diffstat for libxvmc_1.0.6-1 libxvmc_1.0.6-1ubuntu2.1 debian/patches/01_support_alternatives.patch | 13 ++ debian/patches/CVE-2013-1990.patch | 144 +++++++++++++++++++++++++++ debian/patches/CVE-2013-1999.patch | 74 +++++++++++++ debian/patches/ld.gold.diff | 13 ++ debian/patches/series | 4 libxvmc-1.0.6/debian/changelog | 39 +++++++ libxvmc-1.0.6/debian/control | 3 libxvmc-1.0.6/debian/libxvmc1.install | 2 libxvmc-1.0.6/debian/rules | 7 - 9 files changed, 294 insertions(+), 5 deletions(-) diff -u libxvmc-1.0.6/debian/libxvmc1.install libxvmc-1.0.6/debian/libxvmc1.install --- libxvmc-1.0.6/debian/libxvmc1.install +++ libxvmc-1.0.6/debian/libxvmc1.install @@ -3 +3 @@ -etc/X11/XvMCConfig +usr/lib/xvmcconfig-standard/XvMCConfig diff -u libxvmc-1.0.6/debian/changelog libxvmc-1.0.6/debian/changelog --- libxvmc-1.0.6/debian/changelog +++ libxvmc-1.0.6/debian/changelog @@ -1,3 +1,33 @@ +libxvmc (2:1.0.6-1ubuntu2.1) precise-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via + incorrect memory size calculations + - debian/patches/CVE-2013-1990.patch: fix multiple integer overflows. + - CVE-2013-1990 + * SECURITY UPDATE: denial of service and possible code execution via + incorrect length and bounds checking + - debian/patches/CVE-2013-1999.patch: properly handle lengths in + src/XvMC.c. + - CVE-2013-1999 + + -- Marc Deslauriers Wed, 29 May 2013 09:20:37 -0400 + +libxvmc (2:1.0.6-1ubuntu2) natty; urgency=low + + * Resolve unresolved symbols in shared library. + + -- Matthias Klose Thu, 20 Jan 2011 09:27:36 +0100 + +libxvmc (2:1.0.6-1ubuntu1) natty; urgency=low + + * Merge with Debian; remaining changes: + - debian/patches/01_support_alternatives.patch: + - Put XvMCConfig in usr/lib/xvmcconfig-standard. + - Make the library look for /lib/XvMCConfig (which will be the + link that alternatives will set). + + -- Matthias Klose Thu, 20 Jan 2011 08:57:30 +0100 + libxvmc (2:1.0.6-1) unstable; urgency=low * New upstream release. @@ -7,6 +37,15 @@ -- Cyril Brulebois Mon, 08 Nov 2010 00:29:28 +0100 +libxvmc (2:1.0.5-1ubuntu1) lucid; urgency=low + + * debian/patches/01_support_alternatives.patch: + - Put XvMCConfig in usr/lib/xvmcconfig-standard. + - Make the library look for /lib/XvMCConfig (which will be the + link that alternatives will set). + + -- Alberto Milone Fri, 08 Jan 2010 20:13:26 +0100 + libxvmc (2:1.0.5-1) unstable; urgency=low [ Timo Aaltonen ] diff -u libxvmc-1.0.6/debian/control libxvmc-1.0.6/debian/control --- libxvmc-1.0.6/debian/control +++ libxvmc-1.0.6/debian/control @@ -1,7 +1,8 @@ Source: libxvmc Section: x11 Priority: optional -Maintainer: Debian X Strike Force +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian X Strike Force Uploaders: David Nusinow , Andres Salomon , Drew Parsons , Cyril Brulebois Build-Depends: debhelper (>= 5.0.0), diff -u libxvmc-1.0.6/debian/rules libxvmc-1.0.6/debian/rules --- libxvmc-1.0.6/debian/rules +++ libxvmc-1.0.6/debian/rules @@ -32,6 +32,7 @@ confflags += --build=$(DEB_BUILD_GNU_TYPE) --host=$(DEB_HOST_GNU_TYPE) endif +standard-configdir := /usr/lib/xvmcconfig-standard build: patch build-stamp build-stamp: @@ -40,7 +41,7 @@ mkdir -p obj-$(DEB_BUILD_GNU_TYPE) cd obj-$(DEB_BUILD_GNU_TYPE) && \ ../configure --prefix=/usr \ - --sysconfdir=/etc --mandir=\$${prefix}/share/man \ + --sysconfdir=/usr/lib --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info $(confflags) \ CFLAGS="$(CFLAGS)" cd obj-$(DEB_BUILD_GNU_TYPE) && $(MAKE) @@ -69,8 +70,8 @@ dh_installdirs cd obj-$(DEB_BUILD_GNU_TYPE) && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install - mkdir -p $(CURDIR)/debian/tmp/etc/X11 - cp debian/local/XvMCConfig $(CURDIR)/debian/tmp/etc/X11 + mkdir -p $(CURDIR)/debian/tmp$(standard-configdir) + cp debian/local/XvMCConfig $(CURDIR)/debian/tmp$(standard-configdir) # Build