Git-Url:
http://git.frugalware.org/gitweb/gitweb.cgi?p=xorg73.git;a=commitdiff;h=0f5544bf80130e52b5e4a4e9a7799ec79fce1f0a
commit 0f5544bf80130e52b5e4a4e9a7799ec79fce1f0a
Author: crazy <[EMAIL PROTECTED]>
Date: Sat Jan 19 11:45:11 2008 +0100
xorg-server-1.4.0.90-3-i686
* [SEC] release bump
* removed revert patch and added CVE-2007-6429_2.patch
* which is the fix for the first CVE-2007-6429 fix =)
* closes FS#2709
diff --git a/source/x11/xorg-server/CVE-2007-6429_2.patch
b/source/x11/xorg-server/CVE-2007-6429_2.patch
new file mode 100644
index 0000000..877a28a
--- /dev/null
+++ b/source/x11/xorg-server/CVE-2007-6429_2.patch
@@ -0,0 +1,86 @@
+From b6d4cdf64f43ae805beada6122c8be2ed138742c Mon Sep 17 00:00:00 2001
+From: Adam Jackson <[EMAIL PROTECTED]>
+Date: Fri, 18 Jan 2008 14:41:20 -0500
+Subject: [PATCH] CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps.
+
+Move size validation after depth validation, and only validate size if
+the bpp of the pixmap format is > 8. If bpp < 8 then we're already
+protected from overflow by the width and height checks.
+(cherry picked from commit e9fa7c1c88a8130a48f772c92b186b8b777986b5)
+---
+ Xext/shm.c | 36 ++++++++++++++++++++----------------
+ 1 files changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/Xext/shm.c b/Xext/shm.c
+index 5633be9..6f99e90 100644
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -737,14 +737,6 @@ ProcPanoramiXShmCreatePixmap(
+ }
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+- size = PixmapBytePad(width, depth) * height;
+- if (sizeof(size) == 4) {
+- if (size < width * height)
+- return BadAlloc;
+- /* thankfully, offset is unsigned */
+- if (stuff->offset + size < size)
+- return BadAlloc;
+- }
+
+ if (stuff->depth != 1)
+ {
+@@ -755,7 +747,17 @@ ProcPanoramiXShmCreatePixmap(
+ client->errorValue = stuff->depth;
+ return BadValue;
+ }
++
+ CreatePmap:
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+
+ if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
+@@ -1080,14 +1082,6 @@ ProcShmCreatePixmap(client)
+ }
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+- size = PixmapBytePad(width, depth) * height;
+- if (sizeof(size) == 4) {
+- if (size < width * height)
+- return BadAlloc;
+- /* thankfully, offset is unsigned */
+- if (stuff->offset + size < size)
+- return BadAlloc;
+- }
+
+ if (stuff->depth != 1)
+ {
+@@ -1098,7 +1092,17 @@ ProcShmCreatePixmap(client)
+ client->errorValue = stuff->depth;
+ return BadValue;
+ }
++
+ CreatePmap:
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+ pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
+ pDraw->pScreen, stuff->width,
+--
+1.5.3.8
+
diff --git a/source/x11/xorg-server/FrugalBuild
b/source/x11/xorg-server/FrugalBuild
index ae433f1..b24d3d3 100644
--- a/source/x11/xorg-server/FrugalBuild
+++ b/source/x11/xorg-server/FrugalBuild
@@ -3,7 +3,7 @@
pkgname=xorg-server
pkgver=1.4.0.90
-pkgrel=2
+pkgrel=3
mesaver=7.0.2
pkgdesc="Modular X.Org X Server"
groups=('x11' 'xorg-core')
@@ -28,7 +28,7 @@ Finclude sourceforge xorg
source=([EMAIL PROTECTED] \
http://$_F_sourceforge_mirror.dl.sourceforge.net/sourceforge/mesa3d/MesaLib-$mesaver.tar.bz2
\
ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-multiple-overflows.diff
\
- revert-CVE-2007-6429.patch \
+ CVE-2007-6429_2.patch \
bug13308-Verify-and-reject-obviously-broken-modes.patch \
fix-bgPixel-unsigned-long-issues.patch \
OS-Don-t-leak-connection-translation-table.patch \
@@ -55,7 +55,7 @@ source=([EMAIL PROTECTED] \
sha1sums=('7c492ac32bd83b521f5c016e4728fccf9cba55db' \
'd16eaeb1d9d95d11d3b6d289b1ba87108b88da90' \
'b3c9013aa6abc30fabd8f6a85e427f5fd6e6ef6c' \
- '70953105acc839ca4e377b9ba6f8ea5589f8e46b' \
+ '3350a781d333a04220a328b0174f6dff77ab9dc7' \
'838c1144516368be4b15ab1b22d1a557fc8261ba' \
'03313ab37223329913354321449d7e818c69c937' \
'4d35fe70d5af830ac732fe74260d8483c390461c' \
@@ -158,10 +158,8 @@ build() {
Fpatch 1.4-fix-kdrive-automake.patch
## SEC fixes - FS#2709
Fpatch xorg-xserver-1.4-multiple-overflows.diff
- ## revert CVE-2007-6429 untill that issue is fixed in a way to not break
- ## gazillons other applications
- Fmessage "Reverting CVE-2007-6429.patch for now"
- patch -p1 -R -i ../revert-CVE-2007-6429.patch || Fdie
+ # the fix for the sec fix =)
+ Fpatch CVE-2007-6429_2.patch
## fixes from 1.4-branch
Fpatch bug13308-Verify-and-reject-obviously-broken-modes.patch
Fpatch fix-bgPixel-unsigned-long-issues.patch
@@ -210,15 +208,17 @@ build() {
--enable-multibuffer \
--disable-config-hal # DISABLED THIS for now , not really complete now
Fmakeinstall
-
+ # TODO - Move away from here
Ffile /etc/sysconfig/desktop
-# Disabled for reasons :P
-# Frcd xprint
-
- # I dont think that simple user need this Xsession file on by-default :S
-# Fmkdir /etc/X11/Xsession.d.xprint
-# Fmv /etc/X11/Xsession.d/92* /etc/X11/Xsession.d.xprint/
-
+
+ ######################
+ ## Disabled for reasons :P
+ #Frcd xprint
+ ## I dont think that simple user need this Xsession file on by-default
:S
+ #Fmkdir /etc/X11/Xsession.d.xprint
+ #Fmv /etc/X11/Xsession.d/92* /etc/X11/Xsession.d.xprint/
+ ######################
+
Fsplit libglx usr/lib/xorg/modules/extensions/libglx.*
usr/lib/xorg/modules/libwfb.*
## the servers =)
diff --git a/source/x11/xorg-server/revert-CVE-2007-6429.patch
b/source/x11/xorg-server/revert-CVE-2007-6429.patch
deleted file mode 100644
index a1e04cb..0000000
--- a/source/x11/xorg-server/revert-CVE-2007-6429.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From 8b14f7b74284900b95a319ec80c4333e63af2296 Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <[EMAIL PROTECTED]>
-Date: Thu, 17 Jan 2008 15:28:42 +0100
-Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer
overflows.
-
----
- Xext/EVI.c | 15 ++++++++++++++-
- Xext/sampleEVI.c | 29 ++++++++++++++++++++++++-----
- Xext/shm.c | 46 ++++++++++++++++++++++++++++++++++++++--------
- 3 files changed, 76 insertions(+), 14 deletions(-)
-
-diff --git a/Xext/EVI.c b/Xext/EVI.c
-index 8fe3481..13bd32a 100644
---- a/Xext/EVI.c
-+++ b/Xext/EVI.c
-@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include <X11/extensions/XEVIstr.h>
- #include "EVIstruct.h"
- #include "modinit.h"
-+#include "scrnintstr.h"
-
- #if 0
- static unsigned char XEVIReqCode = 0;
-@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
- {
- REQUEST(xEVIGetVisualInfoReq);
- xEVIGetVisualInfoReply rep;
-- int n, n_conflict, n_info, sz_info, sz_conflict;
-+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
- VisualID32 *conflict;
-+ unsigned int total_visuals = 0;
- xExtendedVisualInfo *eviInfo;
- int status;
-+
-+ /*
-+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
-+ * here that you don't have more than 2^32 visuals over all your screens;
-+ * this seems like a safe assumption.
