debian/changelog | 6 ++ debian/patches/avoid-use-after-free.diff | 70 +++++++++++++++++++++++++++++++ debian/patches/series | 1 3 files changed, 77 insertions(+)
New commits:
commit e960d0aee5485f090ffe9fb7fce696846d8afb7a
Author: Timo Aaltonen <[email protected]>
Date: Tue Oct 15 12:06:27 2013 +0300
avoid-use-after-free.diff: Fix CVE-2013-4396.
diff --git a/debian/changelog b/debian/changelog
index d14bd68..5cd5b79 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xorg-server (2:1.14.3-3ubuntu2) saucy-proposed; urgency=low
+
+ * avoid-use-after-free.diff: Fix CVE-2013-4396.
+
+ -- Timo Aaltonen <[email protected]> Tue, 15 Oct 2013 12:05:48 +0300
+
 xorg-server (2:1.14.3-3ubuntu1) saucy; urgency=low
 * Merge from unreleased debian git.
diff --git a/debian/patches/avoid-use-after-free.diff b/debian/patches/avoid-use-after-free.diff
new file mode 100644
index 0000000..86d8fc2
--- /dev/null
+++ b/debian/patches/avoid-use-after-free.diff
@@ -0,0 +1,70 @@
+commit 3afbfc4913db988b29f9aa6879b7501321e448d4
+Author: Alan Coopersmith <[email protected]>
+Date: Mon Sep 16 21:47:16 2013 -0700
+
+ Avoid use-after-free in dix/dixfonts.c: doImageText()
+
+ Save a pointer to the passed in closure structure before copying it
+ and overwriting the *c pointer to point to our copy instead of the
+ original. If we hit an error, once we free(c), reset c to point to
+ the original structure before jumping to the cleanup code that
+ references *c.
+
+ Since one of the errors being checked for is whether the server was
+ able to malloc(c->nChars * itemSize), the client can potentially pass
+ a number of characters chosen to cause the malloc to fail and the
+ error path to be taken, resulting in the read from freed memory.
+
+ Since the memory is accessed almost immediately afterwards, and the
+ X server is mostly single threaded, the odds of the free memory having
+ invalid contents are low with most malloc implementations when not using
+ memory debugging features, but some allocators will definitely overwrite
+ the memory there, leading to a likely crash.
+
+ Reported-by: Pedro Ribeiro <[email protected]>
+ Signed-off-by: Alan Coopersmith <[email protected]>
+ Reviewed-by: Julien Cristau <[email protected]>
+
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index feb765d..2e34d37 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+ data = malloc(c->nChars * itemSize);
+ if (!data) {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ if (!pGC) {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 69b99c3..4288da4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -61,3 +61,4 @@ glx-corner-case-drawablegone.patch
 glx-link-against-glapi.patch
 aarch64.patch
 xmir.patch
+avoid-use-after-free.diff
-- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
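Review bot: The restore `c = old_closure;` has to be repeated by hand after each `free(c)` on the three error paths in the dixfonts.c hunks, so any error branch added later between `c = new_closure;` and `bail:` that frees the copy will silently bring back the read of freed memory that CVE-2013-4396 is about. The shape that makes this hard to get wrong is one cleanup label placed just before `bail:` that does `free(c); c = old_closure;` with the three branches jumping to it, but since this file is a verbatim copy of upstream commit 3afbfc4913db988b29f9aa6879b7501321e448d4 that restructuring belongs in an upstream follow-up rather than in the Debian patch. What does fit on the packaging side is a DEP-3 header at the top of the patch file, e.g. `Origin: upstream, commit:3afbfc4913db988b29f9aa6879b7501321e448d4` plus a one-line `Description:` naming the CVE, so provenance survives future rebases of the series. The body of doImageText, including the `bail:` label the three gotos target, begins before and ends after these hunks.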

