[arch-commits] Commit in libxfont/trunk (3 files)

Laurent Carlier lcarlier at archlinux.org
Fri Jul 18 16:46:17 UTC 2014


    Date: Friday, July 18, 2014 @ 18:46:17
  Author: lcarlier
Revision: 217470

upgpkg: libxfont 1.4.99.901-1

upstream update 1.4.99.901

Modified:
  libxfont/trunk/PKGBUILD
Deleted:
  libxfont/trunk/CVE-2014-209-210-211.patch
  libxfont/trunk/fix-for-fontsproto213.patch

-----------------------------+
 CVE-2014-209-210-211.patch  |  925 ------------------------------------------
 PKGBUILD                    |   22 
 fix-for-fontsproto213.patch |   70 ---
 3 files changed, 5 insertions(+), 1012 deletions(-)

Deleted: CVE-2014-209-210-211.patch
===================================================================
--- CVE-2014-209-210-211.patch	2014-07-18 14:56:43 UTC (rev 217469)
+++ CVE-2014-209-210-211.patch	2014-07-18 16:46:17 UTC (rev 217470)
@@ -1,925 +0,0 @@
-From 2f5e57317339c526e6eaee1010b0e2ab8089c42e Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:01:11 -0700
-Subject: [PATCH 01/12] CVE-2014-0209: integer overflow of realloc() size in
- FontFileAddEntry()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-FontFileReadDirectory() opens a fonts.dir file, and reads over every
-line in an fscanf loop.  For each successful entry read (font name,
-file name) a call is made to FontFileAddFontFile().
-
-FontFileAddFontFile() will add a font file entry (for the font name
-and file) each time it’s called, by calling FontFileAddEntry().
-FontFileAddEntry() will do the actual adding.  If the table it has
-to add to is full, it will do a realloc, adding 100 more entries
-to the table size without checking to see if that will overflow the
-int used to store the size.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fontfile/fontdir.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
-index ef7ffa5..7271603 100644
---- a/src/fontfile/fontdir.c
-+++ b/src/fontfile/fontdir.c
-@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
-     if (table->sorted)
- 	return (FontEntryPtr) 0;    /* "cannot" happen */
-     if (table->used == table->size) {
-+	if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
-+	    /* If we've read so many entries we're going to ask for 2gb
-+	       or more of memory, something is so wrong with this font
-+	       directory that we should just give up before we overflow. */
-+	    return NULL;
- 	newsize = table->size + 100;
- 	entry = realloc(table->entries, newsize * sizeof(FontEntryRec));
- 	if (!entry)
--- 
-1.9.2
-
-
-From 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:01:48 -0700
-Subject: [PATCH 02/12] CVE-2014-0209: integer overflow of realloc() size in
- lexAlias()
-
-lexAlias() reads from a file in a loop. It does this by starting with a
-64 byte buffer.  If that size limit is hit, it does a realloc of the
-buffer size << 1, basically doubling the needed length every time the
-length limit is hit.
-
-Eventually, this will shift out to 0 (for a length of ~4gig), and that
-length will be passed on to realloc().  A length of 0 (with a valid
-pointer) causes realloc to free the buffer on most POSIX platforms,
-but the caller will still have a pointer to it, leading to use after
-free issues.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fontfile/dirfile.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/fontfile/dirfile.c b/src/fontfile/dirfile.c
-index cb28333..38ced75 100644
---- a/src/fontfile/dirfile.c
-+++ b/src/fontfile/dirfile.c
-@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group.
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <errno.h>
-+#include <limits.h>
- 
- static Bool AddFileNameAliases ( FontDirectoryPtr dir );
- static int ReadFontAlias ( char *directory, Bool isFile,
-@@ -376,6 +377,9 @@ lexAlias(FILE *file, char **lexToken)
- 	    int         nsize;
- 	    char       *nbuf;
- 
-+	    if (tokenSize >= (INT_MAX >> 2))
-+		/* Stop before we overflow */
-+		return EALLOC;
- 	    nsize = tokenSize ? (tokenSize << 1) : 64;
- 	    nbuf = realloc(tokenBuf, nsize);
- 	    if (!nbuf)
--- 
-1.9.2
-
-
-From 891e084b26837162b12f841060086a105edde86d Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:00 -0700
-Subject: [PATCH 03/12] CVE-2014-0210: unvalidated length in
- _fs_recv_conn_setup()
-
-The connection setup reply from the font server can include a list
-of alternate servers to contact if this font server stops working.
