rpms/xorg-x11-server/devel cve-2007-6429.patch, 1.2, 1.3 xorg-x11-server.spec, 1.289, 1.290

Dave Airlie (airlied) fedora-extras-commits at redhat.com
Fri Jan 18 20:00:20 UTC 2008


Author: airlied

Update of /cvs/pkgs/rpms/xorg-x11-server/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14104

Modified Files:
	cve-2007-6429.patch xorg-x11-server.spec 
Log Message:
* Fri Jan 18 2008 Dave Airlie <airlied at redhat.com> 1.4.99.1-0.18
- cve-2007-6429.patch: Fix patch to not break java apps


cve-2007-6429.patch:

Index: cve-2007-6429.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/devel/cve-2007-6429.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- cve-2007-6429.patch	18 Jan 2008 03:31:54 -0000	1.2
+++ cve-2007-6429.patch	18 Jan 2008 20:00:12 -0000	1.3
@@ -1,69 +1,20 @@
-From 6de61f82728df22ea01f9659df6581b87f33f11d Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu at bluenote.herrb.com>
-Date: Thu, 17 Jan 2008 15:28:42 +0100
-Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
-
----
- Xext/EVI.c       |   15 ++++++++++++++-
- Xext/sampleEVI.c |   29 ++++++++++++++++++++++++-----
- Xext/shm.c       |   46 ++++++++++++++++++++++++++++++++++++++--------
- 3 files changed, 76 insertions(+), 14 deletions(-)
-
-diff --git a/Xext/EVI.c b/Xext/EVI.c
-index 4bd050c..a637bae 100644
---- a/Xext/EVI.c
-+++ b/Xext/EVI.c
-@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include <X11/extensions/XEVIstr.h>
- #include "EVIstruct.h"
- #include "modinit.h"
-+#include "scrnintstr.h"
- 
- static EviPrivPtr eviPriv;
- 
-@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
- {
-     REQUEST(xEVIGetVisualInfoReq);
-     xEVIGetVisualInfoReply rep;
--    int n, n_conflict, n_info, sz_info, sz_conflict;
-+    int i, n, n_conflict, n_info, sz_info, sz_conflict;
-     VisualID32 *conflict;
-+    unsigned int total_visuals = 0;
-     xExtendedVisualInfo *eviInfo;
-     int status;
-+
-+    /*
-+     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
-+     * here that you don't have more than 2^32 visuals over all your screens;
-+     * this seems like a safe assumption.
-+     */
-+    for (i = 0; i < screenInfo.numScreens; i++)
-+	total_visuals += screenInfo.screens[i]->numVisuals;
-+    if (stuff->n_visual > total_visuals)
-+	return BadValue;
-+
-     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
-     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
- 		&eviInfo, &n_info, &conflict, &n_conflict);
-diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
-index 7508aa7..b871bfd 100644
---- a/Xext/sampleEVI.c
-+++ b/Xext/sampleEVI.c
-@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+--- xorg-server-1.1.1/Xext/sampleEVI.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
++++ xorg-server-1.1.1/Xext/sampleEVI.c	2008-01-18 14:15:44.000000000 -0500
+@@ -36,6 +36,13 @@
  #include <X11/extensions/XEVIstr.h>
  #include "EVIstruct.h"
  #include "scrnintstr.h"
 +
 +#if HAVE_STDINT_H
 +#include <stdint.h>
-+#elif !defined(UINT32_MAX)
-+#define UINT32_MAX 0xffffffffU
++#elif !defined(INT_MAX)
++#define INT_MAX 0x7fffffff
 +#endif
 +
  static int sampleGetVisualInfo(
      VisualID32 *visual,
      int n_visual,
-@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
+@@ -44,24 +51,36 @@
      VisualID32 **conflict_rn,
      int *n_conflict_rn)
  {
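Review bot: The fallback added at the top of sampleEVI.c now guards and defines `INT_MAX`, but `<stdint.h>` does not provide `INT_MAX`; it comes from `<limits.h>`, so the `HAVE_STDINT_H` branch only sees the macro if another header happens to pull it in. The body of `sampleGetVisualInfo` sits in the unchanged part of the patch and is not visible here; if its overflow check still compares against `UINT32_MAX`, the non-stdint branch no longer defines that name either. An unconditional `#include <limits.h>`, with the macro name kept in step with the check, would make the bound explicit. This revision also drops the upstream commit header (hash, author, subject), so a one-line comment at the top of the patch naming its origin would keep the fix traceable.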
@@ -105,12 +56,44 @@
      for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
          for (visualI = 0; visualI < n_visual; visualI++) {
  	    evi[sz_evi].core_visual_id = visual[visualI];
-diff --git a/Xext/shm.c b/Xext/shm.c
-index e3d7a23..c545e49 100644
---- a/Xext/shm.c
-+++ b/Xext/shm.c
-@@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap(
-     int i, j, result, rc;
+--- xorg-server-1.1.1/Xext/EVI.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
++++ xorg-server-1.1.1/Xext/EVI.c	2008-01-18 14:15:44.000000000 -0500
+@@ -36,6 +36,7 @@
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "modinit.h"
++#include "scrnintstr.h"
+ 
+ #if 0
+ static unsigned char XEVIReqCode = 0;
+@@ -89,10 +90,22 @@
+ {
+     REQUEST(xEVIGetVisualInfoReq);
+     xEVIGetVisualInfoReply rep;
+-    int n, n_conflict, n_info, sz_info, sz_conflict;
++    int i, n, n_conflict, n_info, sz_info, sz_conflict;
+     VisualID32 *conflict;
++    unsigned int total_visuals = 0;
+     xExtendedVisualInfo *eviInfo;
+     int status;
++
++    /*
++     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
++     * here that you don't have more than 2^32 visuals over all your screens;
++     * this seems like a safe assumption.
++     */
++    for (i = 0; i < screenInfo.numScreens; i++)
++	total_visuals += screenInfo.screens[i]->numVisuals;
++    if (stuff->n_visual > total_visuals)
++	return BadValue;
++
+     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
+     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
+ 		&eviInfo, &n_info, &conflict, &n_conflict);
+--- xorg-server-1.1.1/Xext/shm.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
++++ xorg-server-1.1.1/Xext/shm.c	2008-01-18 14:19:28.000000000 -0500
+@@ -725,6 +725,8 @@
+     int i, j, result;
      ShmDescPtr shmdesc;
      REQUEST(xShmCreatePixmapReq);
 +    unsigned int width, height, depth;
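Review bot: In the EVI.c section, `stuff->n_visual` is compared against `total_visuals` before any length check on the request, because `REQUEST_FIXED_SIZE` only runs afterwards; a request shorter than `xEVIGetVisualInfoReq` may therefore have that field read from bytes the client never sent. Adding `REQUEST_AT_LEAST_SIZE(xEVIGetVisualInfoReq);` ahead of the loop would close that gap without changing the later exact-size check. The comment could also state the purpose directly, e.g. `/* cap n_visual so that n_visual * sz_VisualID32 below cannot wrap */`. The body of `ProcEVIGetVisualInfo` continues outside this hunk.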
@@ -118,9 +101,9 @@
      PanoramiXRes *newPix;
  
      REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -770,11 +772,26 @@ ProcPanoramiXShmCreatePixmap(
- 	return rc;
- 
+@@ -734,11 +736,18 @@
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
      VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
 -    if (!stuff->width || !stuff->height)
 +
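Review bot: The new context lines in the shm.c hunks (`int i, j, result;`, `LEGAL_NEW_RESOURCE(stuff->pid, client);`, `VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);`) and the `xorg-server-1.1.1/` paths come from a 1.1.1 tree, while the spec in this same commit builds 1.4.99.1 and the previous revision's context (`int i, j, result, rc;`, `return rc;`) matched different source. If the packaged tree still has the `rc` variants, these hunks would apply only with fuzz or not at all, and a security patch applied with fuzz needs a manual check that each bound landed before the code it protects. Regenerating the patch against the tree the spec actually builds would remove the doubt. The same applies to the `ProcShmCreatePixmap` hunks further down.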
@@ -134,31 +117,35 @@
      }
 +    if (width > 32767 || height > 32767)
 +        return BadAlloc;
-+    size = PixmapBytePad(width, depth) * height;
-+    if (sizeof(size) == 4) {
-+        if (size < width * height)
-+            return BadAlloc;
-+        /* thankfully, offset is unsigned */
-+        if (stuff->offset + size < size)
-+            return BadAlloc;
-+    }
 +
      if (stuff->depth != 1)
      {
          pDepth = pDraw->pScreen->allowedDepths;
-@@ -785,9 +802,7 @@ ProcPanoramiXShmCreatePixmap(
+@@ -748,10 +757,19 @@
+ 	client->errorValue = stuff->depth;
          return BadValue;
      }
++
  CreatePmap:
 -    VERIFY_SHMSIZE(shmdesc, stuff->offset,
 -		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
 -		   client);
++    /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++        if (size < width * height)
++            return BadAlloc;
++        /* thankfully, offset is unsigned */
++        if (stuff->offset + size < size)
++            return BadAlloc;
++    }
++
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
  
      if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
  	return BadAlloc;
-@@ -1086,6 +1101,8 @@ ProcShmCreatePixmap(client)
-     register int i, rc;
+@@ -1049,6 +1067,8 @@
+     register int i;
      ShmDescPtr shmdesc;
      REQUEST(xShmCreatePixmapReq);
 +    unsigned int width, height, depth;
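Review bot: Gating the whole block after `CreatePmap:` on `BitsPerPixel(depth) > 8` also skips the `stuff->offset + size < size` wraparound test for shallow depths, although that test does not depend on depth. On a 32-bit build a large client-supplied `offset` could then still make the sum wrap before `VERIFY_SHMSIZE` compares it; the macro is defined outside this hunk, so this is inferred. Only the `size < width * height` comparison is wrong for sub-byte depths, so the brace could close after it and leave `if (stuff->offset + size < size) return BadAlloc;` unconditional. The same block is repeated for `ProcShmCreatePixmap` in the last hunk of this patch. The comment above it could name the depth condition, e.g. `/* size < width*height is expected when bpp <= 8, so only test deeper formats */`.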
@@ -166,9 +153,9 @@
  
      REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
      client->errorValue = stuff->pid;
-@@ -1098,11 +1115,26 @@ ProcShmCreatePixmap(client)
- 	return rc;
- 
+@@ -1057,11 +1077,18 @@
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
      VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
 -    if (!stuff->width || !stuff->height)
 +    
@@ -182,29 +169,30 @@
      }
 +    if (width > 32767 || height > 32767)
 +	return BadAlloc;
-+    size = PixmapBytePad(width, depth) * height;
-+    if (sizeof(size) == 4) {
-+	if (size < width * height)
-+	    return BadAlloc;
-+	/* thankfully, offset is unsigned */
-+	if (stuff->offset + size < size)
-+	    return BadAlloc;
-+    }
 +
      if (stuff->depth != 1)
      {
          pDepth = pDraw->pScreen->allowedDepths;
-@@ -1113,9 +1145,7 @@ ProcShmCreatePixmap(client)
+@@ -1071,10 +1098,19 @@
+ 	client->errorValue = stuff->depth;
          return BadValue;
      }
++
  CreatePmap:
 -    VERIFY_SHMSIZE(shmdesc, stuff->offset,
 -		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
 -		   client);
++    /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++        if (size < width * height)
++            return BadAlloc;
++        /* thankfully, offset is unsigned */
++        if (stuff->offset + size < size)
++            return BadAlloc;
++    }
++
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
      pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
  			    pDraw->pScreen, stuff->width,
  			    stuff->height, stuff->depth,
--- 
-1.5.3.6
-


Index: xorg-x11-server.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/devel/xorg-x11-server.spec,v
retrieving revision 1.289
retrieving revision 1.290
diff -u -r1.289 -r1.290
--- xorg-x11-server.spec	18 Jan 2008 03:31:54 -0000	1.289
+++ xorg-x11-server.spec	18 Jan 2008 20:00:12 -0000	1.290
@@ -20,7 +20,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.4.99.1
-Release:   0.17.%{?gitdate}%{?dist}
+Release:   0.18.%{?gitdate}%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@@ -515,6 +515,9 @@
 
 
 %changelog
+* Fri Jan 18 2008 Dave Airlie <airlied at redhat.com> 1.4.99.1-0.18
+- cve-2007-6429.patch: Fix patch to not break java apps
+
 * Fri Jan 18 2008 Dave Airlie <airlied at redhat.com> 1.4.99.1-0.17
 - cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
 - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability



