debian/changelog | 10 ++ debian/patches/122_xext_fix_card32_overflow_in_xauth.patch | 51 +++++++++++++ debian/patches/series | 1 3 files changed, 62 insertions(+)
New commits: commit c500501be8906e4b2c5459bb0cc2db2180cb2709 Author: Bryce Harrington <[email protected]> Date: Thu Apr 15 14:11:03 2010 -0700 Release diff --git a/debian/changelog b/debian/changelog index 442915f..251c6be 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,7 +6,7 @@ xorg-server (2:1.7.6-2ubuntu6) lucid; urgency=low dropped in favor of whatever upstream decides to include. (LP: #519049) - -- Bryce Harrington <[email protected]> Thu, 15 Apr 2010 14:02:00 -0700 + -- Bryce Harrington <[email protected]> Thu, 15 Apr 2010 14:10:53 -0700 xorg-server (2:1.7.6-2ubuntu5) lucid; urgency=low commit 80466a6e56e3f7a564a2e858ccb50e07c6d05f1a Author: Bryce Harrington <[email protected]> Date: Thu Apr 15 14:09:15 2010 -0700 Add check for bounds on millis variable to prevent xauth overflow from triggering an assertion. diff --git a/debian/changelog b/debian/changelog index 22b2e1c..442915f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +xorg-server (2:1.7.6-2ubuntu6) lucid; urgency=low + + * Add 122_xext_fix_card32_overflow_in_xauth.patch: Prevent overflow + of a CARD32 variable millis by doing bounds checking. This is a + patch currently in discussion at fdo #27134, so this patch can be + dropped in favor of whatever upstream decides to include. + (LP: #519049) + + -- Bryce Harrington <[email protected]> Thu, 15 Apr 2010 14:02:00 -0700 + xorg-server (2:1.7.6-2ubuntu5) lucid; urgency=low * Update patches in previous upload to fix FTBS issue. diff --git a/debian/patches/122_xext_fix_card32_overflow_in_xauth.patch b/debian/patches/122_xext_fix_card32_overflow_in_xauth.patch new file mode 100644 index 0000000..840627b --- /dev/null +++ b/debian/patches/122_xext_fix_card32_overflow_in_xauth.patch @@ -0,0 +1,51 @@ +From 90f69d758dee4e3b6c1f8955642682a28da3b153 Mon Sep 17 00:00:00 2001 +From: Arvind Umrao <[email protected]> +Date: Wed, 7 Apr 2010 22:12:07 +0530 + +Subject: [PATCH] [PATCH] Xext: "xauth generate" with large timeout crashes Xorg #27134 + Signed-off-by: Arvind Umrao <[email protected]> + +Description of the change: + +bug https://bugs.freedesktop.org/show_bug.cgi?id=27134 + +This coredump is happening because of assertion at ( Xext/security.c line:325 assert(pAuth->timer == timer) + +Overflow of CARD32 happens at ( os/WaitFor.c line:458 millis += now ) + +This bug could be fixed in couple of ways. +a) Using CARD64 for variable millis. But even after storing millisec time in 64 bits variable, we can get coredump when timeout is very large. +b) Removing assert statement, but it is not a good fix. +c) By checking maximum possible value of timeout, so that overflow of variable millis does not happen. + +I have fixed this problem by checking maximum possible value of timeout, so that overflow of variable millis(size CARD32) doees not happen. Maximum timeout is possible only between range 0 to ( MAX_Value(CARD32) - CurrentTime) + +--- + Xext/security.c | 10 ++++++---- + 1 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/Xext/security.c b/Xext/security.c +index af8d205..6d2e36e 100644 +--- a/Xext/security.c ++++ b/Xext/security.c +@@ -280,11 +280,13 @@ SecurityComputeAuthorizationTimeout( + * 32 bits worth of milliseconds + */ + CARD32 maxSecs = (CARD32)(~0) / (CARD32)MILLI_PER_SECOND; ++ CARD32 nowSec = GetTimeInMillis()/ (CARD32)MILLI_PER_SECOND; + +- if (seconds > maxSecs) +- { /* only come here if we want to wait more than 49 days */ +- pAuth->secondsRemaining = seconds - maxSecs; +- return maxSecs * MILLI_PER_SECOND; ++ CARD32 maxPossibleSec = maxSecs - nowSec; ++ if (seconds > maxPossibleSec -1 ) ++ { ++ pAuth->secondsRemaining = seconds - maxPossibleSec; ++ return maxPossibleSec * MILLI_PER_SECOND; + } + else + { /* by far the common case */ +-- +1.5.6.5 + diff --git a/debian/patches/series b/debian/patches/series index 3118710..eb9e37c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -32,6 +32,7 @@ 117_fix_crash_with_createglyphset.patch 118_xkb_fix_garbage_init.patch 121_only_switch_vt_when_active.diff +122_xext_fix_card32_overflow_in_xauth.patch #143_default_to_vesa.patch 157_check_null_modes.patch 162_null_crtc_in_rotation.patch -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