-
-The reply specifies a total size of all the font server names, and
-then provides a list of names. _fs_recv_conn_setup() allocated the
-specified total size for copying the names to, but didn't check to
-make sure it wasn't copying more data to that buffer than the size
-it had allocated.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 20 ++++++++++++++++++--
- 1 file changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 3585951..aa9acdb 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -2784,7 +2784,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
-     int			ret = FSIO_ERROR;
-     fsConnSetup		*setup;
-     FSFpeAltPtr		alts;
--    int			i, alt_len;
-+    unsigned int	i, alt_len;
-     int			setup_len;
-     char		*alt_save, *alt_names;
- 
-@@ -2811,8 +2811,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
- 	}
- 	if (setup->num_alternates)
- 	{
-+	    size_t alt_name_len = setup->alternate_len << 2;
- 	    alts = malloc (setup->num_alternates * sizeof (FSFpeAltRec) +
--			   (setup->alternate_len << 2));
-+			   alt_name_len);
- 	    if (alts)
- 	    {
- 		alt_names = (char *) (setup + 1);
-@@ -2821,10 +2822,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
- 		{
- 		    alts[i].subset = alt_names[0];
- 		    alt_len = alt_names[1];
-+		    if (alt_len >= alt_name_len) {
-+			/*
-+			 * Length is longer than setup->alternate_len
-+			 * told us to allocate room for, assume entire
-+			 * alternate list is corrupted.
-+			 */
-+#ifdef DEBUG
-+			fprintf (stderr,
-+				 "invalid alt list (length %lx >= %lx)\n",
-+				 (long) alt_len, (long) alt_name_len);
-+#endif
-+			free(alts);
-+			return FSIO_ERROR;
-+		    }
- 		    alts[i].name = alt_save;
- 		    memcpy (alt_save, alt_names + 2, alt_len);
- 		    alt_save[alt_len] = '\0';
- 		    alt_save += alt_len + 1;
-+		    alt_name_len -= alt_len + 1;
- 		    alt_names += _fs_pad_length (alt_len + 2);
- 		}
- 		conn->numAlts = setup->num_alternates;
--- 
-1.9.2
-
-
-From cbb64aef35960b2882be721f4b8fbaa0fb649d12 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:12 -0700
-Subject: [PATCH 04/12] CVE-2014-0210: unvalidated lengths when reading replies
- from font server
-
-Functions to handle replies to font server requests were casting replies
-from the generic form to reply specific structs without first checking
-that the reply was at least as long as the struct being cast to.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 44 ++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 38 insertions(+), 6 deletions(-)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index aa9acdb..f08028f 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -91,6 +91,12 @@ in this Software without prior written authorization from The Open Group.
- 			     (pci)->descent || \
- 			     (pci)->characterWidth)
- 
-+/*
-+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
-+ * so this converts for doing size comparisons.
-+ */
-+#define LENGTHOF(r)	(SIZEOF(r) >> 2)
-+
- extern void ErrorF(const char *f, ...);
- 
- static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
-@@ -206,9 +212,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep)
- 		 rep->sequenceNumber,
- 		 conn->reqbuffer[i].opcode);
- }
-+
-+#define _fs_reply_failed(rep, name, op) do {                            \
-+    if (rep) {                                                          \
-+        if (rep->type == FS_Error)                                      \
-+            fprintf (stderr, "Error: %d Request: %s\n",                 \
-+                     ((fsError *)rep)->request, #name);                 \
-+        else                                                            \
-+            fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n",     \
-+                     #name, rep->length, op, LENGTHOF(name));           \
-+    }                                                                   \
-+} while (0)
-+
- #else
- #define _fs_add_req_log(conn,op)    ((conn)->current_seq++)
- #define _fs_add_rep_log(conn,rep)
-+#define _fs_reply_failed(rep,name,op)
- #endif
- 
- static Bool
-@@ -682,13 +701,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     int			    ret;
- 
-     rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	(rep->length != LENGTHOF(fsOpenBitmapFontReply)))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	if (rep)
- 	    _fs_done_read (conn, rep->length << 2);
- 	fs_cleanup_bfont (bfont);
-+	_fs_reply_failed (rep, fsOpenBitmapFontReply, "!=");
- 	return BadFontName;
-     }
- 
-@@ -824,13 +845,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     int			ret;
- 
-     rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	(rep->length < LENGTHOF(fsQueryXInfoReply)))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	if (rep)
- 	    _fs_done_read (conn, rep->length << 2);
- 	fs_cleanup_bfont (bfont);
-+	_fs_reply_failed (rep, fsQueryXInfoReply, "<");
- 	return BadFontName;
-     }
- 
-@@ -951,13 +974,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     FontInfoRec		    *fi = &bfont->pfont->info;
- 
-     rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	(rep->length < LENGTHOF(fsQueryXExtents16Reply)))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	if (rep)
- 	    _fs_done_read (conn, rep->length << 2);
- 	fs_cleanup_bfont (bfont);
-+	_fs_reply_failed (rep, fsQueryXExtents16Reply, "<");
- 	return BadFontName;
-     }
- 
-@@ -1823,13 +1848,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     unsigned long	    minchar, maxchar;
- 
-     rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	(rep->length < LENGTHOF(fsQueryXBitmaps16Reply)))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	if (rep)
- 	    _fs_done_read (conn, rep->length << 2);
- 	err = AllocError;
-+	_fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<");
- 	goto bail;
-     }
- 
-@@ -2232,12 +2259,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     int			err;
- 
-     rep = (fsListFontsReply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	(rep->length < LENGTHOF(fsListFontsReply)))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	if (rep)
- 	    _fs_done_read (conn, rep->length << 2);
-+	_fs_reply_failed (rep, fsListFontsReply, "<");
- 	return AllocError;
-     }
-     data = (char *) rep + SIZEOF (fsListFontsReply);
-@@ -2356,12 +2385,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     _fs_free_props (&binfo->info);
- 
-     rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	((rep->nameLength != 0) &&
-+	 (rep->length < LENGTHOF(fsListFontsWithXInfoReply))))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	binfo->status = FS_LFWI_FINISHED;
- 	err = AllocError;
-+	_fs_reply_failed (rep, fsListFontsWithXInfoReply, "<");
- 	goto done;
-     }
-     /*
--- 
-1.9.2
-
-
-From 0f1a5d372c143f91a602bdf10c917d7eabaee09b Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:25 -0700
-Subject: [PATCH 05/12] CVE-2014-0211: Integer overflow in
- fs_get_reply/_fs_start_read
-
-fs_get_reply() would take any reply size, multiply it by 4 and pass to
-_fs_start_read.  If that size was bigger than the current reply buffer
-size, _fs_start_read would add it to the existing buffer size plus the
-buffer size increment constant and realloc the buffer to that result.
-
-This math could overflow, causing the code to allocate a smaller
-buffer than the amount it was about to read into that buffer from
-the network.  It could also succeed, allowing the remote font server
-to cause massive allocations in the X server, possibly using up all
-the address space in a 32-bit X server, allowing the triggering of
-other bugs in code that fails to handle malloc failure properly.
-
-This patch protects against both problems, by disconnecting any
-font server trying to feed us more than (the somewhat arbitrary)
-64 mb in a single reply.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index f08028f..3abbacf 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -97,6 +97,9 @@ in this Software without prior written authorization from The Open Group.
-  */
- #define LENGTHOF(r)	(SIZEOF(r) >> 2)
- 
-+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
-+#define MAX_REPLY_LENGTH	((64 * 1024 * 1024) >> 2)
-+
- extern void ErrorF(const char *f, ...);
- 
- static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
-@@ -619,6 +622,21 @@ fs_get_reply (FSFpePtr conn, int *error)
- 
-     rep = (fsGenericReply *) buf;
- 
-+    /*
-+     * Refuse to accept replies longer than a maximum reasonable length,
-+     * before we pass to _fs_start_read, since it will try to resize the
-+     * incoming connection buffer to this size.  Also avoids integer overflow
-+     * on 32-bit systems.
