debian/changelog | 7 ++++ debian/patches/25-CVE-2013-6424.diff | 50 +++++++++++++++++++++++++++++++++++ debian/patches/series | 3 +- 3 files changed, 59 insertions(+), 1 deletion(-)
New commits: commit c8328c3185dc44e8167cdf46a0b11e555fadc130 Author: Julien Cristau <[email protected]> Date: Tue Dec 17 20:23:01 2013 +0100 exa: only draw valid trapezoids Addresses CVE-2013-6424
diff --git a/debian/changelog b/debian/changelog
index 6efa612..6e176e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xorg-server (2:1.7.7-18) squeeze-security; urgency=high
+
+ * exa: only draw valid trapezoids
+ Addresses CVE-2013-6424
+
+ -- Julien Cristau <[email protected]> Tue, 17 Dec 2013 20:21:57 +0100
+
 xorg-server (2:1.7.7-17) squeeze-security; urgency=low
 
 * CVE-2013-4396
diff --git a/debian/patches/25-CVE-2013-6424.diff b/debian/patches/25-CVE-2013-6424.diff
new file mode 100644
index 0000000..aacc6f2
--- /dev/null
+++ b/debian/patches/25-CVE-2013-6424.diff
@@ -0,0 +1,50 @@
+From patchwork Wed Oct 2 13:47:54 2013
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: exa: only draw valid trapezoids
+From: Maarten Lankhorst <[email protected]>
+X-Patchwork-Id: 14769
+Message-Id: <[email protected]>
+To: "X.Org Devel List" <[email protected]>
+Date: Wed, 02 Oct 2013 15:47:54 +0200
+
+Fixes freedesktop.org bug https://bugs.freedesktop.org/show_bug.cgi?id=67484
+
+If t->bottom is close to MIN_INT, removing top can wraparound, so do the check properly.
+A similar fix should also be applied to pixman.
+
+Signed-off-by: Maarten Lankhorst <[email protected]>
+
+---
+
+
+Index: xorg-server/exa/exa_render.c
+===================================================================
+--- xorg-server.orig/exa/exa_render.c
++++ xorg-server/exa/exa_render.c
+@@ -1174,8 +1174,9 @@ exaTrapezoids (CARD8 op, PicturePtr pSrc
+
+ exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
+ for (; ntrap; ntrap--, traps++)
+- (*ps->RasterizeTrapezoid) (pPicture, traps,
+- -bounds.x1, -bounds.y1);
++ if (xTrapezoidValid(traps))
++ (*ps->RasterizeTrapezoid) (pPicture, traps,
++ -bounds.x1, -bounds.y1);
+ exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
+
+ xRel = bounds.x1 + xSrc - xDst;
+Index: xorg-server/render/picture.h
+===================================================================
+--- xorg-server.orig/render/picture.h
++++ xorg-server/render/picture.h
+@@ -211,7 +211,7 @@ typedef pixman_fixed_t xFixed;
+ /* whether 't' is a well defined not obviously empty trapezoid */
+ #define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \
+ (t)->right.p1.y != (t)->right.p2.y && \
+- (int) ((t)->bottom - (t)->top) > 0)
++ ((t)->bottom > (t)->top))
+
+ /*
+ * Standard NTSC luminance conversions:
diff --git a/debian/patches/series b/debian/patches/series
index 833b3ce..cf4a27b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
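Review bot: The `xTrapezoidValid(traps)` guard is added only to the one rasterisation loop visible in the exa_render.c hunk, and exaTrapezoids begins and ends outside it, so this hunk alone does not show whether the code that computes `bounds`, or any other `(*ps->RasterizeTrapezoid)` call in the file, applies the same predicate; that should be confirmed before treating this as the complete fix. The guard is also an unbraced `if` under an unbraced `for`; bracing the loop body (`for (; ntrap; ntrap--, traps++) {` ... `}`) keeps a later added statement from escaping the validity check. In picture.h the macro would benefit from a comment recording why the subtraction was dropped, e.g. `/* compare directly: (bottom - top) can wrap for extreme coordinates */`, so the `(int)` difference form is not reintroduced. The embedded patch description itself says pixman needs a similar fix, which this commit does not carry.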
@@ -22,4 +22,5 @@
 21-device-mode-list.diff
 22-stop-searching-for-xf86config-files
 23-xf86-fix-flush-input-to-work-with-Linux-evdev-device.diff
-24-CVE-2013-4396.diff
\ No newline at end of file
+24-CVE-2013-4396.diff
+25-CVE-2013-6424.diff
-- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

