xorg-server: Changes to 'debian-unstable'
ChangeLog | 624 +++++++++++++++++++++++++++++++++++
Xext/EVI.c | 15
Xext/cup.c | 3
Xext/sampleEVI.c | 29 +
Xext/security.c | 4
Xext/shm.c | 50 ++
Xi/chgfctl.c | 7
Xi/chgkmap.c | 13
Xi/chgprop.c | 10
Xi/grabdev.c | 12
Xi/grabdevb.c | 10
Xi/grabdevk.c | 9
Xi/selectev.c | 11
Xi/sendexev.c | 14
debian/changelog | 11
debian/patches/15_CVE-2007-6427.diff | 241 -------------
debian/patches/16_CVE-2007-6428.diff | 12
debian/patches/17_CVE-2007-6429.diff | 190 ----------
debian/patches/18_CVE-2007-5760.diff | 13
debian/patches/19_CVE-2007-5958.diff | 20 -
debian/patches/20_CVE-2008-0006.diff | 18 -
debian/patches/series | 6
dix/dixfonts.c | 7
hw/kdrive/ephyr/ephyr.c | 1
hw/xfree86/common/xf86MiscExt.c | 4
os/io.c | 2
xkb/xkbUtils.c | 1
27 files changed, 764 insertions(+), 573 deletions(-)
New commits:
commit b1b9dbdabfbea6160b4c0021038b068b865b3e6b
Author: Julien Cristau <jcristau@debian.org>
Date: Fri Jan 18 21:15:47 2008 +0100
Update changelogs, and drop security patches applied upstream.
diff --git a/ChangeLog b/ChangeLog
index ebd8bff..fc6cf38 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,627 @@
+commit b6d4cdf64f43ae805beada6122c8be2ed138742c
+Author: Adam Jackson <ajax@redhat.com>
+Date: Fri Jan 18 14:41:20 2008 -0500
+
+ CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps.
+
+ Move size validation after depth validation, and only validate size if
+ the bpp of the pixmap format is > 8. If bpp < 8 then we're already
+ protected from overflow by the width and height checks.
+ (cherry picked from commit e9fa7c1c88a8130a48f772c92b186b8b777986b5)
+
+commit 19b95cdd1d14a1e7d1abba1880ab023c96f19bf5
+Author: Matthieu Herrb <matthieu@bluenote.herrb.com>
+Date: Thu Jan 17 17:03:39 2008 +0100
+
+ Fix for CVE-2007-5958 - File existence disclosure.
+
+commit f09b8007e7f6e60e0b9c9665ec632b578ae08b6f
+Author: Matthieu Herrb <matthieu@bluenote.herrb.com>
+Date: Thu Jan 17 15:29:06 2008 +0100
+
+ Fix for CVE-2008-0006 - PCF Font parser buffer overflow.
+
+commit 8b14f7b74284900b95a319ec80c4333e63af2296
+Author: Matthieu Herrb <matthieu@bluenote.herrb.com>
+Date: Thu Jan 17 15:28:42 2008 +0100
+
+ Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
+
+commit d244c8272e0ac47c41a9416e37293903b842a78b
+Author: Matthieu Herrb <matthieu@bluenote.herrb.com>
+Date: Thu Jan 17 15:27:34 2008 +0100
+
+ Fix for CVE-2007-6427 - Xinput extension memory corruption.
+
+commit 4848d49d05a318559afe7a17a19ba055947ee1f5
+Author: Matthieu Herrb <matthieu@bluenote.herrb.com>
+Date: Thu Jan 17 15:28:03 2008 +0100
+
+ Fix for CVE-2007-6428 - TOG-cup extension memory corruption.
+
+commit 59a3b83922c810316a374a19484b24901c7437ae
+Author: Matthieu Herrb <matthieu@bluenote.herrb.com>
+Date: Thu Jan 17 15:26:41 2008 +0100
+
+ Fix for CVE-2007-5760 - XFree86 Misc extension out of bounds array index
+
+commit 636aa9e7be2822a0148067a11499ad48fe682cd9
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sat Jan 5 10:47:39 2008 +0200
+
+ Xephyr: One-time keyboard leak fix
+
+ Don't leak the originally-allocated keysym map.
+ (cherry picked from commit e85130c85f727466fc27be1cfa46c88b257499fb)
+
+commit 8a3acd3ec41b887b4aeaa0b2932265522c1e2836
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sat Jan 5 10:43:53 2008 +0200
+
+ XKB: XkbCopyKeymap: Don't leak all the sections
+
+ Previously, we'd just keep num_sections at 0, which would break the
+ geometry and lead us to leak sections. Don't do that.
+ (cherry picked from commit 0137b0394a248f694448a7d97c9a1a3efcf24e81)
+
+commit 02e805f0ff4b6af551372ba5fc5fb369c8834d1d
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sat Jan 5 10:38:16 2008 +0200
+
+ OS: IO: Zero out client buffers
+
+ For alignment reasons, we can write out uninitialised bytes, so allocate
+ the whole thing with xcalloc.