-+     */
-+    if (rep->length > MAX_REPLY_LENGTH)
-+    {
-+	ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
-+	       " from font server\n", rep->length);
-+	_fs_connection_died (conn);
-+	*error = FSIO_ERROR;
-+	return 0;
-+    }
-+
-     ret = _fs_start_read (conn, rep->length << 2, &buf);
-     if (ret != FSIO_READY)
-     {
--- 
-1.9.2
-
-
-From 491291cabf78efdeec8f18b09e14726a9030cc8f Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:34 -0700
-Subject: [PATCH 06/12] CVE-2014-0210: unvalidated length fields in
- fs_read_query_info()
-
-fs_read_query_info() parses a reply from the font server.  The reply
-contains embedded length fields, none of which are validated.  This
-can cause out of bound reads in either fs_read_query_info() or in
-_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fsconvert.c |  9 +++++++++
- src/fc/fserve.c    | 37 +++++++++++++++++++++++++++++++++++++
- 2 files changed, 46 insertions(+)
-
-diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c
-index 75b5372..dfa1317 100644
---- a/src/fc/fsconvert.c
-+++ b/src/fc/fsconvert.c
-@@ -118,6 +118,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
-     for (i = 0; i < nprops; i++, dprop++, is_str++)
-     {
- 	memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
-+	if ((local_off.name.position >= pi->data_len) ||
-+		(local_off.name.length >
-+		 (pi->data_len - local_off.name.position)))
-+	    goto bail;
- 	dprop->name = MakeAtom(&pdc[local_off.name.position],
- 			       local_off.name.length, 1);
- 	if (local_off.type != PropTypeString) {
-@@ -125,10 +129,15 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
- 	    dprop->value = local_off.value.position;
- 	} else {
- 	    *is_str = TRUE;
-+	    if ((local_off.value.position >= pi->data_len) ||
-+		(local_off.value.length >
-+		 (pi->data_len - local_off.value.position)))
-+		goto bail;
- 	    dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
- 					    local_off.value.length, 1);
- 	    if (dprop->value == BAD_RESOURCE)
- 	    {
-+	      bail:
- 		free (pfi->props);
- 		pfi->nprops = 0;
- 		pfi->props = 0;
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 3abbacf..ec5336e 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -854,6 +854,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     FSFpePtr		conn = (FSFpePtr) fpe->private;
-     fsQueryXInfoReply	*rep;
-     char		*buf;
-+    long		bufleft; /* length of reply left to use */
-     fsPropInfo		*pi;
-     fsPropOffset	*po;
-     pointer		pd;
-@@ -885,6 +886,9 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     buf = (char *) rep;
-     buf += SIZEOF(fsQueryXInfoReply);
- 
-+    bufleft = rep->length << 2;
-+    bufleft -= SIZEOF(fsQueryXInfoReply);
-+
-     /* move the data over */
-     fsUnpack_XFontInfoHeader(rep, pInfo);
- 
-@@ -892,17 +896,50 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     _fs_init_fontinfo(conn, pInfo);
- 
-     /* Compute offsets into the reply */
-+    if (bufleft < SIZEOF(fsPropInfo))
-+    {
-+	ret = -1;
-+#ifdef DEBUG
-+	fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
-+		bufleft);
-+#endif
-+	goto bail;
-+    }
-     pi = (fsPropInfo *) buf;
-     buf += SIZEOF (fsPropInfo);
-+    bufleft -= SIZEOF(fsPropInfo);
- 
-+    if ((bufleft / SIZEOF(fsPropOffset)) < pi->num_offsets)
-+    {
-+	ret = -1;
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXInfo: bufleft (%ld) / SIZEOF(fsPropOffset) < %d\n",
-+		bufleft, pi->num_offsets);
-+#endif
-+	goto bail;
-+    }
-     po = (fsPropOffset *) buf;
-     buf += pi->num_offsets * SIZEOF(fsPropOffset);
-+    bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
- 
-+    if (bufleft < pi->data_len)
-+    {
-+	ret = -1;
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
-+		bufleft, pi->data_len);
-+#endif
-+	goto bail;
-+    }
-     pd = (pointer) buf;
-     buf += pi->data_len;
-+    bufleft -= pi->data_len;
- 
-     /* convert the properties and step over the reply */
-     ret = _fs_convert_props(pi, po, pd, pInfo);
-+  bail:
-     _fs_done_read (conn, rep->length << 2);
- 
-     if (ret == -1)
--- 
-1.9.2
-
-
-From c578408c1fd4db09e4e3173f8a9e65c81cc187c1 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:42 -0700
-Subject: [PATCH 07/12] CVE-2014-0211: integer overflow in
- fs_read_extent_info()
-
-fs_read_extent_info() parses a reply from the font server.
-The reply contains a 32bit number of elements field which is used
-to calculate a buffer length. There is an integer overflow in this
-calculation which can lead to memory corruption.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index ec5336e..96abd0e 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -70,6 +70,7 @@ in this Software without prior written authorization from The Open Group.
- #include	"fservestr.h"
- #include	<X11/fonts/fontutil.h>
- #include	<errno.h>
-+#include	<limits.h>
- 
- #include	<time.h>
- #define Time_t time_t
-@@ -1050,7 +1051,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- 	numInfos *= 2;
- 	haveInk = TRUE;
-     }
--    ci = pCI = malloc(sizeof(CharInfoRec) * numInfos);
-+    if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXExtents16: numInfos (%d) >= %ld\n",
-+		numInfos, (INT_MAX / sizeof(CharInfoRec)));
-+#endif
-+	pCI = NULL;
-+    }
-+    else
-+	pCI = malloc(sizeof(CharInfoRec) * numInfos);
- 
-     if (!pCI)
-     {
--- 
-1.9.2
-
-
-From a42f707f8a62973f5e8bbcd08afb10a79e9cee33 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:54 -0700
-Subject: [PATCH 08/12] CVE-2014-0211: integer overflow in fs_alloc_glyphs()
-
-fs_alloc_glyphs() is a malloc wrapper used by the font code.
-It contains a classic integer overflow in the malloc() call,
-which can cause memory corruption.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fsconvert.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c
-index dfa1317..18b0c0d 100644
---- a/src/fc/fsconvert.c
-+++ b/src/fc/fsconvert.c
-@@ -721,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
-     FSGlyphPtr	glyphs;
-     FSFontPtr	fsfont = (FSFontPtr) pFont->fontPrivate;
- 
--    glyphs = malloc (sizeof (FSGlyphRec) + size);
-+    if (size < (INT_MAX - sizeof (FSGlyphRec)))
-+	glyphs = malloc (sizeof (FSGlyphRec) + size);
-+    else
-+	glyphs = NULL;
-+    if (glyphs == NULL)
-+	return NULL;
-     glyphs->next = fsfont->glyphs;
-     fsfont->glyphs = glyphs;
-     return (pointer) (glyphs + 1);
--- 
-1.9.2
-
-
-From a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:03:05 -0700
-Subject: [PATCH 09/12] CVE-2014-0210: unvalidated length fields in
- fs_read_extent_info()
-
-Looping over the extents in the reply could go past the end of the
-reply buffer if the reply indicated more extents than could fit in
-the specified reply length.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 96abd0e..232e969 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -1059,6 +1059,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- #endif
- 	pCI = NULL;
-     }
-+    else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
-+			    / LENGTHOF(fsXCharInfo))) {
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
-+		numExtents, rep->length,
-+		LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
-+#endif
-+	pCI = NULL;
-+    }
-     else
- 	pCI = malloc(sizeof(CharInfoRec) * numInfos);
- 
--- 
-1.9.2
-
-
-From 520683652564c2a4e42328ae23eef9bb63271565 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:03:24 -0700
-Subject: [PATCH 10/12] CVE-2014-0210: unvalidated length fields in
- fs_read_glyphs()
-
-fs_read_glyphs() parses a reply from the font server.  The reply
-contains embedded length fields, none of which are validated.
-This can cause out of bound reads when looping over the glyph
-bitmaps in the reply.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 29 ++++++++++++++++++++++++++++-
- 1 file changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 232e969..581bb1b 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -1907,6 +1907,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     FontInfoPtr		    pfi = &pfont->info;
-     fsQueryXBitmaps16Reply  *rep;
-     char		    *buf;
-+    long		    bufleft; /* length of reply left to use */
-     fsOffset32		    *ppbits;
-     fsOffset32		    local_off;
-     char		    *off_adr;
-@@ -1938,9 +1939,33 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     buf = (char *) rep;
-     buf += SIZEOF (fsQueryXBitmaps16Reply);
- 
-+    bufleft = rep->length << 2;
-+    bufleft -= SIZEOF (fsQueryXBitmaps16Reply);
-+
-+    if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars)
-+    {
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n",
-+		rep->num_chars, bufleft, SIZEOF (fsOffset32));
-+#endif
-+	err = AllocError;
-+	goto bail;
-+    }
-     ppbits = (fsOffset32 *) buf;
-     buf += SIZEOF (fsOffset32) * (rep->num_chars);
-+    bufleft -= SIZEOF (fsOffset32) * (rep->num_chars);
- 
-+    if (bufleft < rep->nbytes)
-+    {
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n",
-+		rep->nbytes, bufleft);
-+#endif
-+	err = AllocError;
-+	goto bail;
-+    }
-     pbitmaps = (pointer ) buf;
- 
-     if (blockrec->type == FS_LOAD_GLYPHS)
-@@ -1998,7 +2023,9 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- 	     */
- 	    if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics))
- 	    {
--		if (local_off.length)
-+		if (local_off.length &&
-+		    (local_off.position < rep->nbytes) &&
-+		    (local_off.length <= (rep->nbytes - local_off.position)))
- 		{
- 		    bits = allbits;
- 		    allbits += local_off.length;
--- 
-1.9.2
-
-
-From 5fa73ac18474be3032ee7af9c6e29deab163ea39 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 2 May 2014 19:24:17 -0700
-Subject: [PATCH 11/12] CVE-2014-0210: unvalidated length fields in
- fs_read_list()
-
-fs_read_list() parses a reply from the font server.  The reply
-contains a list of strings with embedded length fields, none of
-which are validated. This can cause out of bound reads when looping
-over the strings in the reply.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- src/fc/fserve.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 581bb1b..4dcdc04 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -2355,6 +2355,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     FSBlockedListPtr	blist = (FSBlockedListPtr) blockrec->data;
-     fsListFontsReply	*rep;
-     char		*data;
-+    long		dataleft; /* length of reply left to use */
-     int			length,
- 			i,
- 			ret;
-@@ -2372,16 +2373,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- 	return AllocError;
-     }
-     data = (char *) rep + SIZEOF (fsListFontsReply);
-+    dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
- 
-     err = Successful;
-     /* copy data into FontPathRecord */
-     for (i = 0; i < rep->nFonts; i++)
-     {
-+	if (dataleft < 1)
-+	    break;
- 	length = *(unsigned char *)data++;
-+	dataleft--; /* used length byte */
-+	if (length > dataleft) {
-+#ifdef DEBUG
-+	    fprintf(stderr,
-+		    "fsListFonts: name length (%d) > dataleft (%ld)\n",
-+		    length, dataleft);
-+#endif
-+	    err = BadFontName;
-+	    break;
-+	}
- 	err = AddFontNamesName(blist->names, data, length);
- 	if (err != Successful)
- 	    break;
- 	data += length;
-+	dataleft -= length;
-     }
-     _fs_done_read (conn, rep->length << 2);
-     return err;
--- 
-1.9.2
-
-
-From d338f81df1e188eb16e1d6aeea7f4800f89c1218 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 2 May 2014 19:24:17 -0700
-Subject: [PATCH 12/12] CVE-2014-0210: unvalidated length fields in
- fs_read_list_info()
-
-fs_read_list_info() parses a reply from the font server.  The reply
-contains a number of additional data items with embedded length or
-count fields, none of which are validated. This can cause out of
-bound reads when looping over these items in the reply.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- src/fc/fserve.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 54 insertions(+)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 4dcdc04..c1cf9d6 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -2491,6 +2491,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     FSBlockedListInfoPtr	binfo = (FSBlockedListInfoPtr) blockrec->data;
-     fsListFontsWithXInfoReply	*rep;
-     char			*buf;
-+    long			bufleft;
-     FSFpePtr			conn = (FSFpePtr) fpe->private;
-     fsPropInfo			*pi;
-     fsPropOffset		*po;
-@@ -2527,6 +2528,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     }
- 
-     buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply);
-+    bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply);
- 
-     /*
-      * The original FS implementation didn't match
-@@ -2535,19 +2537,71 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-      */
-     if (conn->fsMajorVersion <= 1)
-     {
-+	if (rep->nameLength > bufleft) {
-+#ifdef DEBUG
-+	    fprintf(stderr,
-+		    "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
-+		    (int) rep->nameLength, bufleft);
-+#endif
-+	    err = AllocError;
-+	    goto done;
-+	}
-+	/* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
- 	memcpy (binfo->name, buf, rep->nameLength);
- 	buf += _fs_pad_length (rep->nameLength);
-+	bufleft -= _fs_pad_length (rep->nameLength);
-     }
-     pi = (fsPropInfo *) buf;
-+    if (SIZEOF (fsPropInfo) > bufleft) {
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsListFontsWithXInfo: PropInfo length (%d) > bufleft (%ld)\n",
-+		(int) SIZEOF (fsPropInfo), bufleft);
-+#endif
-+	err = AllocError;
-+	goto done;
-+    }
-+    bufleft -= SIZEOF (fsPropInfo);
-     buf += SIZEOF (fsPropInfo);
-     po = (fsPropOffset *) buf;
-+    if (pi->num_offsets > (bufleft / SIZEOF (fsPropOffset))) {
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsListFontsWithXInfo: offset length (%d * %d) > bufleft (%ld)\n",
-+		pi->num_offsets, (int) SIZEOF (fsPropOffset), bufleft);
-+#endif
-+	err = AllocError;
-+	goto done;
-+    }
-+    bufleft -= pi->num_offsets * SIZEOF (fsPropOffset);
-     buf += pi->num_offsets * SIZEOF (fsPropOffset);
-     pd = (pointer) buf;
-+    if (pi->data_len > bufleft) {
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsListFontsWithXInfo: data length (%d) > bufleft (%ld)\n",
-+		pi->data_len, bufleft);
-+#endif
-+	err = AllocError;
-+	goto done;
-+    }
-+    bufleft -= pi->data_len;
-     buf += pi->data_len;
-     if (conn->fsMajorVersion > 1)
-     {
-+	if (rep->nameLength > bufleft) {
-+#ifdef DEBUG
-+	    fprintf(stderr,
-+		    "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
-+		    (int) rep->nameLength, bufleft);
-+#endif
-+	    err = AllocError;
-+	    goto done;
-+	}
-+	/* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
- 	memcpy (binfo->name, buf, rep->nameLength);
- 	buf += _fs_pad_length (rep->nameLength);
-+	bufleft -= _fs_pad_length (rep->nameLength);
-     }
- 
- #ifdef DEBUG
--- 
-1.9.2
-

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2014-07-18 14:56:43 UTC (rev 217469)
+++ PKGBUILD	2014-07-18 16:46:17 UTC (rev 217470)
@@ -2,29 +2,17 @@
