
Bug#211361: xserver crashes in startup running on vmware



retitle 211361 xserver-xfree86: [vmware] crash on startup on PCI SVGA (FIFO) rev 0
thanks

On Thu, Sep 18, 2003 at 06:19:37PM +1000, Daniel Stone wrote:
> On Wed, Sep 17, 2003 at 01:37:35PM +0200, Bertram Lueckehe wrote:
> > i was using vmware_drv.o that is in the debian package
> > xserver-xfree86. I replaced it now by the version you can download
> > from http://www.vmware.com/download/downloadxserver.html and now it
> > works.
> > 
> > You should replace the file in the package with the new one from
> > vmware (sourcecode is available) or remove it from the package.
> 
> Thanks for your analysis, Bertram - sorry about the incorrect closure
> of this bug, I forgot about the new VMware module being open and stuff
> (this has changed since the last time I used VMware).
> 
> Can anyone confirm whether this bug is woody-only, or whether it also
> applies to 4.2.x/4.3.x? Until we establish how wide the reach of this
> bug is, I'm leaving this as moreinfo.

I don't think the stable release manager will permit a large driver
update of this nature.

I've seen similar crashes with VMware Workstation 4 and XFree86's vmware
driver on 4.1.0-16.  I don't think this has anything to do with the
security release.  The crash I saw *did* have to do, interestingly, with
what applications you decided to start.  A basic session with just an
xterm was fine, but running "configlets-druid" would cause the server to
core.

I've gotten other reports recently of the X server "suddenly breaking" with the
security update.  I have no choice but to be a little skeptical of such claims,
given the following (quoting from another mail I recently sent):

  A perusal of the differences between the xfree86 4.1.0-16 and
  4.1.0-16woody1 packages will reveal that this security update
  contained *no* changes that were not related to rectifying the
  security vulnerabilities in question.

  There were certainly no changes to the XF86Config file parser or the
  mga driver.

  Moreover, the security update packages were built in a woody chroot,
  so the build environment should have looked much the same as, and
  generated the same code as the build environment for the 4.1.0-16
  release.

  I have attached a diff of the unpacked source trees so you can verify
  my claims about the limited scope of changes to this package for
  yourself.

My theory is that people have edited the XF86Config-4 configuration
file, probably without remembering it, and failed both to tell debconf to
leave the file alone, and to remove the "debconf region markers" from
this file.

In the next release of Debian, a different strategy for managing the
configuration files will be used which interprets any changes by the
user as an instruction to never fool with the file again.  (This new
strategy is already present in the xfree86 4.2.1-11 packages.)

At any rate, I concur with Daniel's stated requirements for closing this
bug.  A testimonial that the vmware driver in a later version of XFree86
works will be sufficient to resolve this bug.

-- 
G. Branden Robinson                |    I have a truly elegant proof of the
Debian GNU/Linux                   |    above, but it is too long to fit
branden@debian.org                 |    into this .signature file.
http://people.debian.org/~branden/ |
diff -urN xfree86-4.1.0-16/debian/changelog xfree86-4.1.0-16woody1/debian/changelog
--- xfree86-4.1.0-16/debian/changelog	2003-09-16 12:09:32.000000000 -0500
+++ xfree86-4.1.0-16woody1/debian/changelog	2003-09-16 12:11:32.000000000 -0500
@@ -1,3 +1,42 @@
+xfree86 (4.1.0-16woody1) stable-security; urgency=high
+
+  * Security update release.  Resolves the following issues:
+    + CAN-2003-0063 (xterm window title reporting can deceive user)
+    + CAN-2003-0071 (xterm susceptible to DEC UDK sequence DoS attack)
+    + CAN-2002-0164 (flaw in X server's MIT-SHM extension permits user owning
+                    X session to read and write arbitrary shared memory
+                    segments)
+    + CAN-2003-0730 (multiple integer overflows in the font libraries for
+                    XFree86 allow local or remote attackers to cause a denial
+                    of service or execute arbitrary code via heap-based and
+                    stack-based buffer overflow attacks)
+
+  * patch #069: new; disable xterm's window title reporting escape sequence
+
+  * patch #070: new; fix term to ignore malformed DEC UDK escape sequences
+    instead of locking up
+
+  * patch #071: new; updated fix to MIT-SHM vulnerability from upstream CVS:
+    - Implement LocalClientCred() to return the credentials of local clients
+      connected through Unix domain sockets on systems that have the required
+      support (for now recent Linux, FreeBSD >= 4.6, OpenBSD >= 3.0 are
+      implemented), and use that in ShmAttach() to grant access to the client.
+      When client credentials are not available, require world accessibility.
+    The original fix did not cover the case where the X server is started
+    from an X display manager such as xdm.
+
+  * patch #072: new; fixes for integer overflows in font libraries from
+    upstream CVS:
+    - fixes for potential integer overflows in font libraries (blexim, Matthieu
+      Herrb).
+    - For integer overflow tests, use SIZE_MAX which is more standard than
+      SIZE_T_MAX, and default to ULONG_MAX for the case of LP64 systems.  Based
+      on reports by Matthias Scheler and Alan Coopersmith (Bugzilla #646).
+
+  * patch #400: resynced offsets in the wake of patch #071
+
+ -- Branden Robinson <branden@debian.org>  Wed,  3 Sep 2003 19:40:13 -0500
+
 xfree86 (4.1.0-16) unstable; urgency=high
 
   * patch #000_stolen_from_HEAD:
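Review bot: the patch #070 entry says "fix term to ignore malformed DEC UDK escape sequences"; the program is xterm, as the CAN-2003-0071 line and the #069 entry say, so this should read "fix xterm". The rest of the entry matches the patch headers in the files that follow.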
diff -urN xfree86-4.1.0-16/debian/patches/069_SECURITY_xterm_window_title_reporting.diff xfree86-4.1.0-16woody1/debian/patches/069_SECURITY_xterm_window_title_reporting.diff
--- xfree86-4.1.0-16/debian/patches/069_SECURITY_xterm_window_title_reporting.diff	1969-12-31 19:00:00.000000000 -0500
+++ xfree86-4.1.0-16woody1/debian/patches/069_SECURITY_xterm_window_title_reporting.diff	2003-09-16 12:11:30.000000000 -0500
@@ -0,0 +1,39 @@
+> - Xterm, provided as part of the XFree86 packages, provides an escape
+> sequence for reporting the current window title. This escape sequence
+> essentially takes the current title and places it directly on the command
+> line. An attacker can craft an escape sequence that sets the victim's Xterm
+> window title to an arbitrary command, and then reports it to the command
+> line. Since it is not possible to embed a carriage return into the window
+> title, the attacker would then have to convince the victim to press Enter
+> for the shell to process the title as a command, although the attacker
+> could craft other escape sequences that might convince the victim to do so.
+> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
+> assigned the name CAN-2003-0063 to this issue.
+
+Thomas Dickey fixed this in XTerm #174, which was committed to XFree86
+CVS HEAD in 2003-02-25.  XTerm #174 makes window title reporting a
+user-configurable option via the X resource allowWindowOps, which
+defaults off.  This option is documented in the manual page as of that
+version.
+
+Red Hat's fix is to ignore the escape sequence that prints the window
+title.
+
+This is Red Hat's fix.
+
+--- xc/programs/xterm/charproc.c	2002-01-07 16:02:44.000000000 -0500
++++ xc/programs/xterm/charproc.c	2003-04-03 11:43:14.000000000 -0500
+@@ -3751,11 +3751,13 @@
+ 		break;
+ 
+ 	case 21:	/* Report the window's title */
++#if 0
+ 		report_win_label(screen, 'l', &text,
+ 			XGetWMName(
+ 				screen->display,
+ 				VShellWindow,
+ 				&text));
++#endif
+ 		break;
+ 
+ 	default: /* DECSLPP (24, 25, 36, 48, 72, 144) */
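Review bot: the `#if 0` / `#endif` around the `case 21:` body carries no explanation, so in charproc.c it reads as dead code rather than as the CAN-2003-0063 fix; add a one-line comment at the `#if 0` saying that title reporting is disabled on purpose (the header above notes that XTerm #174 instead gates it behind the `allowWindowOps` resource, default off), so a later merge of upstream xterm does not quietly re-enable it.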
diff -urN xfree86-4.1.0-16/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff xfree86-4.1.0-16woody1/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff
--- xfree86-4.1.0-16/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff	1969-12-31 19:00:00.000000000 -0500
+++ xfree86-4.1.0-16woody1/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff	2003-09-16 12:11:30.000000000 -0500
@@ -0,0 +1,27 @@
+> - It is possible to lock up versions of Xterm by sending an invalid DEC
+> UDK escape sequence. (CAN-2003-0071)
+
+Thomas Dickey fixed this in XTerm #173, which was committed to XFree86
+CVS HEAD on 2003-02-06.
+
+This patch is derived from XTerm #173.
+
+--- xc/programs/xterm/misc.c	2001-10-23 21:21:24.000000000 -0400
++++ xc/programs/xterm/misc.c	2003-04-03 11:00:48.000000000 -0500
+@@ -1649,6 +1649,7 @@
+ 				reset_decudk();
+ 
+ 			while (*cp) {
++				char *base = cp;
+ 				char *str = (char *)malloc(strlen(cp) + 2);
+ 				unsigned key = 0;
+ 				int len = 0;
+@@ -1675,6 +1676,8 @@
+ 				}
+ 				if (*cp == ';')
+ 					cp++;
++				if (cp == base) /* badly-formed sequence - bail out */
++					break;
+ 			}
+ 		}
+ 		break;
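Review bot: the `if (cp == base) break;` guard is the right way to stop the loop when a malformed DEC UDK sequence makes an iteration consume nothing, but the lines shown do not include a `free()` of the per-iteration `char *str = (char *)malloc(strlen(cp) + 2);` before the new `break`; confirm that `str` is released on that path (it may be in the lines elided between the two hunks), otherwise each malformed sequence leaks one allocation, which is a smaller but still remotely triggerable resource cost.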
diff -urN xfree86-4.1.0-16/debian/patches/071_SECURITY_improved_MIT-SHM_fix.diff xfree86-4.1.0-16woody1/debian/patches/071_SECURITY_improved_MIT-SHM_fix.diff
--- xfree86-4.1.0-16/debian/patches/071_SECURITY_improved_MIT-SHM_fix.diff	1969-12-31 19:00:00.000000000 -0500
+++ xfree86-4.1.0-16woody1/debian/patches/071_SECURITY_improved_MIT-SHM_fix.diff	2003-09-16 12:11:31.000000000 -0500
@@ -0,0 +1,282 @@
+Implement LocalClientCred() to return the credentials of local clients
+connected through Unix domain sockets on systems that have the required
+support (for now recent Linux, FreeBSD >= 4.6, OpenBSD >= 3.0 are
+implemented), and use that in ShmAttach() to grant access to the client.
+When client credentials are not available, require world accessibility.
+
+This patch from XFree86 CVS.
+
+--- xc/config/cf/Imake.tmpl~	2003-09-02 15:53:44.000000000 -0500
++++ xc/config/cf/Imake.tmpl	2003-09-02 15:58:55.000000000 -0500
+@@ -378,6 +378,9 @@
+ #ifndef HasPamMisc
+ #define HasPamMisc		NO
+ #endif
++#ifndef HasGetpeereid
++#define HasGetpeereid		NO
++#endif
+ /* byte-order defaults */
+ #ifndef ByteOrder
+ #if defined(VaxArchitecture)
+--- xc/doc/specs/Xext/mit-shm.ms	1994-04-27 02:25:28.000000000 -0500
++++ xc/doc/specs/Xext/mit-shm.ms	2002-09-13 01:40:56.000000000 -0500
+@@ -213,6 +213,13 @@
+ shminfo structure.  The server will need that ID to attach itself to the
+ segment.
+ .LP
++Also note that, on many systems for security reasons, the X server
++will only accept to attach to the shared memory segment if it's
++readable and writeable by ``other''. On systems where the X server is
++able to determine the uid of the X client over a local transport, the
++shared memory segment can be readable and writeable only by the uid of
++the client.
++.LP
+ Next, attach this shared memory segment to your process:
+ .Cs
+ shminfo.shmaddr = image->data = shmat (shminfo.shmid, 0, 0);
+--- xc/programs/Xserver/Xext/shm.c~	2003-09-03 19:32:08.000000000 -0500
++++ xc/programs/Xserver/Xext/shm.c	2003-09-03 19:37:06.000000000 -0500
+@@ -33,6 +33,7 @@
+ #include <ipc.h>
+ #include <shm.h>
+ #endif
++#include <sys/stat.h>
+ #define NEED_REPLIES
+ #define NEED_EVENTS
+ #include "X.h"
+@@ -62,12 +63,6 @@
+ extern PanoramiXData   *panoramiXdataPtr;
+ #endif
+ 
+-#if defined(SVR4) || defined(__linux__) || defined(CSRG_BASED)
+-#define HAS_SAVED_IDS_AND_SETEUID
+-#else
+-#include <sys/stat.h>
+-#endif
+-
+ typedef struct _ShmDesc {
+     struct _ShmDesc *next;
+     int shmid;
+@@ -361,35 +356,38 @@
+     return (client->noClientException);
+ }
+ 
+-#ifndef HAS_SAVED_IDS_AND_SETEUID
+ /*
+  * Simulate the access() system call for a shared memory segement,
+- * using the real user and group id of the process
+- * /
++ * using the credentials from the client if available
++ */
+ static int
+-shm_access(uid_t uid, gid_t gid, struct ipc_perm *perm, int readonly)
++shm_access(ClientPtr client, struct ipc_perm *perm, int readonly)
+ {
++    int uid, gid;
+     mode_t mask;
+ 
+-    /* User id 0 always gets access */
+-    if (uid == 0) {
+-	return 0;
+-    }
+-    /* Check the owner */
+-    if (perm->uid == uid || perm->cuid == uid) {
+-	mask = S_IRUSR;
+-	if (!readonly) {
+-	    mask |= S_IWUSR;
++    if (LocalClientCred(client, &uid, &gid) != -1) {
++
++	/* User id 0 always gets access */
++	if (uid == 0) {
++	    return 0;
+ 	}
+-	return (perm->mode & mask) == mask ? 0 : -1;
+-    }
+-    /* Check the group */
+-    if (perm->gid == gid || perm->cgid == gid) {
+-	mask = S_IRGRP;
+-	if (!readonly) {
+-	    mask |= S_IWGRP;
++	/* Check the owner */
++	if (perm->uid == uid || perm->cuid == uid) {
++	    mask = S_IRUSR;
++	    if (!readonly) {
++		mask |= S_IWUSR;
++	    }
++	    return (perm->mode & mask) == mask ? 0 : -1;
++	}
++	/* Check the group */
++	if (perm->gid == gid || perm->cgid == gid) {
++	    mask = S_IRGRP;
++	    if (!readonly) {
++		mask |= S_IWGRP;
++	    }
++	    return (perm->mode & mask) == mask ? 0 : -1;
+ 	}
+-	return (perm->mode & mask) == mask ? 0 : -1;
+     }
+     /* Otherwise, check everyone else */
+     mask = S_IROTH;
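Review bot: `shm_access()` now declares `int uid, gid;` and compares them against `perm->uid`, `perm->cuid`, `perm->gid` and `perm->cgid`, which are `uid_t`/`gid_t`; those are signed/unsigned comparisons, and `LocalClientCred()` is declared with `int *` to match, while the `getpeereid()` branch in access.c already uses `uid_t`/`gid_t`. Use `uid_t`/`gid_t` in the helper, its prototype in os.h and here so no conversion takes place on the access decision. The fall-through to the "everyone else" check when `LocalClientCred()` returns -1 is the behaviour the patch header describes and is correct.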
+@@ -398,7 +396,6 @@
+     }
+     return (perm->mode & mask) == mask ? 0 : -1;
+ }
+-#endif
+ 
+ static int
+ ProcShmAttach(client)
+@@ -407,12 +404,6 @@
+     struct shmid_ds buf;
+     ShmDescPtr shmdesc;
+     REQUEST(xShmAttachReq);
+-    uid_t ruid;
+-    gid_t rgid;
+-#ifdef HAS_SAVED_IDS_AND_SETEUID
+-    uid_t euid;
+-    gid_t egid;
+-#endif
+ 
+     REQUEST_SIZE_MATCH(xShmAttachReq);
+     LEGAL_NEW_RESOURCE(stuff->shmseg, client);
+@@ -436,44 +427,25 @@
+ 	shmdesc = (ShmDescPtr) xalloc(sizeof(ShmDescRec));
+ 	if (!shmdesc)
+ 	    return BadAlloc;
+-	ruid = getuid();
+-	rgid = getgid();
+-#ifdef HAS_SAVED_IDS_AND_SETEUID
+-	euid = geteuid();
+-	egid = getegid();
+-
+-	if (euid != ruid || egid != rgid) {
+-	    /* Temporarly switch back to real ids */
+-	    if (seteuid(ruid) == -1 || setegid(rgid) == -1) {
+-		return BadAccess;
+-	    }
+-	}
+-#endif
+ 	shmdesc->addr = shmat(stuff->shmid, 0,
+ 			      stuff->readOnly ? SHM_RDONLY : 0);
+-#ifdef HAS_SAVED_IDS_AND_SETEUID
+-	if (euid != ruid || egid != rgid) {
+-	    /* Switch back to root privs */
+-	    if (seteuid(euid) == -1 || setegid(egid) == -1) {
+-		return BadAccess;
+-	    }
+-	} 
+-#endif
+ 	if ((shmdesc->addr == ((char *)-1)) ||
+ 	    shmctl(stuff->shmid, IPC_STAT, &buf))
+ 	{
+ 	    xfree(shmdesc);
+ 	    return BadAccess;
+ 	}
+-#ifndef HAS_SAVED_IDS_AND_SETEUID
++
+ 	/* The attach was performed with root privs. We must
+-	 * do manual checking of access rights for the real uid/gid */
+-	if (shm_access(ruid, rgid, &(buf.shm_perm), stuff->readOnly) == -1) {
++	 * do manual checking of access rights for the credentials
++	 * of the client */
++
++	if (shm_access(client, &(buf.shm_perm), stuff->readOnly) == -1) {
+ 	    shmdt(shmdesc->addr);
+ 	    xfree(shmdesc);
+ 	    return BadAccess;
+ 	}
+-#endif	
++
+ 	shmdesc->shmid = stuff->shmid;
+ 	shmdesc->refcnt = 1;
+ 	shmdesc->writable = !stuff->readOnly;
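Review bot: with the `HAS_SAVED_IDS_AND_SETEUID` blocks gone, `shmat()` is always performed with the server's privileges and `shm_access()` is the only thing standing between a client and another user's segment; the segment is mapped into the server before its permissions are read, and the `shmdt()` in the failure branch is what bounds that window. That is acceptable, but the comment "The attach was performed with root privs" should state that this is now unconditional on every platform and that the `shm_access()` call must not be removed or made conditional again, because the old real-uid fallback no longer exists.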
+--- xc/programs/Xserver/include/os.h~	2003-09-02 16:10:55.000000000 -0500
++++ xc/programs/Xserver/include/os.h	2003-09-02 18:09:05.000000000 -0500
+@@ -625,6 +625,8 @@
+ #endif
+ );
+ 
++extern int LocalClientCred(ClientPtr, int *, int *);
++
+ extern int ChangeAccessControl(
+ #if NeedFunctionPrototypes
+     ClientPtr /*client*/,
+--- xc/programs/Xserver/os/Imakefile~	2003-09-02 18:20:29.000000000 -0500
++++ xc/programs/Xserver/os/Imakefile	2003-09-02 18:21:44.000000000 -0500
+@@ -83,6 +83,10 @@
+ MALLOC_OBJS=xalloc.o
+ #endif
+ 
++#if HasGetpeereid
++GETPEEREID_DEFINES = -DHAS_GETPEEREID
++#endif
++
+ BOOTSTRAPCFLAGS = 
+            SRCS = WaitFor.c access.c connection.c io.c $(COLOR_SRCS) \
+                   osinit.c utils.c auth.c mitauth.c secauth.c $(XDMAUTHSRCS) \
+@@ -114,7 +118,7 @@
+ #if HasPam && HasPamMisc
+     PAM_DEFINES = -DUSE_PAM
+ #endif
+-        DEFINES = -DXSERV_t -DTRANS_SERVER $(CONNECTION_FLAGS) $(MEM_DEFINES) $(XDMAUTHDEFS) $(RPCDEFS) $(SIGNAL_DEFINES) $(OS_DEFINES) $(KRB5_DEFINES) $(RGB_DEFINES)
++        DEFINES = -DXSERV_t -DTRANS_SERVER $(CONNECTION_FLAGS) $(MEM_DEFINES) $(XDMAUTHDEFS) $(RPCDEFS) $(SIGNAL_DEFINES) $(OS_DEFINES) $(KRB5_DEFINES) $(RGB_DEFINES) $(GETPEEREID_DEFINES)
+        INCLUDES = -I.  -I../include -I$(XINCLUDESRC) -I$(EXTINCSRC) -I$(TOP)/lib/Xau -I../lbx Krb5Includes
+  DEPEND_DEFINES = $(DBM_DEFINES) $(XDMCP_DEFINES) $(EXT_DEFINES) $(TRANS_INCLUDES) $(CONNECTION_FLAGS) DependDefines
+        LINTLIBS = ../dix/llib-ldix.ln
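Review bot: `-DHAS_GETPEEREID` only reaches `DEFINES` when `HasGetpeereid` is YES, and the only setting in this diff is the `NO` default added to Imake.tmpl; no platform `.cf` file for the FreeBSD >= 4.6 or OpenBSD >= 3.0 targets named in the patch header is touched, so on those systems this backport falls through to the `SO_PEERCRED` or "no system call" branch of `LocalClientCred()` unless a site config sets it. Either carry the platform `.cf` changes along or say in the header that only the Linux path is enabled by this package.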
+--- xc/programs/Xserver/os/access.c~	2003-09-02 18:26:45.000000000 -0500
++++ xc/programs/Xserver/os/access.c	2003-09-02 18:27:53.000000000 -0500
+@@ -1033,6 +1033,55 @@
+     return FALSE;
+ }
+ 
++/*
++ * Return the uid and gid of a connected local client
++ * or the uid/gid for nobody those ids cannot be determinded
++ *
++ * Used by XShm to test access rights to shared memory segments
++ */
++int
++LocalClientCred(ClientPtr client, int *pUid, int *pGid)
++{
++    int fd;
++    XtransConnInfo ci;
++#ifdef HAS_GETPEEREID
++    uid_t uid;
++    gid_t gid;
++#elif defined(SO_PEERCRED)
++    struct ucred peercred;
++    socklen_t so_len = sizeof(peercred);
++#endif
++
++    if (client == NULL)
++	return -1;
++    ci = ((OsCommPtr)client->osPrivate)->trans_conn;
++    /* We can only determine peer credentials for Unix domain sockets */
++    if (!_XSERVTransIsLocal(ci)) {
++	return -1;
++    }
++    fd = _XSERVTransGetConnectionNumber(ci);
++#ifdef HAS_GETPEEREID
++    if (getpeereid(fd, &uid, &gid) == -1)
++	    return -1;
++    if (pUid != NULL)
++	    *pUid = uid;
++    if (pGid != NULL)
++	    *pGid = gid;
++    return 0;
++#elif defined(SO_PEERCRED)
++    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &peercred, &so_len) == -1)
++	    return -1;
++    if (pUid != NULL)
++	    *pUid = peercred.uid;
++    if (pGid != NULL)
++	    *pGid = peercred.gid;
++    return 0;
++#else
++    /* No system call available to get the credentials of the peer */
++    return -1;
++#endif
++}
++
+ static Bool
+ AuthorizedClient(ClientPtr client)
+ {
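Review bot: the comment on `LocalClientCred()` says it returns "the uid/gid for nobody" when the ids cannot be determined, but every failure path returns -1 and leaves `*pUid`/`*pGid` untouched, which is exactly what `shm_access()` depends on; reword it to "returns -1 if the ids cannot be determined" and fix the typo "determinded". Also, the `#elif defined(SO_PEERCRED)` branch uses `struct ucred` and `socklen_t`, which on glibc require `<sys/socket.h>` with `_GNU_SOURCE`; neither appears in the hunk, and if `SO_PEERCRED` is not visible at that point the preprocessor silently selects the `#else` fallback, so every Linux attach would degrade to the world-accessible check. Confirm access.c already has those includes and defines.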
diff -urN xfree86-4.1.0-16/debian/patches/072_SECURITY_fix_font_service_overflows.diff xfree86-4.1.0-16woody1/debian/patches/072_SECURITY_fix_font_service_overflows.diff
--- xfree86-4.1.0-16/debian/patches/072_SECURITY_fix_font_service_overflows.diff	1969-12-31 19:00:00.000000000 -0500
+++ xfree86-4.1.0-16woody1/debian/patches/072_SECURITY_fix_font_service_overflows.diff	2003-09-16 12:11:31.000000000 -0500
@@ -0,0 +1,326 @@
+Fixes for potential integer overflows in font libraries. (blexim, Matthieu
+Herrb).
+
+For integer overflow tests, use SIZE_MAX which is more standard than
+SIZE_T_MAX, and default to ULONG_MAX for the case of LP64 systems.  Based
+on reports by Matthias Scheler and Alan Coopersmith (Bugzilla #646).
+
+Backported from XFree86 CVS HEAD.
+
+diff -urN xc/lib~/FS/FSFontInfo.c xc/lib/FS/FSFontInfo.c
+--- xc/lib~/FS/FSFontInfo.c	2001-01-16 17:05:39.000000000 -0500
++++ xc/lib/FS/FSFontInfo.c	2003-09-02 19:46:40.000000000 -0500
+@@ -61,7 +61,7 @@
+     long        nbytes;
+     int         i,
+                 j;
+-    int         size = 0;
++    size_t      size = 0;
+     FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) 0;
+     FSPropInfo **pi = (FSPropInfo **) 0;
+     FSPropOffset **po = (FSPropOffset **) 0;
+@@ -119,8 +119,14 @@
+ 	if (reply.nameLength == 0)	/* got last reply in version 1 */
+ 	    break;
+ 	if ((i + reply.nReplies) >= size) {
++
++	    if (reply.nReplies > SIZE_MAX - i - 1)
++		goto badmem;
+ 	    size = i + reply.nReplies + 1;
+ 
++	    if (size > SIZE_MAX / sizeof(char *))
++		goto badmem;
++
+ 	    if (fhdr) {
+ 		FSXFontInfoHeader **tmp_fhdr = (FSXFontInfoHeader **)
+ 		FSrealloc((char *) fhdr,
+@@ -233,6 +239,9 @@
+ 	pi[i]->num_offsets = local_pi.num_offsets;
+ 	pi[i]->data_len = local_pi.data_len;
+ 
++	if (pi[i]->num_offsets > SIZE_MAX / sizeof(FSPropOffset))
++	    goto badmem;
++
+ 	po[i] = (FSPropOffset *)
+ 	    FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
+ 	if (!po[i]) {
+@@ -278,6 +287,10 @@
+ 	    nbytes = pi[i]->data_len + reply.nameLength;
+ 	    _FSEatData(svr, (unsigned long) (((nbytes+3)&~3) - nbytes));
+ 	}
++	/* avoid integer overflow */
++	if (i > INT_MAX - 1) {
++	    goto badmem;
++	}
+     }
+     *info = fhdr;
+     *count = i;
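Review bot: the `if (i > INT_MAX - 1) goto badmem;` check sits at the end of the loop body, after `i` has already been used as an index in the same iteration, so it guards the increment rather than the current access; that is fine, but say so in the comment ("avoid integer overflow" alone invites someone to move it). Also, `size` is now `size_t` while `i` stays `int`, so `(i + reply.nReplies) >= size` is a signed/unsigned comparison and `reply.nReplies > SIZE_MAX - i - 1` is evaluated in `size_t`; both are correct for non-negative values, and if `nReplies` is a signed field a negative value from a hostile server becomes a huge unsigned value and is rejected, which is the intended outcome. Finally, this hunk does not show FSlibos.h (where the `SIZE_MAX` fallback is defined below) or `<limits.h>` (for `INT_MAX`) being included; if either is missing the file fails to build rather than misbehaving, so just confirm.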
+diff -urN xc/lib~/FS/FSFtNames.c xc/lib/FS/FSFtNames.c
+--- xc/lib~/FS/FSFtNames.c	2001-01-16 17:05:39.000000000 -0500
++++ xc/lib/FS/FSFtNames.c	2003-09-02 19:46:40.000000000 -0500
+@@ -74,7 +74,8 @@
+ 	  (SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ 	return (char **) 0;
+ 
+-    if (rep.nFonts) {
++    if (rep.nFonts && rep.nFonts <= SIZE_MAX / sizeof(char *)
++	&& rep.length <= ((SIZE_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) {
+ 	flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *));
+ 	rlen = (rep.length << 2) - SIZEOF(fsListFontsReply);
+ 	c = (char *) FSmalloc((unsigned) (rlen + 1));
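Review bot: the upper bound `rep.length <= ((SIZE_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)` wraps: `SIZE_MAX + SIZEOF(...)` overflows in unsigned arithmetic, so the right-hand side evaluates to about `(SIZEOF(fsListFontsReply) - 2) >> 2`, a tiny constant, and legitimate replies would be rejected. The intent (that `(rep.length << 2) - SIZEOF(...) + 1` fits in `size_t`) is better written as `rep.length <= (SIZE_MAX >> 2)` plus a separate lower bound `(rep.length << 2) >= SIZEOF(fsListFontsReply)`, since `rlen` on the following line also underflows when a reply is shorter than its own header. The same construction recurs below in FSGetCats.c (with `- 1`) and in FSListCats.c and FSListExt.c (with `+ 1`); the sign differing between copies is a further sign the expression does not do what was intended, so fix all four together.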
+diff -urN xc/lib~/FS/FSGetCats.c xc/lib/FS/FSGetCats.c
+--- xc/lib~/FS/FSGetCats.c	2001-01-16 17:05:40.000000000 -0500
++++ xc/lib/FS/FSGetCats.c	2003-09-02 19:46:40.000000000 -0500
+@@ -68,9 +68,10 @@
+ 	SyncHandle();
+ 	return (char **) NULL;
+     }
+-    if (rep.num_catalogues) {
++    if (rep.num_catalogues && rep.num_catalogues <= SIZE_MAX/sizeof(char *)
++	&& rep.length <= ((SIZE_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) {
+ 	list = (char **)
+-	    FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
++	       FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
+ 	rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply);
+ 	c = (char *) FSmalloc((unsigned) rlen + 1);
+ 	if ((!list) || (!c)) {
+diff -urN xc/lib~/FS/FSListCats.c xc/lib/FS/FSListCats.c
+--- xc/lib~/FS/FSListCats.c	2001-01-16 17:05:41.000000000 -0500
++++ xc/lib/FS/FSListCats.c	2003-09-02 19:46:40.000000000 -0500
+@@ -74,7 +74,8 @@
+     (SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ 	return (char **) 0;
+ 
+-    if (rep.num_catalogues) {
++    if (rep.num_catalogues && rep.num_catalogues <= SIZE_MAX/sizeof(char *)
++	&& rep.length <= ((SIZE_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) {
+ 	clist = (char **)
+ 	    FSmalloc((unsigned) rep.num_catalogues * sizeof(char *));
+ 	rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply);
+diff -urN xc/lib~/FS/FSListExt.c xc/lib/FS/FSListExt.c
+--- xc/lib~/FS/FSListExt.c	2001-01-16 17:05:41.000000000 -0500
++++ xc/lib/FS/FSListExt.c	2003-09-02 19:46:40.000000000 -0500
+@@ -68,7 +68,8 @@
+ 	SyncHandle();
+ 	return (char **) NULL;
+     }
+-    if (rep.nExtensions) {
++    if (rep.nExtensions && rep.nExtensions <= SIZE_MAX / sizeof(char *)
++	&& rep.length <= ((SIZE_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) {
+ 	list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *)));
+ 	rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply);
+ 	c = (char *) FSmalloc((unsigned) rlen + 1);
+diff -urN xc/lib~/FS/FSOpenServ.c xc/lib/FS/FSOpenServ.c
+--- xc/lib~/FS/FSOpenServ.c	2001-01-17 14:41:28.000000000 -0500
++++ xc/lib/FS/FSOpenServ.c	2003-09-02 19:34:25.000000000 -0500
+@@ -114,7 +114,7 @@
+     AlternateServer *alts;
+     int         altlen;
+     char       *vendor_string;
+-    long        setuplength;
++    unsigned long        setuplength;
+ #ifdef X_NOT_STDC_ENV
+     extern char *getenv();
+ #endif
+@@ -152,7 +152,8 @@
+     _FSRead(svr, (char *) &prefix, (long) SIZEOF(fsConnSetup));
+ 
+     setuplength = prefix.alternate_len << 2;
+-    if ((alt_data = (char *)
++    if (setuplength > (SIZE_MAX>>2)
++	|| (alt_data = (char *)
+ 	 (setup = FSmalloc((unsigned) setuplength))) == NULL) {
+ 	errno = ENOMEM;
+ 	FSfree((char *) svr);
+@@ -161,6 +162,10 @@
+     _FSRead(svr, (char *) alt_data, setuplength);
+     ad = alt_data;
+ 
++    if (prefix.num_alternates > SIZE_MAX / sizeof(AlternateServer)) {
++	errno = ENOMEM;
++	return (FSServer *) 0;
++    }
+     alts = (AlternateServer *)
+ 	FSmalloc(sizeof(AlternateServer) * prefix.num_alternates);
+     if (!alts) {
+@@ -192,7 +197,8 @@
+     svr->num_alternates = prefix.num_alternates;
+ 
+     setuplength = prefix.auth_len << 2;
+-    if ((auth_data = (char *)
++    if (prefix.auth_len > (SIZE_MAX>>2)
++	|| (auth_data = (char *)
+ 	 (setup = FSmalloc((unsigned) setuplength))) == NULL) {
+ 	errno = ENOMEM;
+ 	FSfree((char *) svr);
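Review bot: the new `prefix.num_alternates > SIZE_MAX / sizeof(AlternateServer)` check returns `(FSServer *) 0` with `errno = ENOMEM` but, unlike the adjacent failure paths, does not `FSfree((char *) svr)` or release the `setup`/`alt_data` buffer allocated just above, so a hostile font server can make the client leak both; match the cleanup of the surrounding error returns. Separately, the two length checks are inconsistent: the first tests `setuplength > (SIZE_MAX>>2)` after the `<< 2` has already been applied to `prefix.alternate_len`, while the second tests `prefix.auth_len > (SIZE_MAX>>2)` before shifting; only the second form actually bounds the shift, so use it in both places.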
+diff -urN xc/lib~/FS/FSQGlyphs.c xc/lib/FS/FSQGlyphs.c
+--- xc/lib~/FS/FSQGlyphs.c	2001-01-16 17:05:44.000000000 -0500
++++ xc/lib/FS/FSQGlyphs.c	2003-09-02 19:46:40.000000000 -0500
+@@ -81,12 +81,20 @@
+      (SIZEOF(fsQueryXBitmaps8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ 	return FSBadAlloc;
+ 
++    if (reply.num_chars > SIZE_MAX / sizeof(FSOffset))
++	return FSBadAlloc;
++
+     offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
+     *offsets = offs;
+     if (!offs)
+ 	return FSBadAlloc;
+     left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps8Reply)
+ 	- (SIZEOF(fsOffset32) * reply.num_chars);
++    /* XXX This thest is incomplete */
++    if (reply.length > (SIZE_MAX >> 2)) {
++	FSfree((char *) offs);
++	return FSBadAlloc;
++    }
+     gd = (unsigned char *) FSmalloc(left);
+     *glyphdata = gd;
+     if (!gd) {
+@@ -137,6 +145,8 @@
+ 	int i;
+ 	fsChar2b_version1 *swapped_str;
+ 
++	if (str_len > SIZE_MAX/SIZEOF(fsChar2b_version1)) 
++	    return FSBadAlloc;
+ 	swapped_str = (fsChar2b_version1 *)
+ 	    FSmalloc(SIZEOF(fsChar2b_version1) * str_len);
+ 	if (!swapped_str)
+@@ -156,12 +166,19 @@
+ 		  fsFalse))
+ 	return FSBadAlloc;
+ 
++    if(reply.num_chars > SIZE_MAX/sizeof(FSOffset))
++       return FSBadAlloc;
+     offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
+     *offsets = offs;
+     if (!offs)
+ 	return FSBadAlloc;
+     left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps16Reply)
+ 	- (SIZEOF(fsOffset32) * reply.num_chars);
++    /* XXX - this test is incomplete */
++    if (reply.length > (SIZE_MAX>>2)) {
++	FSfree((char *) offs);
++	return FSBadAlloc;
++    }
+     gd = (unsigned char *) FSmalloc(left);
+     *glyphdata = gd;
+     if (!gd) {
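Review bot: in both the 8-bit and 16-bit variants in this file, `left` is computed as `(reply.length << 2) - SIZEOF(...) - (SIZEOF(fsOffset32) * reply.num_chars)` before the new `reply.length > (SIZE_MAX >> 2)` test, and that test only bounds the shift; it does not ensure `reply.length << 2` is at least the header size plus the offsets table, so `left` can still wrap to a huge value and be handed to `FSmalloc(left)`, which the `/* XXX This thest is incomplete */` comment (typo: "test") already admits. Add the lower-bound check alongside the existing one, and fix the comment so it states what is still unchecked.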
+diff -urN xc/lib~/FS/FSQXExt.c xc/lib/FS/FSQXExt.c
+--- xc/lib~/FS/FSQXExt.c	2001-01-17 14:41:28.000000000 -0500
++++ xc/lib/FS/FSQXExt.c	2003-09-02 19:39:46.000000000 -0500
+@@ -89,6 +89,9 @@
+ 		  fsFalse))
+ 	return FSBadAlloc;
+ 
++    if (reply.num_extents > SIZE_MAX / sizeof(FSXCharInfo))
++	return FSBadAlloc;
++
+     ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
+     *extents = ext;
+     if (!ext)
+@@ -145,6 +148,9 @@
+ 		  fsFalse))
+ 	return FSBadAlloc;
+ 
++    if (reply.num_extents > SIZE_MAX/sizeof(FSXCharInfo))
++	return FSBadAlloc;
++
+     ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
+     *extents = ext;
+     if (!ext)
+diff -urN xc/lib~/FS/FSQXInfo.c xc/lib/FS/FSQXInfo.c
+--- xc/lib~/FS/FSQXInfo.c	2001-01-16 17:05:45.000000000 -0500
++++ xc/lib/FS/FSQXInfo.c	2003-09-02 19:46:40.000000000 -0500
+@@ -87,6 +87,9 @@
+     props->num_offsets = local_pi.num_offsets;
+     props->data_len = local_pi.data_len;
+ 
++    if (props->num_offsets > SIZE_MAX / sizeof(FSPropOffset))
++	return FSBadAlloc;
++
+     /* prepare for prop data */
+     offset_data = (FSPropOffset *)
+ 	FSmalloc(props->num_offsets * sizeof(FSPropOffset));
+diff -urN xc/lib~/FS/FSlibos.h xc/lib/FS/FSlibos.h
+--- xc/lib~/FS/FSlibos.h	2001-01-17 14:41:28.000000000 -0500
++++ xc/lib/FS/FSlibos.h	2003-09-02 19:40:48.000000000 -0500
+@@ -72,6 +72,13 @@
+ #undef _POSIX_SOURCE
+ #endif
+ #endif
++#ifndef SIZE_MAX
++# ifdef ULONG_MAX
++#  define SIZE_MAX ULONG_MAX
++# else
++#  define SIZE_MAX UINT_MAX
++# endif
++#endif
+ #ifndef OPEN_MAX
+ #ifdef SVR4
+ #define OPEN_MAX 256
+diff -urN xc/lib~/font/fc/fsconvert.c xc/lib/font/fc/fsconvert.c
+--- xc/lib~/font/fc/fsconvert.c	2001-01-17 14:43:28.000000000 -0500
++++ xc/lib/font/fc/fsconvert.c	2003-09-02 19:41:47.000000000 -0500
+@@ -36,6 +36,7 @@
+ #include	"fontstruct.h"
+ #include	"fservestr.h"
+ #include	"fontutil.h"
++#include	"fslibos.h"
+ 
+ extern char _fs_glyph_undefined;
+ extern char _fs_glyph_requested;
+@@ -102,6 +103,10 @@
+ 
+     nprops = pfi->nprops = pi->num_offsets;
+ 
++    if (nprops < 0
++	|| nprops > SIZE_MAX/(sizeof(FontPropRec) + sizeof(char)))
++	return -1;
++
+     dprop = (FontPropPtr) xalloc(sizeof(FontPropRec) * nprops +
+ 				 sizeof (char) * nprops);
+     if (!dprop)
+diff -urN xc/lib~/font/fc/fserve.c xc/lib/font/fc/fserve.c
+--- xc/lib~/font/fc/fserve.c	2001-04-05 12:42:27.000000000 -0500
++++ xc/lib/font/fc/fserve.c	2003-09-02 19:43:56.000000000 -0500
+@@ -1512,7 +1512,7 @@
+     if (conn->blockState & FS_GIVE_UP)
+ 	return BadFontName;
+     
+-    if (namelen > sizeof (buf) - 1)
++    if (namelen <= 0 || namelen > sizeof (buf) - 1)
+ 	return BadFontName;
+     
+     /*
+diff -urN xc/lib~/font/fc/fslibos.h xc/lib/font/fc/fslibos.h
+--- xc/lib~/font/fc/fslibos.h	2001-01-17 14:43:29.000000000 -0500
++++ xc/lib/font/fc/fslibos.h	2003-09-02 19:45:21.000000000 -0500
+@@ -44,13 +44,20 @@
+ #ifndef FONT_OPEN_MAX
+ 
+ #ifndef X_NOT_POSIX
+-#ifdef _POSIX_SOURCE
+-#include <limits.h>
+-#else
+-#define _POSIX_SOURCE
+-#include <limits.h>
+-#undef _POSIX_SOURCE
+-#endif
++# ifdef _POSIX_SOURCE
++#  include <limits.h>
++# else
++#  define _POSIX_SOURCE
++#  include <limits.h>
++#  undef _POSIX_SOURCE
++# endif
++#endif
++#ifndef SIZE_MAX
++# ifdef ULONG_MAX
++#  define SIZE_MAX ULONG_MAX
++# else
++#  define SIZE_MAX UINT_MAX
++# endif
+ #endif
+ #ifndef OPEN_MAX
+ #if defined(SVR4) || defined(__EMX__)
diff -urN xfree86-4.1.0-16/debian/patches/400_hppa_support.diff xfree86-4.1.0-16woody1/debian/patches/400_hppa_support.diff
--- xfree86-4.1.0-16/debian/patches/400_hppa_support.diff	2003-09-16 12:09:32.000000000 -0500
+++ xfree86-4.1.0-16woody1/debian/patches/400_hppa_support.diff	2003-09-16 12:11:31.000000000 -0500
@@ -18,8 +18,8 @@
  #  define PowerPCArchitecture
 diff -ur xc-dist/config/cf/Imake.tmpl xc/config/cf/Imake.tmpl
 --- xc-dist/config/cf/Imake.tmpl	Sun Jul 29 03:33:08 2001
-+++ xc/config/cf/Imake.tmpl	Sun Jul 29 03:43:14 2001
-@@ -404,6 +404,8 @@
++++ xc/config/cf/Imake.tmpl	Tue Sep 02 19:57:26 2003
+@@ -407,6 +407,8 @@
  #define ByteOrder		X_LITTLE_ENDIAN
  #elif defined(PpcArchitecture)
  #define ByteOrder		X_BIG_ENDIAN