+ (cherry picked from commit b99a43dfe97c1813e1c61f298b1c83c5d5ca88a2)
+
+commit 60144ac814ee26e151186f7c93cb1a273468d497
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Wed Dec 19 16:20:36 2007 +1030
+
+ include: never overwrite realInputProc with enqueueInputProc. Bug #13511
+
+ In some cases (triggered by a key repeat during a sync grab) XKB unwrapping
+ can overwrite the device's realInputProc with the enqueueInputProc. When the
+ grab is released and the events are replayed, we end up in an infinite loop.
+ Each event is replayed and in replaying pushed to the end of the queue again.
+
+ This fix is a hack only. It ensures that the realInputProc is never
+ overwritten with the enqueueInputProc.
+
+ This fixes Bug #13511 (https://bugs.freedesktop.org/show_bug.cgi?id=13511)
+ (cherry picked from commit eace88989c3b65d5c20e9f37ea9b23c7c8e19335)
+ (cherry picked from commit 50e80c39870adfdc84fdbc00dddf1362117ad443)
+
+commit 102c012c206cbb3bbf0fa5b0c8f0ce2ce9bba72a
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Fri Dec 28 15:49:50 2007 +0200
+
+ Input: Don't reinit devices
+
+ If a device is already initialised (i.e. the virtual core devices) during
+ IASD, don't init them again. This fixes a leak.
+ (cherry picked from commit 1f6015c8fe62c28cfaa82cc855b5b9c28fd34607)
+
+commit a304fc1d4a7062f65161ef8748fd358639ec73de
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Fri Dec 28 15:48:57 2007 +0200
+
+ KDrive: Xephyr: Don't leak screen damage structure
+ (cherry picked from commit 0b03d97a244540824c922c300adbc3d3ae4855d5)
+
+commit 38d8cfaaff0ae6273d9e921aae08b2706355f0d2
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Fri Dec 28 15:48:25 2007 +0200
+
+ OS: Don't leak connection translation table on regeneration
+ (cherry picked from commit e868e0bc0d2318e62707d3ae68532b0029959154)
+
+commit 30fc8053a5e734c3b70156bdae94fd7d5d7865a5
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Fri Dec 28 15:47:57 2007 +0200
+
+ Config: HAL: Don't leak options on failure to add device
+
+ This showed up in Xephyr in particular, which denies new device requests.
+ (cherry picked from commit 2bb199056edf6c63cf978d1a8ad49a57ce1938f3)
+
+commit 81c5950d0af8d5859f850b98c98a532784e9a757
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Fri Dec 28 15:47:21 2007 +0200
+
+ Config: D-Bus: Don't leak timers
+
+ TimerCancel doesn't free the timer: you need TimerFree for that.
+ (cherry picked from commit 25deaa7e6b29b3913b35efa39b9c8b25de5e6d95)
+
+commit d988da6eee8422774dff364050bf431b843a714a
+Author: Arkadiusz Miskiewicz <arekm@maven.pl>
+Date: Thu Dec 13 00:09:08 2007 +0200
+
+ Xprint: Clean up generated files
+
+ Remember to clean generated wrapper files.
+ (cherry picked from commit 977fcdea8198906936a64b8117e6a6d027c617e3)
+
+commit 41f735fbe02f59bc7bcca335c6e743c72c2fc44c
+Author: Hong Liu <hong.liu@intel.com>
+Date: Tue Sep 4 08:46:46 2007 +0100
+
+ bgPixel (unsigned long) is 64-bit on x86_64, so -1 != 0xffffffff
+
+ This patch should fix bug 8080.
+ (cherry picked from commit 9adea807038b64292403ede982075fe1dcfd4c9a)
+
+commit f4bcb53e86bb103b6bcf8a3a170a36137c34d272
+Author: Hong Liu <hong.liu@intel.com>
+Date: Wed Dec 5 17:48:28 2007 +0100
+
+ Bug 13308: Verify and reject obviously broken modes.
+ (cherry picked from commit c6cfcd408df3e44d0094946c0a7d2fa944b4d2d1)
+
+commit d63efecc9471ac53535932b80a85b7f408f06fb9
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Wed Dec 12 21:57:59 2007 +0200
+
+ Bump to 1.4.0.90
+
+commit 446efcc554195970cb3ddcd992f7aac617d45b1d
+Author: Bartosz Fabianowski <freebsd@chillt.de>
+Date: Fri Dec 7 02:38:14 2007 +0000
+
+ Input: Fix proximity events with valuators
+
+ Initialise num_events to 1, so we always send a proximity event, and then
+ optionally valuator events. Also make sure mieq can deal with valuator
+ events sent after proximity events.
+ (cherry picked from commit 2dcfab37d38c0c72e9be7cc724047405c8029e88)
+
+commit 9f4689173ef9db080592497dc2212ae79b8d6e02
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Thu Dec 6 00:46:32 2007 +0000
+
+ KDrive: Xephyr: Fix non-GLX builds
+
+ Only set noGlxExtension if we're actually building GLX.
