rpms/xorg-x11-server/devel cve-2007-5760.patch, 1.1, 1.2 cve-2007-6427.patch, 1.1, 1.2 cve-2007-6428.patch, 1.1, 1.2 cve-2007-6429.patch, 1.1, 1.2 cve-2008-0006-server-fixup.patch, 1.1, 1.2 xorg-x11-server.spec, 1.288, 1.289 cve-2007-5958.patch, 1.1, NONE
Dave Airlie (airlied)
fedora-extras-commits at redhat.com
Fri Jan 18 03:32:56 UTC 2008
Author: airlied
Update of /cvs/pkgs/rpms/xorg-x11-server/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv389
Modified Files:
cve-2007-5760.patch cve-2007-6427.patch cve-2007-6428.patch
cve-2007-6429.patch cve-2008-0006-server-fixup.patch
xorg-x11-server.spec
Removed Files:
cve-2007-5958.patch
Log Message:
* Fri Jan 18 2008 Dave Airlie <airlied at redhat.com> 1.4.99.1-0.17
- cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
- cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability
- cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability
- cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability
- cve-2008-0006-server-fixup.patch: PCF Font Vulnerability - this patch isn't strictly required with new version of libXfont.
cve-2007-5760.patch:
Index: cve-2007-5760.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/devel/cve-2007-5760.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- cve-2007-5760.patch 18 Jan 2008 02:52:04 -0000 1.1
+++ cve-2007-5760.patch 18 Jan 2008 03:31:54 -0000 1.2
@@ -1,10 +1,19 @@
-diff -up xorg-server-1.1.1/hw/xfree86/dixmods/extmod/xf86misc.c.jx xorg-server-1.1.1/hw/xfree86/dixmods/extmod/xf86misc.c
-diff -up xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c
---- xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx 2006-07-05 14:31:40.000000000 -0400
-+++ xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c 2007-12-11 15:03:32.000000000 -0500
-@@ -647,6 +647,10 @@ MiscExtPassMessage(int scrnIndex, const
-
- DEBUG_P("MiscExtPassMessage");
+From bbde5b62a137ba726a747b838d81e92d72c1b42b Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu at bluenote.herrb.com>
+Date: Thu, 17 Jan 2008 15:26:41 +0100
+Subject: [PATCH] Fix for CVE-2007-5760 - XFree86 Misc extension out of bounds array index
+
+---
+ hw/xfree86/common/xf86MiscExt.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/hw/xfree86/common/xf86MiscExt.c b/hw/xfree86/common/xf86MiscExt.c
+index c1b9c60..40c196a 100644
+--- a/hw/xfree86/common/xf86MiscExt.c
++++ b/hw/xfree86/common/xf86MiscExt.c
+@@ -548,6 +548,10 @@ MiscExtPassMessage(int scrnIndex, const char *msgtype, const char *msgval,
+ {
+ ScrnInfoPtr pScr = xf86Screens[scrnIndex];
+ /* should check this in the protocol, but xf86NumScreens isn't exported */
+ if (scrnIndex >= xf86NumScreens)
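Review bot: In the MiscExtPassMessage section the bounds test only rejects `scrnIndex >= xf86NumScreens`, although the parameter is a signed `int` and `xf86Screens[scrnIndex]` is already read by the initialiser on the line above the test. The pointer is not dereferenced before the test in the visible lines, but the array read itself is out of bounds for a bad index. I would declare `ScrnInfoPtr pScr;` without an initialiser, test `if (scrnIndex < 0 || scrnIndex >= xf86NumScreens)`, and only then assign `pScr = xf86Screens[scrnIndex];`. Whether a negative index can reach this function depends on the protocol-side caller, which is outside the hunk, and the function body continues past the visible lines.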
@@ -13,3 +22,6 @@
if (*pScr->HandleMessage == NULL)
return BadImplementation;
return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);
+--
+1.5.3.6
+
cve-2007-6427.patch:
Index: cve-2007-6427.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/devel/cve-2007-6427.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- cve-2007-6427.patch 18 Jan 2008 02:52:04 -0000 1.1
+++ cve-2007-6427.patch 18 Jan 2008 03:31:54 -0000 1.2
@@ -1,74 +1,54 @@
---- xorg-server-1.1.1/Xi/chgprop.c.da 2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/chgprop.c 2007-12-14 11:52:27.000000000 +1000
-@@ -81,19 +81,15 @@
- SProcXChangeDeviceDontPropagateList(register ClientPtr client)
- {
- register char n;
-- register long *p;
-- register int i;
-
- REQUEST(xChangeDeviceDontPropagateListReq);
- swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
- swapl(&stuff->window, n);
- swaps(&stuff->count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
-+ stuff->count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
- return (ProcXChangeDeviceDontPropagateList(client));
- }
+From dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu at bluenote.herrb.com>
+Date: Thu, 17 Jan 2008 15:27:34 +0100
+Subject: [PATCH] Fix for CVE-2007-6427 - Xinput extension memory corruption.
+
+---
+ Xi/chgfctl.c | 7 +------
+ Xi/chgkmap.c | 14 +++++++-------
+ Xi/chgprop.c | 10 +++-------
+ Xi/grabdev.c | 12 +++++-------
+ Xi/grabdevb.c | 10 +++-------
+ Xi/grabdevk.c | 9 ++-------
+ Xi/selectev.c | 11 ++++-------
+ Xi/sendexev.c | 14 ++++++++------
+ 8 files changed, 33 insertions(+), 54 deletions(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 8fc24d5..696b74a 100644
+--- a/Xi/chgfctl.c
++++ b/Xi/chgfctl.c
+@@ -302,18 +302,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
+ xStringFeedbackCtl * f)
+ {
+ char n;
+- long *p;
+ int i, j;
+ KeySym *syms, *sup_syms;
---- xorg-server-1.1.1/Xi/sendexev.c.da 2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/sendexev.c 2007-12-14 11:54:20.000000000 +1000
-@@ -83,7 +83,7 @@
- SProcXSendExtensionEvent(register ClientPtr client)
- {
- register char n;
-- register long *p;
-+ register CARD32 *p;
- register int i;
- xEvent eventT;
- xEvent *eventP;
-@@ -94,6 +94,11 @@
- REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
- swapl(&stuff->destination, n);
- swaps(&stuff->count, n);
-+
-+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
-+ (stuff->num_events * (sizeof(xEvent) >> 2)))
-+ return BadLength;
-+
- eventP = (xEvent *) & stuff[1];
- for (i = 0; i < stuff->num_events; i++, eventP++) {
- proc = EventSwapVector[eventP->u.u.type & 0177];
-@@ -103,11 +108,8 @@
- *eventP = eventT;
+ syms = (KeySym *) (f + 1);
+ if (client->swapped) {
+ swaps(&f->length, n); /* swapped num_keysyms in calling proc */
+- p = (long *)(syms);
+- for (i = 0; i < f->num_keysyms; i++) {
+- swapl(p, n);
+- p++;
+- }
++ SwapLongs((CARD32 *) syms, f->num_keysyms);
}
-- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
-- for (i = 0; i < stuff->count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
-+ SwapLongs(p, stuff->count);
- return (ProcXSendExtensionEvent(client));
- }
-
---- xorg-server-1.1.1/Xi/chgkmap.c.da 2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/chgkmap.c 2007-12-14 11:52:00.000000000 +1000
-@@ -79,18 +79,14 @@
- SProcXChangeDeviceKeyMapping(register ClientPtr client)
- {
- register char n;
-- register long *p;
-- register int i, count;
-+ register unsigned int count;
+ if (f->num_keysyms > s->ctrl.max_symbols)
+diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
+index 3361e98..df334c1 100644
+--- a/Xi/chgkmap.c
++++ b/Xi/chgkmap.c
+@@ -75,18 +75,14 @@ int
+ SProcXChangeDeviceKeyMapping(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i, count;
++ unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
swaps(&stuff->length, n);
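Review bot: `SwapLongs((CARD32 *) syms, f->num_keysyms);` in ChangeStringFeedback (Xi/chgfctl.c) swaps a client-supplied number of words with no length test in the visible lines; the only visible bound, `f->num_keysyms > s->ctrl.max_symbols`, comes after the swap. The existing comment says only that num_keysyms was byte-swapped by the caller. If the caller also checks num_keysyms against the request length, the comment should say so, for example `/* caller swapped num_keysyms and checked it against the request length */`. If it does not, this is the same unvalidated-count pattern that the rest of the patch closes with `REQUEST_FIXED_SIZE`. The function starts and ends outside the hunk.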
@@ -84,7 +64,7 @@
return (ProcXChangeDeviceKeyMapping(client));
}
-@@ -106,10 +102,14 @@
+@@ -102,10 +98,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
int ret;
unsigned len;
DeviceIntPtr dev;
@@ -95,73 +75,109 @@
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
-+
- dev = LookupDeviceIntRec(stuff->deviceid);
- if (dev == NULL) {
- SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
---- xorg-server-1.1.1/Xi/grabdevb.c.da 2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/grabdevb.c 2007-12-14 11:53:03.000000000 +1000
-@@ -80,8 +80,6 @@
- SProcXGrabDeviceButton(register ClientPtr client)
- {
- register char n;
-- register long *p;
-- register int i;
++
+ ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
+ if (ret != Success)
+ return ret;
+diff --git a/Xi/chgprop.c b/Xi/chgprop.c
+index 58db886..3fb33e1 100644
+--- a/Xi/chgprop.c
++++ b/Xi/chgprop.c
+@@ -77,19 +77,15 @@ int
+ SProcXChangeDeviceDontPropagateList(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i;
- REQUEST(xGrabDeviceButtonReq);
+ REQUEST(xChangeDeviceDontPropagateListReq);
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
+ swapl(&stuff->window, n);
+ swaps(&stuff->count, n);
+- p = (long *)&stuff[1];
+- for (i = 0; i < stuff->count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
++ stuff->count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+ return (ProcXChangeDeviceDontPropagateList(client));
+ }
+
+diff --git a/Xi/grabdev.c b/Xi/grabdev.c
+index 110fc6b..0671e0e 100644
+--- a/Xi/grabdev.c
++++ b/Xi/grabdev.c
+@@ -78,8 +78,6 @@ int
+ SProcXGrabDevice(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i;
+
+ REQUEST(xGrabDeviceReq);
swaps(&stuff->length, n);
-@@ -89,11 +87,9 @@
+@@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client)
swapl(&stuff->grabWindow, n);
- swaps(&stuff->modifiers, n);
+ swapl(&stuff->time, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
-+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
-+ stuff->event_count * sizeof(CARD32));
++
++ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
++ return BadLength;
++
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
- return (ProcXGrabDeviceButton(client));
+ return (ProcXGrabDevice(client));
}
---- xorg-server-1.1.1/Xi/selectev.c.da 2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/selectev.c 2007-12-14 11:53:54.000000000 +1000
-@@ -84,19 +84,15 @@
- SProcXSelectExtensionEvent(register ClientPtr client)
- {
- register char n;
-- register long *p;
-- register int i;
+diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
+index c2661e8..ce0dcc5 100644
+--- a/Xi/grabdevb.c
++++ b/Xi/grabdevb.c
+@@ -77,8 +77,6 @@ int
+ SProcXGrabDeviceButton(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i;
- REQUEST(xSelectExtensionEventReq);
+ REQUEST(xGrabDeviceButtonReq);
swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
- swapl(&stuff->window, n);
- swaps(&stuff->count, n);
+@@ -86,11 +84,9 @@ SProcXGrabDeviceButton(ClientPtr client)
+ swapl(&stuff->grabWindow, n);
+ swaps(&stuff->modifiers, n);
+ swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->count; i++) {
+- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
-+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
-+ stuff->count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
- return (ProcXSelectExtensionEvent(client));
- }
++ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
++ stuff->event_count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
---- xorg-server-1.1.1/Xi/grabdevk.c.da 2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/grabdevk.c 2007-12-14 11:53:15.000000000 +1000
-@@ -80,8 +80,6 @@
- SProcXGrabDeviceKey(register ClientPtr client)
- {
- register char n;
-- register long *p;
-- register int i;
+ return (ProcXGrabDeviceButton(client));
+ }
+diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
+index 43b1928..d4b7fe8 100644
+--- a/Xi/grabdevk.c
++++ b/Xi/grabdevk.c
+@@ -77,8 +77,6 @@ int
+ SProcXGrabDeviceKey(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i;
REQUEST(xGrabDeviceKeyReq);
swaps(&stuff->length, n);
-@@ -89,11 +87,8 @@
+@@ -86,11 +84,8 @@ SProcXGrabDeviceKey(ClientPtr client)
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
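Review bot: The SProcXGrabDevice section (Xi/grabdev.c) validates the request with a hand-written `stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count` comparison, while SProcXChangeDeviceDontPropagateList and SProcXGrabDeviceButton in the same patch use `REQUEST_FIXED_SIZE` for the same job. Two spellings of one check make it harder to audit that every swapped handler validates the length before calling `SwapLongs`. I would write `REQUEST_FIXED_SIZE(xGrabDeviceReq, stuff->event_count * sizeof(CARD32));` here, assuming the macro's request length and the swapped `stuff->length` agree at this point, which the hunk does not show. The same applies to the `BadLength` test added to SProcXSendExtensionEvent in the following hunk.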
@@ -175,53 +191,73 @@
return (ProcXGrabDeviceKey(client));
}
---- xorg-server-1.1.1/Xi/grabdev.c.da 2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/grabdev.c 2007-12-14 11:52:47.000000000 +1000
-@@ -82,8 +82,6 @@
- SProcXGrabDevice(register ClientPtr client)
- {
- register char n;
-- register long *p;
-- register int i;
+diff --git a/Xi/selectev.c b/Xi/selectev.c
+index b93618a..d3670ab 100644
+--- a/Xi/selectev.c
++++ b/Xi/selectev.c
+@@ -127,19 +127,16 @@ int
+ SProcXSelectExtensionEvent(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i;
- REQUEST(xGrabDeviceReq);
+ REQUEST(xSelectExtensionEventReq);
swaps(&stuff->length, n);
-@@ -91,11 +89,11 @@
- swapl(&stuff->grabWindow, n);
- swapl(&stuff->time, n);
- swaps(&stuff->event_count, n);
+ REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
+ swapl(&stuff->window, n);
+ swaps(&stuff->count, n);
- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->event_count; i++) {
+- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
++ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
++ stuff->count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+
-+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
-+ return BadLength;
-+
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
-
- return (ProcXGrabDevice(client));
+ return (ProcXSelectExtensionEvent(client));
}
---- xorg-server-1.1.1/Xi/chgfctl.c.da 2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/chgfctl.c 2007-12-14 11:50:50.000000000 +1000
-@@ -451,18 +451,13 @@
- xStringFeedbackCtl * f)
- {
- register char n;
-- register long *p;
- int i, j;
- KeySym *syms, *sup_syms;
- syms = (KeySym *) (f + 1);
- if (client->swapped) {
- swaps(&f->length, n); /* swapped num_keysyms in calling proc */
-- p = (long *)(syms);
-- for (i = 0; i < f->num_keysyms; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ SwapLongs((CARD32 *) syms, f->num_keysyms);
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index e4e38d7..588c910 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -80,7 +80,7 @@ int
+ SProcXSendExtensionEvent(ClientPtr client)
+ {
+ char n;
+- long *p;
++ CARD32 *p;
+ int i;
+ xEvent eventT;
+ xEvent *eventP;
+@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
+ REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
+ swapl(&stuff->destination, n);
+ swaps(&stuff->count, n);
++
++ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
++ (stuff->num_events * (sizeof(xEvent) >> 2)))
++ return BadLength;
++
+ eventP = (xEvent *) & stuff[1];
+ for (i = 0; i < stuff->num_events; i++, eventP++) {
+ proc = EventSwapVector[eventP->u.u.type & 0177];
+@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
+ *eventP = eventT;
}
- if (f->num_keysyms > s->ctrl.max_symbols) {
+- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
+- for (i = 0; i < stuff->count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
++ SwapLongs(p, stuff->count);
+ return (ProcXSendExtensionEvent(client));
+ }
+
+--
+1.5.3.6
+
cve-2007-6428.patch:
Index: cve-2007-6428.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/devel/cve-2007-6428.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- cve-2007-6428.patch 18 Jan 2008 02:52:04 -0000 1.1
+++ cve-2007-6428.patch 18 Jan 2008 03:31:54 -0000 1.2
@@ -1,7 +1,17 @@
-diff -up xorg-server-1.1.1/Xext/cup.c.jx xorg-server-1.1.1/Xext/cup.c
---- xorg-server-1.1.1/Xext/cup.c.jx 2006-07-05 14:31:36.000000000 -0400
-+++ xorg-server-1.1.1/Xext/cup.c 2007-12-11 14:28:37.000000000 -0500
-@@ -198,6 +198,9 @@ int ProcGetReservedColormapEntries(
+From 7dc1717ff0f96b99271a912b8948dfce5164d5ad Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu at bluenote.herrb.com>
+Date: Thu, 17 Jan 2008 15:28:03 +0100
+Subject: [PATCH] Fix for CVE-2007-6428 - TOG-cup extension memory corruption.
+
+---
+ Xext/cup.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/Xext/cup.c b/Xext/cup.c
+index d0e820c..fd1409e 100644
+--- a/Xext/cup.c
++++ b/Xext/cup.c
+@@ -176,6 +176,9 @@ int ProcGetReservedColormapEntries(
REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
@@ -11,3 +21,6 @@
#ifndef HAVE_SPECIAL_DESKTOP_COLORS
citems[CUP_BLACK_PIXEL].pixel =
screenInfo.screens[stuff->screen]->blackPixel;
+--
+1.5.3.6
+
cve-2007-6429.patch:
Index: cve-2007-6429.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/devel/cve-2007-6429.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- cve-2007-6429.patch 18 Jan 2008 02:52:04 -0000 1.1
+++ cve-2007-6429.patch 18 Jan 2008 03:31:54 -0000 1.2
@@ -1,103 +1,16 @@
---- xorg-server-1.1.1/Xext/shm.c.freedesktop-bug-13520 2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xext/shm.c 2007-12-14 13:08:59.000000000 +1000
-@@ -725,6 +725,8 @@
- int i, j, result;
- ShmDescPtr shmdesc;
- REQUEST(xShmCreatePixmapReq);
-+ unsigned int width, height, depth;
-+ unsigned long size;
- PanoramiXRes *newPix;
-
- REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -734,11 +736,26 @@
- LEGAL_NEW_RESOURCE(stuff->pid, client);
- VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
- VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
-- if (!stuff->width || !stuff->height)
-+
-+ width = stuff->width;
-+ height = stuff->height;
-+ depth = stuff->depth;
-+ if (!width || !height || !depth)
- {
- client->errorValue = 0;
- return BadValue;
- }
-+ if (width > 32767 || height > 32767)
-+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
-+
- if (stuff->depth != 1)
- {
- pDepth = pDraw->pScreen->allowedDepths;
-@@ -749,9 +766,7 @@
- return BadValue;
- }
- CreatePmap:
-- VERIFY_SHMSIZE(shmdesc, stuff->offset,
-- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-- client);
-+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
-
- if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
- return BadAlloc;
-@@ -1049,6 +1064,8 @@
- register int i;
- ShmDescPtr shmdesc;
- REQUEST(xShmCreatePixmapReq);
-+ unsigned int width, height, depth;
-+ unsigned long size;
-
- REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
- client->errorValue = stuff->pid;
-@@ -1057,11 +1074,26 @@
- LEGAL_NEW_RESOURCE(stuff->pid, client);
- VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
- VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
-- if (!stuff->width || !stuff->height)
-+
-+ width = stuff->width;
-+ height = stuff->height;
-+ depth = stuff->depth;
-+ if (!width || !height || !depth)
- {
- client->errorValue = 0;
- return BadValue;
- }
-+ if (width > 32767 || height > 32767)
-+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
-+
- if (stuff->depth != 1)
- {
- pDepth = pDraw->pScreen->allowedDepths;
-@@ -1072,9 +1104,7 @@
- return BadValue;
- }
- CreatePmap:
-- VERIFY_SHMSIZE(shmdesc, stuff->offset,
-- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-- client);
-+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
- pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
- pDraw->pScreen, stuff->width,
- stuff->height, stuff->depth,
+From 6de61f82728df22ea01f9659df6581b87f33f11d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu at bluenote.herrb.com>
+Date: Thu, 17 Jan 2008 15:28:42 +0100
+Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
+
+---
+ Xext/EVI.c | 15 ++++++++++++++-
+ Xext/sampleEVI.c | 29 ++++++++++++++++++++++++-----
+ Xext/shm.c | 46 ++++++++++++++++++++++++++++++++++++++--------
+ 3 files changed, 76 insertions(+), 14 deletions(-)
+
diff --git a/Xext/EVI.c b/Xext/EVI.c
-index 8fe3481..13bd32a 100644
+index 4bd050c..a637bae 100644
--- a/Xext/EVI.c
+++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
@@ -106,9 +19,9 @@
#include "modinit.h"
+#include "scrnintstr.h"
- #if 0
- static unsigned char XEVIReqCode = 0;
-@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
+ static EviPrivPtr eviPriv;
+
+@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
{
REQUEST(xEVIGetVisualInfoReq);
xEVIGetVisualInfoReply rep;
@@ -133,7 +46,7 @@
status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
&eviInfo, &n_info, &conflict, &n_conflict);
diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
-index 7508aa7..b8f39c7 100644
+index 7508aa7..b871bfd 100644
--- a/Xext/sampleEVI.c
+++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
@@ -143,8 +56,8 @@
+
+#if HAVE_STDINT_H
+#include <stdint.h>
-+#elif !defined(INT_MAX)
-+#define INT_MAX 0x7fffffff
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
+#endif
+
static int sampleGetVisualInfo(
@@ -192,3 +105,106 @@
for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
for (visualI = 0; visualI < n_visual; visualI++) {
evi[sz_evi].core_visual_id = visual[visualI];
+diff --git a/Xext/shm.c b/Xext/shm.c
+index e3d7a23..c545e49 100644
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap(
+ int i, j, result, rc;
+ ShmDescPtr shmdesc;
+ REQUEST(xShmCreatePixmapReq);
++ unsigned int width, height, depth;
++ unsigned long size;
+ PanoramiXRes *newPix;
+
+ REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+@@ -770,11 +772,26 @@ ProcPanoramiXShmCreatePixmap(
+ return rc;
+
+ VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+- if (!stuff->width || !stuff->height)
++
++ width = stuff->width;
++ height = stuff->height;
++ depth = stuff->depth;
++ if (!width || !height || !depth)
+ {
+ client->errorValue = 0;
+ return BadValue;
+ }
++ if (width > 32767 || height > 32767)
++ return BadAlloc;
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(size) == 4) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ if (stuff->depth != 1)
+ {
+ pDepth = pDraw->pScreen->allowedDepths;
+@@ -785,9 +802,7 @@ ProcPanoramiXShmCreatePixmap(
+ return BadValue;
+ }
+ CreatePmap:
+- VERIFY_SHMSIZE(shmdesc, stuff->offset,
+- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+- client);
++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+
+ if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
+ return BadAlloc;
+@@ -1086,6 +1101,8 @@ ProcShmCreatePixmap(client)
+ register int i, rc;
+ ShmDescPtr shmdesc;
+ REQUEST(xShmCreatePixmapReq);
++ unsigned int width, height, depth;
++ unsigned long size;
+
+ REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+ client->errorValue = stuff->pid;
+@@ -1098,11 +1115,26 @@ ProcShmCreatePixmap(client)
+ return rc;
+
+ VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+- if (!stuff->width || !stuff->height)
++
++ width = stuff->width;
++ height = stuff->height;
++ depth = stuff->depth;
++ if (!width || !height || !depth)
+ {
+ client->errorValue = 0;
+ return BadValue;
+ }
++ if (width > 32767 || height > 32767)
++ return BadAlloc;
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(size) == 4) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ if (stuff->depth != 1)
+ {
+ pDepth = pDraw->pScreen->allowedDepths;
+@@ -1113,9 +1145,7 @@ ProcShmCreatePixmap(client)
+ return BadValue;
+ }
+ CreatePmap:
+- VERIFY_SHMSIZE(shmdesc, stuff->offset,
+- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+- client);
++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+ pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
+ pDraw->pScreen, stuff->width,
+ stuff->height, stuff->depth,
+--
+1.5.3.6
+
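Review bot: In both ProcPanoramiXShmCreatePixmap and ProcShmCreatePixmap the new `size = PixmapBytePad(width, depth) * height;` runs before the `if (stuff->depth != 1)` block that checks the depth against `pDraw->pScreen->allowedDepths`, so the size is computed from a client-supplied depth that has only been tested for non-zero. What PixmapBytePad returns for a depth the screen does not support is not visible here, so the overflow tests may be working on a meaningless value. Moving the size computation and the `sizeof(size) == 4` block to just after the `CreatePmap:` label, directly before `VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);`, keeps the overflow protection and makes it operate on a validated depth. Both function bodies extend beyond the visible lines.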
cve-2008-0006-server-fixup.patch:
Index: cve-2008-0006-server-fixup.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/devel/cve-2008-0006-server-fixup.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- cve-2008-0006-server-fixup.patch 18 Jan 2008 03:06:10 -0000 1.1
+++ cve-2008-0006-server-fixup.patch 18 Jan 2008 03:31:54 -0000 1.2
@@ -1,3 +1,8 @@
+From bbde5b62a137ba726a747b838d81e92d72c1b42b Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu at bluenote.herrb.com>
+Date: Thu, 17 Jan 2008 15:26:41 +0100
+Subject: [PATCH] Fix for CVE-2008-0006 - server side part of fix
+
diff -up xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c.jx xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c
--- xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c.jx 2004-04-23 15:04:44.000000000 -0400
+++ xorg-x11-server/dix/dixfonts.c 2008-01-14 11:15:00.000000000 -0500
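Review bot: The header added to cve-2008-0006-server-fixup.patch repeats the commit id `bbde5b62a137ba726a747b838d81e92d72c1b42b` and the date `Thu, 17 Jan 2008 15:26:41 +0100` that this same commit puts on cve-2007-5760.patch, with only the subject changed. The body is still the `diff -up` against the xorg-x11-6.8.2 dixfonts.c path, not a git-format patch, so the header looks copied rather than exported. Anyone tracing provenance would be pointed at a commit that the page labels as the CVE-2007-5760 fix. I would either replace it with the id of the commit that actually carries the dixfonts.c change, or drop the `From <id>` line and keep a plain comment saying where the patch came from.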
Index: xorg-x11-server.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/devel/xorg-x11-server.spec,v
retrieving revision 1.288
retrieving revision 1.289
diff -u -r1.288 -r1.289
--- xorg-x11-server.spec 18 Jan 2008 03:06:10 -0000 1.288
+++ xorg-x11-server.spec 18 Jan 2008 03:31:54 -0000 1.289
@@ -59,11 +59,10 @@
# Trivial things, already merged - cves already upstream
Patch3000: cve-2007-5760.patch
-Patch3001: cve-2007-5958.patch
-Patch3002: cve-2007-6427.patch
-Patch3003: cve-2007-6428.patch
-Patch3004: cve-2007-6429.patch
-Patch3005: cve-2008-0006-server-fixup.patch
+Patch3001: cve-2007-6427.patch
+Patch3002: cve-2007-6428.patch
+Patch3003: cve-2007-6429.patch
+Patch3004: cve-2008-0006-server-fixup.patch
# Trivial things to maybe merge upstream at next rebase
#Patch4003: argh-pixman.patch #fixme
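Review bot: `Patch3001: cve-2007-5958.patch` is dropped and the remaining CVE patches are renumbered, but neither the log message nor the changelog says why the file-existence-disclosure fix is no longer carried. The changelog hunk removes its line from the existing 1.4.99.1-0.17 entry instead of recording the removal, so the package history no longer shows how CVE-2007-5958 was handled. I would add a changelog line such as `- drop cve-2007-5958.patch: <reason>`. Since no %prep hunk appears in this commit, it is also worth confirming that any `%patch3001` to `%patch3005` lines still match the renumbered `Patch300N` tags.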
@@ -518,7 +517,6 @@
%changelog
* Fri Jan 18 2008 Dave Airlie <airlied at redhat.com> 1.4.99.1-0.17
- cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
-- cve-2007-5958.patch: Xorg / XFree86 file existence disclosure vulnerability
- cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability
- cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability
- cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability
--- cve-2007-5958.patch DELETED ---