From 33f38a832eaa1a0ea454f83df6ea0327fb616f76 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Aur=C3=A9lien=20Larcher?= Date: Thu, 3 Nov 2016 10:26:01 +0100 Subject: [PATCH] Bump libXfixes to 5.0.3 --- components/x11/libXfixes/Makefile | 5 +-- .../x11/libXfixes/patches/02-CVE-2016-7944.patch | 51 ---------------------- 2 files changed, 2 insertions(+), 54 deletions(-) delete mode 100644 components/x11/libXfixes/patches/02-CVE-2016-7944.patch diff --git a/components/x11/libXfixes/Makefile b/components/x11/libXfixes/Makefile index fd6ddc6a5..f52017130 100644 --- a/components/x11/libXfixes/Makefile +++ b/components/x11/libXfixes/Makefile @@ -16,13 +16,12 @@ include ../../../make-rules/shared-macros.mk COMPONENT_NAME= libXfixes -COMPONENT_VERSION= 5.0.1 -COMPONENT_REVISION= 1 +COMPONENT_VERSION= 5.0.3 COMPONENT_SUMMARY= libXfixes - XFIXES extension client library COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.bz2 COMPONENT_ARCHIVE_HASH= \ - sha256:63bec085084fa3caaee5180490dd871f1eb2020ba9e9b39a30f93693ffc34767 + sha256:de1cd33aff226e08cefd0e6759341c2c8e8c9faf8ce9ac6ec38d43e287b22ad6 COMPONENT_ARCHIVE_URL= \ http://xorg.freedesktop.org/archive/individual/lib/$(COMPONENT_ARCHIVE) COMPONENT_PROJECT_URL = http://xorg.freedesktop.org diff --git a/components/x11/libXfixes/patches/02-CVE-2016-7944.patch b/components/x11/libXfixes/patches/02-CVE-2016-7944.patch deleted file mode 100644 index 8991eb774..000000000 --- a/components/x11/libXfixes/patches/02-CVE-2016-7944.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 61c1039ee23a2d1de712843bed3480654d7ef42e Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Sun, 25 Sep 2016 22:38:44 +0200 -Subject: Integer overflow on illegal server response - -The 32 bit field "rep.length" is not checked for validity, which allows -an integer overflow on 32 bit systems. - -A malicious server could send INT_MAX as length, which gets multiplied -by the size of XRectangle. In that case the client won't read the whole -data from server, getting out of sync. - -Signed-off-by: Tobias Stoeckmann -Reviewed-by: Matthieu Herrb - -diff --git a/src/Region.c b/src/Region.c -index cb0cf6e..59bcc1a 100644 ---- a/src/Region.c -+++ b/src/Region.c -@@ -23,6 +23,7 @@ - #ifdef HAVE_CONFIG_H - #include - #endif -+#include - #include "Xfixesint.h" - - XserverRegion -@@ -333,9 +334,17 @@ XFixesFetchRegionAndBounds (Display *dpy, - bounds->y = rep.y; - bounds->width = rep.width; - bounds->height = rep.height; -- nbytes = (long) rep.length << 2; -- nrects = rep.length >> 1; -- rects = Xmalloc (nrects * sizeof (XRectangle)); -+ -+ if (rep.length < (INT_MAX >> 2)) { -+ nbytes = (long) rep.length << 2; -+ nrects = rep.length >> 1; -+ rects = Xmalloc (nrects * sizeof (XRectangle)); -+ } else { -+ nbytes = 0; -+ nrects = 0; -+ rects = NULL; -+ } -+ - if (!rects) - { - _XEatDataWords(dpy, rep.length); --- -cgit v0.10.2 - -- 2.11.4.GIT