+
+commit d37351308b255d5f9bff3438b6767c62974902da
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Wed Dec 5 19:37:48 2007 +0000
+
+ XKB: Actions: Don't run certain actions on the core keyboard
+
+ Don't run VT switches, terminations, or anything, on the core keyboard: only
+ run actions which affect the keyboard state. If we get an action such as VT
+ switch, just swallow the event.
+ (cherry picked from commit 320abd7d1d906807448fa01ad3377daf707f46cc)
+
+commit 27da1367c9ea143946b8b8d3dbd0f9d44c4a9039
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Wed Dec 5 19:36:59 2007 +0000
+
+ WaitForSomething: Ignore EAGAIN
+
+ If select ever returns EAGAIN, don't bother complaining.
+ (cherry picked from commit 85dd8efac1bc0715f03c99d261b1c5d0980623e1)
+
+commit 259f86b13b453f3503afd3d523de32b43996d334
+Author: Rich Coe <Richard.Coe@med.ge.com>
+Date: Wed Dec 5 19:36:37 2007 +0000
+
+ OS: Connection: Keep trying select while it gets interrupted (bug #9240)
+
+ If we got interrupted (EINTR or EAGAIN) during select, just try again, rather
+ than shutting clients down on either of these errors.
+ (cherry picked from commit b7f3618f3933a810778093fd47564a1e3bf3fde6)
+
+commit 90649e6a39dc6caad8313b25ef869a089f81aba7
+Author: Rich Coe <Richard.Coe@med.ge.com>
+Date: Wed Dec 5 19:31:07 2007 +0000
+
+ OS: Connection: Don't shut down disappeared clients (bug #7876)
+
+ If a client disappears in the middle of CheckConnections (presumably
+ because its appgroup leader disappears), then don't attempt to shut it down
+ a second time, when it's already vanished.
+ (cherry picked from commit d8b2cad3771a09860e7be1726f67e684cf7caeec)
+
+commit 25d26b55e74b50a2fd0632329cb0bdca017fe8e6
+Author: Kanru Chen <koster@debian.org.tw>
+Date: Mon Dec 3 12:46:45 2007 +0000
+
+ Config: HAL: Fix XKB option parsing
+
+ Actually combine the XKB options into a string, rather than just repeatedly
+ writing a comma.
+ (cherry picked from commit da893908feb2dcf7c22420b3426ab3ac65c7ca99)
+
+commit b037e4a5abb878ad89e7f27c2b6c23004625f6c3
+Author: Peter Harris <peter.harris@hummingbird.com>
+Date: Mon Oct 29 18:05:19 2007 -0400
+
+ Add missing swaps in panoramiXSwap.c
+ (cherry picked from commit cb67a10b7f6f564e0345de19316934361ea28720)
+
+commit 3e0993fcf38e47dd42c27a2dcb5dde7d23222ca8
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Fri Nov 30 20:35:26 2007 +0200
+
+ ProcessOtherEvent: Don't do double translation of button events
+
+ We already deal with the button mapping in GetPointerEvents, so don't
+ do the remapping again in ProcessOtherEvent.
+ (cherry picked from commit 7ff002fe3e229330216d7f2ff16cdabe63014bcd)
+
+commit cbf775cde7bb737ddf71fa3aa5b08c859d516084
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Sat Nov 17 22:50:07 2007 +0100
+
+ XKB: Generate correct key repeat events (bug #13114)
+
+ Make sure we send the correct event for the type of device when we're
+ sending key repeat events, which stops repeats being sent to incorrect
+ windows.
+
+commit 3e987ea670aadefeb3a6ad05d9a39dd7902985f9
+Author: Michel Dänzer <michel@tungstengraphics.com>
+Date: Thu Oct 18 17:44:14 2007 +0200
+
+ EXA: Don't attempt to move in pixmaps that can't be accelerated.
+
+ Fixes https://bugs.freedesktop.org/show_bug.cgi?id=12815 .
+
+ (Related to commit 5d74416740de883b7ef0994afea4bbd4d3901be0 on master.)
+
+commit 75b9dc907b332d64d074083cae0c6b099960f09b
+Author: Michel Dänzer <michel@tungstengraphics.com>
+Date: Thu Sep 27 13:08:41 2007 +0200
+
+ EXA: Make sure tile offsets passed to drivers are never negative.
+
+ Thanks to Björn Steinbrink for pointing out the problem on IRC.
+
+ (cherry picked from commit 006f6525057970a74382132237b2131286ad147c with
+ modifications.)
+
+commit 732d586b0919e57ed836999f4117db3e776e2934
+Author: Michel Dänzer <michel@tungstengraphics.com>
+Date: Thu Sep 27 13:08:40 2007 +0200
+
+ EXA: Punt on fallback case not handled correctly in exaFillRegionTiled.
+
+ Fixes http://bugs.freedesktop.org/show_bug.cgi?id=12520 .
+
+ (From master commit c7d6d1f5, modified to suit.)
+
+commit a3aed33244914b64d08630e19100c71ab81e1a81
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sat Nov 17 22:34:47 2007 +0100
+
+ XKB: Don't ring the bell when we don't have a BellProc (bug #13246)
+ (cherry picked from commit 55888552769ce6361174285b09dfb78ee22c170d)
+
+commit f3a5d67688a0f691ef23cb44b1fdda190b5b8bef
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sun Sep 23 12:43:31 2007 +0300
+
+ GetKeyboardEvents: Reject out-of-range keycodes (bug #12528)
+
+ We can only deal with keycodes between 8 and 255, so make sure that we never
+ accept anything out of this range.
+ (cherry picked from commit 0e800ca4651a947ccef239e6fe7bf64aab92257c)
+
+commit 35bf7c738a8286a382aeef38c0f035773b3ab96a
+Author: Naoki Hamada <nao@tom-yam.or.jp>
+Date: Thu Oct 25 18:45:50 2007 +0300
+
+ Input: Fix key down test (bug #12858)
+
+ Fix the botched previous key_is_down test, which would give false positives.
+ Also move key_autorepeats to a separate inline function.
+ (cherry picked from commit 242f56f722243938e908d1957781ee53c2999783)
+
+commit b3de1b9d375c98b72c88991ac2011e492254c61f
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Fri Oct 26 09:12:15 2007 +0300
+
+ XFree86 Misc/VidMode: Remove ridiculous debug ErrorFs
+
+ When we're building with --enable-debug, don't emit an ErrorF every time a
+ function gets called.
+ (cherry picked from commit 6d59bb5709a99ab60b482bbf3393ebffda7f9407)
+
+commit 007e2239cf65535c4df3486e7b2cc42a4e86eb56
+Author: Dodji Seketeli <dodji@seketeli.org>
+Date: Mon Nov 12 20:29:12 2007 +0100
+
+ Xephyr: don't initialise the GLX extension
+
+commit 7f231de5e05a8755d76e18595c57baf2e239a4be
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Tue Nov 6 15:05:06 2007 +0000
+
+ .gitignore: Ignore build directories
+
+ Ignore directories people might use for building.
+ (cherry picked from commit 36df34cffd0cfcfb250fb42596781b3d4e9871eb)
+
+commit 4c20d6104691b370f14216035b5ff07ad5633098
+Author: Alan Coopersmith <alan.coopersmith@sun.com>
+Date: Fri Aug 17 15:29:16 2007 -0700
+
+ Actually build Secure RPC authentication support (missed in modularization)
+ (cherry picked from commit 23fbd5292d356067e85e1eec4eb4f743532b0503)
+
+commit f350c81a912cf5eab8d88a7800a828141945a2f0
+Author: Matthias Hopf <mhopf@suse.de>
+Date: Wed Oct 24 20:31:51 2007 +0200
+
+ Prefer configured DisplaySize to probed DDC data, if available.
+
+ Based on patch by Hong Liu <hong.liu@intel.com>.
+ (cherry picked from commit 48ca5961caee62f2980017a6bdc96a1b4c747727)
+
+commit c5501865703d5d4ee49e081b6075ab89a583deb6
+Author: Keith Packard <keithp@koto.keithp.com>
+Date: Sun Aug 19 20:29:37 2007 -0700
+
+ Screen size changing should leave FB alone when X is inactive.
+
+ xf86RandR12ScreenSetSize must protect calls to EnableDisableFBAccess with
+ suitable vtSema checks to avoid invoking driver code while the X server is
+ inactive.
+ (cherry picked from commit 265a633cf1fcbf497d6916d9e22403dffdde2e07)
+
+commit 9244b8e4a2274946b56d9cf6d43487e11c29f7d7
+Author: Elvis Pranskevichus <el@prans.net>
+Date: Tue Nov 6 09:40:14 2007 +0000
+
+ Config: D-Bus: Fix dbus_bus_request_name failure check
+
+ The code in connect_hook incorrectly checks for dbus_bus_request_name failure.
+ The dbus_bus_request_name error indicator is -1, not 0. This leads
+ to subsequent assertion failure in libdbus.
+ (cherry picked from commit ddce48ede036f3996f8e584b0012c396c5df42fb)
+
+commit 0050d7e78d990fa945bd808554b0a86721262786
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Tue Nov 6 14:52:03 2007 +0000
+
+ DIX: XKB: Set xkbInfo to NULL as well as freeing it (bug #10639)
+
+ XkbRemoveResourceClient wants to access xkbInfo if it exists, so make
+ sure we NULL it after freeing it. It doesn't make much sense to move
+ the RemoveResourceClient call first, as there's not much point in
+ notifying clients while we're shutting the server down anyway.
+ (cherry picked from commit 23023af1c5a33546a2027cad23a946a2882e9893)
+
+commit 846745c58108856e5fc1b6d94c91a245cbc4f16f
+Author: Markku Vire <markku.vire@movial.fi>
+Date: Thu Nov 1 22:43:04 2007 +0200
+
+ Config: HAL: Touchpads are pointers too
+
+ Treat touchpads -- not just mice -- as pointer devices.
+ (cherry picked from commit 3f1b6765aadf665ede8253464da19a5878f16e56)
+
+commit ab80b27250bb583e3a40bf92cfe5edc117e4bd58
+Author: Mark Vytlacil <mrv@wi.rr.com>
+Date: Thu Nov 1 21:05:43 2007 +0200
+
+ XFree86: Input: Save/restore errno around SIGIO (bug #10683)
+
+ Make sure errno is saved and restored from the SIGIO handler, so errors
+ from system calls in input handlers don't break the interrupted code.
+ (cherry picked from commit 41c3069f7cf28155f8e6cfe0c10a12a1f5f76c7d)
+
+commit ad05d5d035b32b05d304b2fc598f6fadeb077516
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sun Sep 23 17:17:03 2007 +0300
+
+ Input: Generate XKB mapping changes for all core-sending devices (bug #12523)
+
+ When we change the mapping on a core device, make sure we propagate this
+ through to XKB for all extended devices as well.
+ (cherry picked from commit 27ad5d74c20f01516a1bff73be283f8982fcf0fe)
+
+commit 84040b655e3ea9188a6c9d6dafea429ffc4690de
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Thu Sep 6 18:57:00 2007 +0930
+
+ xfree86: wrap keyboard devices for XKB.
+
+ Call ProcessOtherEvents first, then for all keyboard devices let them be
+ wrapped by XKB. This way all XI events will go through XKB.
+
+ Note that the VCK is still not wrapped, so core events will bypass XKB.
+
+ (cherry picked from commit d627061b48ae06d27b37be209d67a3f4f2388dd3)
+ (cherry picked from commit 8ead41388e36e21eea6fa0408c847f174911eab0)
+
+commit e26e93c54e54ab4010dfdede47c3e56e4418bcbd
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sat Oct 27 21:32:47 2007 +0300
+
+ XKB: Cope with all events in XkbProcessKeyboardEvent
+
+ Cope with Xi and pointer events in the (now increasingly misnamed)
+ XkbProcessKeyboardEvent. If it's the wrong type, call through the wrapping
+ chain to get out; else, process it.
+ (cherry picked from commit e717cf08e99746761d74289c426bbd84176f4435)
+
+commit 37c690cfa4e9055209732ab5431fffb8886c7d67
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sat Oct 27 21:31:39 2007 +0300
+
+ XKB: Don't update indicators on all devices, add missing include file
+
+ Don't get XkbUpdateIndicators to update the indicators on all our devices: we
+ already deal with that ourselves.
+ Add exevents.h include to get more (proto)types.
+ (cherry picked from commit 9db8846fa53d91193bbfe541b244e2326440011d)
+
+commit 1dce9c20283279eac4d6e5cafc4f73a333548c07
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Wed Sep 26 18:04:59 2007 +0930
+
+ xkb: Unwrap properly in ProcessPointerEvent.
+
+ Instead of hardcoding CoreProcessPointerEvent, actually try to unwrap properly
+ and then call the unwrapped processInputProc. Seems to be a better idea,
+ especially since it makes stuff actually work...
+ (cherry picked from commit 8f9bf927e1beecf9b9ec8877131ec12c765e4d84)
+ (cherry picked from commit ee3aa948eb8ed181d037294ed87df6ceec81684e)
+
+commit 940cce1f4856a3ffc6fdba9c807c8238ed1acf8b
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Thu Sep 27 11:44:03 2007 +0930
+
+ xkb: xkbHandleActions: let wrapping take care of event delivery.
+
+ This is hopefully better than hardcodey calling CoreProcessPointerEvent.
+ (cherry picked from commit 32d0440c7f6e604807cb14dd32349df6f22c903b)
+ (cherry picked from commit d3588a0aee33fbd233082f881c0d37152c6d4d8b)
+
+commit 5909fb3c406356505440af8d53785d9ee06ab9be
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Wed Sep 12 17:40:11 2007 +0930
+
+ dix: don't compress motion events from different devices (EventEnqueue)
+
+ (cherry picked from commit 8840829ab93c4eb62eb58753c015da5307133fe5)
+ (cherry picked from commit 352c5a311200bf491153fe9ef16126c5877a57bb)
+
+commit 600752bece350592f374470dd54b9e1cd2900d0b
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Thu Sep 6 18:52:02 2007 +0930
+
+ dix: add XI event support to FixKeyState.
+
+ FixKeyState needs to be able to handle XI events, otherwise we get "impossible
+ keyboard events" on server zaps and other special key combos.
