rpms/xorg-x11-server/F-8 cve-2008-1377.patch, NONE, 1.1 cve-2008-1379.patch, NONE, 1.1 cve-2008-2360.patch, NONE, 1.1 cve-2008-2361.patch, NONE, 1.1 cve-2008-2362.patch, NONE, 1.1 xorg-x11-server.spec, 1.275, 1.276

Dave Airlie (airlied) fedora-extras-commits at redhat.com
Wed Jun 11 23:38:01 UTC 2008


Author: airlied

Update of /cvs/pkgs/rpms/xorg-x11-server/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6482

Modified Files:
	xorg-x11-server.spec 
Added Files:
	cve-2008-1377.patch cve-2008-1379.patch cve-2008-2360.patch 
	cve-2008-2361.patch cve-2008-2362.patch 
Log Message:
* Thu Jun 12 2008 Dave Airlie <airlied at redhat.com> 1.3.0.0-46
- cve-2008-1377.patch: Record and Security Extension Input validation
- cve-2008-1379.patch: MIT-SHM extension Input Validation flaw
- cve-2008-2360.patch: Render AllocateGlyph extension Integer overflows
- cve-2008-2361.patch: Render CreateCursor extension Integer overflows
- cve-2008-2362.patch: Render Gradient extension Integer overflows


cve-2008-1377.patch:

--- NEW FILE cve-2008-1377.patch ---
diff --git a/Xext/security.c b/Xext/security.c
index ba057de..f34c463 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
     register char 	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
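Review bot: The new bound in SProcSecurityGenerateAuthorization is only safe for a too-short request because `values_offset` is a signed `int`, and nothing in the code says so. With both sides signed, a `stuff->length` smaller than the fixed header makes the right-hand side negative and the request is rejected. If `values_offset` were later changed to an unsigned type, the same expression would wrap to a large bound instead. I would add a comment above the test, e.g. `/* all counts are in 4-byte words; values_offset stays int so a too-small length gives a negative bound and fails here */`. The start of the function is outside the hunk.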
diff --git a/record/record.c b/record/record.c
index 0ed8f84..9a166d6 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
 } /* SProcRecordQueryVersion */
 
 
-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
     register char n;
@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
     swapl(&stuff->nClients, n);
     swapl(&stuff->nRanges, n);
     pClientID = (XID *)&stuff[1];
+    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+	return BadLength;
     for (i = 0; i < stuff->nClients; i++, pClientID++)
     {
 	swapl(pClientID, n);
     }
+    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+	- stuff->nClients)
+	return BadLength;
     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+    return Success;
 } /* SwapCreateRegister */
 
 
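Review bot: The second new check in SwapCreateRegister compares `stuff->nRanges`, a count of `xRecordRange` structures, against the remaining request length counted in 4-byte words, so it bounds the range data correctly only if one range is one word long. The definition of `xRecordRange` is not in this patch, but if it is larger than four bytes, RecordSwapRanges can still be handed a count that runs past the end of the request. Dividing the remaining words by the per-range size would close that: `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sizeof(xRecordRange) >> 2))`. Both counts are swapped with `swapl` and so appear to be 32-bit unsigned, which makes these unsigned comparisons. They therefore rely on the callers' REQUEST_AT_LEAST_SIZE having already rejected a length shorter than the header.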
@@ -2679,11 +2685,13 @@ static int
 SProcRecordCreateContext(ClientPtr client)
 {
     REQUEST(xRecordCreateContextReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */
 
@@ -2692,11 +2700,13 @@ static int
 SProcRecordRegisterClients(ClientPtr client)
 {
     REQUEST(xRecordRegisterClientsReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */
 

cve-2008-1379.patch:

--- NEW FILE cve-2008-1379.patch ---
diff --git a/Xext/shm.c b/Xext/shm.c
index ac587be..e08df36 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -831,8 +831,17 @@ ProcShmPutImage(client)
         return BadValue;
     }
 
-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-		   client);
+    /* 
+     * There's a potential integer overflow in this check:
+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+     *                client);
+     * the version below ought to avoid it
+     */
+    if (stuff->totalHeight != 0 && 
+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+	client->errorValue = stuff->totalWidth;
+	return BadValue;
+    }
     if (stuff->srcX > stuff->totalWidth)
     {
 	client->errorValue = stuff->srcX;
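Review bot: The replacement test computes `shmdesc->size - stuff->offset` without first establishing that `stuff->offset` is no larger than `shmdesc->size`. If both are unsigned, an oversized offset wraps the difference to a large value and the length test passes. An earlier check in ProcShmPutImage may already bound the offset, but it is not visible in this hunk. Either name that earlier check in the new comment, or make the guard self-contained by testing `stuff->offset > shmdesc->size ||` ahead of the division. The reported `client->errorValue` is `stuff->totalWidth`, although the quantity that failed is the image size measured against the segment.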

cve-2008-2360.patch:

--- NEW FILE cve-2008-2360.patch ---
diff -up ./render/glyph.c.cve-2008-2360 ./render/glyph.c
--- ./render/glyph.c.cve-2008-2360	2006-07-06 04:31:44.000000000 +1000
+++ ./render/glyph.c	2008-05-29 16:22:06.000000000 +1000
@@ -43,6 +43,12 @@
 #include "picturestr.h"
 #include "glyphstr.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#else 
+#define UINT32_MAX 0xffffffffU
+#endif
+
 /*
  * From Knuth -- a good choice for hash/rehash values is p, p-2 where
  * p and p-2 are both prime.  These tables are sized to have an extra 10%
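Review bot: The fallback `#define UINT32_MAX 0xffffffffU` is unguarded, so a build where HAVE_STDINT_H is unset but another header already supplies UINT32_MAX would redefine the macro. Writing `#elif !defined(UINT32_MAX)` in place of the bare `#else` keeps the fallback for the one case it is meant for.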
@@ -627,8 +633,14 @@ AllocateGlyph (xGlyphInfo *gi, int fdept
     int		     size;
     GlyphPtr	     glyph;
     int		     i;
+    size_t padded_width;
+
+    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+
+    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+        return 0;
 
-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    size = gi->height * padded_width;
     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
     if (!glyph)
 	return 0;
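Review bot: The overflow test in AllocateGlyph bounds the product by UINT32_MAX, but the result is still stored in `int size`, so a product between INT_MAX and UINT32_MAX passes the test and is then converted to a signed int. What `xalloc (size + sizeof (GlyphRec))` receives in that case depends on how the negative value is widened on the target. Bounding by INT_MAX instead, `if (gi->height && padded_width > (INT_MAX - sizeof(GlyphRec))/gi->height)` with `<limits.h>`, keeps the check and the variable in the same range. Changing `size` to `size_t` is the alternative, but its later uses lie outside the hunk.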

cve-2008-2361.patch:

--- NEW FILE cve-2008-2361.patch ---
diff --git a/render/render.c b/render/render.c
index caaa278..b53e878 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1504,6 +1504,8 @@ ProcRenderCreateCursor (ClientPtr client)
     pScreen = pSrc->pDrawable->pScreen;
     width = pSrc->pDrawable->width;
     height = pSrc->pDrawable->height;
+    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+	return BadAlloc;
     if ( stuff->x > width 
       || stuff->y > height )
 	return (BadMatch);
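Review bot: UINT32_MAX is used here in render/render.c, but neither this patch nor cve-2008-2362.patch adds the `<stdint.h>` include or the fallback definition that cve-2008-2360.patch adds to render/glyph.c. Whether render.c already sees `<stdint.h>` through another header is not visible; if it does not, the build fails on this line. Repeating the `HAVE_STDINT_H` block near the top of render.c would make the patch self-contained. A short comment naming the allocation this bound protects would also help, since that code is outside the hunk.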

cve-2008-2362.patch:

--- NEW FILE cve-2008-2362.patch ---
diff --git a/render/render.c b/render/render.c
index caaa278..b53e878 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1918,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
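Review bot: The `nStops` guard is added to ProcRenderCreateLinearGradient and, in the later hunks, to the three byte-swapped SProcRenderCreate*Gradient handlers, but no hunk touches the unswapped radial and conical handlers. If those compute `len` and compare it with `stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))` the same way, which this patch does not show, the multiplication there can still wrap where size_t is 32 bits wide. The guard would be the same two lines, `if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))` followed by `return BadLength;`.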
@@ -2491,18 +2495,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
     return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
 
-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
 {
-    int i;
+    int i, n;
     CARD32 *stops;
     CARD16 *colors;
     stops = (CARD32 *)(stuff);
-    for (i = 0; i < n; ++i) {
+    for (i = 0; i < num; ++i) {
         swapl(stops, n);
         ++stops;
     }
     colors = (CARD16 *)(stops);
-    for (i = 0; i < 4*n; ++i) {
+    for (i = 0; i < 4*num; ++i) {
         swaps(stops, n);
         ++stops;
     }
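Review bot: The second loop in swapStops still swaps through `stops` rather than `colors`: `colors` is assigned but never used, and `swaps(stops, n); ++stops;` advances a `CARD32 *` by four bytes for each 16-bit value. Over `4*num` iterations that walks twice as far as the colour data and leaves every other 16-bit component unswapped. The rename therefore fixes the clobbered loop count but not the traversal. The loop body should read `swaps(colors, n);` and `++colors;`. The end of the function is outside the hunk.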
@@ -2525,6 +2529,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2552,6 +2558,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2576,6 +2584,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 


Index: xorg-x11-server.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/F-8/xorg-x11-server.spec,v
retrieving revision 1.275
retrieving revision 1.276
diff -u -r1.275 -r1.276
--- xorg-x11-server.spec	30 Apr 2008 00:54:09 -0000	1.275
+++ xorg-x11-server.spec	11 Jun 2008 23:37:18 -0000	1.276
@@ -9,7 +9,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.3.0.0
-Release:   45%{?dist}
+Release:   46%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@@ -105,6 +105,11 @@
 Patch3004:  cve-2007-6429.patch
 Patch3005:  cve-2008-0006-server-fixup.patch
 Patch3006:  cve-2007-3920.patch
+Patch3007:  cve-2008-1377.patch
+Patch3008:  cve-2008-1379.patch
+Patch3009:  cve-2008-2360.patch
+Patch3010:  cve-2008-2361.patch
+Patch3011:  cve-2008-2362.patch
 
 %define moduledir	%{_libdir}/xorg/modules
 %define drimoduledir	%{_libdir}/dri
@@ -389,6 +394,11 @@
 %patch3004 -p1 -b .cve-2007-6429
 %patch3005 -p1 -b .cve-2008-0006
 %patch3006 -p1 -b .cve-2007-3920
+%patch3007 -p1 -b .cve-2008-1377
+%patch3008 -p1 -b .cve-2008-1379
+%patch3009 -p1 -b .cve-2008-2360
+%patch3010 -p1 -b .cve-2008-2361
+%patch3011 -p1 -b .cve-2008-2362
 
 %build
 
@@ -657,6 +667,13 @@
 
 
 %changelog
+* Thu Jun 12 2008 Dave Airlie <airlied at redhat.com> 1.3.0.0-46
+- cve-2008-1377.patch: Record and Security Extension Input validation
+- cve-2008-1379.patch: MIT-SHM extension Input Validation flaw
+- cve-2008-2360.patch: Render AllocateGlyph extension Integer overflows
+- cve-2008-2361.patch: Render CreateCursor extension Integer overflows
+- cve-2008-2362.patch: Render Gradient extension Integer overflows
+
 * Wed Apr 30 2008 Dave Airlie <airlied at redhat.com> 1.3.0.0-45
 - fix EXA pixmap maximum size to not fail on 32-bpp * 8192 pixmaps.
 



