Hi, I've got a few changes queued up for xorg-server in lenny, and was wondering if it's worth uploading them at some point soonish. I guess I could add the fix for CVE-2009-1573 (a minor bug in xvfb-run). diff --git a/debian/changelog b/debian/changelog index b222ff9..7db9a4a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +xorg-server (2:1.4.2-10.lenny3) UNRELEASED; urgency=low + + * Cherry-pick patch from upstream to set umask to a sane value in Xorg + before opening the log, so we don't create it world-writable (closes: + #555308). Marked as no-dsa in the security tracker. + * Add patch by Olivier Fourdan (Red Hat) to fix the mod() macro in fb and + mi. This came up in the context of CVE-2010-1166, isn't actually security-relevant in lenny afaik. + * render: bounds check for nglyphs in ProcRenderAddGlyphs. + * fb: make isClipped always reject negative coordinates (closes: #320627) These are http://bugs.freedesktop.org/28801 and http://bugs.freedesktop.org/11503. I don't know if anyone evaluated the impact of those bugs. + + -- Julien Cristau <jcristau@debian.org> Sat, 21 Nov 2009 13:09:36 +0100 + xorg-server (2:1.4.2-10.lenny2) stable; urgency=low * Revert change from -10.lenny1. If both PCI and fb drivers are loaded, the diff --git a/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch b/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch new file mode 100644 index 0000000..6bebae2 --- /dev/null +++ b/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch 
@@ -0,0 +1,44 @@
+From 8f536b80f153337f74f01be1a48f5067cefc47bc Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Mon, 29 Mar 2010 23:32:19 +0200
+Subject: [PATCH] Fix mod() macro in fb and mi
+
+Patch by Olivier Fourdan (Red Hat) via Ubuntu.
+
+References:
+https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/551193
+https://bugzilla.redhat.com/show_bug.cgi?id=570089
+---
+ fb/fbpict.c | 2 +-
+ mi/miarc.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fb/fbpict.c b/fb/fbpict.c
+index 85b5171..ff29ff2 100644
+--- a/fb/fbpict.c
++++ b/fb/fbpict.c
+@@ -37,7 +37,7 @@
+ #include "mipict.h"
+ #include "fbpict.h"
+
+-#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
++#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
+
+ void
+ fbWalkCompositeRegion (CARD8 op,
+diff --git a/mi/miarc.c b/mi/miarc.c
+index 3b77ce7..34f4bb8 100644
+--- a/mi/miarc.c
++++ b/mi/miarc.c
+@@ -1528,7 +1528,7 @@ miRoundCap(
+
+ # define Dsin(d) ((d) == 0.0 ? 0.0 : ((d) == 90.0 ? 1.0 : sin(d*M_PI/180.0)))
+ # define Dcos(d) ((d) == 0.0 ? 1.0 : ((d) == 90.0 ? 0.0 : cos(d*M_PI/180.0)))
+-# define mod(a,b) ((a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
++# define mod(a,b) ((a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
+
+ static double
+ miDcos (double a)
+--
+1.7.0.3
+
diff --git a/debian/patches/series b/debian/patches/series
index 25604c9..a6b826e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,6 +28,7 @@
 52_xevie-swap-replies.diff
 53_Properly-initialize-io.pi_sel.pc_domain-on-kfreebsd.patch
 54_more-sanity-checks.diff
+55_Fix-mod-macro-in-fb-and-mi.patch
 91_ttf2pt1
 91_ttf2pt1_updates
 92_xprint-security-holes-fix.patch
diff --git a/fb/fbbits.h b/fb/fbbits.h
index 44991f1..b8af785 100644
--- a/fb/fbbits.h
+++ b/fb/fbbits.h
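Review bot: In debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch, the corrected `mod(a,b)` still evaluates to `b` instead of `0` when `a` is a negative exact multiple of `b`, because `(b) - (-(a)) % (b)` then reduces to `(b) - 0`. The fb/fbpict.c version special-cases only `(b) == 1` and the mi/miarc.c version has no special case, so a caller that treats the result as an offset in `[0, b)` could still land one past the end; the callers are outside this hunk, so that needs checking against them. A form that stays in range for every negative `a` and does not negate `a` directly is `#define mod(a,b) ((a) >= 0 ? (a) % (b) : ((b) - 1) - (-((a) + 1)) % (b))`.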
@@ -25,7 +25,7 @@ * underlying datatypes instead of masks */ -#define isClipped(c,ul,lr) ((((c) - (ul)) | ((lr) - (c))) & 0x80008000) +#define isClipped(c,ul,lr) (((c) | ((c) - (ul)) | ((lr) - (c))) & 0x80008000) #ifdef HAVE_DIX_CONFIG_H #include <dix-config.h> diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c index 0c9cbd4..f896eb4 100644 --- a/hw/xfree86/common/xf86Init.c +++ b/hw/xfree86/common/xf86Init.c @@ -986,8 +986,10 @@ OsVendorInit() loadableFonts = TRUE; #endif - if (!beenHere) + if (!beenHere) { + umask(022); xf86LogInit(); + } #if SET_STDERR_NONBLOCKING /* Set stderr to non-blocking. */ diff --git a/render/render.c b/render/render.c index b53e878..a5ce0d9 100644 --- a/render/render.c +++ b/render/render.c @@ -1131,6 +1131,14 @@ ProcRenderAddGlyphs (ClientPtr client) gi = (xGlyphInfo *) (gids + nglyphs); bits = (CARD8 *) (gi + nglyphs); remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs; + + /* protect against bad nglyphs */ + if (gi < stuff || gi > ((CARD32 *)stuff + client->req_len) || + bits < stuff || bits > ((CARD32 *)stuff + client->req_len)) { + err = BadLength; + goto bail; + } + while (remain >= 0 && nglyphs) { glyph = AllocateGlyph (gi, glyphSet->fdepth);
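Review bot: The rewritten `isClipped` macro in fb/fbbits.h carries no comment saying what `c`, `ul` and `lr` hold or why `(c)` itself is now ORed into the test, and the `0x80008000` mask only makes sense if each argument packs two 16-bit coordinates into one word. I would add a comment above the definition along the lines of `/* c, ul, lr: two signed 16-bit coordinates packed in one 32-bit word (assumed from the mask, confirm); bit 15 or 31 set in c, c-ul or lr-c means negative or outside the clip box */`. That records the reason for the extra `(c)` term so that it is not later removed as redundant.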
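Review bot: The added `umask(022);` in OsVendorInit() replaces the inherited mask rather than tightening it, so a server started under a stricter mask such as 077 would now create the log, and every file created later in the process, group- and world-readable. The return value is discarded and the old mask is never restored, so the change is process-wide rather than scoped to `xf86LogInit()`. OR-ing the bits into the existing mask keeps the fix for the world-writable log without loosening anything: `umask(umask(077) | 022);`. Whether `<sys/stat.h>` is already included is not visible here, and the body of OsVendorInit() starts and ends outside the hunk.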
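Review bot: The new bounds check in ProcRenderAddGlyphs runs only after `gids + nglyphs` and `gi + nglyphs` have been computed, so for a very large client-supplied `nglyphs` the pointer arithmetic may already have wrapped and the comparisons can pass on a wrapped value. Validating the count against the request length before deriving any pointer avoids relying on that, e.g. `if (nglyphs > (client->req_len << 2) / (sizeof (CARD32) + sizeof (xGlyphInfo))) { err = BadLength; goto bail; }` placed ahead of the `gi = ...` line. The check as written also compares `gi` and `bits` with `stuff` and with a `CARD32 *` without casts, which mixes pointer types; casting every operand to `CARD8 *` would make the comparison well-typed. The declarations of `nglyphs`, `remain` and `stuff` and the `bail` label are outside the hunk, so their types are assumed here.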