FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-24 03:12:49 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
ddecde18-e33b-11e7-a293-54e1ad3d6335	libXcursor -- integer overflow that can lead to heap buffer overflow The freedesktop.org project reports: It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads. The signedness bug is triggered by reading the length of a comment as unsigned int, but casting it to int when calling the function XcursorCommentCreate. Turning length into a negative value allows the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following addition of sizeof (XcursorComment) + 1 makes it possible to allocate less memory than needed for subsequent reads. Discovery 2017-11-28 Entry 2017-12-17 libXcursor < 1.1.15 http://seclists.org/oss-sec/2017/q4/339 https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 CVE-2017-16612

VuXML ID

Description

ddecde18-e33b-11e7-a293-54e1ad3d6335

libXcursor -- integer overflow that can lead to heap buffer overflow

The freedesktop.org project reports:

It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments.

The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads.

The signedness bug is triggered by reading the length of a comment as unsigned int, but casting it to int when calling the function XcursorCommentCreate. Turning length into a negative value allows the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following addition of sizeof (XcursorComment) + 1 makes it possible to allocate less memory than needed for subsequent reads.

Discovery 2017-11-28
Entry 2017-12-17
libXcursor

< 1.1.15

http://seclists.org/oss-sec/2017/q4/339
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
CVE-2017-16612