Git-Url:
http://git.frugalware.org/gitweb/gitweb.cgi?p=xorg73.git;a=commitdiff;h=10809be955895c0a3214965e367eb38778444341
commit 10809be955895c0a3214965e367eb38778444341
Author: crazy <[EMAIL PROTECTED]>
Date: Sat Jan 19 10:15:34 2008 +0100
xorg-server-1.4.0.90-2-i686
* prepare for FS#2709
* revert CVE-2007-6429 until is fully sorted
diff --git a/source/x11/xorg-server/FrugalBuild
b/source/x11/xorg-server/FrugalBuild
index 668b7fb..3a73663 100644
--- a/source/x11/xorg-server/FrugalBuild
+++ b/source/x11/xorg-server/FrugalBuild
@@ -25,7 +25,10 @@ provides=('xorg-compat')
replaces=('xorg-compat')
backup=('etc/sysconfig/desktop')
Finclude sourceforge xorg
-source=([EMAIL PROTECTED]
http://$_F_sourceforge_mirror.dl.sourceforge.net/sourceforge/mesa3d/MesaLib-$mesaver.tar.bz2
\
+source=([EMAIL PROTECTED] \
+
http://$_F_sourceforge_mirror.dl.sourceforge.net/sourceforge/mesa3d/MesaLib-$mesaver.tar.bz2
\
+
ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-multiple-overflows.diff
\
+ revert-CVE-2007-6429.patch \
01-kernel-headers-fix.patch \
02-access_c_skip_null_addresses.patch \
03-black-background.patch \
@@ -37,11 +40,13 @@ source=([EMAIL PROTECTED]
http://$_F_sourceforge_mirror.dl.sourceforge.net/sourceforg
xprint-rc-files-fix.patch \
no-aiglx.patch \
1.4-fix-dmx-build.patch \
- 1.4-fix-dmx-link.patch \
- 1.4-fix-kdrive-automake.patch \
+ 1.4-fix-dmx-link.patch \
+ 1.4-fix-kdrive-automake.patch \
1.4-fix-xephyr-link.patch)
sha1sums=('7c492ac32bd83b521f5c016e4728fccf9cba55db' \
'd16eaeb1d9d95d11d3b6d289b1ba87108b88da90' \
+ 'b3c9013aa6abc30fabd8f6a85e427f5fd6e6ef6c' \
+ '70953105acc839ca4e377b9ba6f8ea5589f8e46b' \
'f31702e0029b2d68018598e73ed55c4d6c58367b' \
'859b98a4049400be152032fc09ceff2afe9e6dcf' \
'863ad92892785c3785b122bf54d0def4d4d2732c' \
@@ -132,6 +137,11 @@ build() {
Fpatch 1.4-fix-dmx-build.patch
Fpatch 1.4-fix-dmx-link.patch
Fpatch 1.4-fix-kdrive-automake.patch
+ ## SEC fixes - FS#2709
+ Fpatch xorg-xserver-1.4-multiple-overflows.diff
+ ## revert CVE-2007-6429 untill that issue is fixed in a way to not break
+ ## gazillons other applications
+ patch -p1 -R -i ../revert-CVE-2007-6429.patch || Fdie
## GCC 4.2.0 bug do **NOT** remove this hack or it will kill your box!!
## http://gcc.gnu.org/bugzilla/show_bug.cgi?id=30052
echo 'CFLAGS = @CFLAGS@ -O0' >> hw/xfree86/scanpci/Makefile.am
diff --git a/source/x11/xorg-server/revert-CVE-2007-6429.patch
b/source/x11/xorg-server/revert-CVE-2007-6429.patch
new file mode 100644
index 0000000..a1e04cb
--- /dev/null
+++ b/source/x11/xorg-server/revert-CVE-2007-6429.patch
@@ -0,0 +1,210 @@
+From 8b14f7b74284900b95a319ec80c4333e63af2296 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <[EMAIL PROTECTED]>
+Date: Thu, 17 Jan 2008 15:28:42 +0100
+Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer
overflows.
+
+---
+ Xext/EVI.c | 15 ++++++++++++++-
+ Xext/sampleEVI.c | 29 ++++++++++++++++++++++++-----
+ Xext/shm.c | 46 ++++++++++++++++++++++++++++++++++++++--------
+ 3 files changed, 76 insertions(+), 14 deletions(-)
+
+diff --git a/Xext/EVI.c b/Xext/EVI.c
+index 8fe3481..13bd32a 100644
+--- a/Xext/EVI.c
++++ b/Xext/EVI.c
+@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "modinit.h"
++#include "scrnintstr.h"
+
+ #if 0
+ static unsigned char XEVIReqCode = 0;
+@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
+ {
+ REQUEST(xEVIGetVisualInfoReq);
+ xEVIGetVisualInfoReply rep;
+- int n, n_conflict, n_info, sz_info, sz_conflict;
++ int i, n, n_conflict, n_info, sz_info, sz_conflict;
+ VisualID32 *conflict;
++ unsigned int total_visuals = 0;
+ xExtendedVisualInfo *eviInfo;
+ int status;
++
++ /*
++ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
++ * here that you don't have more than 2^32 visuals over all your screens;
++ * this seems like a safe assumption.
++ */
++ for (i = 0; i < screenInfo.numScreens; i++)
++ total_visuals += screenInfo.screens[i]->numVisuals;
++ if (stuff->n_visual > total_visuals)
++ return BadValue;
++
+ REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
+ status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1],
(int)stuff->n_visual,
+ &eviInfo, &n_info, &conflict, &n_conflict);
+diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
+index 7508aa7..b871bfd 100644
+--- a/Xext/sampleEVI.c
++++ b/Xext/sampleEVI.c
+@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "scrnintstr.h"
++
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ static int sampleGetVisualInfo(
+ VisualID32 *visual,
+ int n_visual,
+@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
+ VisualID32 **conflict_rn,
+ int *n_conflict_rn)
+ {
+- int max_sz_evi = n_visual * sz_xExtendedVisualInfo *
screenInfo.numScreens;
++ unsigned int max_sz_evi;
+ VisualID32 *temp_conflict;
+ xExtendedVisualInfo *evi;
+- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
++ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+ register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
+- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+- if (!*evi_rn)
+- return BadAlloc;
++
++ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo *
screenInfo.numScreens))
++ return BadAlloc;
++ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
++
+ for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
+ if (screenInfo.screens[scrI]->numVisuals > max_visuals)
+ max_visuals = screenInfo.screens[scrI]->numVisuals;
+ }
++
++ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
++ * max_visuals))
++ return BadAlloc;
+ max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens *
max_visuals;
++
++ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
++ if (!*evi_rn)
++ return BadAlloc;
++
+ temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
+ if (!temp_conflict) {
+ xfree(*evi_rn);
+ return BadAlloc;
+ }
++
+ for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
+ for (visualI = 0; visualI < n_visual; visualI++) {
+ evi[sz_evi].core_visual_id = visual[visualI];
+diff --git a/Xext/shm.c b/Xext/shm.c
+index ac587be..5633be9 100644
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -711,6 +711,8 @@ ProcPanoramiXShmCreatePixmap(
+ int i, j, result, rc;
+ ShmDescPtr shmdesc;
+ REQUEST(xShmCreatePixmapReq);
++ unsigned int width, height, depth;
++ unsigned long size;
+ PanoramiXRes *newPix;
+
+ REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+@@ -724,11 +726,26 @@ ProcPanoramiXShmCreatePixmap(
+ return rc;
+
+ VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+- if (!stuff->width || !stuff->height)
++
++ width = stuff->width;
++ height = stuff->height;
++ depth = stuff->depth;
++ if (!width || !height || !depth)
+ {
+ client->errorValue = 0;
+ return BadValue;
+ }
++ if (width > 32767 || height > 32767)
++ return BadAlloc;
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(size) == 4) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ if (stuff->depth != 1)
+ {
+ pDepth = pDraw->pScreen->allowedDepths;
+@@ -739,9 +756,7 @@ ProcPanoramiXShmCreatePixmap(
+ return BadValue;
+ }
+ CreatePmap:
+- VERIFY_SHMSIZE(shmdesc, stuff->offset,
+- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+- client);
++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+
+ if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
+ return BadAlloc;
+@@ -1040,6 +1055,8 @@ ProcShmCreatePixmap(client)
+ register int i, rc;
+ ShmDescPtr shmdesc;
+ REQUEST(xShmCreatePixmapReq);
++ unsigned int width, height, depth;
++ unsigned long size;
+
+ REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+ client->errorValue = stuff->pid;
+@@ -1052,11 +1069,26 @@ ProcShmCreatePixmap(client)
+ return rc;
+
+ VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+- if (!stuff->width || !stuff->height)
++
++ width = stuff->width;
++ height = stuff->height;
++ depth = stuff->depth;
++ if (!width || !height || !depth)
+ {
+ client->errorValue = 0;
+ return BadValue;
+ }
++ if (width > 32767 || height > 32767)
++ return BadAlloc;
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(size) == 4) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ if (stuff->depth != 1)
+ {
+ pDepth = pDraw->pScreen->allowedDepths;
+@@ -1067,9 +1099,7 @@ ProcShmCreatePixmap(client)
+ return BadValue;
+ }
+ CreatePmap:
+- VERIFY_SHMSIZE(shmdesc, stuff->offset,
+- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+- client);
++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+ pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
+ pDraw->pScreen, stuff->width,
+ stuff->height, stuff->depth,
+--
+1.5.3.8
+
_______________________________________________
Frugalware-git mailing list
[email protected]
http://frugalware.org/mailman/listinfo/frugalware-git
