From http://www.openbsd.org/errata55.html:
X Font Service Protocol & Font metadata file handling issues in libXfont
CVE-2014-0209: integer overflow of allocations in font metadata file parsing
CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
CVE-2014-0211: integer overflows calculating memory needs for xfs replies
Please see the advisory for more information.
http://lists.x.org/archives/xorg-announce/2014-May/002431.html
Source code patch:
untrusted comment: signature from openbsd 5.5 base secret key
RWRGy8gxk9N93+eLgi55eB+q+iJdk3vT7fqMhrHUN7dUsETsdek0CEyTtx7kXq9vjF5sYa/lCtsUIEgykH7yxDmuIuNUmE3wegc=
OpenBSD 5.5 errata 6, May 24, 2014: X Font Service Protocol
& Font metadata file handling issues in libXfont
This is revision 2 of the patch (the first version forgot to use
signify).
Verify the signature and apply the patch in one step (signify -Vep writes the embedded patch to stdout only after the signature verifies, so patch receives nothing if verification fails):
signify -Vep /etc/signify/openbsd-55-base.pub -x 006_libXfont.patch.sig \
-m - | (cd /usr/xenocara && patch -p0)
Then rebuild and install libXfont:
cd /usr/xenocara/lib/libXfont
make -f Makefile.bsd-wrapper obj
make -f Makefile.bsd-wrapper build
Index: lib/libXfont/src/fc/fsconvert.c
===================================================================
RCS file: /cvs/OpenBSD/xenocara/lib/libXfont/src/fc/fsconvert.c,v
retrieving revision 1.4
diff -u -p -u -r1.4 fsconvert.c
--- lib/libXfont/src/fc/fsconvert.c 4 Mar 2012 18:13:47 -0000 1.4
+++ lib/libXfont/src/fc/fsconvert.c 13 May 2014 19:42:23 -0000
@@ -118,6 +118,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp
for (i = 0; i < nprops; i++, dprop++, is_str++)
{
memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
+ if ((local_off.name.position >= pi->data_len) ||
+ (local_off.name.length >
+ (pi->data_len - local_off.name.position)))
+ goto bail;
dprop->name = MakeAtom(&pdc[local_off.name.position],
local_off.name.length, 1);
if (local_off.type != PropTypeString) {
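Review bot: The added range test is only sound if `position`, `length` and `pi->data_len` are all unsigned; with a signed `length` a negative value would pass `length > data_len - position` and still reach MakeAtom. The fsPropOffset fields are CARD32 in the FS protocol headers as far as I can tell, so the check holds, but that assumption is worth a comment on the `if`: `/* position/length/data_len are CARD32: unsigned compare, subtraction cannot underflow */`. The same test is repeated for the value field further down; a `static inline int _fs_offset_ok(CARD32 pos, CARD32 len, CARD32 total)` helper would keep the two in step. `_fs_convert_props` starts before this hunk.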
@@ -125,10 +129,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp
dprop->value = local_off.value.position;
} else {
*is_str = TRUE;
+ if ((local_off.value.position >= pi->data_len) ||
+ (local_off.value.length >
+ (pi->data_len - local_off.value.position)))
+ goto bail;
dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
local_off.value.length, 1);
if (dprop->value == BAD_RESOURCE)
{
+ bail:
free (pfi->props);
pfi->nprops = 0;
pfi->props = 0;
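Review bot: The `bail:` label sits inside the `if (dprop->value == BAD_RESOURCE)` body but is entered by `goto` from two range checks outside that block; that is legal C, yet it reads as if the free only runs on a bad atom. A one-line comment on the label would spare the next reader a double-take: `bail: /* also reached from the position/length checks above; props freed and cleared */`. What the function does after clearing `pfi->props` (return value, loop exit) lies outside this hunk, so I cannot confirm that callers distinguish this failure from an empty property list.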
@@ -712,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size
FSGlyphPtr glyphs;
FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate;
- glyphs = malloc (sizeof (FSGlyphRec) + size);
+ if (size < (INT_MAX - sizeof (FSGlyphRec)))
+ glyphs = malloc (sizeof (FSGlyphRec) + size);
+ else
+ glyphs = NULL;
+ if (glyphs == NULL)
+ return NULL;
glyphs->next = fsfont->glyphs;
fsfont->glyphs = glyphs;
return (pointer) (glyphs + 1);
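Review bot: The guard `size < (INT_MAX - sizeof (FSGlyphRec))` rejects a negative `size` (declared `int` in the hunk header) only as a side effect of the int-to-size_t conversion wrapping it to a huge value, which a later edit could easily undo by casting the right-hand side to int. Making the sign check explicit documents the intent: `if (size < 0 || (size_t) size > INT_MAX - sizeof (FSGlyphRec)) return NULL;` followed by the unconditional `malloc` and its NULL check. Whether every caller of fs_alloc_glyphs now handles a NULL return is outside this hunk.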
Index: lib/libXfont/src/fc/fserve.c
===================================================================
RCS file: /cvs/OpenBSD/xenocara/lib/libXfont/src/fc/fserve.c,v
retrieving revision 1.4
diff -u -p -u -r1.4 fserve.c
--- lib/libXfont/src/fc/fserve.c 4 Mar 2012 18:13:47 -0000 1.4
+++ lib/libXfont/src/fc/fserve.c 13 May 2014 19:42:23 -0000
@@ -70,6 +70,7 @@ in this Software without prior written a
#include "fservestr.h"
#include <X11/fonts/fontutil.h>
#include <errno.h>
+#include <limits.h>
#include <time.h>
#define Time_t time_t
@@ -91,6 +92,15 @@ in this Software without prior written a
(pci)->descent || \
(pci)->characterWidth)
+/*
+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
+ * so this converts for doing size comparisons.
+ */
+#define LENGTHOF(r) (SIZEOF(r) >> 2)
+
+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
+#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2)
+
extern void ErrorF(const char *f, ...);
static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
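Review bot: `LENGTHOF(r)` rounds down, so a struct whose SIZEOF is not a multiple of 4 yields a word count one short, and a `rep->length < LENGTHOF(name)` test elsewhere would then admit a reply too small for the struct. FS protocol reply structs are padded to 32-bit multiples, but nothing here enforces that; rounding up removes the dependency: `#define LENGTHOF(r) ((SIZEOF(r) + 3) >> 2)`. The `MAX_REPLY_LENGTH` comment could also name the unit, e.g. `/* 64 MiB expressed in 32-bit words; presumably replies claiming more are refused before any allocation — confirm in the reader */`, since the code that applies the limit is outside this hunk.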
@@ -206,9 +216,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGeneri
rep->sequenceNumber,
conn->reqbuffer[i].opcode);
}
+
+#define _fs_reply_failed(rep, name, op) do { \
+ if (rep) { \
+ if (rep->type == FS_Error) \
+ fprintf (stderr, "Error: %d Request: %s\n", \
+ ((fsError *)rep)->request, #name); \
+ else \
+ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \
+ #name, rep->length, op, LENGTHOF(name)); \
+ } \
+} while (0)
+
#else
#define _fs_add_req_log(conn,op) ((conn)->current_seq++)
#define _fs_add_rep_log(conn,rep)
+#define _fs_reply_failed(rep,name,op)