Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=5b59c5907f4f5fabbdfff40e31e673e2c1b88001
commit 5b59c5907f4f5fabbdfff40e31e673e2c1b88001 Author: crazy <[EMAIL PROTECTED]> Date: Tue Jan 22 22:47:09 2008 +0100 xorg-server-1.4.0.90-4-i686 * [SEC] release bump * updated link to xorg-xserver-1.4-multiple-overflows-v2.diff * which is still missing an fix , so removed * CVE-2007-6429_2.patch and added CVE-2007-6429_3.patch * in addition added CVE-2007-3069.patch which was forgotten =) * finally this closes #2709 in -current diff --git a/source/x11/xorg-server/CVE-2007-3069.patch b/source/x11/xorg-server/CVE-2007-3069.patch new file mode 100644 index 0000000..05e6c14 --- /dev/null +++ b/source/x11/xorg-server/CVE-2007-3069.patch @@ -0,0 +1,36 @@ +From: Kristian Høgsberg <[EMAIL PROTECTED]> +Date: Thu, 17 Jan 2008 01:24:11 +0000 (-0500) +Subject: Don't break grab and focus state for a window when redirecting it. +X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commitdiff;h=a6a7fadbb03ee99312dfb15ac478ab3c414c1c0b + +Don't break grab and focus state for a window when redirecting it. + +Composite uses an unmap/map cycle to trigger backing pixmap allocation +and cliprect recomputation when a window is redirected or unredirected. +To avoid protocol visible side effects, map and unmap events are +disabled temporarily. However, when a window is unmapped it is also +removed from grabs and loses focus, but these state changes are not +disabled. + +This change supresses the unmap side effects during the composite +unmap/map cycle and fixes this bug: + + http://bugzilla.gnome.org/show_bug.cgi?id=488264 + +where compiz would cause gnome-screensaver to lose its grab when +compiz unredirects the fullscreen lock window. +--- + +--- a/dix/window.c ++++ b/dix/window.c +@@ -2993,7 +2993,8 @@ UnrealizeTree( + } + #endif + (* Unrealize)(pChild); +- DeleteWindowFromAnyEvents(pChild, FALSE); ++ if (MapUnmapEventsEnabled(pWin)) ++ DeleteWindowFromAnyEvents(pChild, FALSE); + if (pChild->viewable) + { + #ifdef DO_SAVE_UNDERS + diff --git a/source/x11/xorg-server/CVE-2007-6429_2.patch b/source/x11/xorg-server/CVE-2007-6429_2.patch deleted file mode 100644 index 877a28a..0000000 --- a/source/x11/xorg-server/CVE-2007-6429_2.patch +++ /dev/null @@ -1,86 +0,0 @@ -From b6d4cdf64f43ae805beada6122c8be2ed138742c Mon Sep 17 00:00:00 2001 -From: Adam Jackson <[EMAIL PROTECTED]> -Date: Fri, 18 Jan 2008 14:41:20 -0500 -Subject: [PATCH] CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps. - -Move size validation after depth validation, and only validate size if -the bpp of the pixmap format is > 8. If bpp < 8 then we're already -protected from overflow by the width and height checks. -(cherry picked from commit e9fa7c1c88a8130a48f772c92b186b8b777986b5) ---- - Xext/shm.c | 36 ++++++++++++++++++++---------------- - 1 files changed, 20 insertions(+), 16 deletions(-) - -diff --git a/Xext/shm.c b/Xext/shm.c -index 5633be9..6f99e90 100644 ---- a/Xext/shm.c -+++ b/Xext/shm.c -@@ -737,14 +737,6 @@ ProcPanoramiXShmCreatePixmap( - } - if (width > 32767 || height > 32767) - return BadAlloc; -- size = PixmapBytePad(width, depth) * height; -- if (sizeof(size) == 4) { -- if (size < width * height) -- return BadAlloc; -- /* thankfully, offset is unsigned */ -- if (stuff->offset + size < size) -- return BadAlloc; -- } - - if (stuff->depth != 1) - { -@@ -755,7 +747,17 @@ ProcPanoramiXShmCreatePixmap( - client->errorValue = stuff->depth; - return BadValue; - } -+ - CreatePmap: -+ size = PixmapBytePad(width, depth) * height; -+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { -+ if (size < width * height) -+ return BadAlloc; -+ /* thankfully, offset is unsigned */ -+ if (stuff->offset + size < size) -+ return BadAlloc; -+ } -+ - VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); - - if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) -@@ -1080,14 +1082,6 @@ ProcShmCreatePixmap(client) - } - if (width > 32767 || height > 32767) - return BadAlloc; -- size = PixmapBytePad(width, depth) * height; -- if (sizeof(size) == 4) { -- if (size < width * height) -- return BadAlloc; -- /* thankfully, offset is unsigned */ -- if (stuff->offset + size < size) -- return BadAlloc; -- } - - if (stuff->depth != 1) - { -@@ -1098,7 +1092,17 @@ ProcShmCreatePixmap(client) - client->errorValue = stuff->depth; - return BadValue; - } -+ - CreatePmap: -+ size = PixmapBytePad(width, depth) * height; -+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { -+ if (size < width * height) -+ return BadAlloc; -+ /* thankfully, offset is unsigned */ -+ if (stuff->offset + size < size) -+ return BadAlloc; -+ } -+ - VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); - pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( - pDraw->pScreen, stuff->width, --- -1.5.3.8 - diff --git a/source/x11/xorg-server/CVE-2007-6429_3.patch b/source/x11/xorg-server/CVE-2007-6429_3.patch new file mode 100644 index 0000000..1fba567 --- /dev/null +++ b/source/x11/xorg-server/CVE-2007-6429_3.patch @@ -0,0 +1,38 @@ +From: Matthias Hopf <[EMAIL PROTECTED]> +Date: Mon, 21 Jan 2008 15:13:21 +0000 (+0100) +Subject: CVE-2007-6429: Always test for size+offset wrapping. +X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commitdiff;h=be6c17fcf9efebc0bbcc3d9a25f8c5a2450c2161 + +CVE-2007-6429: Always test for size+offset wrapping. +--- + +--- a/Xext/shm.c ++++ b/Xext/shm.c +@@ -799,10 +799,10 @@ CreatePmap: + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; +- /* thankfully, offset is unsigned */ +- if (stuff->offset + size < size) +- return BadAlloc; + } ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + +@@ -1144,10 +1144,10 @@ CreatePmap: + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; +- /* thankfully, offset is unsigned */ +- if (stuff->offset + size < size) +- return BadAlloc; + } ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( diff --git a/source/x11/xorg-server/FrugalBuild b/source/x11/xorg-server/FrugalBuild index b24d3d3..1185ee2 100644 --- a/source/x11/xorg-server/FrugalBuild +++ b/source/x11/xorg-server/FrugalBuild @@ -3,7 +3,7 @@ pkgname=xorg-server pkgver=1.4.0.90 -pkgrel=3 +pkgrel=4 mesaver=7.0.2 pkgdesc="Modular X.Org X Server" groups=('x11' 'xorg-core') @@ -27,8 +27,9 @@ backup=('etc/sysconfig/desktop') Finclude sourceforge xorg source=([EMAIL PROTECTED] \ http://$_F_sourceforge_mirror.dl.sourceforge.net/sourceforge/mesa3d/MesaLib-$mesaver.tar.bz2 \ - ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-multiple-overflows.diff \ - CVE-2007-6429_2.patch \ + ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-multiple-overflows-v2.diff \ + CVE-2007-6429_3.patch \ + CVE-2007-3069.patch \ bug13308-Verify-and-reject-obviously-broken-modes.patch \ fix-bgPixel-unsigned-long-issues.patch \ OS-Don-t-leak-connection-translation-table.patch \ @@ -54,8 +55,9 @@ source=([EMAIL PROTECTED] \ 1.4-fix-xephyr-link.patch) sha1sums=('7c492ac32bd83b521f5c016e4728fccf9cba55db' \ 'd16eaeb1d9d95d11d3b6d289b1ba87108b88da90' \ - 'b3c9013aa6abc30fabd8f6a85e427f5fd6e6ef6c' \ - '3350a781d333a04220a328b0174f6dff77ab9dc7' \ + 'af92fd389e72a3bb59d25dbf9cbb06e827b75d7d' \ + '0dccea5821d612255d415fb994b69780a6c39c29' \ + 'eef5c663f5728e70969126d13c5a22ba3d0b08d1' \ '838c1144516368be4b15ab1b22d1a557fc8261ba' \ '03313ab37223329913354321449d7e818c69c937' \ '4d35fe70d5af830ac732fe74260d8483c390461c' \ @@ -157,9 +159,12 @@ build() { Fpatch 1.4-fix-dmx-link.patch Fpatch 1.4-fix-kdrive-automake.patch ## SEC fixes - FS#2709 - Fpatch xorg-xserver-1.4-multiple-overflows.diff - # the fix for the sec fix =) - Fpatch CVE-2007-6429_2.patch + Fpatch xorg-xserver-1.4-multiple-overflows-v2.diff + ## the fix for the sec fix =) + ## http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commit;h=be6c17fcf9efebc0bbcc3d9a25f8c5a2450c2161 + Fpatch CVE-2007-6429_3.patch + ## http://lists.freedesktop.org/archives/xorg/2008-January/032129.html + Fpatch CVE-2007-3069.patch ## fixes from 1.4-branch Fpatch bug13308-Verify-and-reject-obviously-broken-modes.patch Fpatch fix-bgPixel-unsigned-long-issues.patch _______________________________________________ Frugalware-git mailing list [email protected] http://frugalware.org/mailman/listinfo/frugalware-git
