Re: CVS commit: [netbsd-5-2] xsrc

2014-05-14 Thread Masanobu SAITOH

(2014/05/14 14:27), SAITOH Masanobu wrote:

Module Name:    xsrc
Committed By:   msaitoh
Date:   Wed May 14 05:27:33 UTC 2014

Modified Files:
xsrc/external/mit/libXfont/dist/src/fc [netbsd-5-2]: fsconvert.c
fserve.c
xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-5-2]: dirfile.c
xsrc/xfree/xc/lib/font/fc [netbsd-5-2]: fsconvert.c fserve.c
xsrc/xfree/xc/lib/font/fontfile [netbsd-5-2]: dirfile.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1905):
src/sys/compat/linux/common/linux_exec_elf32.c  1.91 via patch

A specially-crafted binary could easily control a kernel array index.
Add some checks to ensure that nothing will be read outside the allocated
area. Rewrite the code so that we don't need to allocate the whole section.

Spotted by several developers, patch from chs@/enami@


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \
 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \
 xsrc/external/mit/libXfont/dist/src/fc/fserve.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \
 xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c
cvs rdiff -u -r1.4 -r1.4.30.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \
 xsrc/xfree/xc/lib/font/fc/fserve.c
cvs rdiff -u -r1.4 -r1.4.18.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



As with netbsd-5, this commit message was wrong. I fixed the message
with cvs admin -m.


Pull up following revision(s) (requested by spz in ticket #1905):
xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c  1.2
xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c  1.2
xsrc/xfree/xc/lib/font/fc/fsconvert.c   1.5
xsrc/xfree/xc/lib/font/fc/fserve.c  1.5
xsrc/xfree/xc/lib/font/fontfile/dirfile.c   1.5

Fix multiple vulnerabilities in libXfont:

- CVE-2014-0209: integer overflow of allocations in font metadata file parsing

 When a local user who is already authenticated to the X server adds
 a new directory to the font path, the X server calls libXfont to open
 the fonts.dir and fonts.alias files in that directory and add entries
 to the font tables for every line in it.  A large file (~2-4 gb) could
 cause the allocations to overflow, and allow the remaining data read
 from the file to overwrite other memory in the heap.

 Affected functions: FontFileAddEntry(), lexAlias()

- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies

 When parsing replies received from the font server, these calls do not
 check that the lengths and/or indexes returned by the font server are
 within the size of the reply or the bounds of the memory allocated to
 store the data, so could write past the bounds of allocated memory when
 storing the returned data.

 Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
 fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
 fs_read_list(), fs_read_list_info()

- CVE-2014-0211: integer overflows calculating memory needs for xfs replies

 These calls do not check that their calculations for how much memory
 is needed to handle the returned data have not overflowed, so can
 result in allocating too little memory and then writing the returned
 data past the end of the allocated buffer.

 Affected functions: fs_get_reply(), fs_alloc_glyphs(),
 fs_read_extent_info()

See also: http://lists.x.org/archives/xorg-announce/2014-May/002431.html



--
---
SAITOH Masanobu (msai...@execsw.org
 msai...@netbsd.org)


Re: CVS commit: [netbsd-5-1] xsrc

2014-05-14 Thread Masanobu SAITOH

(2014/05/14 14:26), SAITOH Masanobu wrote:

Module Name:    xsrc
Committed By:   msaitoh
Date:   Wed May 14 05:26:15 UTC 2014

Modified Files:
xsrc/external/mit/libXfont/dist/src/fc [netbsd-5-1]: fsconvert.c
fserve.c
xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-5-1]: dirfile.c
xsrc/xfree/xc/lib/font/fc [netbsd-5-1]: fsconvert.c fserve.c
xsrc/xfree/xc/lib/font/fontfile [netbsd-5-1]: dirfile.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1905):
src/sys/compat/linux/common/linux_exec_elf32.c  1.91 via patch

A specially-crafted binary could easily control a kernel array index.
Add some checks to ensure that nothing will be read outside the allocated
area. Rewrite the code so that we don't need to allocate the whole section.

Spotted by several developers, patch from chs@/enami@


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \
 xsrc/external/mit/libXfont/dist/src/fc/fserve.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
 xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c
cvs rdiff -u -r1.4 -r1.4.24.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \
 xsrc/xfree/xc/lib/font/fc/fserve.c
cvs rdiff -u -r1.4 -r1.4.12.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



As with netbsd-5, this commit message was wrong. I fixed the message
with cvs admin -m.


Pull up following revision(s) (requested by spz in ticket #1905):
xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c  1.2
xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c  1.2
xsrc/xfree/xc/lib/font/fc/fsconvert.c   1.5
xsrc/xfree/xc/lib/font/fc/fserve.c  1.5
xsrc/xfree/xc/lib/font/fontfile/dirfile.c   1.5

Fix multiple vulnerabilities in libXfont:

- CVE-2014-0209: integer overflow of allocations in font metadata file parsing

 When a local user who is already authenticated to the X server adds
 a new directory to the font path, the X server calls libXfont to open
 the fonts.dir and fonts.alias files in that directory and add entries
 to the font tables for every line in it.  A large file (~2-4 gb) could
 cause the allocations to overflow, and allow the remaining data read
 from the file to overwrite other memory in the heap.

 Affected functions: FontFileAddEntry(), lexAlias()

- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies

 When parsing replies received from the font server, these calls do not
 check that the lengths and/or indexes returned by the font server are
 within the size of the reply or the bounds of the memory allocated to
 store the data, so could write past the bounds of allocated memory when
 storing the returned data.

 Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
 fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
 fs_read_list(), fs_read_list_info()

- CVE-2014-0211: integer overflows calculating memory needs for xfs replies

 These calls do not check that their calculations for how much memory
 is needed to handle the returned data have not overflowed, so can
 result in allocating too little memory and then writing the returned
 data past the end of the allocated buffer.

 Affected functions: fs_get_reply(), fs_alloc_glyphs(),
 fs_read_extent_info()

See also: http://lists.x.org/archives/xorg-announce/2014-May/002431.html


--
---
SAITOH Masanobu (msai...@execsw.org
 msai...@netbsd.org)


Re: CVS commit: [netbsd-5] xsrc

2014-05-14 Thread Masanobu SAITOH

(2014/05/14 14:24), SAITOH Masanobu wrote:

Module Name:    xsrc
Committed By:   msaitoh
Date:   Wed May 14 05:24:26 UTC 2014

Modified Files:
xsrc/external/mit/libXfont/dist/src/fc [netbsd-5]: fsconvert.c fserve.c
xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-5]: dirfile.c
xsrc/xfree/xc/lib/font/fc [netbsd-5]: fsconvert.c fserve.c
xsrc/xfree/xc/lib/font/fontfile [netbsd-5]: dirfile.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1905):
src/sys/compat/linux/common/linux_exec_elf32.c  1.91 via patch

A specially-crafted binary could easily control a kernel array index.
Add some checks to ensure that nothing will be read outside the allocated
area. Rewrite the code so that we don't need to allocate the whole section.

Spotted by several developers, patch from chs@/enami@


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.2 \
 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \
 xsrc/external/mit/libXfont/dist/src/fc/fserve.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.2 \
 xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c
cvs rdiff -u -r1.4 -r1.4.20.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \
 xsrc/xfree/xc/lib/font/fc/fserve.c
cvs rdiff -u -r1.4 -r1.4.8.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Sorry, this commit message was wrong. I fixed the message
with cvs admin -m.


Pull up following revision(s) (requested by spz in ticket #1905):
xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c  1.2
xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c  1.2
xsrc/xfree/xc/lib/font/fc/fsconvert.c   1.5
xsrc/xfree/xc/lib/font/fc/fserve.c  1.5
xsrc/xfree/xc/lib/font/fontfile/dirfile.c   1.5

Fix multiple vulnerabilities in libXfont:

- CVE-2014-0209: integer overflow of allocations in font metadata file parsing

 When a local user who is already authenticated to the X server adds
 a new directory to the font path, the X server calls libXfont to open
 the fonts.dir and fonts.alias files in that directory and add entries
 to the font tables for every line in it.  A large file (~2-4 gb) could
 cause the allocations to overflow, and allow the remaining data read
 from the file to overwrite other memory in the heap.

 Affected functions: FontFileAddEntry(), lexAlias()

- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies

 When parsing replies received from the font server, these calls do not
 check that the lengths and/or indexes returned by the font server are
 within the size of the reply or the bounds of the memory allocated to
 store the data, so could write past the bounds of allocated memory when
 storing the returned data.

 Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
 fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
 fs_read_list(), fs_read_list_info()

- CVE-2014-0211: integer overflows calculating memory needs for xfs replies

 These calls do not check that their calculations for how much memory
 is needed to handle the returned data have not overflowed, so can
 result in allocating too little memory and then writing the returned
 data past the end of the allocated buffer.

 Affected functions: fs_get_reply(), fs_alloc_glyphs(),
 fs_read_extent_info()

See also: http://lists.x.org/archives/xorg-announce/2014-May/002431.html



--
---
SAITOH Masanobu (msai...@execsw.org
 msai...@netbsd.org)
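
Added example, not part of the thread and not libXfont code: a C reply parser that applies the two checks the CVE-2014-0210 and CVE-2014-0211 descriptions above say were missing, rejecting a size computation that would wrap and a declared length that exceeds the bytes actually received, before anything is allocated or copied. The reply layout, `parse_reply()` and the sample byte arrays are constructed for illustration and are not the xfs wire format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout, NOT the real xfs wire format: 4-byte little-endian item
 * count, 4-byte item size, then count * item_size payload bytes. */
#define HDR_LEN 8u

/* Constructed samples: a well-formed reply, and one whose count * item_size
 * (0x40000001 * 4) wraps to 4 in 32-bit arithmetic. */
static const unsigned char good_reply[] = {2,0,0,0, 2,0,0,0, 'a','b','c','d'};
static const unsigned char wrap_reply[] = {1,0,0,0x40, 4,0,0,0, 'a','b','c','d'};

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copy a reply's payload into a new buffer; 0 on success, -1 if rejected. */
int parse_reply(const unsigned char *buf, size_t buf_len,
                unsigned char **items, size_t *items_len)
{
    *items = NULL;
    *items_len = 0;
    if (buf_len < HDR_LEN)
        return -1;                  /* truncated header */
    size_t count = rd32(buf), size = rd32(buf + 4);
    if (count != 0 && size > SIZE_MAX / count)
        return -1;                  /* count * size would wrap size_t */
    size_t need = count * size;
    if (need == 0 || need > buf_len - HDR_LEN)
        return -1;                  /* empty, or longer than the data received */
    if ((*items = malloc(need)) == NULL)
        return -1;
    memcpy(*items, buf + HDR_LEN, need);
    *items_len = need;
    return 0;
}

int main(void)
{
    unsigned char *p;
    size_t n;
    int ok = parse_reply(wrap_reply, sizeof wrap_reply, &p, &n) == -1 &&
             parse_reply(good_reply, sizeof good_reply, &p, &n) == 0 && n == 4;
    free(p);
    return ok ? 0 : 1;
}
```

Where `size_t` is 64 bits the product of two 32-bit fields cannot wrap, so `wrap_reply` is rejected by the comparison against the received length instead; both checks are needed for the parser to be safe on either word size.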