-+ */
-+ for (i = 0; i < screenInfo.numScreens; i++)
-+ total_visuals += screenInfo.screens[i]->numVisuals;
-+ if (stuff->n_visual > total_visuals)
-+ return BadValue;
-+
- REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
- status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1],
(int)stuff->n_visual,
- &eviInfo, &n_info, &conflict, &n_conflict);
-diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
-index 7508aa7..b871bfd 100644
---- a/Xext/sampleEVI.c
-+++ b/Xext/sampleEVI.c
-@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include <X11/extensions/XEVIstr.h>
- #include "EVIstruct.h"
- #include "scrnintstr.h"
-+
-+#if HAVE_STDINT_H
-+#include <stdint.h>
-+#elif !defined(UINT32_MAX)
-+#define UINT32_MAX 0xffffffffU
-+#endif
-+
- static int sampleGetVisualInfo(
- VisualID32 *visual,
- int n_visual,
-@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
- VisualID32 **conflict_rn,
- int *n_conflict_rn)
- {
-- int max_sz_evi = n_visual * sz_xExtendedVisualInfo *
screenInfo.numScreens;
-+ unsigned int max_sz_evi;
- VisualID32 *temp_conflict;
- xExtendedVisualInfo *evi;
-- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
-+ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
- register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
-- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
-- if (!*evi_rn)
-- return BadAlloc;
-+
-+ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo *
screenInfo.numScreens))
-+ return BadAlloc;
-+ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
-+
- for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
- if (screenInfo.screens[scrI]->numVisuals > max_visuals)
- max_visuals = screenInfo.screens[scrI]->numVisuals;
- }
-+
-+ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
-+ * max_visuals))
-+ return BadAlloc;
- max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens *
max_visuals;
-+
-+ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
-+ if (!*evi_rn)
-+ return BadAlloc;
-+
- temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
- if (!temp_conflict) {
- xfree(*evi_rn);
- return BadAlloc;
- }
-+
- for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
- for (visualI = 0; visualI < n_visual; visualI++) {
- evi[sz_evi].core_visual_id = visual[visualI];
-diff --git a/Xext/shm.c b/Xext/shm.c
-index ac587be..5633be9 100644
---- a/Xext/shm.c
-+++ b/Xext/shm.c
-@@ -711,6 +711,8 @@ ProcPanoramiXShmCreatePixmap(
- int i, j, result, rc;
- ShmDescPtr shmdesc;
- REQUEST(xShmCreatePixmapReq);
-+ unsigned int width, height, depth;
-+ unsigned long size;
- PanoramiXRes *newPix;
-
- REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -724,11 +726,26 @@ ProcPanoramiXShmCreatePixmap(
- return rc;
-
- VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
-- if (!stuff->width || !stuff->height)
-+
-+ width = stuff->width;
-+ height = stuff->height;
-+ depth = stuff->depth;
-+ if (!width || !height || !depth)
- {
- client->errorValue = 0;
- return BadValue;
- }
-+ if (width > 32767 || height > 32767)
-+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
-+
- if (stuff->depth != 1)
- {
- pDepth = pDraw->pScreen->allowedDepths;
-@@ -739,9 +756,7 @@ ProcPanoramiXShmCreatePixmap(
- return BadValue;
- }
- CreatePmap:
-- VERIFY_SHMSIZE(shmdesc, stuff->offset,
-- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-- client);
-+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
-
- if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
- return BadAlloc;
-@@ -1040,6 +1055,8 @@ ProcShmCreatePixmap(client)
- register int i, rc;
- ShmDescPtr shmdesc;
- REQUEST(xShmCreatePixmapReq);
-+ unsigned int width, height, depth;
-+ unsigned long size;
-
- REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
- client->errorValue = stuff->pid;
-@@ -1052,11 +1069,26 @@ ProcShmCreatePixmap(client)
- return rc;
-
- VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
-- if (!stuff->width || !stuff->height)
-+
-+ width = stuff->width;
-+ height = stuff->height;
-+ depth = stuff->depth;
-+ if (!width || !height || !depth)
- {
- client->errorValue = 0;
- return BadValue;
- }
-+ if (width > 32767 || height > 32767)
-+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
-+
- if (stuff->depth != 1)
- {
- pDepth = pDraw->pScreen->allowedDepths;
-@@ -1067,9 +1099,7 @@ ProcShmCreatePixmap(client)
- return BadValue;
- }
- CreatePmap:
-- VERIFY_SHMSIZE(shmdesc, stuff->offset,
-- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-- client);
-+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
- pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
- pDraw->pScreen, stuff->width,
- stuff->height, stuff->depth,
---
-1.5.3.8
-
_______________________________________________
Frugalware-git mailing list
[email protected]
http://frugalware.org/mailman/listinfo/frugalware-git
