rpms/xorg-x11-server/devel cve-2007-5760.patch, NONE, 1.1 cve-2007-5958.patch, NONE, 1.1 cve-2007-6427.patch, NONE, 1.1 cve-2007-6428.patch, NONE, 1.1 cve-2007-6429.patch, NONE, 1.1 xorg-x11-server.spec, 1.286, 1.287
Dave Airlie (airlied)
fedora-extras-commits at redhat.com
Fri Jan 18 02:52:41 UTC 2008
Author: airlied
Update of /cvs/pkgs/rpms/xorg-x11-server/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24662
Modified Files:
xorg-x11-server.spec
Added Files:
cve-2007-5760.patch cve-2007-5958.patch cve-2007-6427.patch
cve-2007-6428.patch cve-2007-6429.patch
Log Message:
* Fri Jan 18 2008 Dave Airlie <airlied at redhat.com> 1.4.99.1-0.17
- cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
- cve-2007-5958.patch: Xorg / XFree86 file existence disclosure vulnerability
- cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability
- cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability
- cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability
cve-2007-5760.patch:
--- NEW FILE cve-2007-5760.patch ---
diff -up xorg-server-1.1.1/hw/xfree86/dixmods/extmod/xf86misc.c.jx xorg-server-1.1.1/hw/xfree86/dixmods/extmod/xf86misc.c
diff -up xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c
--- xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx 2006-07-05 14:31:40.000000000 -0400
+++ xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c 2007-12-11 15:03:32.000000000 -0500
@@ -647,6 +647,10 @@ MiscExtPassMessage(int scrnIndex, const
DEBUG_P("MiscExtPassMessage");
+ /* should check this in the protocol, but xf86NumScreens isn't exported */
+ if (scrnIndex >= xf86NumScreens)
+ return BadValue;
+
if (*pScr->HandleMessage == NULL)
return BadImplementation;
return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);
cve-2007-5958.patch:
--- NEW FILE cve-2007-5958.patch ---
--- xorg-server-1.3.0.0/Xext/security.c 2007-12-19 23:00:48.062636000 -0800
+++ xorg-server-1.3.0.0/Xext/security.c 2007-12-21 14:04:40.604373000 -0800
@@ -1572,7 +1572,7 @@
return;
#ifndef __UNIXOS2__
- f = fopen(SecurityPolicyFile, "r");
+ f = Fopen(SecurityPolicyFile, "r");
#else
f = fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r");
#endif
@@ -1658,7 +1658,7 @@
}
#endif /* PROPDEBUG */
- fclose(f);
+ Fclose(f);
} /* SecurityLoadPropertyAccessList */
cve-2007-6427.patch:
--- NEW FILE cve-2007-6427.patch ---
--- xorg-server-1.1.1/Xi/chgprop.c.da 2006-07-06 04:31:36.000000000 +1000
+++ xorg-server-1.1.1/Xi/chgprop.c 2007-12-14 11:52:27.000000000 +1000
@@ -81,19 +81,15 @@
SProcXChangeDeviceDontPropagateList(register ClientPtr client)
{
register char n;
- register long *p;
- register int i;
REQUEST(xChangeDeviceDontPropagateListReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
return (ProcXChangeDeviceDontPropagateList(client));
}
--- xorg-server-1.1.1/Xi/sendexev.c.da 2006-07-06 04:31:36.000000000 +1000
+++ xorg-server-1.1.1/Xi/sendexev.c 2007-12-14 11:54:20.000000000 +1000
@@ -83,7 +83,7 @@
SProcXSendExtensionEvent(register ClientPtr client)
{
register char n;
- register long *p;
+ register CARD32 *p;
register int i;
xEvent eventT;
xEvent *eventP;
@@ -94,6 +94,11 @@
REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
swapl(&stuff->destination, n);
swaps(&stuff->count, n);
+
+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+ (stuff->num_events * (sizeof(xEvent) >> 2)))
+ return BadLength;
+
eventP = (xEvent *) & stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) {
proc = EventSwapVector[eventP->u.u.type & 0177];
@@ -103,11 +108,8 @@
*eventP = eventT;
}
- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
+ SwapLongs(p, stuff->count);
return (ProcXSendExtensionEvent(client));
}
--- xorg-server-1.1.1/Xi/chgkmap.c.da 2006-07-06 04:31:36.000000000 +1000
+++ xorg-server-1.1.1/Xi/chgkmap.c 2007-12-14 11:52:00.000000000 +1000
@@ -79,18 +79,14 @@
SProcXChangeDeviceKeyMapping(register ClientPtr client)
{
register char n;
- register long *p;
- register int i, count;
+ register unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
- p = (long *)&stuff[1];
count = stuff->keyCodes * stuff->keySymsPerKeyCode;
- for (i = 0; i < count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), count);
return (ProcXChangeDeviceKeyMapping(client));
}
@@ -106,10 +102,14 @@
int ret;
unsigned len;
DeviceIntPtr dev;
+ unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+
dev = LookupDeviceIntRec(stuff->deviceid);
if (dev == NULL) {
SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
