(2014/05/14 14:26), SAITOH Masanobu wrote:
Module Name: xsrc
Committed By: msaitoh
Date: Wed May 14 05:26:15 UTC 2014
Modified Files:
xsrc/external/mit/libXfont/dist/src/fc [netbsd-5-1]: fsconvert.c
fserve.c
xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-5-1]: dirfile.c
xsrc/xfree/xc/lib/font/fc [netbsd-5-1]: fsconvert.c fserve.c
xsrc/xfree/xc/lib/font/fontfile [netbsd-5-1]: dirfile.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1905):
src/sys/compat/linux/common/linux_exec_elf32.c 1.91 via patch
A specially-crafted binary could easily control a kernel array index.
Add some checks to ensure that nothing will be read outside the allocated
area. Rewrite the code so that we don't need to allocate the whole section.
Spotted by several developers, patch from chs@/enami@
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \
xsrc/external/mit/libXfont/dist/src/fc/fserve.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c
cvs rdiff -u -r1.4 -r1.4.24.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \
xsrc/xfree/xc/lib/font/fc/fserve.c
cvs rdiff -u -r1.4 -r1.4.12.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
The same as netbsd-5, this commit message was wrong. I fixed the message
with cvs admin -m.
------------
Pull up following revision(s) (requested by spz in ticket #1905):
xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c 1.2
xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.2
xsrc/xfree/xc/lib/font/fc/fsconvert.c 1.5
xsrc/xfree/xc/lib/font/fc/fserve.c 1.5
xsrc/xfree/xc/lib/font/fontfile/dirfile.c 1.5
Fix multiple vulnerabilities in libXfont:
- CVE-2014-0209: integer overflow of allocations in font metadata file parsing
When a local user who is already authenticated to the X server adds
a new directory to the font path, the X server calls libXfont to open
the fonts.dir and fonts.alias files in that directory and add entries
to the font tables for every line in it. A large file (~2-4 gb) could
cause the allocations to overflow, and allow the remaining data read
from the file to overwrite other memory in the heap.
Affected functions: FontFileAddEntry(), lexAlias()
- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
When parsing replies received from the font server, these calls do not
check that the lengths and/or indexes returned by the font server are
within the size of the reply or the bounds of the memory allocated to
store the data, so could write past the bounds of allocated memory when
storing the returned data.
Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
fs_read_list(), fs_read_list_info()
- CVE-2014-0211: integer overflows calculating memory needs for xfs replies
These calls do not check that their calculations for how much memory
is needed to handle the returned data have not overflowed, so can
result in allocating too little memory and then writing the returned
data past the end of the allocated buffer.
Affected functions: fs_get_reply(), fs_alloc_glyphs(),
fs_read_extent_info()
See also: http://lists.x.org/archives/xorg-announce/2014-May/002431.html
------------
--
-----------------------------------------------
SAITOH Masanobu (msai...@execsw.org
msai...@netbsd.org)
