
xorg-server: Changes to 'debian-etch'



 debian/changelog                             |    7 +++
 debian/patches/50_CVE-2007-6429-MIT-SHM.diff |   56 ++++++++++++++-------------
 2 files changed, 38 insertions(+), 25 deletions(-)

New commits:
commit 5491c0f2570d1b122fe4f6ba92c748054d4bc37b
Author: Julien Cristau <jcristau@debian.org>
Date:   Fri Jan 18 20:45:31 2008 +0100

    Fix regression introduced in DSA-1466-1.
    
    Add patch by Adam Jackson from Red Hat to fix regression introduced by the
    MIT-SHM patch in -21etch2 (closes: #461410).

diff --git a/debian/changelog b/debian/changelog
index 2f34cb5..5761156 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xorg-server (2:1.1.1-21etch3) stable-security; urgency=high
+
+  * Add patch by Adam Jackson from Red Hat to fix regression introduced by the
+    MIT-SHM patch in -21etch2 (closes: #461410).
+
+ -- Julien Cristau <jcristau@debian.org>  Fri, 18 Jan 2008 20:39:28 +0100
+
 xorg-server (2:1.1.1-21etch2) stable-security; urgency=high
 
   * Security update, fixes the following vulnerabilities:
diff --git a/debian/patches/50_CVE-2007-6429-MIT-SHM.diff b/debian/patches/50_CVE-2007-6429-MIT-SHM.diff
index 9a788d5..3458bc6 100644
--- a/debian/patches/50_CVE-2007-6429-MIT-SHM.diff
+++ b/debian/patches/50_CVE-2007-6429-MIT-SHM.diff
@@ -1,7 +1,5 @@
-Index: xorg-server/Xext/shm.c
-===================================================================
---- xorg-server.orig/Xext/shm.c	2008-01-05 14:54:14.000000000 +0100
-+++ xorg-server/Xext/shm.c	2008-01-05 14:54:48.000000000 +0100
+--- xorg-server-1.1.1/Xext/shm.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
++++ xorg-server-1.1.1/Xext/shm.c	2008-01-18 14:19:28.000000000 -0500
 @@ -725,6 +725,8 @@
      int i, j, result;
      ShmDescPtr shmdesc;
@@ -11,7 +9,7 @@ Index: xorg-server/Xext/shm.c
      PanoramiXRes *newPix;
  
      REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -734,11 +736,26 @@
+@@ -734,11 +736,18 @@
      LEGAL_NEW_RESOURCE(stuff->pid, client);
      VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
      VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -27,30 +25,34 @@ Index: xorg-server/Xext/shm.c
      }
 +    if (width > 32767 || height > 32767)
 +        return BadAlloc;
-+    size = PixmapBytePad(width, depth) * height;
-+    if (sizeof(size) == 4) {
-+        if (size < width * height)
-+            return BadAlloc;
-+        /* thankfully, offset is unsigned */
-+        if (stuff->offset + size < size)
-+            return BadAlloc;
-+    }
 +
      if (stuff->depth != 1)
      {
          pDepth = pDraw->pScreen->allowedDepths;
-@@ -749,9 +766,7 @@
+@@ -748,10 +757,19 @@
+ 	client->errorValue = stuff->depth;
          return BadValue;
      }
++
  CreatePmap:
 -    VERIFY_SHMSIZE(shmdesc, stuff->offset,
 -		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
 -		   client);
++    /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++        if (size < width * height)
++            return BadAlloc;
++        /* thankfully, offset is unsigned */
++        if (stuff->offset + size < size)
++            return BadAlloc;
++    }
++
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
  
      if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
  	return BadAlloc;
-@@ -1049,6 +1064,8 @@
+@@ -1049,6 +1067,8 @@
      register int i;
      ShmDescPtr shmdesc;
      REQUEST(xShmCreatePixmapReq);
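Review bot: The wraparound test on `stuff->offset + size` now sits inside `if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8)`, so on a 32-bit build a request whose depth is 8 bits per pixel or less reaches `VERIFY_SHMSIZE` without it. Only the `size < width * height` comparison depends on pixel size (presumably the test that rejected low-depth pixmaps in -21etch2); the offset test does not, and could follow the closing brace on its own as `if (stuff->offset + size < size) return BadAlloc;`. Whether `VERIFY_SHMSIZE` tolerates a wrapped sum cannot be judged from here, because the macro and the declaration of `size` are outside the hunk. The same block is added again in the later hunk at new line 1098 of shm.c and would need the same change.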
@@ -59,7 +61,7 @@ Index: xorg-server/Xext/shm.c
  
      REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
      client->errorValue = stuff->pid;
-@@ -1057,11 +1074,26 @@
+@@ -1057,11 +1077,18 @@
      LEGAL_NEW_RESOURCE(stuff->pid, client);
      VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
      VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -75,25 +77,29 @@ Index: xorg-server/Xext/shm.c
      }
 +    if (width > 32767 || height > 32767)
 +	return BadAlloc;
-+    size = PixmapBytePad(width, depth) * height;
-+    if (sizeof(size) == 4) {
-+	if (size < width * height)
-+	    return BadAlloc;
-+	/* thankfully, offset is unsigned */
-+	if (stuff->offset + size < size)
-+	    return BadAlloc;
-+    }
 +
      if (stuff->depth != 1)
      {
          pDepth = pDraw->pScreen->allowedDepths;
-@@ -1072,9 +1104,7 @@
+@@ -1071,10 +1098,19 @@
+ 	client->errorValue = stuff->depth;
          return BadValue;
      }
++
  CreatePmap:
 -    VERIFY_SHMSIZE(shmdesc, stuff->offset,
 -		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
 -		   client);
++    /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++        if (size < width * height)
++            return BadAlloc;
++        /* thankfully, offset is unsigned */
++        if (stuff->offset + size < size)
++            return BadAlloc;
++    }
++
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
      pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
  			    pDraw->pScreen, stuff->width,

