xorg-server: Changes to 'debian-unstable'
debian/changelog | 8 +++++++
debian/patches/45_CVE-2007-1003.diff | 38 +++++++++++++++++++++++++++++++++++
debian/patches/series | 1
3 files changed, 47 insertions(+)
New commits:
commit a6d75e5d598ac6fa07b56429ed598e7920f3c8b2
Author: Julien Cristau <jcristau@debian.org>
Date: Wed Apr 4 00:41:31 2007 +0200
Fix CVE-2007-1003.
Add patch to fix integer overflow in the ProcXCMiscGetXIDList() function in
the XC-MISC extension.
diff --git a/debian/changelog b/debian/changelog
index 770df91..da89c8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+xorg-server (2:1.1.1-21) unstable; urgency=emergency
+
+ * Security update.
+ * Fix integer overflow in the ProcXCMiscGetXIDList() function in the XC-MISC
+ extension. Reference: CVE-2007-1003.
+
+ -- Julien Cristau <jcristau@debian.org> Wed, 04 Apr 2007 00:34:51 +0200
+
xorg-server (2:1.1.1-20) unstable; urgency=low
* xephyr: Add patch from upstream git to fix memory leak in
diff --git a/debian/patches/45_CVE-2007-1003.diff b/debian/patches/45_CVE-2007-1003.diff
new file mode 100644
index 0000000..39aaa70
--- /dev/null
+++ b/debian/patches/45_CVE-2007-1003.diff
@@ -0,0 +1,38 @@
+Index: Xext/xcmisc.c
+===================================================================
+--- Xext/xcmisc.c.orig 2007-04-04 00:33:05.000000000 +0200
++++ Xext/xcmisc.c 2007-04-04 00:37:54.000000000 +0200
+@@ -44,6 +44,12 @@
+ #include <X11/extensions/xcmiscstr.h>
+ #include "modinit.h"
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ #if 0
+ static unsigned char XCMiscCode;
+ #endif
+@@ -145,7 +151,10 @@
+
+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
+
+- pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID));
++ if (stuff->count > UINT32_MAX / sizeof(XID))
++ return BadAlloc;
++
++ pids = (XID *)Xalloc(stuff->count * sizeof(XID));
+ if (!pids)
+ {
+ return BadAlloc;
+@@ -166,7 +175,7 @@
+ client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write;
+ WriteSwappedDataToClient(client, count * sizeof(XID), pids);
+ }
+- DEALLOCATE_LOCAL(pids);
++ Xfree(pids);
+ return(client->noClientException);
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index 2580fe0..7f7d2a4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,3 +40,4 @@
42_build_int10_submodules.diff
43_fedora-xephyr-keysym-madness.diff
44_kdrive-ephyr-free-screen-struct.patch
+45_CVE-2007-1003.diff -p0
Reply to: