Bug#646156: pu: package xorg-server/2:1.7.7-14

2011-11-27 Thread vladz
On Sat, Oct 29, 2011 at 03:03:49PM -0400, Michael Gilbert wrote:
> > On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote:
> >> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
> >> I wonder if at least this one should be treated with a real urgency?
> >> On the surface it's an info disclosure issue, which tend to be very low
> >> urgency, but it's a pretty bad one since it's actually a disclosure of
> >> any file on the system (e.g. /etc/shadow), and there is an existing
> >> poc exploit:
> >> http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt
> >>
> > Moritz said "use p-u", I'm not going to second-guess him.
> 
> This was before the real impact of the issue was clear (I believe),
> and definitely before the exploit code existed.  Personally, I think
> this needs to get out to squeeze users ASAP.

Sorry for disclosing the exploit, but for your information, when I
discovered this vulnerability, the first thing I did was to send an email
to secur...@debian.org; it contained a full description and the PoC
(exploit) you are talking about (encrypted mail sent on Oct 9th 2011).
I never got any feedback.

Is secur...@debian.org still the right way to report vulnerabilities?

Regards,
vladz.

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#646156: pu: package xorg-server/2:1.7.7-14

2011-10-30 Thread Adam D. Barratt
tag 646156 + pending
thanks

On Sat, 2011-10-29 at 15:25 +0100, Adam D. Barratt wrote:
> tag 646156 + confirmed squeeze
> thanks
> 
> On Fri, 2011-10-21 at 21:12 +0200, Julien Cristau wrote:
> > there were a couple of CVEs for X recently, that Moritz suggested we
> > fix through p-u.  And an input fix to use 64bit arithmetic to avoid
> > overflows with high resolution devices, that's been sitting upstream in
> > the 1.7 branch since March.  (The xquartz change is irrelevant but won't
> > hurt.)
> 
> With the obvious tidy-up to the changelog, please go ahead; thanks.

Uploaded and flagged for acceptance at the next dinstall.

Regards,

Adam

Bug#646156: pu: package xorg-server/2:1.7.7-14

2011-10-29 Thread Michael Gilbert
On Sat, Oct 29, 2011 at 2:58 PM, Julien Cristau wrote:
> On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote:
>
>> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
>> > +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
>> > +Author: Matthieu Herrb 
>> > +Date:   Mon Oct 17 22:27:35 2011 +0200
>> > +
>> > +    Fix CVE-2011-4029: File permission change vulnerability.
>> > +
>> > +    Use fchmod() to change permissions of the lock file instead
>> > +    of chmod(), thus avoid the race that can be exploited to set
>> > +    a symbolic link to any file or directory in the system.
>>
>> I wonder if at least this one should be treated with a real urgency?
> >> On the surface it's an info disclosure issue, which tend to be very low
> >> urgency, but it's a pretty bad one since it's actually a disclosure of
> >> any file on the system (e.g. /etc/shadow), and there is an existing
>> poc exploit:
>> http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt
>>
> Moritz said "use p-u", I'm not going to second-guess him.

This was before the real impact of the issue was clear (I believe),
and definitely before the exploit code existed.  Personally, I think
this needs to get out to squeeze users ASAP.

Best wishes,
Mike

Bug#646156: pu: package xorg-server/2:1.7.7-14

2011-10-29 Thread Julien Cristau
On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote:

> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
> > +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
> > +Author: Matthieu Herrb 
> > +Date:   Mon Oct 17 22:27:35 2011 +0200
> > +
> > +    Fix CVE-2011-4029: File permission change vulnerability.
> > +
> > +    Use fchmod() to change permissions of the lock file instead
> > +    of chmod(), thus avoid the race that can be exploited to set
> > +    a symbolic link to any file or directory in the system.
> 
> I wonder if at least this one should be treated with a real urgency?
> On the surface it's an info disclosure issue, which tend to be very low
> urgency, but it's a pretty bad one since it's actually a disclosure of
> any file on the system (e.g. /etc/shadow), and there is an existing
> poc exploit:
> http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt
> 
Moritz said "use p-u", I'm not going to second-guess him.

Cheers,
Julien

Bug#646156: pu: package xorg-server/2:1.7.7-14

2011-10-29 Thread Michael Gilbert
On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
> +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
> +Author: Matthieu Herrb 
> +Date:   Mon Oct 17 22:27:35 2011 +0200
> +
> +    Fix CVE-2011-4029: File permission change vulnerability.
> +
> +    Use fchmod() to change permissions of the lock file instead
> +    of chmod(), thus avoid the race that can be exploited to set
> +    a symbolic link to any file or directory in the system.

I wonder if at least this one should be treated with a real urgency?
On the surface it's an info disclosure issue, which tend to be very low
urgency, but it's a pretty bad one since it's actually a disclosure of
any file on the system (e.g. /etc/shadow), and there is an existing
poc exploit:
http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt

Best wishes,
Mike
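An added example, not xorg-server code and not from anyone in this thread, showing the two lock-file mistakes named in the quoted commit messages: changing permissions by path with chmod() after a symlink swap (CVE-2011-4029) versus fchmod() on the already-open descriptor, and reopening an existing lock file with O_NOFOLLOW (CVE-2011-4028). The paths, function names and the inline "attacker" step are assumptions for the demo; the swap is simulated in the same process so the race outcome is deterministic rather than timing-dependent.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of whatever `path` resolves to (0 if stat fails). */
static mode_t mode_of(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return st.st_mode & 07777;
}

/* Constructed fixture: (re)create the attacker's target with an exact mode. */
static int make_target(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode);   /* exact mode regardless of umask */
    close(fd);
    return rc;
}

/* Simulated attacker move: swap the freshly created lock for a symlink.
 * In the real race this lands between open(O_CREAT|O_EXCL) and chmod(). */
static int attacker_swap(const char *lock, const char *target)
{
    if (unlink(lock) != 0)
        return -1;
    return symlink(target, lock);
}

/* Vulnerable pattern: permissions changed by path after the swap.
 * Returns the resulting mode of `target` so the effect is observable. */
static mode_t create_lock_chmod(const char *lock, const char *target)
{
    int fd = open(lock, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return 0;
    attacker_swap(lock, target);   /* race window */
    chmod(lock, 0444);             /* resolves the symlink: hits target */
    close(fd);
    unlink(lock);
    return mode_of(target);
}

/* Fixed pattern: fchmod() acts on the inode the server itself created,
 * so whatever the path points to afterwards is irrelevant. */
static mode_t create_lock_fchmod(const char *lock, const char *target)
{
    int fd = open(lock, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return 0;
    attacker_swap(lock, target);   /* same race window */
    fchmod(fd, 0444);              /* changes only the lock inode */
    close(fd);
    unlink(lock);
    return mode_of(target);
}

/* CVE-2011-4028 side: reopen an existing lock with O_NOFOLLOW.  Returns 0
 * on success, else errno (ELOOP when `lock` is a symlink, so nothing is
 * learned about whether the symlink's target exists). */
static int open_existing_lock_nofollow(const char *lock)
{
    int fd = open(lock, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    const char *lock = "/tmp/demo-X0-lock";   /* assumed demo paths */
    const char *target = "/tmp/demo-victim";
    unlink(lock);

    make_target(target, 0600);
    printf("chmod(path): target mode now %04o\n",
           (unsigned)create_lock_chmod(lock, target));
    make_target(target, 0600);
    printf("fchmod(fd):  target mode now %04o\n",
           (unsigned)create_lock_fchmod(lock, target));

    symlink(target, lock);
    int e = open_existing_lock_nofollow(lock);
    printf("O_NOFOLLOW on symlink: %s\n", e == ELOOP ? "ELOOP" : "other");
    unlink(lock);
    unlink(target);
    return 0;
}
```

The chmod() variant ends with the victim file's mode rewritten, which is the "any file on the system" effect the thread describes; the fchmod() variant leaves it untouched. Note that O_NOFOLLOW only refuses a symlink as the final path component, so the directory holding the lock file still has to be one an unprivileged user cannot tamper with.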

Bug#646156: pu: package xorg-server/2:1.7.7-14

2011-10-29 Thread Adam D. Barratt
tag 646156 + confirmed squeeze
thanks

On Fri, 2011-10-21 at 21:12 +0200, Julien Cristau wrote:
> there were a couple of CVEs for X recently, that Moritz suggested we
> fix through p-u.  And an input fix to use 64bit arithmetic to avoid
> overflows with high resolution devices, that's been sitting upstream in
> the 1.7 branch since March.  (The xquartz change is irrelevant but won't
> hurt.)

With the obvious tidy-up to the changelog, please go ahead; thanks.

btw, I'm assuming that many of the additions of:

> +ClientPtr client = cl->client;

are boilerplate, or used in later commits?  They often appear not to be
used in the provided diff.

Regards,

Adam

Bug#646156: pu: package xorg-server/2:1.7.7-14

2011-10-21 Thread Julien Cristau
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hi,

there were a couple of CVEs for X recently, that Moritz suggested we
fix through p-u.  And an input fix to use 64bit arithmetic to avoid
overflows with high resolution devices, that's been sitting upstream in
the 1.7 branch since March.  (The xquartz change is irrelevant but won't
hurt.)

 ChangeLog  |  205 +
 debian/changelog   |   10 ++
 glx/glxcmds.c  |  188 +++--
 glx/glxcmdsswap.c  |  171 --
 glx/xfont.c|2 
 hw/xfree86/common/xf86Xinput.c |8 -
 hw/xquartz/GL/Makefile.am  |2 
 os/utils.c |4 
 8 files changed, 563 insertions(+), 27 deletions(-)

Cheers,
Julien

diff --git a/ChangeLog b/ChangeLog
index b9683ab..f3261ee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,208 @@
+commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
+Author: Matthieu Herrb 
+Date:   Mon Oct 17 22:27:35 2011 +0200
+
+Fix CVE-2011-4029: File permission change vulnerability.
+
+Use fchmod() to change permissions of the lock file instead
+of chmod(), thus avoid the race that can be exploited to set
+a symbolic link to any file or directory in the system.
+
+Signed-off-by: Matthieu Herrb 
+Reviewed-by: Alan Coopersmith 
+(cherry picked from commit b67581cf825940fdf52bf2e0af4330e695d724a4)
+(cherry picked from commit 12f65819ffb04103f170ecd7e281348de618fc4c)
+
+commit 3394ae378da567025ac94a2c2ff04f2a0b113962
+Author: Matthieu Herrb 
+Date:   Mon Oct 17 22:26:12 2011 +0200
+
+Fix CVE-2011-4028: File disclosure vulnerability.
+
+use O_NOFOLLOW to open the existing lock file, so symbolic links
+aren't followed, thus avoid revealing if it point to an existing
+file.
+
+Signed-off-by: Matthieu Herrb 
+Reviewed-by: Alan Coopersmith 
+(cherry picked from commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34)
+(cherry picked from commit f80d23357874db19bc124dee70239fb182977883)
+
+commit 656307e93a7c72b147805e3741ebb02baf876150
+Author: Julien Cristau 
+Date:   Sun Jan 23 13:35:54 2011 +0100
+
+glx: Work around wrong request lengths sent by mesa
+
+mesa used to send too long requests for GLXDestroyPixmap,
+GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes
+and GLXGetFBConfigsSGIX.
+
+Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4
+X.Org bug#33324 
+
+Reported-by: xunx.f...@intel.com
+Signed-off-by: Julien Cristau 
+Reviewed-by: Adam Jackson 
+(cherry picked from commit 402b329c3aa8ddbebaa1f593306a02d4cd6fed26)
+
+commit c821bd84e594e86d5dd766f680064e88a29a10d1
+Author: Julien Cristau 
+Date:   Wed Jan 26 13:06:53 2011 +0100
+
+glx: fix BindTexImageEXT length check
+
+The request is followed by a list of attributes.
+
+X.Org bug#33449
+
+Reported-and-tested-by: meng 
+Signed-off-by: Julien Cristau 
+Reviewed-by: Adam Jackson 
+(cherry picked from commit 1137c11be0f82049d28024eaf963c6f76e0d4334)
+
+commit 5b76d710d3cebbfb8a5f02eaa7920f73deadff21
+Author: Julien Cristau 
+Date:   Sun Jan 23 17:05:26 2011 +0100
+
+glx: fix request length check for CreateGLXPbufferSGIX
+
+The request is followed by an attribute list.
+
+Signed-off-by: Julien Cristau 
+Reviewed-by: Adam Jackson 
+(cherry picked from commit a883cf1545abd89bb2cadfa659718884b56fd234)
+
+commit 7ed56f793fe9bfe1fd2b70157523952cf6070fd8
+Author: Julien Cristau 
+Date:   Wed Nov 10 22:39:54 2010 +0100
+
+glx: validate numAttribs field before using it
+
+Reviewed-by: Kristian Høgsberg 
+Reviewed-by: Daniel Stone 
+Signed-off-by: Julien Cristau 
+(cherry picked from commit d9225b9602c85603ae616a7381c784f5cf5e811c)
+
+commit 4f6ee6177c76d480fe2c477b0ca19ad337928373
+Author: Julien Cristau 
+Date:   Sun Aug 22 16:20:45 2010 +0100
+
+glx: swap the request arrays entirely, not just half of them
+
+Various glx requests include a list of pairs of attributes.  We were
+only swapping the first half.
+
+Reviewed-by: Kristian Høgsberg 
+Reviewed-by: Daniel Stone 
+Signed-off-by: Julien Cristau 
+(cherry picked from commit 62319e8381ebd645ae36b25e5fc3c0e9b098387b)
+
+commit 00130263a222de904a4500c5410706aa5ec693dc
+Author: Julien Cristau 
+Date:   Sun Aug 22 00:50:05 2010 +0100
+
+glx: check request length before swapping
+
+Reviewed-by: Kristian Høgsberg 
+Reviewed-by: Daniel Stone 
+Signed-off-by: Julien Cristau 
+(cherry picked from commit 6c69235a9dfc52e4b4e47630ff4bab1a820eb543)
+
+commit 6ff0bcfcc0eb02640456beacaaa93ee762c84507
+Author: Julien Cristau 
+Date:   Sat Jul 3 19:47:55 2010 +0100
+
+
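Review bot: the CVE-2011-4028 entry near the top of this hunk says O_NOFOLLOW stops symbolic links from being followed, but O_NOFOLLOW only rejects a symlink in the final path component (open() fails with ELOOP); a symlink earlier in the path is still resolved, so the entry and the debian/changelog text should say the lock-file directory itself is assumed trustworthy. Both CVE entries also carry two "(cherry picked from ...)" lines each, which is fine for a chain of backports, but the diffstat shows only 4 changed lines in os/utils.c, so it is worth confirming in the actual os/utils.c hunk that both the O_NOFOLLOW open and the fchmod() replacement landed in the 1.7 branch.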