Package: feh / 2.18-2

Metadata

Package Version Patches format
feh 2.18-2 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
do_not_touch_deps_mk.patch | (download)

src/Makefile | 6 1 + 5 - 0 !
1 file changed, 1 insertion(+), 5 deletions(-)

 make sure src/deps.mk will not be changed


reproducible_build.patch | (download)

src/Makefile | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 make the build reproducible
CVE 2017 7875.patch | (download)

src/wallpaper.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fix double-free/oob-write while receiving ipc data

If a malicious client pretends to be the E17 window manager, it is
possible to trigger an out of boundary heap write while receiving an
IPC message.

The length of the already received message is stored in an unsigned
short, which overflows after receiving 64 KB of data. It's comparably
small amount of data and therefore achievable for an attacker.

When len overflows, realloc() will either be called with a small value
and therefore chars will be appended out of bounds, or len + 1 will be
exactly 0, in which case realloc() behaves like free(). This could be
abused for a later double-free attack as it's even possible to overwrite
the free information -- but this depends on the malloc implementation.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>