
xorg-server: Changes to 'debian-lenny'



 debian/changelog                                   |    6 ++
 debian/local/xvfb-run                              |    5 +-
 debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch |   44 +++++++++++++++++++++
 debian/patches/series                              |    1 
 fb/fbbits.h                                        |    2 
 render/render.c                                    |    8 +++
 6 files changed, 63 insertions(+), 3 deletions(-)

New commits:
commit 5e56865b7b1cc2cb6c69ed706f99d106ec3bed95
Author: Julien Cristau <jcristau@debian.org>
Date:   Sun Sep 19 17:44:03 2010 +0200

    xvfb-run: don't pass the magic cookie to xauth on the command line
    
    Use xauth source to pass the cookie via stdin.
    This addresses CVE-2009-1573.  Thanks, Loïc Minier!
    (cherry picked from commit ecf09e571198ee16256a5efd1c23fd286a4f2249)
    
    Conflicts:
    
    	debian/changelog

diff --git a/debian/changelog b/debian/changelog
index 7db9a4a..9c573c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ xorg-server (2:1.4.2-10.lenny3) UNRELEASED; urgency=low
     mi.
   * render: bounds check for nglyphs in ProcRenderAddGlyphs.
   * fb: make isClipped always reject negative coordinates (closes: #320627)
+  * xvfb-run: don't pass the magic cookie to xauth on the command line
+    (CVE-2009-1573).  Thanks, Loïc Minier!
 
  -- Julien Cristau <jcristau@debian.org>  Sat, 21 Nov 2009 13:09:36 +0100
 
diff --git a/debian/local/xvfb-run b/debian/local/xvfb-run
index c85f86a..b11130a 100644
--- a/debian/local/xvfb-run
+++ b/debian/local/xvfb-run
@@ -157,8 +157,9 @@ fi
 
 # Start Xvfb.
 MCOOKIE=$(mcookie)
-XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
-  >>"$ERRORFILE" 2>&1
+XAUTHORITY=$AUTHFILE xauth source - << EOF >>"$ERRORFILE" 2>&1
+add :$SERVERNUM $XAUTHPROTO $MCOOKIE
+EOF
 XAUTHORITY=$AUTHFILE Xvfb ":$SERVERNUM" $XVFBARGS $LISTENTCP >>"$ERRORFILE" \
   2>&1 &
 XVFBPID=$!
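Review bot: Nothing next to the new `xauth source - << EOF` line says why the cookie is fed on stdin, so a later tidy-up could fold it back into the argument list, where other local users can read it from the process table. A comment above the command such as `# Pass the cookie on stdin, not argv: arguments are visible to other users via ps (CVE-2009-1573).` would keep the intent with the code. Separately, the here-document body is expanded by the shell and then tokenized by xauth itself, so `$SERVERNUM` and `$XAUTHPROTO` no longer have the protection the old quoted arguments gave. If those values can come from the script's options (not visible in this hunk), they are worth validating before this point.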

commit 1fe0ca9d4f82effe4cd85f71b3d4202bf3454ddd
Author: Julien Cristau <jcristau@debian.org>
Date:   Sun Sep 12 14:12:14 2010 +0200

    Update changelog

diff --git a/debian/changelog b/debian/changelog
index 12ca313..7db9a4a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ xorg-server (2:1.4.2-10.lenny3) UNRELEASED; urgency=low
     #555308).
   * Add patch by Olivier Fourdan (Red Hat) to fix the mod() macro in fb and
     mi.
+  * render: bounds check for nglyphs in ProcRenderAddGlyphs.
+  * fb: make isClipped always reject negative coordinates (closes: #320627)
 
  -- Julien Cristau <jcristau@debian.org>  Sat, 21 Nov 2009 13:09:36 +0100
 

commit fa8e429c2e091e97c6ba617f9e622b0a23dbf7ff
Author: Keith Packard <keithp@keithp.com>
Date:   Fri Aug 20 10:01:48 2010 -0700

    fb: make isClipped always reject negative coordinates (bug 11503)
    
    A window with either dimension > 32767 can be positioned such that
    coordinates > 32767 are visible on the screen. Attempts to draw to
    those pixels will generate coordinates wrapped around to negative
    values.
    
    The optimized clipping macro, 'isClipped', in fbbits.h, computes
    clipping in window space rather than screen space using int16 values,
    and so it too has coordinates wrapped around to negative values and
    hence ends up accepting the wrapped drawing coordinates.
    
    Two possible fixes for this problem
    
     1) Detect wrapped region coordinates and clip those to 32767.
     2) Detect negative incoming coordinates and reject those
    
    This patch takes the second approach as it is much shorter, simply
    detecting when either X or Y incoming coordinate is negative, which
    can never be 'within' any drawable.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 3e56efcfb63677cd8574e1e435e61d96f79ea536)
    (cherry picked from commit 7c544986656713b5bbdb936bb7c3cb5a83d9f833)

diff --git a/fb/fbbits.h b/fb/fbbits.h
index 44991f1..b8af785 100644
--- a/fb/fbbits.h
+++ b/fb/fbbits.h
@@ -25,7 +25,7 @@
  * underlying datatypes instead of masks
  */
 
-#define isClipped(c,ul,lr)  ((((c) - (ul)) | ((lr) - (c))) & 0x80008000)
+#define isClipped(c,ul,lr)  (((c) | ((c) - (ul)) | ((lr) - (c))) & 0x80008000)
 
 #ifdef HAVE_DIX_CONFIG_H
 #include <dix-config.h>
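Review bot: The new leading `(c) |` term in `isClipped` is undocumented, and the comment that precedes the macro starts outside this hunk, so nothing here tells a reader that the term exists to reject wrapped coordinates. Going by the `0x80008000` mask and the commit message, a one-line comment such as `/* OR in (c) itself: a packed coordinate with either sign bit set is never inside a drawable */` above the define would record that. The macro now expands `c` three times, so it would also help to state that its arguments must be free of side effects.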

commit ba65e70a460e4312f777fbf27936e55fdcf950df
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Jun 28 18:08:50 2010 -0400

    render: Bounds check for nglyphs in ProcRenderAddGlyphs (#28801)
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit 5725849a1b427cd4a72b84e57f211edb35838718)

diff --git a/render/render.c b/render/render.c
index b53e878..a5ce0d9 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1131,6 +1131,14 @@ ProcRenderAddGlyphs (ClientPtr client)
     gi = (xGlyphInfo *) (gids + nglyphs);
     bits = (CARD8 *) (gi + nglyphs);
     remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
+
+    /* protect against bad nglyphs */
+    if (gi < stuff || gi > ((CARD32 *)stuff + client->req_len) ||
+        bits < stuff || bits > ((CARD32 *)stuff + client->req_len)) {
+        err = BadLength;
+        goto bail;
+    }
+
     while (remain >= 0 && nglyphs)
     {
 	glyph = AllocateGlyph (gi, glyphSet->fdepth);
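Review bot: The added check under `/* protect against bad nglyphs */` runs after `gids + nglyphs` and `gi + nglyphs` have already been formed, so it depends on out-of-range pointer arithmetic wrapping in a detectable way, which C leaves undefined and an optimizer may assume cannot happen. Comparing the count with the remaining request length before forming the pointers is sturdier, for example `if (remain < 0 || nglyphs > remain / (sizeof (CARD32) + sizeof (xGlyphInfo))) { err = BadLength; goto bail; }` placed ahead of the `gi =` assignment. The declarations of `remain` and `nglyphs` are outside this hunk, so the exact types need confirming. The comparisons also mix `xGlyphInfo *`, `CARD8 *` and `CARD32 *` with `stuff` without casts, which will at least draw compiler warnings. ProcRenderAddGlyphs starts and ends outside the hunk.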

commit f2387edf0ead0861f0c545341c3b0e4e6852b6ba
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Mar 29 23:40:20 2010 +0200

    Add patch by Olivier Fourdan (Red Hat) to fix the mod() macro in fb and mi.

diff --git a/debian/changelog b/debian/changelog
index 1e33d5c..12ca313 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ xorg-server (2:1.4.2-10.lenny3) UNRELEASED; urgency=low
   * Cherry-pick patch from upstream to set umask to a sane value in Xorg
     before opening the log, so we don't create it world-writable (closes:
     #555308).
+  * Add patch by Olivier Fourdan (Red Hat) to fix the mod() macro in fb and
+    mi.
 
  -- Julien Cristau <jcristau@debian.org>  Sat, 21 Nov 2009 13:09:36 +0100
 
diff --git a/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch b/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch
new file mode 100644
index 0000000..6bebae2
--- /dev/null
+++ b/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch
@@ -0,0 +1,44 @@
+From 8f536b80f153337f74f01be1a48f5067cefc47bc Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Mon, 29 Mar 2010 23:32:19 +0200
+Subject: [PATCH] Fix mod() macro in fb and mi
+
+Patch by Olivier Fourdan (Red Hat) via Ubuntu.
+
+References:
+https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/551193
+https://bugzilla.redhat.com/show_bug.cgi?id=570089
+---
+ fb/fbpict.c |    2 +-
+ mi/miarc.c  |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fb/fbpict.c b/fb/fbpict.c
+index 85b5171..ff29ff2 100644
+--- a/fb/fbpict.c
++++ b/fb/fbpict.c
+@@ -37,7 +37,7 @@
+ #include "mipict.h"
+ #include "fbpict.h"
+ 
+-#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
++#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
+ 
+ void
+ fbWalkCompositeRegion (CARD8 op,
+diff --git a/mi/miarc.c b/mi/miarc.c
+index 3b77ce7..34f4bb8 100644
+--- a/mi/miarc.c
++++ b/mi/miarc.c
+@@ -1528,7 +1528,7 @@ miRoundCap(
+ 
+ # define Dsin(d)	((d) == 0.0 ? 0.0 : ((d) == 90.0 ? 1.0 : sin(d*M_PI/180.0)))
+ # define Dcos(d)	((d) == 0.0 ? 1.0 : ((d) == 90.0 ? 0.0 : cos(d*M_PI/180.0)))
+-# define mod(a,b)	((a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
++# define mod(a,b)	((a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
+ 
+ static double
+ miDcos (double a)
+-- 
+1.7.0.3
+
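Review bot: With the parenthesization fixed, the negative branch `(b) - (-(a)) % (b)` still returns `b` rather than 0 when `a` is a negative multiple of `b` (for example `mod(-4, 4)` gives 4), in both the fb/fbpict.c and mi/miarc.c definitions. If callers use the result as an index or offset in the range [0, b), that value is one past the end; the callers are not visible here, so this needs checking against them. A form that stays in range is `((a) % (b) + (b)) % (b)`, assuming `b` is positive. `-(a)` also overflows when `a` is the most negative int.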
diff --git a/debian/patches/series b/debian/patches/series
index 25604c9..a6b826e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,6 +28,7 @@
 52_xevie-swap-replies.diff
 53_Properly-initialize-io.pi_sel.pc_domain-on-kfreebsd.patch
 54_more-sanity-checks.diff
+55_Fix-mod-macro-in-fb-and-mi.patch
 91_ttf2pt1
 91_ttf2pt1_updates
 92_xprint-security-holes-fix.patch