+ (cherry picked from commit 5ee409794ee604fcf84886f70429fc2d6b1ff4f1)
+ (cherry picked from commit 8d3d027062c105b50863dce43b8070ec560bc12e)
+
+commit 15117d47bf883f3eefc57404f1dfc0c933ab054a
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Thu Sep 6 18:49:57 2007 +0930
+
+ xkb: enable XI event processing for xkb.
+
+ XI events can now take the same processing paths as core events, and should do
+ the correct state changes etc.
+
+ There's some cases where XKB will use KeyPress as type for an event to be
+ delivered to the client. Stuck warnings in, not sure what the correct solution
+ is yet.
+
+ (cherry picked from commit 6334d4e7be18de5f237c12a6dc20f75aa23477d0 with some
+ additional compile fixes and non-MPX adaptations)
+ (cherry picked from commit 99e826e867c1c5520153c539ba07a884aec88d0c)
+
+commit 83e76fb3f7a89a237893c2b7df450d4f90eab52d
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Thu Jun 21 18:24:30 2007 +0930
+
+ Save processInputProc before wrapping it and restore it later, instead of
+ using a hardcoded ProcessKeyboardEvent. Otherwise we lose the ability to
+ process DeviceKeyEvents after the first key press.
+
+ This should be the correct fix now.
+ (cherry picked from commit 4d5df14f2c4a3108a8c8adfcf4766c0d1a9daad2)
+ (cherry picked from commit 91077bfc50d54be37c217e377c55b6bf886a2fab)
+
+commit a53172827c69a88155a088843c9a3e8a7a7a0463
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Tue Sep 4 17:44:51 2007 +0930
+
+ xkb: Store the action filters per device in the XkbSrvInfoRec.
+
+ Using a global array for action filters is bad. If two keyboard hit a modifier
+ at the same time, releaseing the first one will deactivate the filter and
+ thus the second keyboard can never release the modifier again.
+ (cherry picked from commit bfe6b4d2d9952a80f8dbc63eec974ef894e5c226)
+ (cherry picked from commit 8b9481a113b56078191e2298bf590905978f6289)
+
+commit b76b1d51fe3053fa2a60b64de9ac93f50ef252f5
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sat Oct 27 21:33:52 2007 +0300
+
+ XFree86: Remove ridiculous SIGIO debugging
+
+ YOU PRESSED A KEY
+ AND AGAIN
+ YOU RELEASED A KEY
+ AND AGAIN
+ YOU PRESSED A KEY
+ AND AGAIN
+
+ ... not so much.
+ (cherry picked from commit 493b83bd097372ae0023da9919da83af39e3fc1c)
+
+commit b600e7c123ce637359a75c43bf67b3462eadb37e
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sat Oct 27 21:35:31 2007 +0300
+
+ XKB: Add more bits to xkbsrv.h
+
+ Add the device private index, given we use that in a macro here, and also the
+ prototype for xkbUnwrapProc, since that's also useful.
+ (cherry picked from commit a3d48de5f2b7eacf3193c60f0fb461912201210b)
+
+commit 63c6d9d622a10303f594a07bd86dda8e5f894ca7
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sat Oct 27 21:34:22 2007 +0300
+
+ Xi: Include XI protocol header in exevents.h
+
+ Make sure we have all the types we need to use this header.
+ (cherry picked from commit e29e69960d67aa4b7a4d1551af509dbac193f438)
+
+commit bd779f8cde1c71a0db8470b8c993504da7c1104e
+Author: Daniel Stone <daniel@fooishbar.org>
+Date: Sun Oct 28 15:46:26 2007 +0200
+
+ configure.ac/XFree86: Only build XF86Misc and XF86VidMode when appropriate
+
+ Don't build XF86Misc or XF86Vidmode in hw/xfree86/dixmod when it's been
+ explicitly disabled in configure, or we don't have the proto modules
+ installed.
+
+ (cherry picked from commit df57ae1639ba4f1719883c5bf868394e4748a022)
+
+commit 881e4fb518c7ed4c95882368356901c1ec4b6abf
+Author: Aaron Plattner <aplattner@nvidia.com>
+Date: Thu Sep 20 14:00:33 2007 -0700
+
+ Set noCompositeExtension to TRUE when failing to initialize the extension (e.g. when Xinerama is enabled).
+ (cherry picked from commit 50fa8722d35c12e5f0322cebe25faf99c39d4f50)
+
+commit ce55565ecd0411065878fa7c9983606d53663b7c
+Author: Aaron Plattner <aplattner@nvidia.com>
+Date: Thu Sep 20 16:22:24 2007 -0700
+
+ Don't segfault on shutdown if we never managed to connect to dbus.
+ (cherry picked from commit 3a965fdadccea7beff09a28c9c0ef4b4975eae38)
+
+commit eba45539af33f7d312bcfee954786fe38ab8f391
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Thu Aug 30 18:22:12 2007 +0930
+
+ config: Use [config/dbus] consistently for error messages.
+ (cherry picked from commit 3f42af8c0ef1e5379bc836f589e0cbee43c02ac5)
+
+commit c0da35bda136ed423f2963bd5c75ad0301ac7845
+Author: Peter Hutterer <peter@cs.unisa.edu.au>
+Date: Thu Aug 30 18:20:20 2007 +0930
+
+ config: return BadValue to caller if add/remove doesn't have parameters.
+
+ If message iterator cannot be created, the caller didn't supply any
+ parameters. Return BadValue, instead of dying a horrible death while being
+ stuck in an endless loop.
+ (cherry picked from commit 0fcde83d94507eadd9f99d4e6a63584b221c989c)
+
commit 99dd8b9414d1eb7aabc682be0b9cfd7a27eb2a6b
Author: Eric Anholt <eric@anholt.net>
Date: Thu Sep 6 01:42:43 2007 -0700
diff --git a/debian/changelog b/debian/changelog
index d724733..3f86ce6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,16 @@
-xorg-server (2:1.4.1~git20080105-3) UNRELEASED; urgency=low
+xorg-server (2:1.4.1~git20080118-1) UNRELEASED; urgency=low
+ [ Brice Goglin ]
* Add 42_dont_break_grab_and_focus_for_window_when_redirecting.diff
to prevent password authentication bypass, closes: #449108.
- -- Brice Goglin <bgoglin@debian.org> Thu, 17 Jan 2008 20:24:54 +0100
+ [ Julien Cristau ]
+ * New upstream snapshot
+ + includes the security fixes from the previous version
+ + fixes regression introduced by the fix for CVE-2007-6429 in the MIT-SHM
+ extension (closes: #461410)
+
+ -- Julien Cristau <jcristau@debian.org> Fri, 18 Jan 2008 21:12:00 +0100
xorg-server (2:1.4.1~git20080105-2) unstable; urgency=low
diff --git a/debian/patches/15_CVE-2007-6427.diff b/debian/patches/15_CVE-2007-6427.diff
deleted file mode 100644
index da62c5e..0000000
--- a/debian/patches/15_CVE-2007-6427.diff
+++ /dev/null
@@ -1,241 +0,0 @@
-#
-# Updated but not checked in:
-# (will commit)
-#
-# modified: Xi/chgfctl.c
-# modified: Xi/chgkmap.c
-# modified: Xi/chgprop.c
-# modified: Xi/grabdev.c
-# modified: Xi/grabdevb.c
-# modified: Xi/grabdevk.c
-# modified: Xi/selectev.c
-# modified: Xi/sendexev.c
-#
---- xorg-server.orig/Xi/chgfctl.c
-+++ xorg-server/Xi/chgfctl.c
-@@ -327,18 +327,13 @@
- xStringFeedbackCtl * f)
- {
- char n;
-- long *p;
- int i, j;
- KeySym *syms, *sup_syms;
-
- syms = (KeySym *) (f + 1);
- if (client->swapped) {
- swaps(&f->length, n); /* swapped num_keysyms in calling proc */
-- p = (long *)(syms);
-- for (i = 0; i < f->num_keysyms; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ SwapLongs((CARD32 *) syms, f->num_keysyms);
- }
-
- if (f->num_keysyms > s->ctrl.max_symbols) {
---- xorg-server.orig/Xi/chgkmap.c
-+++ xorg-server/Xi/chgkmap.c
-@@ -79,18 +79,14 @@
- SProcXChangeDeviceKeyMapping(ClientPtr client)
- {
- char n;
-- long *p;
-- int i, count;
-+ unsigned int count;
-
- REQUEST(xChangeDeviceKeyMappingReq);
- swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
-- p = (long *)&stuff[1];
- count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-- for (i = 0; i < count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), count);
- return (ProcXChangeDeviceKeyMapping(client));
- }
-
-@@ -106,10 +102,14 @@
- int ret;
- unsigned len;
- DeviceIntPtr dev;
-+ unsigned int count;
-
- REQUEST(xChangeDeviceKeyMappingReq);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
-
-+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
-+
- dev = LookupDeviceIntRec(stuff->deviceid);
- if (dev == NULL) {
- SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
---- xorg-server.orig/Xi/chgprop.c
-+++ xorg-server/Xi/chgprop.c
-@@ -81,19 +81,15 @@
- SProcXChangeDeviceDontPropagateList(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xChangeDeviceDontPropagateListReq);
- swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
- swapl(&stuff->window, n);
- swaps(&stuff->count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
-+ stuff->count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
- return (ProcXChangeDeviceDontPropagateList(client));
- }
-
---- xorg-server.orig/Xi/grabdev.c
-+++ xorg-server/Xi/grabdev.c
-@@ -82,8 +82,6 @@
- SProcXGrabDevice(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xGrabDeviceReq);
- swaps(&stuff->length, n);
-@@ -91,11 +89,11 @@
- swapl(&stuff->grabWindow, n);
- swapl(&stuff->time, n);
- swaps(&stuff->event_count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->event_count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+
-+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
-+ return BadLength;
-+
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
