[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

xorg-server: Changes to 'debian-unstable'

 debian/changelog                     |    8 +++++++
 debian/patches/45_CVE-2007-1003.diff |   38 +++++++++++++++++++++++++++++++++++
 debian/patches/series                |    1 
 3 files changed, 47 insertions(+)

New commits:
commit a6d75e5d598ac6fa07b56429ed598e7920f3c8b2
Author: Julien Cristau <jcristau@debian.org>
Date:   Wed Apr 4 00:41:31 2007 +0200

    Fix CVE-2007-1003.
    
    Add patch to fix integer overflow in the ProcXCMiscGetXIDList() function in
    the XC-MISC extension.

diff --git a/debian/changelog b/debian/changelog
index 770df91..da89c8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+xorg-server (2:1.1.1-21) unstable; urgency=emergency
+
+  * Security update.
+  * Fix integer overflow in the ProcXCMiscGetXIDList() function in the XC-MISC
+    extension.  Reference: CVE-2007-1003.
+
+ -- Julien Cristau <jcristau@debian.org>  Wed, 04 Apr 2007 00:34:51 +0200
+
 xorg-server (2:1.1.1-20) unstable; urgency=low
 
   * xephyr: Add patch from upstream git to fix memory leak in
diff --git a/debian/patches/45_CVE-2007-1003.diff b/debian/patches/45_CVE-2007-1003.diff
new file mode 100644
index 0000000..39aaa70
--- /dev/null
+++ b/debian/patches/45_CVE-2007-1003.diff
@@ -0,0 +1,38 @@
+Index: Xext/xcmisc.c
+===================================================================
+--- Xext/xcmisc.c.orig	2007-04-04 00:33:05.000000000 +0200
++++ Xext/xcmisc.c	2007-04-04 00:37:54.000000000 +0200
+@@ -44,6 +44,12 @@
+ #include <X11/extensions/xcmiscstr.h>
+ #include "modinit.h"
+ 
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ #if 0
+ static unsigned char XCMiscCode;
+ #endif
+@@ -145,7 +151,10 @@
+ 
+     REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
+ 
+-    pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID));
++    if (stuff->count > UINT32_MAX / sizeof(XID))
++	    return BadAlloc;
++
++    pids = (XID *)Xalloc(stuff->count * sizeof(XID));
+     if (!pids)
+     {
+ 	return BadAlloc;
+@@ -166,7 +175,7 @@
+     	client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write;
+ 	WriteSwappedDataToClient(client, count * sizeof(XID), pids);
+     }
+-    DEALLOCATE_LOCAL(pids);
++    Xfree(pids);
+     return(client->noClientException);
+ }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 2580fe0..7f7d2a4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,3 +40,4 @@
 42_build_int10_submodules.diff
 43_fedora-xephyr-keysym-madness.diff
 44_kdrive-ephyr-free-screen-struct.patch
+45_CVE-2007-1003.diff -p0
Reply to: