debian/changelog | 6 ++ debian/patches/14_CVE-2013-4396.diff | 73 +++++++++++++++++++++++++++++++++++ debian/patches/series | 1 3 files changed, 80 insertions(+)
New commits: commit 87ab5736bf997fab5c26471a61c2a68188f722e4 Author: intrigeri <[email protected]> Date: Mon Dec 2 10:32:40 2013 +0000 Upload to squeeze-backports. diff --git a/debian/changelog b/debian/changelog index d61d908..15be2b9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +xorg-server (2:1.10.4-1~bpo60+2) squeeze-backports; urgency=low + + * Add 14_CVE-2013-4396.diff to fix CVE-2013-4396 (DSA-2784-1). + + -- intrigeri <[email protected]> Mon, 02 Dec 2013 11:30:11 +0100 + xorg-server (2:1.10.4-1~bpo60+1) squeeze-backports; urgency=low * Rebuild for squeeze-backports. commit 2dffdefa2ff8ca90fb108581162075f5d8c4e0da Author: intrigeri <[email protected]> Date: Mon Dec 2 11:08:20 2013 +0000 Add 14_CVE-2013-4396.diff to fix CVE-2013-4396 (DSA-2784-1). diff --git a/debian/patches/14_CVE-2013-4396.diff b/debian/patches/14_CVE-2013-4396.diff new file mode 100644 index 0000000..eed6dae --- /dev/null +++ b/debian/patches/14_CVE-2013-4396.diff @@ -0,0 +1,73 @@ +From 73b2660d7273d175d279d22f8ca0c3932a14ff1c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <[email protected]> +Date: Tue, 17 Sep 2013 04:47:16 +0000 +Subject: Avoid use-after-free in dix/dixfonts.c: doImageText() [CVE-2013-4396] + +Save a pointer to the passed in closure structure before copying it +and overwriting the *c pointer to point to our copy instead of the +original. If we hit an error, once we free(c), reset c to point to +the original structure before jumping to the cleanup code that +references *c. + +Since one of the errors being checked for is whether the server was +able to malloc(c->nChars * itemSize), the client can potentially pass +a number of characters chosen to cause the malloc to fail and the +error path to be taken, resulting in the read from freed memory. + +Since the memory is accessed almost immediately afterwards, and the +X server is mostly single threaded, the odds of the free memory having +invalid contents are low with most malloc implementations when not using +memory debugging features, but some allocators will definitely overwrite +the memory there, leading to a likely crash. + +Reported-by: Pedro Ribeiro <[email protected]> +Signed-off-by: Alan Coopersmith <[email protected]> +Reviewed-by: Julien Cristau <[email protected]> +--- + dix/dixfonts.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/dix/dixfonts.c b/dix/dixfonts.c +index fbac124..62feaed 100644 +--- a/dix/dixfonts.c ++++ b/dix/dixfonts.c +@@ -1479,6 +1479,7 @@ doImageText(ClientPtr client, ITclosurePtr c) + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1491,6 +1492,7 @@ doImageText(ClientPtr client, ITclosurePtr c) + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + +@@ -1498,6 +1500,7 @@ doImageText(ClientPtr client, ITclosurePtr c) + if (!data) + { + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1509,6 +1512,7 @@ doImageText(ClientPtr client, ITclosurePtr c) + { + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1522,6 +1526,7 @@ doImageText(ClientPtr client, ITclosurePtr c) + FreeScratchGC(pGC); + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } diff --git a/debian/patches/series b/debian/patches/series index 2e0f947..0308bc8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,4 +4,5 @@ 02_Add-libnettle-as-option-for-sha1.diff 07-xfree86-fix-build-with-xv-disabled.diff #13_debian_add_xkbpath_env_variable.diff +14_CVE-2013-4396.diff 15-nouveau.diff -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