architecture-dependent files here. binary-arch: build install only in patch2: unchanged: --- libxvmc-1.0.6.orig/debian/patches/CVE-2013-1999.patch +++ libxvmc-1.0.6/debian/patches/CVE-2013-1999.patch @@ -0,0 +1,74 @@ +Description: fix denial of service and possible code execution via + incorrect length and bounds checking +Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=e9415ddef2ac81d4139bd32d5e9cda9394a60051 +Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=8c164524d229adb6141fdac8336b3823e7fe1a5d + +Index: libxvmc-1.0.6/src/XvMC.c +=================================================================== +--- libxvmc-1.0.6.orig/src/XvMC.c 2013-05-29 09:23:10.772420193 -0400 ++++ libxvmc-1.0.6/src/XvMC.c 2013-05-29 09:25:14.448419013 -0400 +@@ -499,7 +499,6 @@ + XExtDisplayInfo *info = xvmc_find_display(dpy); + xvmcGetDRInfoReply rep; + xvmcGetDRInfoReq *req; +- char *tmpBuf = NULL; + CARD32 magic; + + #ifdef HAS_SHM +@@ -510,6 +509,9 @@ + here.tz_dsttime = 0; + #endif + ++ *name = NULL; ++ *busID = NULL; ++ + XvMCCheckExtension (dpy, info, BadImplementation); + + LockDisplay (dpy); +@@ -568,31 +570,31 @@ + #endif + + if (rep.length > 0) { ++ unsigned long realSize = 0; ++ char *tmpBuf = NULL; + +- int realSize = rep.length << 2; +- +- tmpBuf = (char *) Xmalloc(realSize); +- if (tmpBuf) { +- *name = (char *) Xmalloc(rep.nameLen); +- if (*name) { +- *busID = (char *) Xmalloc(rep.busIDLen); +- if (! *busID) { +- XFree(*name); +- XFree(tmpBuf); +- } +- } else { +- XFree(tmpBuf); ++ if (rep.length < (INT_MAX >> 2)) { ++ realSize = rep.length << 2; ++ if (realSize >= (rep.nameLen + rep.busIDLen)) { ++ tmpBuf = Xmalloc(realSize); ++ *name = Xmalloc(rep.nameLen); ++ *busID = Xmalloc(rep.busIDLen); + } + } + + if (*name && *busID && tmpBuf) { +- + _XRead(dpy, tmpBuf, realSize); + strncpy(*name,tmpBuf,rep.nameLen); ++ (*name)[rep.nameLen - 1] = '\0'; + strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen); ++ (*busID)[rep.busIDLen - 1] = '\0'; + XFree(tmpBuf); +- + } else { ++ XFree(*name); ++ *name = NULL; ++ XFree(*busID); ++ *busID = NULL; ++ XFree(tmpBuf); + + _XEatDataWords(dpy, rep.length); + UnlockDisplay (dpy); only in patch2: unchanged: --- libxvmc-1.0.6.orig/debian/patches/ld.gold.diff +++ libxvmc-1.0.6/debian/patches/ld.gold.diff @@ -0,0 +1,13 @@ +Index: libxvmc-1.0.6/src/Makefile.am +=================================================================== +--- libxvmc-1.0.6.orig/src/Makefile.am 2011-01-20 08:26:19.078234331 +0000 ++++ libxvmc-1.0.6/src/Makefile.am 2011-01-20 08:27:26.518228985 +0000 +@@ -13,7 +13,7 @@ + libXvMC_la_LIBADD = @XVMC_LIBS@ + libXvMC_la_CFLAGS = $(AM_CFLAGS) + +-libXvMCW_la_LIBADD = @XVMC_LIBS@ ++libXvMCW_la_LIBADD = @XVMC_LIBS@ -ldl + libXvMCW_la_CFLAGS = \ + $(AM_CFLAGS) \ + -DXVMC_CONFIGDIR=$(sysconfdir) \ only in patch2: unchanged: --- libxvmc-1.0.6.orig/debian/patches/CVE-2013-1990.patch +++ libxvmc-1.0.6/debian/patches/CVE-2013-1990.patch @@ -0,0 +1,144 @@ +Description: fix denial of service and possible code execution via + incorrect memory size calculations +Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9 +Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2712383813b26475dc6713888414d842be57f8ca +Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=478d4e5873eeee2ebdce6673e4e3469816ab63b8 +Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=5fd871e5f878810f8f8837725d548e07e89577ab + +Index: libxvmc-1.0.6/configure.ac +=================================================================== +--- libxvmc-1.0.6.orig/configure.ac 2013-05-29 09:21:20.196421247 -0400 ++++ libxvmc-1.0.6/configure.ac 2013-05-29 09:21:55.692420909 -0400 +@@ -42,6 +42,12 @@ + # Check for dependencies + PKG_CHECK_MODULES(XVMC, x11 xext xv xextproto videoproto) + ++# Check for _XEatDataWords function that may be patched into older Xlib release ++SAVE_LIBS="$LIBS" ++LIBS="$XVMC_LIBS" ++AC_CHECK_FUNCS([_XEatDataWords]) ++LIBS="$SAVE_LIBS" ++ + AC_CHECK_FUNC([shmat], AC_DEFINE(HAS_SHM,1,[Has shm*() functions])) + + XORG_CHECK_MALLOC_ZERO +Index: libxvmc-1.0.6/src/XvMC.c +=================================================================== +--- libxvmc-1.0.6.orig/src/XvMC.c 2013-05-29 09:21:20.196421247 -0400 ++++ libxvmc-1.0.6/src/XvMC.c 2013-05-29 09:22:40.132420485 -0400 +@@ -16,6 +16,18 @@ + #include + #include + #include ++#include ++ ++#ifndef HAVE__XEATDATAWORDS ++static inline void _XEatDataWords(Display *dpy, unsigned long n) ++{ ++# ifndef LONG64 ++ if (n >= (ULONG_MAX >> 2)) ++ _XIOError(dpy); ++# endif ++ _XEatData (dpy, n << 2); ++} ++#endif + + static XExtensionInfo _xvmc_info_data; + static XExtensionInfo *xvmc_info = &_xvmc_info_data; +@@ -111,8 +123,8 @@ + } + + if(rep.num > 0) { +- surface_info = +- (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo)); ++ if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo))) ++ surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo)); + + if(surface_info) { + xvmcSurfaceInfo sinfo; +@@ -134,7 +146,7 @@ + surface_info[i].flags = sinfo.flags; + } + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -172,8 +184,8 @@ + } + + if(rep.num > 0) { +- ret = +- (XvImageFormatValues*)Xmalloc(rep.num * sizeof(XvImageFormatValues)); ++ if (rep.num < (INT_MAX / sizeof(XvImageFormatValues))) ++ ret = Xmalloc(rep.num * sizeof(XvImageFormatValues)); + + if(ret) { + xvImageFormatInfo Info; +@@ -207,7 +219,7 @@ + ret[i].scanline_order = Info.scanline_order; + } + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -273,12 +285,13 @@ + context->flags = rep.flags_return; + + if(rep.length) { +- *priv_data = Xmalloc(rep.length << 2); ++ if (rep.length < (INT_MAX >> 2)) ++ *priv_data = Xmalloc(rep.length << 2); + if(*priv_data) { + _XRead(dpy, (char*)(*priv_data), rep.length << 2); + *priv_count = rep.length; + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -354,12 +367,13 @@ + } + + if(rep.length) { +- *priv_data = Xmalloc(rep.length << 2); ++ if (rep.length < (INT_MAX >> 2)) ++ *priv_data = Xmalloc(rep.length << 2); + if(*priv_data) { + _XRead(dpy, (char*)(*priv_data), rep.length << 2); + *priv_count = rep.length; + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -444,12 +458,13 @@ + subpicture->component_order[3] = rep.component_order[3]; + + if(rep.length) { +- *priv_data = Xmalloc(rep.length << 2); ++ if (rep.length < (INT_MAX >> 2)) ++ *priv_data = Xmalloc(rep.length << 2); + if(*priv_data) { + _XRead(dpy, (char*)(*priv_data), rep.length << 2); + *priv_count = rep.length; + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -579,7 +594,7 @@ + + } else { + +- _XEatData(dpy, realSize); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return -1; only in patch2: unchanged: --- libxvmc-1.0.6.orig/debian/patches/01_support_alternatives.patch +++ libxvmc-1.0.6/debian/patches/01_support_alternatives.patch @@ -0,0 +1,13 @@ +Index: libxvmc-1.0.5/src/Makefile.am +=================================================================== +--- libxvmc-1.0.5.orig/src/Makefile.am 2010-01-06 16:12:58.184669594 +0100 ++++ libxvmc-1.0.5/src/Makefile.am 2010-01-06 16:13:22.457132534 +0100 +@@ -16,7 +16,7 @@ + libXvMCW_la_LIBADD = @XVMC_LIBS@ + libXvMCW_la_CFLAGS = \ + $(AM_CFLAGS) \ +- -DXVMC_CONFIGDIR=$(sysconfdir)/X11 \ ++ -DXVMC_CONFIGDIR=$(sysconfdir) \ + -DXVMC_SOVERSION=\".1.0\" \ + -DXV_SOVERSION=\".1.0\" + only in patch2: unchanged: --- libxvmc-1.0.6.orig/debian/patches/series +++ libxvmc-1.0.6/debian/patches/series @@ -0,0 +1,4 @@ +01_support_alternatives.patch +ld.gold.diff +CVE-2013-1990.patch +CVE-2013-1999.patch