--- xorg-server-1.1.1/Xi/grabdevb.c.da 2006-07-06 04:31:36.000000000 +1000
+++ xorg-server-1.1.1/Xi/grabdevb.c 2007-12-14 11:53:03.000000000 +1000
@@ -80,8 +80,6 @@
SProcXGrabDeviceButton(register ClientPtr client)
{
register char n;
- register long *p;
- register int i;
REQUEST(xGrabDeviceButtonReq);
swaps(&stuff->length, n);
@@ -89,11 +87,9 @@
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
+ stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDeviceButton(client));
}
--- xorg-server-1.1.1/Xi/selectev.c.da 2006-07-06 04:31:36.000000000 +1000
+++ xorg-server-1.1.1/Xi/selectev.c 2007-12-14 11:53:54.000000000 +1000
@@ -84,19 +84,15 @@
SProcXSelectExtensionEvent(register ClientPtr client)
{
register char n;
- register long *p;
- register int i;
REQUEST(xSelectExtensionEventReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
return (ProcXSelectExtensionEvent(client));
}
--- xorg-server-1.1.1/Xi/grabdevk.c.da 2006-07-06 04:31:36.000000000 +1000
+++ xorg-server-1.1.1/Xi/grabdevk.c 2007-12-14 11:53:15.000000000 +1000
@@ -80,8 +80,6 @@
SProcXGrabDeviceKey(register ClientPtr client)
{
register char n;
- register long *p;
- register int i;
REQUEST(xGrabDeviceKeyReq);
swaps(&stuff->length, n);
@@ -89,11 +87,8 @@
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDeviceKey(client));
}
--- xorg-server-1.1.1/Xi/grabdev.c.da 2006-07-06 04:31:36.000000000 +1000
+++ xorg-server-1.1.1/Xi/grabdev.c 2007-12-14 11:52:47.000000000 +1000
@@ -82,8 +82,6 @@
SProcXGrabDevice(register ClientPtr client)
{
register char n;
- register long *p;
- register int i;
REQUEST(xGrabDeviceReq);
swaps(&stuff->length, n);
@@ -91,11 +89,11 @@
swapl(&stuff->grabWindow, n);
swapl(&stuff->time, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+
+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+ return BadLength;
+
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDevice(client));
}
--- xorg-server-1.1.1/Xi/chgfctl.c.da 2006-07-06 04:31:36.000000000 +1000
+++ xorg-server-1.1.1/Xi/chgfctl.c 2007-12-14 11:50:50.000000000 +1000
@@ -451,18 +451,13 @@
xStringFeedbackCtl * f)
{
register char n;
- register long *p;
int i, j;
KeySym *syms, *sup_syms;
syms = (KeySym *) (f + 1);
if (client->swapped) {
swaps(&f->length, n); /* swapped num_keysyms in calling proc */
- p = (long *)(syms);
- for (i = 0; i < f->num_keysyms; i++) {
- swapl(p, n);
- p++;
- }
+ SwapLongs((CARD32 *) syms, f->num_keysyms);
}
if (f->num_keysyms > s->ctrl.max_symbols) {
cve-2007-6428.patch:
--- NEW FILE cve-2007-6428.patch ---
diff -up xorg-server-1.1.1/Xext/cup.c.jx xorg-server-1.1.1/Xext/cup.c
--- xorg-server-1.1.1/Xext/cup.c.jx 2006-07-05 14:31:36.000000000 -0400
+++ xorg-server-1.1.1/Xext/cup.c 2007-12-11 14:28:37.000000000 -0500
@@ -198,6 +198,9 @@ int ProcGetReservedColormapEntries(
REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
#ifndef HAVE_SPECIAL_DESKTOP_COLORS
citems[CUP_BLACK_PIXEL].pixel =
screenInfo.screens[stuff->screen]->blackPixel;
cve-2007-6429.patch:
--- NEW FILE cve-2007-6429.patch ---
--- xorg-server-1.1.1/Xext/shm.c.freedesktop-bug-13520 2006-07-06 04:31:36.000000000 +1000
+++ xorg-server-1.1.1/Xext/shm.c 2007-12-14 13:08:59.000000000 +1000
@@ -725,6 +725,8 @@
int i, j, result;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -734,11 +736,26 @@
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -749,9 +766,7 @@
return BadValue;
}
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
@@ -1049,6 +1064,8 @@
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
@@ -1057,11 +1074,26 @@
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -1072,9 +1104,7 @@
return BadValue;
}
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
stuff->height, stuff->depth,
diff --git a/Xext/EVI.c b/Xext/EVI.c
index 8fe3481..13bd32a 100644
--- a/Xext/EVI.c
+++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/XEVIstr.h>
#include "EVIstruct.h"
#include "modinit.h"
+#include "scrnintstr.h"
#if 0
static unsigned char XEVIReqCode = 0;
@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
{
REQUEST(xEVIGetVisualInfoReq);
xEVIGetVisualInfoReply rep;
- int n, n_conflict, n_info, sz_info, sz_conflict;
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
VisualID32 *conflict;
+ unsigned int total_visuals = 0;
xExtendedVisualInfo *eviInfo;
int status;
+
+ /*
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
+ * here that you don't have more than 2^32 visuals over all your screens;
+ * this seems like a safe assumption.