 # Maintainer: Jan de Groot <jgc at archlinux.org>
 
 pkgname=libxfont
-pkgver=1.4.7
-pkgrel=3
+pkgver=1.4.99.901
+pkgrel=1
 pkgdesc="X11 font rasterisation library"
 arch=(i686 x86_64)
 url="http://xorg.freedesktop.org/"
 license=('custom')
-depends=('freetype2' 'libfontenc' 'xproto' 'fontsproto')
+depends=('freetype2' 'libfontenc' 'xproto' 'fontsproto>=2.1.3')
 makedepends=('xorg-util-macros' 'xtrans')
-source=(${url}/archive/individual/lib/libXfont-${pkgver}.tar.bz2
-	fix-for-fontsproto213.patch
-	CVE-2014-209-210-211.patch)
-sha256sums=('d16ea3541835d296b19cfb05d7e64fc62173d8e7eb93284402ec761b951d1543'
-            '9c8298cc9f4dc3981f19107353b2e4373dfb7882768bbf0b3ae027820a2dcad9'
-            '9e70cafaf67636baea1295027d4bb197a74a8ac8469674e4be5776dd27b1741a')
+source=(${url}/archive/individual/lib/libXfont-${pkgver}.tar.bz2)
+sha256sums=('483645ae5a7c1728026ef9eb32f61cc9017bc6f9e09edb9694d487891ab44e4e')
 
-prepare() {
-  cd "${srcdir}/libXfont-${pkgver}"
-  # FS#40044 - merged for branch 1.5
-  patch -Np1 -i ../fix-for-fontsproto213.patch
-  # fix CVE-2014-209 CVE-2014-210 CVE-2014-211 - merged upstream
-  patch -Np1 -i ../CVE-2014-209-210-211.patch
-}
-
 build() {
   cd "${srcdir}/libXfont-${pkgver}"
   ./configure --prefix=/usr --sysconfdir=/etc --disable-static

Deleted: fix-for-fontsproto213.patch
===================================================================
--- fix-for-fontsproto213.patch	2014-07-18 14:56:43 UTC (rev 217469)
+++ fix-for-fontsproto213.patch	2014-07-18 16:46:17 UTC (rev 217470)
@@ -1,70 +0,0 @@
-diff --git a/src/util/patcache.c b/src/util/patcache.c
-index 9c05fa1..2101015 100644
---- a/src/util/patcache.c
-+++ b/src/util/patcache.c
-@@ -50,7 +50,7 @@ typedef unsigned char	EntryPtr;
- typedef struct _FontPatternCacheEntry {
-     struct _FontPatternCacheEntry   *next, **prev;
-     short			    patlen;
--    char			    *pattern;
-+    const char			    *pattern;
-     int				    hash;
-     FontPtr			    pFont;	/* associated font */
- } FontPatternCacheEntryRec, *FontPatternCacheEntryPtr;
-@@ -74,7 +74,7 @@ EmptyFontPatternCache (FontPatternCachePtr cache)
- 	cache->entries[i].next = &cache->entries[i+1];
- 	cache->entries[i].prev = 0;
- 	cache->entries[i].pFont = 0;
--	free (cache->entries[i].pattern);
-+	free ((void *) cache->entries[i].pattern);
- 	cache->entries[i].pattern = 0;
- 	cache->entries[i].patlen = 0;
-     }
-@@ -107,7 +107,7 @@ FreeFontPatternCache (FontPatternCachePtr cache)
-     int	    i;
- 
-     for (i = 0; i < NENTRIES; i++)
--	free (cache->entries[i].pattern);
-+	free ((void *) cache->entries[i].pattern);
-     free (cache);
- }
- 
-@@ -128,7 +128,7 @@ Hash (const char *string, int len)
- /* add entry */
- void
- CacheFontPattern (FontPatternCachePtr cache,
--		  char *pattern,
-+		  const char *pattern,
- 		  int patlen,
- 		  FontPtr pFont)
- {
-@@ -154,7 +154,7 @@ CacheFontPattern (FontPatternCachePtr cache,
- 	if (e->next)
- 	    e->next->prev = e->prev;
- 	*e->prev = e->next;
--	free (e->pattern);
-+	free ((void *) e->pattern);
-     }
-     /* set pattern */
-     memcpy (newpat, pattern, patlen);
-@@ -174,7 +174,7 @@ CacheFontPattern (FontPatternCachePtr cache,
- /* find matching entry */
- FontPtr
- FindCachedFontPattern (FontPatternCachePtr cache,
--		       char *pattern,
-+		       const char *pattern,
- 		       int patlen)
- {
-     int				hash;
-@@ -211,7 +211,7 @@ RemoveCachedFontPattern (FontPatternCachePtr cache,
- 	    *e->prev = e->next;
- 	    e->next = cache->free;
- 	    cache->free = e;
--	    free (e->pattern);
-+	    free ((void *) e->pattern);
- 	    e->pattern = 0;
- 	}
-     }
---
-cgit v0.9.0.2-2-gbebe
-




More information about the arch-commits mailing list