Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6424 Signed-off-by: Baogen Shang <[email protected]> Signed-off-by: Kai Kang <[email protected]> --- .../xserver-xorg/xorg-CVE-2013-6424.patch | 31 ++++++++++++++++++++++ .../xorg-xserver/xserver-xorg_1.15.0.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch new file mode 100644 index 0000000..7c61530 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch @@ -0,0 +1,31 @@ +This patch comes from: +http://lists.x.org/archives/xorg-devel/2013-October/037996.html + +Upstream-Status: Backport + +Signed-off-by: Baogen shang <[email protected]> +diff -Naur xorg-server-1.14.0-orig/exa/exa_render.c xorg-server-1.14.0/exa/exa_render.c +--- xorg-server-1.14.0-orig/exa/exa_render.c 2014-02-27 14:32:38.000000000 +0800 ++++ xorg-server-1.14.0/exa/exa_render.c 2014-02-27 15:46:59.000000000 +0800 +@@ -1141,7 +1141,8 @@ + + exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST); + for (; ntrap; ntrap--, traps++) +- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); ++ if (xTrapezoidValid(traps)) ++ (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); + exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST); + + xRel = bounds.x1 + xSrc - xDst; +diff -Naur xorg-server-1.14.0-orig/render/picture.h xorg-server-1.14.0/render/picture.h +--- xorg-server-1.14.0-orig/render/picture.h 2014-02-27 14:32:26.000000000 +0800 ++++ xorg-server-1.14.0/render/picture.h 2014-02-27 15:48:13.000000000 +0800 +@@ -211,7 +211,7 @@ + /* whether 't' is a well defined not obviously empty trapezoid */ + #define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \ + (t)->right.p1.y != (t)->right.p2.y && \ +- (int) ((t)->bottom - (t)->top) > 0) ++ ((t)->bottom > (t)->top)) + + /* + * Standard NTSC luminance conversions: diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb index a4dda4e..1f9fa04 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb @@ -5,6 +5,7 @@ SRC_URI += "file://crosscompile.patch \ file://fix_open_max_preprocessor_error.patch \ file://mips64-compiler.patch \ file://aarch64.patch \ + file://xorg-CVE-2013-6424.patch \ " SRC_URI[md5sum] = "c2ace3697b32414094cf8c597c39d7d9" -- 1.8.1.2 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