+ */
+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
+
REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
&eviInfo, &n_info, &conflict, &n_conflict);
diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
index 7508aa7..b8f39c7 100644
--- a/Xext/sampleEVI.c
+++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/XEVIstr.h>
#include "EVIstruct.h"
#include "scrnintstr.h"
+
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(INT_MAX)
+#define INT_MAX 0x7fffffff
+#endif
+
static int sampleGetVisualInfo(
VisualID32 *visual,
int n_visual,
@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
VisualID32 **conflict_rn,
int *n_conflict_rn)
{
- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+ unsigned int max_sz_evi;
VisualID32 *temp_conflict;
xExtendedVisualInfo *evi;
- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
- if (!*evi_rn)
- return BadAlloc;
+
+ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
+ return BadAlloc;
+ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+
for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
if (screenInfo.screens[scrI]->numVisuals > max_visuals)
max_visuals = screenInfo.screens[scrI]->numVisuals;
}
+
+ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
+ * max_visuals))
+ return BadAlloc;
max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
+
+ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+ if (!*evi_rn)
+ return BadAlloc;
+
temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
if (!temp_conflict) {
xfree(*evi_rn);
return BadAlloc;
}
+
for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
for (visualI = 0; visualI < n_visual; visualI++) {
evi[sz_evi].core_visual_id = visual[visualI];
Index: xorg-x11-server.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/devel/xorg-x11-server.spec,v
retrieving revision 1.286
retrieving revision 1.287
diff -u -r1.286 -r1.287
--- xorg-x11-server.spec 17 Jan 2008 03:01:50 -0000 1.286
+++ xorg-x11-server.spec 18 Jan 2008 02:52:04 -0000 1.287
@@ -20,7 +20,7 @@
Summary: X.Org X11 X server
Name: xorg-x11-server
Version: 1.4.99.1
-Release: 0.16.%{?gitdate}%{?dist}
+Release: 0.17.%{?gitdate}%{?dist}
URL: http://www.x.org
License: MIT
Group: User Interface/X
@@ -57,8 +57,12 @@
Patch2007: xserver-1.3.0-randr12-config-hack.patch
Patch2013: xserver-1.4.99-document-fontpath-correctly.patch
-# Trivial things, already merged
-#Patch3000:
+# Trivial things, already merged - cves already upstream
+Patch3000: cve-2007-5760.patch
+Patch3001: cve-2007-5958.patch
+Patch3002: cve-2007-6427.patch
+Patch3003: cve-2007-6428.patch
+Patch3004: cve-2007-6429.patch
# Trivial things to maybe merge upstream at next rebase
#Patch4003: argh-pixman.patch #fixme
@@ -511,6 +515,13 @@
%changelog
+* Fri Jan 18 2008 Dave Airlie <airlied at redhat.com> 1.4.99.1-0.17
+- cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
+- cve-2007-5958.patch: Xorg / XFree86 file existence disclosure vulnerability
+- cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability
+- cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability
+- cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability
+
* Wed Jan 16 2008 Kristian Høgsberg <krh at redhat.com> 1.4.99.1-0.16
- Add xserver-1.4.99-engage-composite-crack-mode.patch to better hide
protocol side effects such as loss of grabs and focus when
More information about the fedora-extras-commits
mailing list