Opened 5 years ago

Closed 5 years ago

#10086 closed enhancement (fixed)

libXcursor-1.1.15 (xorg library)

Reported by: bdubbs@… Owned by: bdubbs@…
Priority: normal Milestone: 8.2
Component: BOOK Version: SVN
Severity: normal Keywords:


New point version.

Change History (3)

comment:1 by bdubbs@…, 5 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: newassigned

comment:2 by bdubbs@…, 5 years ago

libXcursor 1.1.15

Fix heap overflows when parsing malicious files. (CVE-2017-16612)

It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments.

The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads.

The signedness bug is triggered by reading the length of a comment as unsigned int, but casting it to int when calling the function XcursorCommentCreate. Turning length into a negative value allows the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following addition of sizeof (XcursorComment) + 1 makes it possible to allocate less memory than needed for subsequent reads.

autogen: add default patch prefix use quoted string variables

Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent fall-outs, when they contain space. use exec instead of waiting for configure to finish

Syncs the invocation of configure with the one from the server.

Insufficient memory for terminating null of string in _XcursorThemeInherits

Fix does one byte of memory allocation for null termination of string.

Fix some clang integer sign/size mismatch warnings

Use strdup() instead of malloc(strlen())+strcpy() Honor NOCONFIGURE=1

configure: Drop AM_MAINTAINER_MODE

comment:3 by bdubbs@…, 5 years ago

Resolution: fixed
Status: assignedclosed

Fixed at revision 19558.

Note: See TracTickets for help on using tickets.