-
- return (ProcXGrabDevice(client));
- }
---- xorg-server.orig/Xi/grabdevb.c
-+++ xorg-server/Xi/grabdevb.c
-@@ -80,8 +80,6 @@
- SProcXGrabDeviceButton(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xGrabDeviceButtonReq);
- swaps(&stuff->length, n);
-@@ -89,11 +87,9 @@
- swapl(&stuff->grabWindow, n);
- swaps(&stuff->modifiers, n);
- swaps(&stuff->event_count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->event_count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
-+ stuff->event_count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
-
- return (ProcXGrabDeviceButton(client));
- }
---- xorg-server.orig/Xi/grabdevk.c
-+++ xorg-server/Xi/grabdevk.c
-@@ -80,8 +80,6 @@
- SProcXGrabDeviceKey(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xGrabDeviceKeyReq);
- swaps(&stuff->length, n);
-@@ -89,11 +87,8 @@
- swapl(&stuff->grabWindow, n);
- swaps(&stuff->modifiers, n);
- swaps(&stuff->event_count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->event_count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
- return (ProcXGrabDeviceKey(client));
- }
-
---- xorg-server.orig/Xi/selectev.c
-+++ xorg-server/Xi/selectev.c
-@@ -131,19 +131,16 @@
- SProcXSelectExtensionEvent(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xSelectExtensionEventReq);
- swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
- swapl(&stuff->window, n);
- swaps(&stuff->count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
-+ stuff->count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
-+
- return (ProcXSelectExtensionEvent(client));
- }
-
---- xorg-server.orig/Xi/sendexev.c
-+++ xorg-server/Xi/sendexev.c
-@@ -83,7 +83,7 @@
- SProcXSendExtensionEvent(ClientPtr client)
- {
- char n;
-- long *p;
-+ CARD32 *p;
- int i;
- xEvent eventT;
- xEvent *eventP;
-@@ -94,6 +94,11 @@
- REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
- swapl(&stuff->destination, n);
- swaps(&stuff->count, n);
-+
-+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
-+ (stuff->num_events * (sizeof(xEvent) >> 2)))
-+ return BadLength;
-+
- eventP = (xEvent *) & stuff[1];
- for (i = 0; i < stuff->num_events; i++, eventP++) {
- proc = EventSwapVector[eventP->u.u.type & 0177];
-@@ -103,11 +108,8 @@
- *eventP = eventT;
- }
-
-- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
-- for (i = 0; i < stuff->count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
-+ SwapLongs(p, stuff->count);
- return (ProcXSendExtensionEvent(client));
- }
-
diff --git a/debian/patches/16_CVE-2007-6428.diff b/debian/patches/16_CVE-2007-6428.diff
deleted file mode 100644
index 4068315..0000000
--- a/debian/patches/16_CVE-2007-6428.diff
+++ /dev/null
@@ -1,12 +0,0 @@
---- xorg-server.orig/Xext/cup.c
-+++ xorg-server/Xext/cup.c
-@@ -196,6 +196,9 @@
-
- REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
-
-+ if (stuff->screen >= screenInfo.numScreens)
-+ return BadValue;
-+
- #ifndef HAVE_SPECIAL_DESKTOP_COLORS
- citems[CUP_BLACK_PIXEL].pixel =
- screenInfo.screens[stuff->screen]->blackPixel;
diff --git a/debian/patches/17_CVE-2007-6429.diff b/debian/patches/17_CVE-2007-6429.diff
deleted file mode 100644
index 5c6d548..0000000
--- a/debian/patches/17_CVE-2007-6429.diff
+++ /dev/null
@@ -1,190 +0,0 @@
---- xorg-server.orig/Xext/EVI.c
-+++ xorg-server/Xext/EVI.c
-@@ -34,6 +34,7 @@
- #include <X11/extensions/XEVIstr.h>
- #include "EVIstruct.h"
- #include "modinit.h"
-+#include "scrnintstr.h"
-
- #if 0
- static unsigned char XEVIReqCode = 0;
-@@ -87,10 +88,22 @@
- {
- REQUEST(xEVIGetVisualInfoReq);
- xEVIGetVisualInfoReply rep;
-- int n, n_conflict, n_info, sz_info, sz_conflict;
-+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
- VisualID32 *conflict;
-+ unsigned int total_visuals = 0;
- xExtendedVisualInfo *eviInfo;
- int status;
-+
-+ /*
-+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
-+ * here that you don't have more than 2^32 visuals over all your screens;
-+ * this seems like a safe assumption.
-+ */
-+ for (i = 0; i < screenInfo.numScreens; i++)
-+ total_visuals += screenInfo.screens[i]->numVisuals;
-+ if (stuff->n_visual > total_visuals)
-+ return BadValue;
-+
- REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
- status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
- &eviInfo, &n_info, &conflict, &n_conflict);
---- xorg-server.orig/Xext/sampleEVI.c
-+++ xorg-server/Xext/sampleEVI.c
-@@ -34,6 +34,13 @@
- #include <X11/extensions/XEVIstr.h>