+

Most of these issues stem from the client libraries trusting the + server to send correct protocol data, and not verifying that the + values will not overflow or cause other damage. Most of the time X + clients & servers are run by the same user, with the server + more privileged from the clients, so this is not a problem, but + there are scenarios in which a privileged client can be connected + to an unprivileged server, for instance, connecting a setuid X + client (such as a screen lock program) to a virtual X server (such + as Xvfb or Xephyr) which the user has modified to return invalid + data, potentially allowing the user to escalate their privileges.

+

The vulnerabilities include:

+

Integer overflows calculating memory needs for replies.

+

Sign extension issues calculating memory needs for replies.

+

Buffer overflows due to not validating length or offset values in + replies.

+

Integer overflows parsing user-specified files.

+

Unbounded recursion parsing user-specified files.

+

Memory corruption due to unchecked return values.

+
+ +
+ + CVE-2013-1981 + CVE-2013-1982 + CVE-2013-1983 + CVE-2013-1984 + CVE-2013-1985 + CVE-2013-1986 + CVE-2013-1987 + CVE-2013-1988 + CVE-2013-1989 + CVE-2013-1990 + CVE-2013-1991 + CVE-2013-1992 + CVE-2013-1993 + CVE-2013-1994 + CVE-2013-1995 + CVE-2013-1996 + CVE-2013-1997 + CVE-2013-1998 + CVE-2013-1999 + CVE-2013-2000 + CVE-2013-2001 + CVE-2013-2002 + CVE-2013-2003 + CVE-2013-2004 + CVE-2013-2005 + CVE-2013-2062 + CVE-2013-2063 + CVE-2013-2064 + CVE-2013-2066 + + + 2013-05-23 + 2013-06-04 + +
+ krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443] Modified: head/x11-drivers/xorg-drivers/Makefile ============================================================================== --- head/x11-drivers/xorg-drivers/Makefile Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11-drivers/xorg-drivers/Makefile Tue Jun 4 19:31:29 2013 (r319899) @@ -10,8 +10,6 @@ EXTRACT_ONLY= # none MAINTAINER= x11@FreeBSD.org COMMENT= X.org drivers meta-port -.MAKE.FreeBSD_UL= yes - VIDEODIR= ${PREFIX}/lib/xorg/modules/drivers INPUTDIR= ${PREFIX}/lib/xorg/modules/input Modified: head/x11-fonts/libFS/Makefile ============================================================================== --- head/x11-fonts/libFS/Makefile Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11-fonts/libFS/Makefile Tue Jun 4 19:31:29 2013 (r319899) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= libFS -PORTVERSION= 1.0.4 +PORTVERSION= 1.0.5 CATEGORIES= x11-fonts MAINTAINER= x11@FreeBSD.org Modified: head/x11-fonts/libFS/distinfo ============================================================================== --- head/x11-fonts/libFS/distinfo Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11-fonts/libFS/distinfo Tue Jun 4 19:31:29 2013 (r319899) @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libFS-1.0.4.tar.bz2) = 7073761e7594d43180a922605fb64cce60e5ccb8c06f8efa24f2d4621f5e8315 -SIZE (xorg/lib/libFS-1.0.4.tar.bz2) = 291155 +SHA256 (xorg/lib/libFS-1.0.5.tar.bz2) = 22eb3005dd8053aef7ff82758da5dd59ca9738410bcf847e675780e3a1f96107 +SIZE (xorg/lib/libFS-1.0.5.tar.bz2) = 303806 Modified: head/x11-toolkits/libXt/Makefile ============================================================================== --- head/x11-toolkits/libXt/Makefile Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11-toolkits/libXt/Makefile Tue Jun 4 19:31:29 2013 (r319899) 
@@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXt -PORTVERSION= 1.1.3 +PORTVERSION= 1.1.4 PORTEPOCH= 1 CATEGORIES= x11-toolkits Modified: head/x11-toolkits/libXt/distinfo ============================================================================== --- head/x11-toolkits/libXt/distinfo Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11-toolkits/libXt/distinfo Tue Jun 4 19:31:29 2013 (r319899) @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXt-1.1.3.tar.bz2) = 8db593c3fc5ffc4e9cd854ba50af1eac9b90d66521ba17802b8f1e0d2d7f05bd -SIZE (xorg/lib/libXt-1.1.3.tar.bz2) = 734679 +SHA256 (xorg/lib/libXt-1.1.4.tar.bz2) = 843a97a988f5654872682a4120486d987d853a71651515472f55519ffae2dd57 +SIZE (xorg/lib/libXt-1.1.4.tar.bz2) = 762331 Modified: head/x11/libX11/Makefile ============================================================================== --- head/x11/libX11/Makefile Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11/libX11/Makefile Tue Jun 4 19:31:29 2013 (r319899) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libX11 -PORTVERSION= 1.5.0 +PORTVERSION= 1.6.0 PORTEPOCH= 1 CATEGORIES= x11 Modified: head/x11/libX11/distinfo ============================================================================== --- head/x11/libX11/distinfo Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11/libX11/distinfo Tue Jun 4 19:31:29 2013 (r319899) @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libX11-1.5.0.tar.bz2) = c382efd7e92bfc3cef39a4b7f1ecf2744ba4414a705e3bc1e697f75502bd4d86 -SIZE (xorg/lib/libX11-1.5.0.tar.bz2) = 2322265 +SHA256 (xorg/lib/libX11-1.6.0.tar.bz2) = 53131412343ec252307fe14903deaf54c356f9414d72d49180c2091dcd7019fa +SIZE (xorg/lib/libX11-1.6.0.tar.bz2) = 2373718 Modified: head/x11/libX11/pkg-plist ============================================================================== --- head/x11/libX11/pkg-plist Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11/libX11/pkg-plist Tue Jun 4 19:31:29 2013 (r319899) 
@@ -94,15 +94,9 @@ lib/X11/locale/iso8859-9e/XLC_LOCALE lib/X11/locale/ja.JIS/Compose lib/X11/locale/ja.JIS/XI18N_OBJS lib/X11/locale/ja.JIS/XLC_LOCALE -lib/X11/locale/ja.S90/Compose -lib/X11/locale/ja.S90/XI18N_OBJS -lib/X11/locale/ja.S90/XLC_LOCALE lib/X11/locale/ja.SJIS/Compose lib/X11/locale/ja.SJIS/XI18N_OBJS lib/X11/locale/ja.SJIS/XLC_LOCALE -lib/X11/locale/ja.U90/Compose -lib/X11/locale/ja.U90/XI18N_OBJS -lib/X11/locale/ja.U90/XLC_LOCALE lib/X11/locale/ja/Compose lib/X11/locale/ja/XI18N_OBJS lib/X11/locale/ja/XLC_LOCALE @@ -234,9 +228,7 @@ libdata/pkgconfig/x11.pc @dirrm lib/X11/locale/ko_KR.UTF-8 @dirrm lib/X11/locale/ko @dirrm lib/X11/locale/ja_JP.UTF-8 -@dirrm lib/X11/locale/ja.U90 @dirrm lib/X11/locale/ja.SJIS -@dirrm lib/X11/locale/ja.S90 @dirrm lib/X11/locale/ja.JIS @dirrm lib/X11/locale/ja @dirrm lib/X11/locale/iso8859-9e Modified: head/x11/libXcursor/Makefile ============================================================================== --- head/x11/libXcursor/Makefile Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11/libXcursor/Makefile Tue Jun 4 19:31:29 2013 (r319899) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXcursor -PORTVERSION= 1.1.13 +PORTVERSION= 1.1.14 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org Modified: head/x11/libXcursor/distinfo ============================================================================== --- head/x11/libXcursor/distinfo Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11/libXcursor/distinfo Tue Jun 4 19:31:29 2013 (r319899) 
@@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXcursor-1.1.13.tar.bz2) = f78827de4a1b7ce8cceca24a9ab9d1b1d2f6a61362f505166ffc19b07c0bad8f -SIZE (xorg/lib/libXcursor-1.1.13.tar.bz2) = 302525 +SHA256 (xorg/lib/libXcursor-1.1.14.tar.bz2) = 9bc6acb21ca14da51bda5bc912c8955bc6e5e433f0ab00c5e8bef842596c33df +SIZE (xorg/lib/libXcursor-1.1.14.tar.bz2) = 311896 Modified: head/x11/libXext/Makefile ============================================================================== --- head/x11/libXext/Makefile Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11/libXext/Makefile Tue Jun 4 19:31:29 2013 (r319899) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXext -PORTVERSION= 1.3.1 +PORTVERSION= 1.3.2 PORTEPOCH= 1 CATEGORIES= x11 Modified: head/x11/libXext/distinfo ============================================================================== --- head/x11/libXext/distinfo Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11/libXext/distinfo Tue Jun 4 19:31:29 2013 (r319899) @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXext-1.3.1.tar.bz2) = 56229c617eb7bfd6dec40d2805bc4dfb883dfe80f130d99b9a2beb632165e859 -SIZE (xorg/lib/libXext-1.3.1.tar.bz2) = 372728 +SHA256 (xorg/lib/libXext-1.3.2.tar.bz2) = f829075bc646cdc085fa25d98d5885d83b1759ceb355933127c257e8e50432e0 +SIZE (xorg/lib/libXext-1.3.2.tar.bz2) = 378901 Modified: head/x11/libXfixes/Makefile ============================================================================== --- head/x11/libXfixes/Makefile Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11/libXfixes/Makefile Tue Jun 4 19:31:29 2013 (r319899) @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= libXfixes -PORTVERSION= 5.0 -PORTREVISION= 2 +PORTVERSION= 5.0.1 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org Modified: head/x11/libXfixes/distinfo ============================================================================== --- head/x11/libXfixes/distinfo Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11/libXfixes/distinfo Tue Jun 4 19:31:29 2013 (r319899) 
@@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXfixes-5.0.tar.bz2) = 537a2446129242737a35db40081be4bbcc126e56c03bf5f2b142b10a79cda2e3 -SIZE (xorg/lib/libXfixes-5.0.tar.bz2) = 253777 +SHA256 (xorg/lib/libXfixes-5.0.1.tar.bz2) = 63bec085084fa3caaee5180490dd871f1eb2020ba9e9b39a30f93693ffc34767 +SIZE (xorg/lib/libXfixes-5.0.1.tar.bz2) = 291978 Modified: head/x11/libXi/Makefile ============================================================================== --- head/x11/libXi/Makefile Tue Jun 4 19:13:31 2013 (r319898) +++ head/x11/libXi/Makefile Tue Jun 4 19:31:29 2013 (r319899) @@ -3,6 +3,7 @@ PORTNAME= libXi PORTVERSION= 1.7.1 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= x11 Added: head/x11/libXi/files/patch-src_XGMotion.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11/libXi/files/patch-src_XGMotion.c Tue Jun 4 19:31:29 2013 (r319899) 
@@ -0,0 +1,63 @@ +From bb922ed4253b35590f0369f32a917ff89ade0830 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 10 Mar 2013 06:55:23 +0000 +Subject: integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8] + +If the number of events or axes reported by the server is large enough +that it overflows when multiplied by the size of the appropriate struct, +then memory corruption can occur when more bytes are copied from the +X server reply than the size of the buffer we allocated to hold them. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +--- +diff --git a/src/XGMotion.c b/src/XGMotion.c +index 5feac85..a4c75b6 100644 +--- src/XGMotion.c ++++ src/XGMotion.c +@@ -59,6 +59,7 @@ SOFTWARE. + #include + #include + #include "XIint.h" ++#include + + XDeviceTimeCoord * + XGetDeviceMotionEvents( +@@ -74,7 +75,7 @@ XGetDeviceMotionEvents( + xGetDeviceMotionEventsReply rep; + XDeviceTimeCoord *tc; + int *data, *bufp, *readp, *savp; +- long size, size2; ++ unsigned long size; + int i, j; + XExtDisplayInfo *info = XInput_find_display(dpy); + +@@ -104,10 +105,21 @@ XGetDeviceMotionEvents( + SyncHandle(); + return (NULL); + } +- size = rep.length << 2; +- size2 = rep.nEvents * (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); +- savp = readp = (int *)Xmalloc(size); +- bufp = (int *)Xmalloc(size2); ++ if (rep.length < (INT_MAX >> 2)) { ++ size = rep.length << 2; ++ savp = readp = Xmalloc(size); ++ } else { ++ size = 0; ++ savp = readp = NULL; ++ } ++ /* rep.axes is a CARD8, so assume max number of axes for bounds check */ ++ if (rep.nEvents < ++ (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) { ++ size_t bsize = rep.nEvents * ++ (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); ++ bufp = Xmalloc(bsize); ++ } else ++ bufp = NULL; + if (!bufp || !savp) { + Xfree(bufp); + Xfree(savp); +-- +cgit v0.9.0.2-2-gbebe Added: head/x11/libXi/files/patch-src_XGetBMap.c 
============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11/libXi/files/patch-src_XGetBMap.c Tue Jun 4 19:31:29 2013 (r319899) 
@@ -0,0 +1,61 @@ +From f3e08e4fbe40016484ba795feecf1a742170ffc1 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 10 Mar 2013 06:26:52 +0000 +Subject: Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3] + +We copy the entire reply sent by the server into the fixed size +mapping[] array on the stack, even if the server says it's a larger +size than the mapping array can hold. HULK SMASH STACK! + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +--- +diff --git a/src/XGetBMap.c b/src/XGetBMap.c +index 211c9ca..002daba 100644 +--- src/XGetBMap.c ++++ src/XGetBMap.c +@@ -60,6 +60,7 @@ SOFTWARE. + #include + #include + #include "XIint.h" ++#include + + #ifdef MIN /* some systems define this in */ + #undef MIN +@@ -75,7 +76,6 @@ XGetDeviceButtonMapping( + { + int status = 0; + unsigned char mapping[256]; /* known fixed size */ +- long nbytes; + XExtDisplayInfo *info = XInput_find_display(dpy); + + register xGetDeviceButtonMappingReq *req; +@@ -92,13 +92,18 @@ XGetDeviceButtonMapping( + + status = _XReply(dpy, (xReply *) & rep, 0, xFalse); + if (status == 1) { +- nbytes = (long)rep.length << 2; +- _XRead(dpy, (char *)mapping, nbytes); +- +- /* don't return more data than the user asked for. */ +- if (rep.nElts) +- memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap)); +- status = rep.nElts; ++ if (rep.length <= (sizeof(mapping) >> 2)) { ++ unsigned long nbytes = rep.length << 2; ++ _XRead(dpy, (char *)mapping, nbytes); ++ ++ /* don't return more data than the user asked for. */ ++ if (rep.nElts) ++ memcpy(map, mapping, MIN((int)rep.nElts, nmap)); ++ status = rep.nElts; ++ } else { ++ _XEatDataWords(dpy, rep.length); ++ status = 0; ++ } + } else + status = 0; + UnlockDisplay(dpy); +-- +cgit v0.9.0.2-2-gbebe Added: head/x11/libXi/files/patch-src_XGetDCtl.c ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11/libXi/files/patch-src_XGetDCtl.c Tue Jun 4 19:31:29 2013 (r319899) 
@@ -0,0 +1,113 @@ +From b0b13c12a8079a5a0e7f43b2b8983699057b2cec Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 10 Mar 2013 06:55:23 +0000 +Subject: integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8] + +If the number of valuators reported by the server is large enough that +it overflows when multiplied by the size of the appropriate struct, then +memory corruption can occur when more bytes are copied from the X server +reply than the size of the buffer we allocated to hold them. + +v2: check that reply size fits inside the data read from the server, so +we don't read out of bounds either + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +--- +diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c +index f73a4e8..51ed0ae 100644 +--- src/XGetDCtl.c ++++ src/XGetDCtl.c +@@ -61,6 +61,7 @@ SOFTWARE. + #include + #include + #include "XIint.h" ++#include + + XDeviceControl * + XGetDeviceControl( +@@ -68,8 +69,6 @@ XGetDeviceControl( + XDevice *dev, + int control) + { +- int size = 0; +- int nbytes, i; + XDeviceControl *Device = NULL; + XDeviceControl *Sav = NULL; + xDeviceState *d = NULL; +@@ -92,8 +91,12 @@ XGetDeviceControl( + goto out; + + if (rep.length > 0) { +- nbytes = (long)rep.length << 2; +- d = (xDeviceState *) Xmalloc((unsigned)nbytes); ++ unsigned long nbytes; ++ size_t size = 0; ++ if (rep.length < (INT_MAX >> 2)) { ++ nbytes = (unsigned long) rep.length << 2; ++ d = Xmalloc(nbytes); ++ } + if (!d) { + _XEatDataWords(dpy, rep.length); + goto out; +@@ -111,33 +114,46 @@ XGetDeviceControl( + case DEVICE_RESOLUTION: + { + xDeviceResolutionState *r; ++ size_t val_size; + + r = (xDeviceResolutionState *) d; +- size += sizeof(XDeviceResolutionState) + +- (3 * sizeof(int) * r->num_valuators); ++ if (r->num_valuators >= (INT_MAX / (3 * sizeof(int)))) ++ goto out; ++ val_size = 3 * sizeof(int) * r->num_valuators; ++ if ((sizeof(xDeviceResolutionState) + val_size) > nbytes) ++ goto out; ++ size += 
sizeof(XDeviceResolutionState) + val_size; + break; + } + case DEVICE_ABS_CALIB: + { ++ if (sizeof(xDeviceAbsCalibState) > nbytes) ++ goto out; + size += sizeof(XDeviceAbsCalibState); + break; + } + case DEVICE_ABS_AREA: + { ++ if (sizeof(xDeviceAbsAreaState) > nbytes) ++ goto out; + size += sizeof(XDeviceAbsAreaState); + break; + } + case DEVICE_CORE: + { ++ if (sizeof(xDeviceCoreState) > nbytes) ++ goto out; + size += sizeof(XDeviceCoreState); + break; + } + default: ++ if (d->length > nbytes) ++ goto out; + size += d->length; + break; + } + +- Device = (XDeviceControl *) Xmalloc((unsigned)size); ++ Device = Xmalloc(size); + if (!Device) + goto out; + +@@ -150,6 +166,7 @@ XGetDeviceControl( + int *iptr, *iptr2; + xDeviceResolutionState *r; + XDeviceResolutionState *R; ++ unsigned int i; + + r = (xDeviceResolutionState *) d; + R = (XDeviceResolutionState *) Device; +-- +cgit v0.9.0.2-2-gbebe Added: head/x11/libXi/files/patch-src_XGetDProp.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11/libXi/files/patch-src_XGetDProp.c Tue Jun 4 19:31:29 2013 (r319899) 
@@ -0,0 +1,126 @@ +From 17071c1c608247800b2ca03a35b1fcc9c4cabe6c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 10 Mar 2013 20:30:55 +0000 +Subject: Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8] + +If the number of items as reported by the Xserver is too large, it +could overflow the calculation for the size of the buffer to copy the +reply into, causing memory corruption. + +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +--- +--- src/XGetDProp.c.orig 2010-09-07 05:21:05.000000000 +0000 ++++ src/XGetDProp.c 2013-05-29 16:46:04.000000000 +0000 +@@ -38,6 +38,7 @@ in this Software without prior written a + #include + #include + #include "XIint.h" ++#include + + int + XGetDeviceProperty(Display* dpy, XDevice* dev, +@@ -48,7 +49,8 @@ XGetDeviceProperty(Display* dpy, XDevice + { + xGetDevicePropertyReq *req; + xGetDevicePropertyReply rep; +- long nbytes, rbytes; ++ unsigned long nbytes, rbytes; ++ int ret = Success; + + XExtDisplayInfo *info = XInput_find_display(dpy); + +@@ -81,30 +83,43 @@ XGetDeviceProperty(Display* dpy, XDevice + * data, but this last byte is null terminated and convenient for + * returning string properties, so the client doesn't then have to + * recopy the string to make it null terminated. ++ * ++ * Maximum item limits are set to both prevent integer overflow when ++ * calculating the amount of memory to malloc, and to limit how much ++ * memory will be used if a server provides an insanely high count. 
+ */ + switch (rep.format) { + case 8: +- nbytes = rep.nItems; +- rbytes = rep.nItems + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) +- _XReadPad (dpy, (char *) *prop, nbytes); ++ if (rep.nItems < INT_MAX) { ++ nbytes = rep.nItems; ++ rbytes = rep.nItems + 1; ++ if ((*prop = Xmalloc (rbytes))) ++ _XReadPad (dpy, (char *) *prop, nbytes); ++ else ++ ret = BadAlloc; ++ } + break; + + case 16: +- nbytes = rep.nItems << 1; +- rbytes = rep.nItems * sizeof (short) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) +- _XRead16Pad (dpy, (short *) *prop, nbytes); ++ if (rep.nItems < (INT_MAX / sizeof (short))) { ++ nbytes = rep.nItems << 1; ++ rbytes = rep.nItems * sizeof (short) + 1; ++ if ((*prop = Xmalloc (rbytes))) ++ _XRead16Pad (dpy, (short *) *prop, nbytes); ++ else ++ ret = BadAlloc; ++ } + break; + + case 32: +- nbytes = rep.nItems << 2; +- rbytes = rep.nItems * sizeof (long) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) +- _XRead32 (dpy, (long *) *prop, nbytes); ++ if (rep.nItems < (INT_MAX / sizeof (long))) { ++ nbytes = rep.nItems << 2; ++ rbytes = rep.nItems * sizeof (long) + 1; ++ if ((*prop = Xmalloc (rbytes))) ++ _XRead32 (dpy, (long *) *prop, nbytes); ++ else ++ ret = BadAlloc; ++ } + break; + + default: +@@ -112,17 +127,13 @@ XGetDeviceProperty(Display* dpy, XDevice + * This part of the code should never be reached. If it is, + * the server sent back a property with an invalid format. + */ +- nbytes = rep.length << 2; +- _XEatData(dpy, (unsigned long) nbytes); +- UnlockDisplay(dpy); +- SyncHandle(); +- return(BadImplementation); ++ ret = BadImplementation; + } + if (! 
*prop) { +- _XEatData(dpy, (unsigned long) nbytes); +- UnlockDisplay(dpy); +- SyncHandle(); +- return(BadAlloc); ++ _XEatDataWords(dpy, rep.length); ++ if (ret == Success) ++ ret = BadAlloc; ++ goto out; + } + (*prop)[rbytes - 1] = '\0'; + } +@@ -131,9 +142,10 @@ XGetDeviceProperty(Display* dpy, XDevice + *actual_format = rep.format; + *nitems = rep.nItems; + *bytes_after = rep.bytesAfter; ++ out: + UnlockDisplay (dpy); + SyncHandle (); + +- return Success; ++ return ret; + } + Added: head/x11/libXi/files/patch-src_XGetFCtl.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11/libXi/files/patch-src_XGetFCtl.c Tue Jun 4 19:31:29 2013 (r319899) 
@@ -0,0 +1,94 @@ +From 322ee3576789380222d4403366e4fd12fb24cb6a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 10 Mar 2013 06:55:23 +0000 +Subject: integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8] + +If the number of feedbacks reported by the server is large enough that +it overflows when multiplied by the size of the appropriate struct, or +if the total size of all the feedback structures overflows when added +together, then memory corruption can occur when more bytes are copied from +the X server reply than the size of the buffer we allocated to hold them. + +v2: check that reply size fits inside the data read from the server, so + we don't read out of bounds either + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +--- +diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c +index 28fab4d..bb50bf3 100644 +--- src/XGetFCtl.c ++++ src/XGetFCtl.c +@@ -61,6 +61,7 @@ SOFTWARE. + #include + #include + #include "XIint.h" ++#include + + XFeedbackState * + XGetFeedbackControl( +@@ -68,8 +69,6 @@ XGetFeedbackControl( + XDevice *dev, + int *num_feedbacks) + { +- int size = 0; +- int nbytes, i; + XFeedbackState *Feedback = NULL; + XFeedbackState *Sav = NULL; + xFeedbackState *f = NULL; +@@ -91,9 +90,16 @@ XGetFeedbackControl( + goto out; + + if (rep.length > 0) { ++ unsigned long nbytes; ++ size_t size = 0; ++ int i; ++ + *num_feedbacks = rep.num_feedbacks; +- nbytes = (long)rep.length << 2; +- f = (xFeedbackState *) Xmalloc((unsigned)nbytes); ++ ++ if (rep.length < (INT_MAX >> 2)) { ++ nbytes = rep.length << 2; ++ f = Xmalloc(nbytes); ++ } + if (!f) { + _XEatDataWords(dpy, rep.length); + goto out; +@@ -102,6 +108,10 @@ XGetFeedbackControl( + _XRead(dpy, (char *)f, nbytes); + + for (i = 0; i < *num_feedbacks; i++) { ++ if (f->length > nbytes) ++ goto out; ++ nbytes -= f->length; ++ + switch (f->class) { + case KbdFeedbackClass: + size += sizeof(XKbdFeedbackState); +@@ -116,6 +126,8 @@ XGetFeedbackControl( + { + 
xStringFeedbackState *strf = (xStringFeedbackState *) f; + ++ if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym))) ++ goto out; + size += sizeof(XStringFeedbackState) + + (strf->num_syms_supported * sizeof(KeySym)); + } +@@ -130,10 +142,12 @@ XGetFeedbackControl( + size += f->length; + break; + } ++ if (size > INT_MAX) ++ goto out; + f = (xFeedbackState *) ((char *)f + f->length); + } + +- Feedback = (XFeedbackState *) Xmalloc((unsigned)size); ++ Feedback = Xmalloc(size); + if (!Feedback) + goto out; + +-- +cgit v0.9.0.2-2-gbebe Added: head/x11/libXi/files/patch-src_XGetProp.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11/libXi/files/patch-src_XGetProp.c Tue Jun 4 19:31:29 2013 (r319899) 
@@ -0,0 +1,53 @@ +From 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 10 Mar 2013 06:55:23 +0000 +Subject: integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8] + +If the number of event classes reported by the server is large enough +that it overflows when multiplied by the size of the appropriate struct, +then memory corruption can occur when more bytes are copied from the +X server reply than the size of the buffer we allocated to hold them. + +V2: EatData if count is 0 but length is > 0 to avoid XIOErrors + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +--- +(limited to 'src/XGetProp.c') + +--- src/XGetProp.c.orig 2011-12-20 00:28:44.000000000 +0000 ++++ src/XGetProp.c 2013-05-29 16:49:01.000000000 +0000 +@@ -60,6 +60,7 @@ SOFTWARE. + #include + #include + #include "XIint.h" ++#include + + XEventClass * + XGetDeviceDontPropagateList( +@@ -89,11 +90,11 @@ XGetDeviceDontPropagateList( + } + *count = rep.count; + +- if (*count) { +- rlen = rep.length << 2; +- list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass)); ++ if (rep.length != 0) { ++ if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass)))) ++ list = Xmalloc(rep.length * sizeof(XEventClass)); + if (list) { +- int i; ++ unsigned int i; + CARD32 ec; + + /* read and assign each XEventClass separately because +@@ -105,7 +106,7 @@ XGetDeviceDontPropagateList( + list[i] = (XEventClass) ec; + } + } else +- _XEatData(dpy, (unsigned long)rlen); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay(dpy); Added: head/x11/libXi/files/patch-src_XIPassiveGrab.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11/libXi/files/patch-src_XIPassiveGrab.c Tue Jun 4 19:31:29 2013 (r319899) 
@@ -0,0 +1,27 @@ +From 91434737f592e8f5cc1762383882a582b55fc03a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 10 Mar 2013 07:37:23 +0000 +Subject: memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3] + +If the server returned more modifiers than the caller asked for, +we'd just keep copying past the end of the array provided by the +caller, writing over who-knows-what happened to be there. + +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +--- +diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c +index ac17c01..53b4084 100644 +--- src/XIPassiveGrab.c ++++ src/XIPassiveGrab.c +@@ -88,7 +88,7 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail, + return -1; + _XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo)); + +- for (i = 0; i < reply.num_modifiers; i++) ++ for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++) + { *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
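Review bot: In src/XGetFCtl.c, hunk @@ -91,9 +90,16 @@, *num_feedbacks = rep.num_feedbacks is still assigned before any of the new validation runs, so every "goto out" this patch adds leaves the caller with a server-supplied non-zero count while Feedback is still NULL. Suggest moving the assignment to after the final Xmalloc(size) succeeds, or resetting *num_feedbacks to 0 on the failure paths, so the count can never describe a list that was not returned.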
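Review bot: In src/XGetFCtl.c, hunk @@ -102,6 +108,10 @@, the new check "if (f->length > nbytes)" reads f->length before confirming that a whole xFeedbackState header still fits in the remaining nbytes. If rep.num_feedbacks claims more entries than the reply holds, f is at the end of the buffer when f->length and f->class are read. Suggest testing nbytes < sizeof(xFeedbackState) first, and also rejecting f->length < sizeof(xFeedbackState): a zero f->length passes the current test, and "f = (xFeedbackState *) ((char *)f + f->length)" then never advances, so the same entry is counted on every iteration.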
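Review bot: In src/XGetFCtl.c, hunk @@ -116,6 +126,8 @@, strf->num_syms_supported is bounded only against INT_MAX / sizeof(KeySym), not against the entry's own f->length, which the loop has just validated against nbytes. A count small enough to pass this test can still describe more keysyms than the entry carries. Suggest also requiring that the keysym array implied by num_syms_supported fits inside f->length, so that any later copy of the keysyms stays within the data read from the server.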
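Review bot: In src/XGetProp.c, hunk @@ -89,11 +90,11 @@, the buffer is sized from rep.length while the caller is told rep.count elements via "*count = rep.count", and nothing compares the two. A reply with rep.count larger than rep.length gives the caller a count that exceeds the allocation, and when the INT_MAX / sizeof(XEventClass) test fails the caller gets a NULL list with a non-zero *count. Suggest rejecting replies where rep.count > rep.length and setting *count to 0 whenever list ends up NULL. The new condition also relies on list being initialised to NULL above the hunk, which is worth confirming since the initialisation is not part of the diff.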
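Review bot: In src/XIPassiveGrab.c, hunk @@ -88,7 +88,7 @@, the loop is now clamped with "i < reply.num_modifiers && i < num_modifiers", but the extra modifiers are dropped silently and the visible part of the diff stops at the loop's opening brace, so it does not show what count is reported back to the caller. If the function still reports reply.num_modifiers, the caller will index past the entries that were actually written. Suggest clamping the reported count to the same minimum as the loop bound, and adding a short comment that a server reply larger than the caller's array is truncated on purpose.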