X Strike Force XFree86 SVN commit: rev 966 - in branches/4.1.0/woody/debian: . patches
Author: branden
Date: 2004-01-22 20:10:54 -0500 (Thu, 22 Jan 2004)
New Revision: 966
Added:
branches/4.1.0/woody/debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff
Modified:
branches/4.1.0/woody/debian/changelog
Log:
Backport fix for denial-of-service attacks against X server from XFree86
CVS.
Add validation for the screen number parameter received over the wire by
the X server's DRI extension code, and fix some similar checks in the GLX
code. This fixes X server segfaults when an invalid screen value is
provided (#A.1434, Felix Kühling).
Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog 2004-01-22 20:39:21 UTC (rev 965)
+++ branches/4.1.0/woody/debian/changelog 2004-01-23 01:10:54 UTC (rev 966)
@@ -1,18 +1,26 @@
xfree86 (4.1.0-16woody2) stable-security; urgency=high
- * Security update release. Resolves the following issue:
+ * Security update release. Resolves the following issues:
+ CAN-2003-0690: xdm does not verify whether the pam_setcred function call
succeeds, which may allow attackers to gain root privileges by
triggering error conditions within PAM modules, as demonstrated in
certain configurations of the MIT pam_krb5 module.
+ + Denial-of-service attacks against X server by clients using the GLX
+ extension and Direct Rendering Infrastructure.
* Patch xdm to call pam_strerror(), log the returned error, and exit the
StartClient() function with a zero exit status (failure) if pam_setcred()
returns a value other than PAM_SUCCESS.
- debian/patches/073_SECURITY_xdm_pam_setcred_error_handling.diff
- -- Branden Robinson <branden@debian.org> Wed, 21 Jan 2004 17:19:48 -0500
+ * Add validation for the screen number parameter received over the wire by
+ the X server's DRI extension code, and fix some similar checks in the GLX
+ code. This fixes X server segfaults when an invalid screen value is
+ provided (#A.1434, Felix K�).
+ - debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff
+ -- Branden Robinson <branden@debian.org> Thu, 22 Jan 2004 20:07:06 -0500
+
xfree86 (4.1.0-16woody1) stable-security; urgency=high
* Security update release. Resolves the following issues:
Added: branches/4.1.0/woody/debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff 2004-01-22 20:39:21 UTC (rev 965)
+++ branches/4.1.0/woody/debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff 2004-01-23 01:10:54 UTC (rev 966)
@@ -0,0 +1,208 @@
+$Id$
+
+xc/programs/Xserver/GL/dri/xf86dri.c @ 1.12
+xc/programs/Xserver/GL/glx/glxcmds.c @ 1.9
+ 628. Add validation for the screen number parameter received over the wire
+ by the X server's DRI extension code, and fix some similar checks in
+ the GLX code. This fixes X server segfaults when an invalid screen
+ value is provided (#A.1434, Felix Kühling).
+
+--- xc/programs/Xserver/GL/dri/xf86dri.c 29 Oct 2002 20:28:57 -0000 1.10
++++ xc/programs/Xserver/GL/dri/xf86dri.c 13 Dec 2002 15:51:57 -0000
+@@ -155,6 +155,11 @@
+
+ REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
+ REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
++
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -184,6 +189,10 @@
+
+ REQUEST(xXF86DRIOpenConnectionReq);
+ REQUEST_SIZE_MATCH(xXF86DRIOpenConnectionReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
+
+ if (!DRIOpenConnection( screenInfo.screens[stuff->screen],
+ &hSAREA,
+@@ -221,6 +230,10 @@
+
+ REQUEST(xXF86DRIAuthConnectionReq);
+ REQUEST_SIZE_MATCH(xXF86DRIAuthConnectionReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
+
+ rep.type = X_Reply;
+ rep.length = 0;
+@@ -242,6 +255,10 @@
+ {
+ REQUEST(xXF86DRICloseConnectionReq);
+ REQUEST_SIZE_MATCH(xXF86DRICloseConnectionReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
+
+ DRICloseConnection( screenInfo.screens[stuff->screen]);
+
+@@ -258,6 +275,10 @@
+
+ REQUEST(xXF86DRIGetClientDriverNameReq);
+ REQUEST_SIZE_MATCH(xXF86DRIGetClientDriverNameReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
+
+ DRIGetClientDriverName( screenInfo.screens[stuff->screen],
+ (int *)&rep.ddxDriverMajorVersion,
+@@ -295,6 +316,11 @@
+
+ REQUEST(xXF86DRICreateContextReq);
+ REQUEST_SIZE_MATCH(xXF86DRICreateContextReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
++
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -329,6 +355,10 @@
+ {
+ REQUEST(xXF86DRIDestroyContextReq);
+ REQUEST_SIZE_MATCH(xXF86DRIDestroyContextReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
+
+ if (!DRIDestroyContext( screenInfo.screens[stuff->screen],
+ stuff->context)) {
+@@ -348,6 +378,11 @@
+
+ REQUEST(xXF86DRICreateDrawableReq);
+ REQUEST_SIZE_MATCH(xXF86DRICreateDrawableReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
++
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -378,6 +413,10 @@
+ REQUEST(xXF86DRIDestroyDrawableReq);
+ DrawablePtr pDrawable;
+ REQUEST_SIZE_MATCH(xXF86DRIDestroyDrawableReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
+
+ if (!(pDrawable = (DrawablePtr)SecurityLookupDrawable(
+ (Drawable)stuff->drawable,
+@@ -409,6 +448,11 @@
+
+ REQUEST(xXF86DRIGetDrawableInfoReq);
+ REQUEST_SIZE_MATCH(xXF86DRIGetDrawableInfoReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
++
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -483,6 +527,11 @@
+
+ REQUEST(xXF86DRIGetDeviceInfoReq);
+ REQUEST_SIZE_MATCH(xXF86DRIGetDeviceInfoReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
++
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -528,6 +577,11 @@
+ DrawablePtr pDrawable;
+
+ REQUEST_SIZE_MATCH(xXF86DRIOpenFullScreenReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
++
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -554,6 +608,11 @@
+ DrawablePtr pDrawable;
+
+ REQUEST_SIZE_MATCH(xXF86DRICloseFullScreenReq);
++ if (stuff->screen >= screenInfo.numScreens) {
++ client->errorValue = stuff->screen;
++ return BadValue;
++ }
++
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+--- xc/programs/Xserver/GL/glx/glxcmds.c 25 Nov 2002 19:58:38 -0000 1.8
++++ xc/programs/Xserver/GL/glx/glxcmds.c 13 Dec 2002 15:52:01 -0000
+@@ -761,7 +761,7 @@
+ int i, p;
+
+ screen = req->screen;
+- if (screen > screenInfo.numScreens) {
++ if (screen >= screenInfo.numScreens) {
+ /* The client library must send a valid screen number. */
+ client->errorValue = screen;
+ return BadValue;
+@@ -1466,7 +1466,7 @@
+ ClientPtr client = cl->client;
+ xGLXQueryExtensionsStringReq *req = (xGLXQueryExtensionsStringReq *) pc;
+ xGLXQueryExtensionsStringReply reply;
+- GLint screen;
++ GLuint screen;
+ size_t n, length;
+ const char *ptr;
+ char *buf;
+@@ -1475,7 +1475,7 @@
+ /*
+ ** Check if screen exists.
+ */
+- if ((screen < 0) || (screen >= screenInfo.numScreens)) {
++ if (screen >= screenInfo.numScreens) {
+ client->errorValue = screen;
+ return BadValue;
+ }
+@@ -1511,7 +1511,7 @@
+ xGLXQueryServerStringReq *req = (xGLXQueryServerStringReq *) pc;
+ xGLXQueryServerStringReply reply;
+ int name;
+- GLint screen;
++ GLuint screen;
+ size_t n, length;
+ const char *ptr;
+ char *buf;
+@@ -1521,7 +1521,7 @@
+ /*
+ ** Check if screen exists.
+ */
+- if ((screen < 0) || (screen >= screenInfo.numScreens)) {
++ if (screen >= screenInfo.numScreens) {
+ client->errorValue = screen;
+ return BadValue;
+ }
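Review bot: In the first glxcmds.c hunk (`@@ -761,7 +761,7 @@`) the corrected test `screen >= screenInfo.numScreens` has no lower bound, and the declaration of `screen` lies outside the hunk, so it cannot be confirmed from here that the variable is unsigned. The two later GLX hunks make this explicit by changing `GLint screen;` to `GLuint screen;` before dropping the `screen < 0` test; if the variable at line 761 is signed, a negative value read from the request would still pass the check and be used as a screen index. I would confirm that declaration and, if needed, make it `GLuint screen;` to match the other two functions. The same assumption sits behind the thirteen `stuff->screen >= screenInfo.numScreens` checks in xf86dri.c, which are complete only if the request's `screen` field is an unsigned type; a comment at the first check such as `/* screen is unsigned on the wire, so this also rejects negative values */` would record that for the next maintainer.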
Property changes on: branches/4.1.0/woody/debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff
___________________________________________________________________
Name: svn:keywords
+ Id