xorg-server: Changes to 'debian-etch'
debian/changelog | 13 +
debian/patches/47_CVE-2007-6427.diff | 244 +++++++++++++++++++++++++++
debian/patches/48_CVE-2007-6428.diff | 14 +
debian/patches/49_CVE-2007-6429-EVI.diff | 96 ++++++++++
debian/patches/50_CVE-2007-6429-MIT-SHM.diff | 100 +++++++++++
debian/patches/51_CVE-2007-5760.diff | 15 +
debian/patches/52_bug-13526.diff | 18 +
debian/patches/53_CVE-2007-5958.diff | 22 ++
debian/patches/series | 7
9 files changed, 529 insertions(+)
New commits:
commit 91cfbba613fb2fd680b4dfef5968c006fabf388f
Author: Julien Cristau <jcristau@debian.org>
Date: Mon Jan 7 13:14:42 2008 +0100
Prepare changelog for upload to stable-security.
diff --git a/debian/changelog b/debian/changelog
index 8ce337d..2f34cb5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-xorg-server (2:1.1.1-21etch2) UNRELEASED; urgency=high
+xorg-server (2:1.1.1-21etch2) stable-security; urgency=high
* Security update, fixes the following vulnerabilities:
+ CVE-2007-6427: XInput Extension Memory Corruption (fd.o bug#13522)
@@ -9,7 +9,7 @@ xorg-server (2:1.1.1-21etch2) UNRELEASED; urgency=high
+ PCF font parser buffer overflow (fd.o bug#13526)
+ CVE-2007-5958: file existence disclosure (fd.o bug#13706)
- -- Julien Cristau <jcristau@debian.org> Sun, 06 Jan 2008 17:57:26 +0100
+ -- Julien Cristau <jcristau@debian.org> Mon, 07 Jan 2008 13:14:19 +0100
xorg-server (2:1.1.1-21etch1) stable-security; urgency=high
commit f42aca01d86324bbf0ad3526e2f9618bf80c1579
Author: Julien Cristau <jcristau@debian.org>
Date: Sat Jan 5 15:27:43 2008 +0100
* Security update, fixes the following vulnerabilities:
+ CVE-2007-6427: XInput Extension Memory Corruption (fd.o bug#13522)
+ CVE-2007-6428: TOG-CUP Extension Memory Corruption (fd.o bug#13523)
+ CVE-2007-6429: EVI Extension Integer Overflow (fd.o bug#13519),
MIT-SHM Extension Integer Overflow (fd.o bug#13520)
+ CVE-2007-5760: XFree86-Misc Extension Invalid Array Index (fd.o bug#13524)
+ PCF font parser buffer overflow (fd.o bug#13526)
+ CVE-2007-5958: file existence disclosure (fd.o bug#13706)
diff --git a/debian/changelog b/debian/changelog
index 3e06b8b..8ce337d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+xorg-server (2:1.1.1-21etch2) UNRELEASED; urgency=high
+
+ * Security update, fixes the following vulnerabilities:
+ + CVE-2007-6427: XInput Extension Memory Corruption (fd.o bug#13522)
+ + CVE-2007-6428: TOG-CUP Extension Memory Corruption (fd.o bug#13523)
+ + CVE-2007-6429: EVI Extension Integer Overflow (fd.o bug#13519),
+ MIT-SHM Extension Integer Overflow (fd.o bug#13520)
+ + CVE-2007-5760: XFree86-Misc Extension Invalid Array Index (fd.o bug#13524)
+ + PCF font parser buffer overflow (fd.o bug#13526)
+ + CVE-2007-5958: file existence disclosure (fd.o bug#13706)
+
+ -- Julien Cristau <jcristau@debian.org> Sun, 06 Jan 2008 17:57:26 +0100
+
xorg-server (2:1.1.1-21etch1) stable-security; urgency=high
* Add patch to fix a buffer overflow in the composite extension
diff --git a/debian/patches/47_CVE-2007-6427.diff b/debian/patches/47_CVE-2007-6427.diff
new file mode 100644
index 0000000..1af1d3c
--- /dev/null
+++ b/debian/patches/47_CVE-2007-6427.diff
@@ -0,0 +1,244 @@
+Index: xorg-server/Xi/chgfctl.c
+===================================================================
+--- xorg-server.orig/Xi/chgfctl.c 2008-01-05 13:04:46.000000000 +0100
++++ xorg-server/Xi/chgfctl.c 2008-01-05 14:57:10.000000000 +0100
+@@ -451,18 +451,13 @@
+ xStringFeedbackCtl * f)
+ {
+ register char n;
+- register long *p;
+ int i, j;
+ KeySym *syms, *sup_syms;
+
+ syms = (KeySym *) (f + 1);
+ if (client->swapped) {
+ swaps(&f->length, n); /* swapped num_keysyms in calling proc */
+- p = (long *)(syms);
+- for (i = 0; i < f->num_keysyms; i++) {
+- swapl(p, n);
+- p++;
+- }
++ SwapLongs((CARD32 *) syms, f->num_keysyms);
+ }
+
+ if (f->num_keysyms > s->ctrl.max_symbols) {
+Index: xorg-server/Xi/chgkmap.c
+===================================================================
+--- xorg-server.orig/Xi/chgkmap.c 2008-01-05 13:04:46.000000000 +0100
++++ xorg-server/Xi/chgkmap.c 2008-01-05 14:58:36.000000000 +0100
+@@ -79,18 +79,14 @@
+ SProcXChangeDeviceKeyMapping(register ClientPtr client)
+ {
+ register char n;
+- register long *p;
+- register int i, count;
++ unsigned int count;
+
+ REQUEST(xChangeDeviceKeyMappingReq);
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+- p = (long *)&stuff[1];
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+- for (i = 0; i < count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), count);
+ return (ProcXChangeDeviceKeyMapping(client));
+ }
+
+@@ -106,10 +102,14 @@
+ int ret;
+ unsigned len;
+ DeviceIntPtr dev;
++ unsigned int count;
+
+ REQUEST(xChangeDeviceKeyMappingReq);
+ REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+
++ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
++ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++
+ dev = LookupDeviceIntRec(stuff->deviceid);
+ if (dev == NULL) {
+ SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
+Index: xorg-server/Xi/chgprop.c
+===================================================================
+--- xorg-server.orig/Xi/chgprop.c 2008-01-05 13:04:46.000000000 +0100
++++ xorg-server/Xi/chgprop.c 2008-01-05 15:00:37.000000000 +0100
+@@ -81,19 +81,15 @@
+ SProcXChangeDeviceDontPropagateList(register ClientPtr client)
+ {
+ register char n;
+- register long *p;
+- register int i;
+
+ REQUEST(xChangeDeviceDontPropagateListReq);
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
+ swapl(&stuff->window, n);
+ swaps(&stuff->count, n);
+- p = (long *)&stuff[1];
+- for (i = 0; i < stuff->count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
++ stuff->count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+ return (ProcXChangeDeviceDontPropagateList(client));
+ }
+
+Index: xorg-server/Xi/grabdev.c
+===================================================================
+--- xorg-server.orig/Xi/grabdev.c 2008-01-05 13:04:46.000000000 +0100
++++ xorg-server/Xi/grabdev.c 2008-01-05 15:01:20.000000000 +0100
+@@ -82,8 +82,6 @@
+ SProcXGrabDevice(register ClientPtr client)
+ {
+ register char n;
+- register long *p;
+- register int i;
+
+ REQUEST(xGrabDeviceReq);
+ swaps(&stuff->length, n);
+@@ -91,11 +89,11 @@
+ swapl(&stuff->grabWindow, n);
+ swapl(&stuff->time, n);
+ swaps(&stuff->event_count, n);
+- p = (long *)&stuff[1];
+- for (i = 0; i < stuff->event_count; i++) {
+- swapl(p, n);
+- p++;
+- }
++
++ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
++ return BadLength;
++
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+
+ return (ProcXGrabDevice(client));
+ }
+Index: xorg-server/Xi/grabdevb.c
+===================================================================
+--- xorg-server.orig/Xi/grabdevb.c 2008-01-05 13:04:46.000000000 +0100
++++ xorg-server/Xi/grabdevb.c 2008-01-05 15:02:17.000000000 +0100
+@@ -80,8 +80,6 @@
+ SProcXGrabDeviceButton(register ClientPtr client)
+ {
+ register char n;
+- register long *p;
+- register int i;
+
+ REQUEST(xGrabDeviceButtonReq);
+ swaps(&stuff->length, n);
+@@ -89,11 +87,9 @@
+ swapl(&stuff->grabWindow, n);
+ swaps(&stuff->modifiers, n);
+ swaps(&stuff->event_count, n);
+- p = (long *)&stuff[1];
+- for (i = 0; i < stuff->event_count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
++ stuff->event_count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+
+ return (ProcXGrabDeviceButton(client));
+ }
+Index: xorg-server/Xi/grabdevk.c
+===================================================================
+--- xorg-server.orig/Xi/grabdevk.c 2008-01-05 13:04:46.000000000 +0100
++++ xorg-server/Xi/grabdevk.c 2008-01-05 15:04:48.000000000 +0100
+@@ -80,8 +80,6 @@
+ SProcXGrabDeviceKey(register ClientPtr client)
+ {
+ register char n;
+- register long *p;
+- register int i;
+
+ REQUEST(xGrabDeviceKeyReq);
+ swaps(&stuff->length, n);
+@@ -89,11 +87,8 @@
+ swapl(&stuff->grabWindow, n);
+ swaps(&stuff->modifiers, n);
+ swaps(&stuff->event_count, n);
+- p = (long *)&stuff[1];
+- for (i = 0; i < stuff->event_count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+ return (ProcXGrabDeviceKey(client));
+ }
+
+Index: xorg-server/Xi/selectev.c
+===================================================================
+--- xorg-server.orig/Xi/selectev.c 2008-01-05 13:04:46.000000000 +0100
++++ xorg-server/Xi/selectev.c 2008-01-05 15:06:28.000000000 +0100
+@@ -84,19 +84,16 @@
+ SProcXSelectExtensionEvent(register ClientPtr client)
+ {
+ register char n;
+- register long *p;
+- register int i;
+
+ REQUEST(xSelectExtensionEventReq);
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
+ swapl(&stuff->window, n);
+ swaps(&stuff->count, n);
+- p = (long *)&stuff[1];
+- for (i = 0; i < stuff->count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
++ stuff->count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
++
+ return (ProcXSelectExtensionEvent(client));
+ }
+
+Index: xorg-server/Xi/sendexev.c
+===================================================================
+--- xorg-server.orig/Xi/sendexev.c 2008-01-05 13:04:46.000000000 +0100
++++ xorg-server/Xi/sendexev.c 2008-01-05 15:09:37.000000000 +0100
+@@ -83,7 +83,7 @@
+ SProcXSendExtensionEvent(register ClientPtr client)
+ {
+ register char n;
+- register long *p;
++ CARD32 *p;
+ register int i;
+ xEvent eventT;
+ xEvent *eventP;
+@@ -94,6 +94,11 @@
+ REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
+ swapl(&stuff->destination, n);
+ swaps(&stuff->count, n);
++
++ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
++ (stuff->num_events * (sizeof(xEvent) >> 2)))
++ return BadLength;
++
+ eventP = (xEvent *) & stuff[1];
+ for (i = 0; i < stuff->num_events; i++, eventP++) {
+ proc = EventSwapVector[eventP->u.u.type & 0177];
+@@ -103,11 +108,8 @@
+ *eventP = eventT;
+ }
+
+- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
+- for (i = 0; i < stuff->count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
++ SwapLongs(p, stuff->count);
+ return (ProcXSendExtensionEvent(client));
+ }
+
diff --git a/debian/patches/48_CVE-2007-6428.diff b/debian/patches/48_CVE-2007-6428.diff
new file mode 100644
index 0000000..749c5f3
--- /dev/null
+++ b/debian/patches/48_CVE-2007-6428.diff
@@ -0,0 +1,14 @@
+Index: xorg-server/Xext/cup.c
+===================================================================
+--- xorg-server.orig/Xext/cup.c 2008-01-05 13:04:45.000000000 +0100
++++ xorg-server/Xext/cup.c 2008-01-05 15:10:07.000000000 +0100
+@@ -198,6 +198,9 @@
+
+ REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
+
++ if (stuff->screen >= screenInfo.numScreens)
++ return BadValue;
++
+ #ifndef HAVE_SPECIAL_DESKTOP_COLORS
+ citems[CUP_BLACK_PIXEL].pixel =
+ screenInfo.screens[stuff->screen]->blackPixel;
diff --git a/debian/patches/49_CVE-2007-6429-EVI.diff b/debian/patches/49_CVE-2007-6429-EVI.diff
new file mode 100644
index 0000000..bb71ff1
--- /dev/null
+++ b/debian/patches/49_CVE-2007-6429-EVI.diff
@@ -0,0 +1,96 @@
+Index: xorg-server/Xext/EVI.c
+===================================================================
+--- xorg-server.orig/Xext/EVI.c 2008-01-05 14:54:16.000000000 +0100
++++ xorg-server/Xext/EVI.c 2008-01-05 14:54:37.000000000 +0100
+@@ -36,6 +36,7 @@
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "modinit.h"
++#include "scrnintstr.h"
+
+ #if 0
+ static unsigned char XEVIReqCode = 0;
+@@ -89,10 +90,22 @@
+ {
+ REQUEST(xEVIGetVisualInfoReq);
+ xEVIGetVisualInfoReply rep;
+- int n, n_conflict, n_info, sz_info, sz_conflict;
++ int i, n, n_conflict, n_info, sz_info, sz_conflict;
+ VisualID32 *conflict;
++ unsigned int total_visuals = 0;
+ xExtendedVisualInfo *eviInfo;
+ int status;
++
++ /*
++ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
++ * here that you don't have more than 2^32 visuals over all your screens;
++ * this seems like a safe assumption.
++ */
++ for (i = 0; i < screenInfo.numScreens; i++)
++ total_visuals += screenInfo.screens[i]->numVisuals;
++ if (stuff->n_visual > total_visuals)
++ return BadValue;
++
+ REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
+ status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
+ &eviInfo, &n_info, &conflict, &n_conflict);
+Index: xorg-server/Xext/sampleEVI.c
+===================================================================
+--- xorg-server.orig/Xext/sampleEVI.c 2008-01-05 14:54:16.000000000 +0100
++++ xorg-server/Xext/sampleEVI.c 2008-01-05 14:54:37.000000000 +0100
+@@ -36,6 +36,13 @@
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "scrnintstr.h"
++
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(INT_MAX)
++#define INT_MAX 0x7fffffff
++#endif
++
+ static int sampleGetVisualInfo(
+ VisualID32 *visual,
+ int n_visual,
+@@ -44,24 +51,36 @@
+ VisualID32 **conflict_rn,
+ int *n_conflict_rn)
+ {
+- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
++ unsigned int max_sz_evi;
+ VisualID32 *temp_conflict;
+ xExtendedVisualInfo *evi;
+- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
++ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+ register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
+- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+- if (!*evi_rn)
+- return BadAlloc;
++
++ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
++ return BadAlloc;
++ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
++
+ for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
+ if (screenInfo.screens[scrI]->numVisuals > max_visuals)
+ max_visuals = screenInfo.screens[scrI]->numVisuals;
+ }
++
++ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
++ * max_visuals))
++ return BadAlloc;
+ max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
++
++ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
++ if (!*evi_rn)
++ return BadAlloc;
++
+ temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
+ if (!temp_conflict) {
+ xfree(*evi_rn);
+ return BadAlloc;
+ }
++
+ for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
+ for (visualI = 0; visualI < n_visual; visualI++) {
+ evi[sz_evi].core_visual_id = visual[visualI];
diff --git a/debian/patches/50_CVE-2007-6429-MIT-SHM.diff b/debian/patches/50_CVE-2007-6429-MIT-SHM.diff
new file mode 100644
index 0000000..9a788d5
--- /dev/null
+++ b/debian/patches/50_CVE-2007-6429-MIT-SHM.diff
@@ -0,0 +1,100 @@
+Index: xorg-server/Xext/shm.c
+===================================================================
+--- xorg-server.orig/Xext/shm.c 2008-01-05 14:54:14.000000000 +0100
++++ xorg-server/Xext/shm.c 2008-01-05 14:54:48.000000000 +0100
+@@ -725,6 +725,8 @@
+ int i, j, result;
+ ShmDescPtr shmdesc;
+ REQUEST(xShmCreatePixmapReq);
++ unsigned int width, height, depth;
++ unsigned long size;
+ PanoramiXRes *newPix;
+
+ REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+@@ -734,11 +736,26 @@
+ LEGAL_NEW_RESOURCE(stuff->pid, client);
+ VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
+ VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+- if (!stuff->width || !stuff->height)
++
++ width = stuff->width;
++ height = stuff->height;
++ depth = stuff->depth;
++ if (!width || !height || !depth)
+ {
+ client->errorValue = 0;
+ return BadValue;
+ }
++ if (width > 32767 || height > 32767)
++ return BadAlloc;
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(size) == 4) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ if (stuff->depth != 1)
+ {
+ pDepth = pDraw->pScreen->allowedDepths;
+@@ -749,9 +766,7 @@
+ return BadValue;
+ }
+ CreatePmap:
+- VERIFY_SHMSIZE(shmdesc, stuff->offset,
+- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+- client);
++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+
+ if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
+ return BadAlloc;
+@@ -1049,6 +1064,8 @@
+ register int i;
+ ShmDescPtr shmdesc;
+ REQUEST(xShmCreatePixmapReq);
++ unsigned int width, height, depth;
++ unsigned long size;
+
+ REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+ client->errorValue = stuff->pid;
+@@ -1057,11 +1074,26 @@
+ LEGAL_NEW_RESOURCE(stuff->pid, client);
+ VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
+ VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+- if (!stuff->width || !stuff->height)
++
++ width = stuff->width;
++ height = stuff->height;
++ depth = stuff->depth;
++ if (!width || !height || !depth)
+ {
+ client->errorValue = 0;
+ return BadValue;
+ }
++ if (width > 32767 || height > 32767)
++ return BadAlloc;
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(size) == 4) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ if (stuff->depth != 1)
+ {
+ pDepth = pDraw->pScreen->allowedDepths;
+@@ -1072,9 +1104,7 @@
+ return BadValue;
+ }
+ CreatePmap:
+- VERIFY_SHMSIZE(shmdesc, stuff->offset,
+- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+- client);
++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+ pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
+ pDraw->pScreen, stuff->width,
+ stuff->height, stuff->depth,
diff --git a/debian/patches/51_CVE-2007-5760.diff b/debian/patches/51_CVE-2007-5760.diff
new file mode 100644
index 0000000..a144e7a
--- /dev/null
+++ b/debian/patches/51_CVE-2007-5760.diff
@@ -0,0 +1,15 @@
+Index: xorg-server/hw/xfree86/common/xf86MiscExt.c
+===================================================================
+--- xorg-server.orig/hw/xfree86/common/xf86MiscExt.c 2008-01-05 13:04:49.000000000 +0100
++++ xorg-server/hw/xfree86/common/xf86MiscExt.c 2008-01-05 15:10:15.000000000 +0100
+@@ -647,6 +647,10 @@
+
+ DEBUG_P("MiscExtPassMessage");
+
++ /* should check this in the protocol, but xf86NumScreens isn't exported */
++ if (scrnIndex >= xf86NumScreens)
++ return BadValue;
++
+ if (*pScr->HandleMessage == NULL)
+ return BadImplementation;
+ return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);
diff --git a/debian/patches/52_bug-13526.diff b/debian/patches/52_bug-13526.diff
new file mode 100644
index 0000000..bcd8249
--- /dev/null
+++ b/debian/patches/52_bug-13526.diff
@@ -0,0 +1,18 @@
+Index: xorg-server/dix/dixfonts.c
+===================================================================
+--- xorg-server.orig/dix/dixfonts.c 2008-01-05 14:54:17.000000000 +0100
++++ xorg-server/dix/dixfonts.c 2008-01-05 14:54:22.000000000 +0100
+@@ -336,6 +336,13 @@
+ err = BadFontName;
+ goto bail;
+ }
++ /* check values for firstCol, lastCol, firstRow, and lastRow */
++ if (pfont->info.firstCol > pfont->info.lastCol ||
++ pfont->info.firstRow > pfont->info.lastRow ||
++ pfont->info.lastCol - pfont->info.firstCol > 255) {
++ err = AllocError;
++ goto bail;
++ }
+ if (!pfont->fpe)
+ pfont->fpe = fpe;
+ pfont->refcnt++;
diff --git a/debian/patches/53_CVE-2007-5958.diff b/debian/patches/53_CVE-2007-5958.diff
new file mode 100644
index 0000000..186ef4d
--- /dev/null
+++ b/debian/patches/53_CVE-2007-5958.diff
@@ -0,0 +1,22 @@
+Index: xorg-server/Xext/security.c
+===================================================================
+--- xorg-server.orig/Xext/security.c 2008-01-05 13:04:45.000000000 +0100
++++ xorg-server/Xext/security.c 2008-01-05 15:11:22.000000000 +0100
+@@ -1646,7 +1646,7 @@
+ return;
+
+ #ifndef __UNIXOS2__
+- f = fopen(SecurityPolicyFile, "r");
++ f = Fopen(SecurityPolicyFile, "r");
+ #else
+ f = fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r");
+ #endif
+@@ -1732,7 +1732,7 @@
+ }
+ #endif /* PROPDEBUG */
+
+- fclose(f);
++ Fclose(f);
+ } /* SecurityLoadPropertyAccessList */
+
+
diff --git a/debian/patches/series b/debian/patches/series
index 107bc8a..819e87d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -42,3 +42,10 @@
44_kdrive-ephyr-free-screen-struct.patch
45_CVE-2007-1003.diff -p0
46_security_fdo-bug-7447.diff
+47_CVE-2007-6427.diff
+48_CVE-2007-6428.diff
+49_CVE-2007-6429-EVI.diff
+50_CVE-2007-6429-MIT-SHM.diff
+51_CVE-2007-5760.diff
+52_bug-13526.diff
+53_CVE-2007-5958.diff
Reply to: