
possible xorg-server update in lenny?



Hi,

I've got a few changes queued up for xorg-server in lenny, and was
wondering if it's worth uploading them at some point soonish.  I guess I
could add the fix for CVE-2009-1573 (a minor bug in xvfb-run).

diff --git a/debian/changelog b/debian/changelog
index b222ff9..7db9a4a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+xorg-server (2:1.4.2-10.lenny3) UNRELEASED; urgency=low
+
+  * Cherry-pick patch from upstream to set umask to a sane value in Xorg
+    before opening the log, so we don't create it world-writable (closes:
+    #555308).

Marked as no-dsa in the security tracker.

+  * Add patch by Olivier Fourdan (Red Hat) to fix the mod() macro in fb and
+    mi.

This came up in the context of CVE-2010-1166, but as far as I know it
isn't actually security-relevant in lenny.

+  * render: bounds check for nglyphs in ProcRenderAddGlyphs.
+  * fb: make isClipped always reject negative coordinates (closes: #320627)

These are http://bugs.freedesktop.org/28801 and
http://bugs.freedesktop.org/11503.  I don't know if anyone evaluated the
impact of those bugs.

+
+ -- Julien Cristau <jcristau@debian.org>  Sat, 21 Nov 2009 13:09:36 +0100
+
 xorg-server (2:1.4.2-10.lenny2) stable; urgency=low
 
   * Revert change from -10.lenny1.  If both PCI and fb drivers are loaded, the
diff --git a/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch b/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch
new file mode 100644
index 0000000..6bebae2
--- /dev/null
+++ b/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch
@@ -0,0 +1,44 @@
+From 8f536b80f153337f74f01be1a48f5067cefc47bc Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Mon, 29 Mar 2010 23:32:19 +0200
+Subject: [PATCH] Fix mod() macro in fb and mi
+
+Patch by Olivier Fourdan (Red Hat) via Ubuntu.
+
+References:
+https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/551193
+https://bugzilla.redhat.com/show_bug.cgi?id=570089
+---
+ fb/fbpict.c |    2 +-
+ mi/miarc.c  |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fb/fbpict.c b/fb/fbpict.c
+index 85b5171..ff29ff2 100644
+--- a/fb/fbpict.c
++++ b/fb/fbpict.c
+@@ -37,7 +37,7 @@
+ #include "mipict.h"
+ #include "fbpict.h"
+ 
+-#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
++#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
+ 
+ void
+ fbWalkCompositeRegion (CARD8 op,
+diff --git a/mi/miarc.c b/mi/miarc.c
+index 3b77ce7..34f4bb8 100644
+--- a/mi/miarc.c
++++ b/mi/miarc.c
+@@ -1528,7 +1528,7 @@ miRoundCap(
+ 
+ # define Dsin(d)	((d) == 0.0 ? 0.0 : ((d) == 90.0 ? 1.0 : sin(d*M_PI/180.0)))
+ # define Dcos(d)	((d) == 0.0 ? 1.0 : ((d) == 90.0 ? 0.0 : cos(d*M_PI/180.0)))
+-# define mod(a,b)	((a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
++# define mod(a,b)	((a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
+ 
+ static double
+ miDcos (double a)
+-- 
+1.7.0.3
+
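Review bot: Both corrected `mod()` definitions (fb/fbpict.c and mi/miarc.c) still return `b` instead of 0 when `a` is a negative multiple of `b`, since `(-(a)) % (b)` is then 0 and the macro yields `(b) - 0`. If a caller uses the result as a wrapped coordinate or index, which these hunks do not show, that value is one past the valid range [0, b). A form such as `((a) >= 0 ? (a) % (b) : ((b) - 1) - (-((a) + 1)) % (b))` stays in range and also avoids negating the most negative int. The macro evaluates `a` more than once, so a one-line comment above each definition such as `/* arguments are evaluated more than once; pass side-effect-free expressions */` would be worth adding.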
diff --git a/debian/patches/series b/debian/patches/series
index 25604c9..a6b826e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,6 +28,7 @@
 52_xevie-swap-replies.diff
 53_Properly-initialize-io.pi_sel.pc_domain-on-kfreebsd.patch
 54_more-sanity-checks.diff
+55_Fix-mod-macro-in-fb-and-mi.patch
 91_ttf2pt1
 91_ttf2pt1_updates
 92_xprint-security-holes-fix.patch
diff --git a/fb/fbbits.h b/fb/fbbits.h
index 44991f1..b8af785 100644
--- a/fb/fbbits.h
+++ b/fb/fbbits.h
@@ -25,7 +25,7 @@
  * underlying datatypes instead of masks
  */
 
-#define isClipped(c,ul,lr)  ((((c) - (ul)) | ((lr) - (c))) & 0x80008000)
+#define isClipped(c,ul,lr)  (((c) | ((c) - (ul)) | ((lr) - (c))) & 0x80008000)
 
 #ifdef HAVE_DIX_CONFIG_H
 #include <dix-config.h>
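Review bot: The new `isClipped` has no comment explaining why `(c)` itself is OR-ed into the test, and the header comment above it is only partly visible in this hunk. The mask `0x80008000` suggests that `c`, `ul` and `lr` each pack two signed 16-bit coordinates into one 32-bit word, but nothing here says so. I would add something like `/* c, ul, lr hold two packed 16-bit coordinates; a negative coordinate in c is always reported as clipped, even if the clip box has a negative origin, because the packed subtraction is not reliable there */`, with the packing confirmed against the callers. Note that `c` is now evaluated three times, so callers must not pass an expression with side effects.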
diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
index 0c9cbd4..f896eb4 100644
--- a/hw/xfree86/common/xf86Init.c
+++ b/hw/xfree86/common/xf86Init.c
@@ -986,8 +986,10 @@ OsVendorInit()
   loadableFonts = TRUE;
 #endif
 
-  if (!beenHere)
+  if (!beenHere) {
+    umask(022);
     xf86LogInit();
+  }
 
 #if SET_STDERR_NONBLOCKING
         /* Set stderr to non-blocking. */
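Review bot: `umask(022)` in OsVendorInit replaces the inherited mask instead of tightening it, so a server started under a stricter mask such as 077 now creates its log, and everything created later in the process, as world-readable. Keeping the caller's restrictions while still clearing the write bits would be `mode_t old = umask(022); umask(old | 022);` before `xf86LogInit()`. The change is process-wide and never restored, which deserves a comment at the call, for example `/* the log must never be group/world-writable; the mask stays in effect for the rest of the server's lifetime */`. Whether `<sys/stat.h>` is already included cannot be seen here, as the rest of the function and file are outside the hunk.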
diff --git a/render/render.c b/render/render.c
index b53e878..a5ce0d9 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1131,6 +1131,14 @@ ProcRenderAddGlyphs (ClientPtr client)
     gi = (xGlyphInfo *) (gids + nglyphs);
     bits = (CARD8 *) (gi + nglyphs);
     remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
+
+    /* protect against bad nglyphs */
+    if (gi < stuff || gi > ((CARD32 *)stuff + client->req_len) ||
+        bits < stuff || bits > ((CARD32 *)stuff + client->req_len)) {
+        err = BadLength;
+        goto bail;
+    }
+
     while (remain >= 0 && nglyphs)
     {
 	glyph = AllocateGlyph (gi, glyphSet->fdepth);
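Review bot: The added check in ProcRenderAddGlyphs validates `gi` and `bits` only after they have been computed from the client-supplied `nglyphs`, so a large count can wrap the pointer arithmetic (undefined behaviour, and on 32-bit builds the wrapped pointers may land back inside the request) before the comparison runs. Checking the count against the remaining length before the three assignments is more robust, for example `if (remain < 0 || nglyphs > remain / (sizeof (CARD32) + sizeof (xGlyphInfo))) { err = BadLength; goto bail; }`. The declarations of `remain` and `nglyphs` are outside the hunk, so the signedness of that comparison needs confirming. The comparisons also mix `xGlyphInfo *` and `CARD8 *` with the request pointer and a `CARD32 *` without casts, which draws incompatible-pointer warnings; casting both sides to `char *` would make the intent explicit.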
