diff --git a/.gitignore b/.gitignore index 9716cfb..9965377 100644 --- a/.gitignore +++ b/.gitignore @@ -45,3 +45,4 @@ /wayland-1.13.92.tar.xz /wayland-1.13.93.tar.xz /wayland-1.14.0.tar.xz +/wayland-1.14.91.tar.xz diff --git a/0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch b/0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch deleted file mode 100644 index e03e3f3..0000000 --- a/0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 5d201df72f3d4f4cb8b8f75f980169b03507da38 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Tue, 28 Nov 2017 21:38:07 +0100 -Subject: [PATCH] cursor: Fix heap overflows when parsing malicious files. - -It is possible to trigger heap overflows due to an integer overflow -while parsing images. - -The integer overflow occurs because the chosen limit 0x10000 for -dimensions is too large for 32 bit systems, because each pixel takes -4 bytes. Properly chosen values allow an overflow which in turn will -lead to less allocated memory than needed for subsequent reads. - -See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 -Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961 - -Signed-off-by: Tobias Stoeckmann -[Pekka: add link to the corresponding libXcursor commit] -Signed-off-by: Pekka Paalanen ---- - cursor/xcursor.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/cursor/xcursor.c b/cursor/xcursor.c -index ca41c4ac611f..689c7026729d 100644 ---- a/cursor/xcursor.c -+++ b/cursor/xcursor.c -@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height) - { - XcursorImage *image; - -+ if (width < 0 || height < 0) -+ return NULL; -+ if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) -+ return NULL; -+ - image = malloc (sizeof (XcursorImage) + - width * height * sizeof (XcursorPixel)); - if (!image) -@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file, - if (!_XcursorReadUInt (file, &head.delay)) - return NULL; - /* sanity check data */ -- if (head.width >= 0x10000 || head.height > 0x10000) -+ if (head.width > XCURSOR_IMAGE_MAX_SIZE || -+ head.height > XCURSOR_IMAGE_MAX_SIZE) - return NULL; - if (head.width == 0 || head.height == 0) - return NULL; --- -2.14.3 - diff --git a/sources b/sources index f619a6c..6e8af13 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (wayland-1.14.0.tar.xz) = bd38b2b8963d4d98d42c270e5d7dbff6323789a173b19b67a18258424fd8adee5021b282c9d7f6dad0bd25aa0160e76aecd8ed803d4eb25d911ef0a81cd713a5 +SHA512 (wayland-1.14.91.tar.xz) = e9a1f465188c46e82512efba1c7502fee1201f3ddfb7afe132c406c3fb728f0f5144580663bea4cdc2af38794f00b2c30369ca6e04fdcb691b9ed1889bc11344 diff --git a/wayland.spec b/wayland.spec index 6c77dbd..e20774d 100644 --- a/wayland.spec +++ b/wayland.spec @@ -1,16 +1,12 @@ Name: wayland -Version: 1.14.0 -Release: 3%{?dist} +Version: 1.14.91 +Release: 1%{?dist} Summary: Wayland Compositor Infrastructure License: MIT URL: http://wayland.freedesktop.org/ Source0: http://wayland.freedesktop.org/releases/%{name}-%{version}.tar.xz -# https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html -# Backported from upstream -Patch0: 0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch - BuildRequires: chrpath BuildRequires: docbook-style-xsl BuildRequires: doxygen @@ -131,6 +127,9 @@ XDG_RUNTIME_DIR=$PWD/tests/run make check || \ %{_libdir}/libwayland-server.so.0* %changelog +* Tue Feb 27 2018 Kalev Lember - 1.14.91-1 +- Update to 1.14.91 + * Fri Feb 09 2018 Fedora Release Engineering - 1.14.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild