xorg-server: Changes to 'debian-etch'
debian/changelog | 7 +++
debian/patches/50_CVE-2007-6429-MIT-SHM.diff | 56 ++++++++++++++-------------
2 files changed, 38 insertions(+), 25 deletions(-)
New commits:
commit 5491c0f2570d1b122fe4f6ba92c748054d4bc37b
Author: Julien Cristau <jcristau@debian.org>
Date: Fri Jan 18 20:45:31 2008 +0100
Fix regression introduced in DSA-1466-1.
Add patch by Adam Jackson from Red Hat to fix regression introduced by the
MIT-SHM patch in -21etch2 (closes: #461410).
diff --git a/debian/changelog b/debian/changelog
index 2f34cb5..5761156 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xorg-server (2:1.1.1-21etch3) stable-security; urgency=high
+
+ * Add patch by Adam Jackson from Red Hat to fix regression introduced by the
+ MIT-SHM patch in -21etch2 (closes: #461410).
+
+ -- Julien Cristau <jcristau@debian.org> Fri, 18 Jan 2008 20:39:28 +0100
+
xorg-server (2:1.1.1-21etch2) stable-security; urgency=high
* Security update, fixes the following vulnerabilities:
diff --git a/debian/patches/50_CVE-2007-6429-MIT-SHM.diff b/debian/patches/50_CVE-2007-6429-MIT-SHM.diff
index 9a788d5..3458bc6 100644
--- a/debian/patches/50_CVE-2007-6429-MIT-SHM.diff
+++ b/debian/patches/50_CVE-2007-6429-MIT-SHM.diff
@@ -1,7 +1,5 @@
-Index: xorg-server/Xext/shm.c
-===================================================================
---- xorg-server.orig/Xext/shm.c 2008-01-05 14:54:14.000000000 +0100
-+++ xorg-server/Xext/shm.c 2008-01-05 14:54:48.000000000 +0100
+--- xorg-server-1.1.1/Xext/shm.c.cve-2007-6429 2006-07-05 14:31:36.000000000 -0400
++++ xorg-server-1.1.1/Xext/shm.c 2008-01-18 14:19:28.000000000 -0500
@@ -725,6 +725,8 @@
int i, j, result;
ShmDescPtr shmdesc;
@@ -11,7 +9,7 @@ Index: xorg-server/Xext/shm.c
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -734,11 +736,26 @@
+@@ -734,11 +736,18 @@
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -27,30 +25,34 @@ Index: xorg-server/Xext/shm.c
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
-@@ -749,9 +766,7 @@
+@@ -748,10 +757,19 @@
+ client->errorValue = stuff->depth;
return BadValue;
}
++
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
++ /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
-@@ -1049,6 +1064,8 @@
+@@ -1049,6 +1067,8 @@
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
@@ -59,7 +61,7 @@ Index: xorg-server/Xext/shm.c
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
-@@ -1057,11 +1074,26 @@
+@@ -1057,11 +1077,18 @@
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -75,25 +77,29 @@ Index: xorg-server/Xext/shm.c
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
-@@ -1072,9 +1104,7 @@
+@@ -1071,10 +1098,19 @@
+ client->errorValue = stuff->depth;
return BadValue;
}
++
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
++ /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
Reply to: