
X Strike Force SVN commit: rev 492 - in trunk/debian: . patches



Author: branden
Date: 2003-09-10 04:05:11 -0500 (Wed, 10 Sep 2003)
New Revision: 492

Modified:
   trunk/debian/changelog
   trunk/debian/patches/000_stolen_from_HEAD.diff
Log:
debian/patches/000_stolen_from_HEAD.diff: backport security fix from CVS
  HEAD: CAN-2003-0730 (multiple integer overflows in the font libraries for
  XFree86 allow local or remote attackers to cause a denial of service or
  execute arbitrary code via heap-based and stack-based buffer overflow
  attacks)

debian/changelog: also set upload urgency to high and explain why


Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2003-09-10 08:31:58 UTC (rev 491)
+++ trunk/debian/changelog	2003-09-10 09:05:11 UTC (rev 492)
@@ -1,5 +1,8 @@
-xfree86 (4.2.1-12) unstable; urgency=low
+xfree86 (4.2.1-12) unstable; urgency=high
 
+  * urgency high due to security fix for font service integer overflow attacks
+    (see below)
+
   * debian/twm.menu-method: correctly escape doublequote characters in menu
     entry titles (thanks, Bill Allombert) (Closes: #193759)
 
@@ -30,8 +33,14 @@
   * debian/xserver-common.preinst.in: correct erroneous reference to debconf
     template name
 
- -- Branden Robinson <branden@debian.org>  Mon,  8 Sep 2003 22:32:13 -0500
+  * patch #000_stolen_from_HEAD: backport security fix from CVS HEAD
+    + CAN-2003-0730 (multiple integer overflows in the font libraries for
+                    XFree86 allow local or remote attackers to cause a denial
+                    of service or execute arbitrary code via heap-based and
+                    stack-based buffer overflow attacks)
 
+ -- Branden Robinson <branden@debian.org>  Wed, 10 Sep 2003 04:01:45 -0500
+
 xfree86 (4.2.1-11) unstable; urgency=medium
 
   * urgency set to medium because bug #206790 bites a lot of people (but,

Modified: trunk/debian/patches/000_stolen_from_HEAD.diff
===================================================================
--- trunk/debian/patches/000_stolen_from_HEAD.diff	2003-09-10 08:31:58 UTC (rev 491)
+++ trunk/debian/patches/000_stolen_from_HEAD.diff	2003-09-10 09:05:11 UTC (rev 492)
@@ -238,6 +238,42 @@
   + Backport support for new IA-64 relocation types from post-4.3.0 CVS
     HEAD. (Matthew Wilcox)
 
+(xc/lib/FS/FSFontInfo.c,
+ xc/lib/FS/FSFtNames.c,
+ xc/lib/FS/FSGetCats.c,
+ xc/lib/FS/FSListCats.c,
+ xc/lib/FS/FSListExt.c,
+ xc/lib/FS/FSOpenServ.c,
+ xc/lib/FS/FSQGlyphs.c,
+ xc/lib/FS/FSQXExt.c,
+ xc/lib/FS/FSQXInfo.c,
+ xc/lib/FS/FSlibos.h,
+ xc/lib/font/Type1/Imakefile,
+ xc/lib/font/Type1/arith.c,
+ xc/lib/font/Type1/curves.c,
+ xc/lib/font/Type1/hints.c,
+ xc/lib/font/Type1/module/Imakefile,
+ xc/lib/font/Type1/objects.c,
+ xc/lib/font/Type1/objects.h,
+ xc/lib/font/Type1/paths.c,
+ xc/lib/font/Type1/regions.c,
+ xc/lib/font/Type1/spaces.c,
+ xc/lib/font/Type1/t1funcs.c,
+ xc/lib/font/Type1/t1info.c,
+ xc/lib/font/Type1/t1malloc.c,
+ xc/lib/font/Type1/t1stub.c,
+ xc/lib/font/fc/fsconvert.c,
+ xc/lib/font/fc/fserve.c,
+ xc/lib/font/fc/fslibos.h,
+ xc/lib/font/fontcache/fontcache.h):
+  + Fixes for potential integer overflows in font libraries. (blexim,
+    Matthieu Herrb).
+  + For integer overflow tests, use SIZE_MAX which is more standard than
+    SIZE_T_MAX, and default to ULONG_MAX for the case of LP64 systems.
+    Based on reports by Matthias Scheler and Alan Coopersmith (Bugzilla
+    #646).
+  Backported from XFree86 CVS HEAD.
+
 Index: xc/nls/XI18N_OBJS/Imakefile
 ===================================================================
 RCS file: /cvs/xc/nls/XI18N_OBJS/Imakefile,v
@@ -5188,3 +5224,320 @@
      }
  
  /*
+diff -urN xc/lib/FS~/FSFontInfo.c xc/lib/FS/FSFontInfo.c
+--- xc/lib/FS~/FSFontInfo.c	2001-12-14 14:53:32.000000000 -0500
++++ xc/lib/FS/FSFontInfo.c	2003-09-10 03:56:13.000000000 -0500
+@@ -65,7 +65,7 @@
+     long        nbytes;
+     int         i,
+                 j;
+-    int         size = 0;
++    size_t      size = 0;
+     FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) 0;
+     FSPropInfo **pi = (FSPropInfo **) 0;
+     FSPropOffset **po = (FSPropOffset **) 0;
+@@ -123,8 +123,14 @@
+ 	if (reply.nameLength == 0)	/* got last reply in version 1 */
+ 	    break;
+ 	if ((i + reply.nReplies) >= size) {
++
++	    if (reply.nReplies > SIZE_MAX - i - 1)
++		goto badmem;
+ 	    size = i + reply.nReplies + 1;
+ 
++	    if (size > SIZE_MAX / sizeof(char *))
++		goto badmem;
++
+ 	    if (fhdr) {
+ 		FSXFontInfoHeader **tmp_fhdr = (FSXFontInfoHeader **)
+ 		FSrealloc((char *) fhdr,
+@@ -237,6 +243,9 @@
+ 	pi[i]->num_offsets = local_pi.num_offsets;
+ 	pi[i]->data_len = local_pi.data_len;
+ 
++	if (pi[i]->num_offsets > SIZE_MAX / sizeof(FSPropOffset))
++	    goto badmem;
++
+ 	po[i] = (FSPropOffset *)
+ 	    FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
+ 	if (!po[i]) {
+@@ -282,6 +291,10 @@
+ 	    nbytes = pi[i]->data_len + reply.nameLength;
+ 	    _FSEatData(svr, (unsigned long) (((nbytes+3)&~3) - nbytes));
+ 	}
++	/* avoid integer overflow */
++	if (i > INT_MAX - 1) {
++	    goto badmem;
++	}
+     }
+     *info = fhdr;
+     *count = i;
+diff -urN xc/lib/FS~/FSFtNames.c xc/lib/FS/FSFtNames.c
+--- xc/lib/FS~/FSFtNames.c	2001-12-14 14:53:32.000000000 -0500
++++ xc/lib/FS/FSFtNames.c	2003-09-10 03:56:13.000000000 -0500
+@@ -78,7 +78,8 @@
+ 	  (SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ 	return (char **) 0;
+ 
+-    if (rep.nFonts) {
++    if (rep.nFonts && rep.nFonts <= SIZE_MAX / sizeof(char *)
++	&& rep.length <= ((SIZE_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) {
+ 	flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *));
+ 	rlen = (rep.length << 2) - SIZEOF(fsListFontsReply);
+ 	c = (char *) FSmalloc((unsigned) (rlen + 1));
+diff -urN xc/lib/FS~/FSGetCats.c xc/lib/FS/FSGetCats.c
+--- xc/lib/FS~/FSGetCats.c	2001-12-14 14:53:32.000000000 -0500
++++ xc/lib/FS/FSGetCats.c	2003-09-10 03:56:13.000000000 -0500
+@@ -72,9 +72,10 @@
+ 	SyncHandle();
+ 	return (char **) NULL;
+     }
+-    if (rep.num_catalogues) {
++    if (rep.num_catalogues && rep.num_catalogues <= SIZE_MAX/sizeof(char *)
++	&& rep.length <= ((SIZE_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) {
+ 	list = (char **)
+-	    FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
++	       FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
+ 	rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply);
+ 	c = (char *) FSmalloc((unsigned) rlen + 1);
+ 	if ((!list) || (!c)) {
+diff -urN xc/lib/FS~/FSListCats.c xc/lib/FS/FSListCats.c
+--- xc/lib/FS~/FSListCats.c	2001-12-14 14:53:32.000000000 -0500
++++ xc/lib/FS/FSListCats.c	2003-09-10 03:56:13.000000000 -0500
+@@ -78,7 +78,8 @@
+     (SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ 	return (char **) 0;
+ 
+-    if (rep.num_catalogues) {
++    if (rep.num_catalogues && rep.num_catalogues <= SIZE_MAX/sizeof(char *)
++	&& rep.length <= ((SIZE_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) {
+ 	clist = (char **)
+ 	    FSmalloc((unsigned) rep.num_catalogues * sizeof(char *));
+ 	rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply);
+diff -urN xc/lib/FS~/FSListExt.c xc/lib/FS/FSListExt.c
+--- xc/lib/FS~/FSListExt.c	2001-12-14 14:53:32.000000000 -0500
++++ xc/lib/FS/FSListExt.c	2003-09-10 03:56:13.000000000 -0500
+@@ -72,7 +72,8 @@
+ 	SyncHandle();
+ 	return (char **) NULL;
+     }
+-    if (rep.nExtensions) {
++    if (rep.nExtensions && rep.nExtensions <= SIZE_MAX / sizeof(char *)
++	&& rep.length <= ((SIZE_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) {
+ 	list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *)));
+ 	rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply);
+ 	c = (char *) FSmalloc((unsigned) rlen + 1);
+diff -urN xc/lib/FS~/FSOpenServ.c xc/lib/FS/FSOpenServ.c
+--- xc/lib/FS~/FSOpenServ.c	2001-12-14 14:53:33.000000000 -0500
++++ xc/lib/FS/FSOpenServ.c	2003-09-10 03:57:31.000000000 -0500
+@@ -118,7 +118,7 @@
+     AlternateServer *alts;
+     int         altlen;
+     char       *vendor_string;
+-    long        setuplength;
++    unsigned long        setuplength;
+ 
+     if (server == NULL || *server == '\0') {
+ 	if ((server = getenv("FONTSERVER")) == NULL) {
+@@ -153,7 +153,8 @@
+     _FSRead(svr, (char *) &prefix, (long) SIZEOF(fsConnSetup));
+ 
+     setuplength = prefix.alternate_len << 2;
+-    if ((alt_data = (char *)
++    if (setuplength > (SIZE_MAX>>2)
++	|| (alt_data = (char *)
+ 	 (setup = FSmalloc((unsigned) setuplength))) == NULL) {
+ 	errno = ENOMEM;
+ 	FSfree((char *) svr);
+@@ -162,6 +163,10 @@
+     _FSRead(svr, (char *) alt_data, setuplength);
+     ad = alt_data;
+ 
++    if (prefix.num_alternates > SIZE_MAX / sizeof(AlternateServer)) {
++	errno = ENOMEM;
++	return (FSServer *) 0;
++    }
+     alts = (AlternateServer *)
+ 	FSmalloc(sizeof(AlternateServer) * prefix.num_alternates);
+     if (!alts) {
+@@ -193,7 +198,8 @@
+     svr->num_alternates = prefix.num_alternates;
+ 
+     setuplength = prefix.auth_len << 2;
+-    if ((auth_data = (char *)
++    if (prefix.auth_len > (SIZE_MAX>>2)
++	|| (auth_data = (char *)
+ 	 (setup = FSmalloc((unsigned) setuplength))) == NULL) {
+ 	errno = ENOMEM;
+ 	FSfree((char *) svr);
+diff -urN xc/lib/FS~/FSQGlyphs.c xc/lib/FS/FSQGlyphs.c
+--- xc/lib/FS~/FSQGlyphs.c	2001-12-14 14:53:33.000000000 -0500
++++ xc/lib/FS/FSQGlyphs.c	2003-09-10 03:56:13.000000000 -0500
+@@ -85,12 +85,20 @@
+      (SIZEOF(fsQueryXBitmaps8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ 	return FSBadAlloc;
+ 
++    if (reply.num_chars > SIZE_MAX / sizeof(FSOffset))
++	return FSBadAlloc;
++
+     offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
+     *offsets = offs;
+     if (!offs)
+ 	return FSBadAlloc;
+     left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps8Reply)
+ 	- (SIZEOF(fsOffset32) * reply.num_chars);
++    /* XXX This thest is incomplete */
++    if (reply.length > (SIZE_MAX >> 2)) {
++	FSfree((char *) offs);
++	return FSBadAlloc;
++    }
+     gd = (unsigned char *) FSmalloc(left);
+     *glyphdata = gd;
+     if (!gd) {
+@@ -141,6 +149,8 @@
+ 	int i;
+ 	fsChar2b_version1 *swapped_str;
+ 
++	if (str_len > SIZE_MAX/SIZEOF(fsChar2b_version1)) 
++	    return FSBadAlloc;
+ 	swapped_str = (fsChar2b_version1 *)
+ 	    FSmalloc(SIZEOF(fsChar2b_version1) * str_len);
+ 	if (!swapped_str)
+@@ -160,12 +170,19 @@
+ 		  fsFalse))
+ 	return FSBadAlloc;
+ 
++    if(reply.num_chars > SIZE_MAX/sizeof(FSOffset))
++       return FSBadAlloc;
+     offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
+     *offsets = offs;
+     if (!offs)
+ 	return FSBadAlloc;
+     left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps16Reply)
+ 	- (SIZEOF(fsOffset32) * reply.num_chars);
++    /* XXX - this test is incomplete */
++    if (reply.length > (SIZE_MAX>>2)) {
++	FSfree((char *) offs);
++	return FSBadAlloc;
++    }
+     gd = (unsigned char *) FSmalloc(left);
+     *glyphdata = gd;
+     if (!gd) {
+diff -urN xc/lib/FS~/FSQXExt.c xc/lib/FS/FSQXExt.c
+--- xc/lib/FS~/FSQXExt.c	2001-12-14 14:53:33.000000000 -0500
++++ xc/lib/FS/FSQXExt.c	2003-09-10 03:56:13.000000000 -0500
+@@ -93,6 +93,9 @@
+ 		  fsFalse))
+ 	return FSBadAlloc;
+ 
++    if (reply.num_extents > SIZE_MAX / sizeof(FSXCharInfo))
++	return FSBadAlloc;
++
+     ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
+     *extents = ext;
+     if (!ext)
+@@ -149,6 +152,9 @@
+ 		  fsFalse))
+ 	return FSBadAlloc;
+ 
++    if (reply.num_extents > SIZE_MAX/sizeof(FSXCharInfo))
++	return FSBadAlloc;
++
+     ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
+     *extents = ext;
+     if (!ext)
+diff -urN xc/lib/FS~/FSQXInfo.c xc/lib/FS/FSQXInfo.c
+--- xc/lib/FS~/FSQXInfo.c	2001-12-14 14:53:33.000000000 -0500
++++ xc/lib/FS/FSQXInfo.c	2003-09-10 03:56:13.000000000 -0500
+@@ -91,6 +91,9 @@
+     props->num_offsets = local_pi.num_offsets;
+     props->data_len = local_pi.data_len;
+ 
++    if (props->num_offsets > SIZE_MAX / sizeof(FSPropOffset))
++	return FSBadAlloc;
++
+     /* prepare for prop data */
+     offset_data = (FSPropOffset *)
+ 	FSmalloc(props->num_offsets * sizeof(FSPropOffset));
+diff -urN xc/lib/FS~/FSlibos.h xc/lib/FS/FSlibos.h
+--- xc/lib/FS~/FSlibos.h	2001-12-14 14:53:33.000000000 -0500
++++ xc/lib/FS/FSlibos.h	2003-09-10 03:56:13.000000000 -0500
+@@ -76,6 +76,13 @@
+ #undef _POSIX_SOURCE
+ #endif
+ #endif
++#ifndef SIZE_MAX
++# ifdef ULONG_MAX
++#  define SIZE_MAX ULONG_MAX
++# else
++#  define SIZE_MAX UINT_MAX
++# endif
++#endif
+ #ifndef OPEN_MAX
+ #ifdef SVR4
+ #define OPEN_MAX 256
+diff -urN xc/lib/font~/fc/fsconvert.c xc/lib/font/fc/fsconvert.c
+--- xc/lib/font~/fc/fsconvert.c	2001-01-17 14:43:28.000000000 -0500
++++ xc/lib/font/fc/fsconvert.c	2003-09-10 03:56:13.000000000 -0500
+@@ -36,6 +36,7 @@
+ #include	"fontstruct.h"
+ #include	"fservestr.h"
+ #include	"fontutil.h"
++#include	"fslibos.h"
+ 
+ extern char _fs_glyph_undefined;
+ extern char _fs_glyph_requested;
+@@ -102,6 +103,10 @@
+ 
+     nprops = pfi->nprops = pi->num_offsets;
+ 
++    if (nprops < 0
++	|| nprops > SIZE_MAX/(sizeof(FontPropRec) + sizeof(char)))
++	return -1;
++
+     dprop = (FontPropPtr) xalloc(sizeof(FontPropRec) * nprops +
+ 				 sizeof (char) * nprops);
+     if (!dprop)
+diff -urN xc/lib/font~/fc/fserve.c xc/lib/font/fc/fserve.c
+--- xc/lib/font~/fc/fserve.c	2001-12-14 14:56:48.000000000 -0500
++++ xc/lib/font/fc/fserve.c	2003-09-10 03:56:13.000000000 -0500
+@@ -1508,7 +1508,7 @@
+     if (conn->blockState & FS_GIVE_UP)
+ 	return BadFontName;
+     
+-    if (namelen > sizeof (buf) - 1)
++    if (namelen <= 0 || namelen > sizeof (buf) - 1)
+ 	return BadFontName;
+     
+     /*
+diff -urN xc/lib/font~/fc/fslibos.h xc/lib/font/fc/fslibos.h
+--- xc/lib/font~/fc/fslibos.h	2001-12-14 14:56:49.000000000 -0500
++++ xc/lib/font/fc/fslibos.h	2003-09-10 03:56:13.000000000 -0500
+@@ -48,13 +48,20 @@
+ #ifndef FONT_OPEN_MAX
+ 
+ #ifndef X_NOT_POSIX
+-#ifdef _POSIX_SOURCE
+-#include <limits.h>
+-#else
+-#define _POSIX_SOURCE
+-#include <limits.h>
+-#undef _POSIX_SOURCE
+-#endif
++# ifdef _POSIX_SOURCE
++#  include <limits.h>
++# else
++#  define _POSIX_SOURCE
++#  include <limits.h>
++#  undef _POSIX_SOURCE
++# endif
++#endif
++#ifndef SIZE_MAX
++# ifdef ULONG_MAX
++#  define SIZE_MAX ULONG_MAX
++# else
++#  define SIZE_MAX UINT_MAX
++# endif
+ #endif
+ #ifndef OPEN_MAX
+ #if defined(SVR4) || defined(__EMX__)
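Review bot: The `rep.length` bounds added in FSFtNames.c, FSGetCats.c, FSListCats.c and FSListExt.c are written as `SIZE_MAX + SIZEOF(...) - 1` (or `+ 1`), and because this patch defines SIZE_MAX as ULONG_MAX or UINT_MAX the addition wraps around, leaving a limit of roughly `SIZEOF(reply) >> 2`, so replies of any realistic size appear to fail the new check and the functions return NULL as if the server had misbehaved. A bound that cannot wrap is `rep.length <= (SIZE_MAX >> 2)`, the form the same patch already uses in FSQGlyphs.c and FSOpenServ.c; the mix of `- 1` in two files and `+ 1` in the other two also suggests the expression was not derived carefully. Separately, the new `prefix.num_alternates` check in FSOpenServ.c returns without releasing `svr` or the `setup` buffer allocated just above it, unlike the adjacent ENOMEM path that calls `FSfree((char *) svr)`, so it should do the same cleanup before `return (FSServer *) 0;`. The enclosing functions of these nested hunks lie outside the quoted lines, and the comment `/* XXX This thest is incomplete */` should read "test".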


