Opened 5 years ago

Closed 5 years ago

#10086 closed enhancement (fixed)

libXcursor-1.1.15 (xorg library)

Reported by: bdubbs@…
Owned by: bdubbs@…
Priority: normal
Milestone: 8.2
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (3)

comment:1 by bdubbs@…, 5 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:2 by bdubbs@…, 5 years ago

libXcursor 1.1.15

Fix heap overflows when parsing malicious files. (CVE-2017-16612)

It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments.

The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads.

The signedness bug is triggered by reading the length of a comment as unsigned int, but casting it to int when calling the function XcursorCommentCreate. Turning length into a negative value allows the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following addition of sizeof (XcursorComment) + 1 makes it possible to allocate less memory than needed for subsequent reads.

autogen: add default patch prefix

autogen.sh: use quoted string variables

Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent fall-outs, when they contain space.

autogen.sh: use exec instead of waiting for configure to finish

Syncs the invocation of configure with the one from the server.

Insufficient memory for terminating null of string in _XcursorThemeInherits

Fix does one byte of memory allocation for null termination of string. https://bugs.freedesktop.org/show_bug.cgi?id=90857

Fix some clang integer sign/size mismatch warnings

Use strdup() instead of malloc(strlen())+strcpy()

autogen.sh: Honor NOCONFIGURE=1

configure: Drop AM_MAINTAINER_MODE
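The two size calculations described in the CVE-2017-16612 note above, modelled as an added example that is not part of the ticket and not libXcursor's source. `uint32_t` stands in for a 32-bit `size_t`; the function names, `HDR_BYTES` and the value of `COMMENT_MAX` are assumptions, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* All constants are constructed stand-ins, not values taken from libXcursor. */
#define DIM_LIMIT   0x10000u  /* dimension limit named in the release note */
#define PIXEL_BYTES 4u        /* "each pixel takes 4 bytes" */
#define HDR_BYTES   32u       /* assumed size of the struct in front of the data */
#define COMMENT_MAX 0x100000  /* assumed value for XCURSOR_COMMENT_MAX_LEN (signed) */

/* uint32_t models a 32-bit size_t. Each function returns 1 if the input is
   accepted and stores the byte count that would be passed to malloc(). */
static int weak_image_size(uint32_t w, uint32_t h, uint32_t *alloc) {
    if (w > DIM_LIMIT || h > DIM_LIMIT) return 0;
    *alloc = HDR_BYTES + w * h * PIXEL_BYTES;       /* wraps modulo 2^32 */
    return 1;
}

static int checked_image_size(uint32_t w, uint32_t h, uint32_t *alloc) {
    uint64_t need = (uint64_t)w * h * PIXEL_BYTES + HDR_BYTES;  /* exact */
    if (w == 0 || h == 0 || need > UINT32_MAX) return 0;
    *alloc = (uint32_t)need;
    return 1;
}

static int weak_comment_size(uint32_t wire_len, uint32_t *alloc) {
    int length = (int)wire_len;             /* unsigned length cast to int */
    if (length > COMMENT_MAX) return 0;     /* a negative length passes */
    *alloc = HDR_BYTES + (uint32_t)length + 1u;     /* wraps for length == -1 */
    return 1;
}

static int checked_comment_size(uint32_t wire_len, uint32_t *alloc) {
    if (wire_len > (uint32_t)COMMENT_MAX) return 0; /* compare while unsigned */
    *alloc = HDR_BYTES + wire_len + 1u;
    return 1;
}

int main(void) {
    uint32_t a = 0;
    /* Constructed inputs: 0x8000 x 0x8000 pixels, comment length 0xFFFFFFFF. */
    if (weak_image_size(0x8000u, 0x8000u, &a))
        printf("image: accepted, %u bytes for 2^32 bytes of pixels\n", (unsigned)a);
    printf("image, checked: %s\n",
           checked_image_size(0x8000u, 0x8000u, &a) ? "accepted" : "rejected");
    if (weak_comment_size(0xFFFFFFFFu, &a))
        printf("comment: accepted, %u bytes for a 0xFFFFFFFF-byte read\n", (unsigned)a);
    printf("comment, checked: %s\n",
           checked_comment_size(0xFFFFFFFFu, &a) ? "accepted" : "rejected");
    return 0;
}
```

In both weak variants the accepted request shrinks to the header size alone, which is the "less allocated memory than needed for subsequent reads" condition the note describes.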

comment:3 by bdubbs@…, 5 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 19558.
