
xorg-server: Changes to 'ubuntu'



 debian/changelog                                       |   11 ++
 debian/patches/170_xorg-xserver-1.4-cve-2008-1377.diff |   88 +++++++++++++++++
 debian/patches/171_xorg-xserver-1.4-cve-2008-1379.diff |   24 ++++
 debian/patches/172_xorg-xserver-1.4-cve-2008-2360.diff |   32 ++++++
 debian/patches/173_xorg-xserver-1.4-cve-2008-2361.diff |   13 ++
 debian/patches/174_xorg-xserver-1.4-cve-2008-2362.diff |   63 ++++++++++++
 debian/patches/series                                  |    5 
 7 files changed, 236 insertions(+)

New commits:
commit 56e7f0a416b4bd2c16e5db7997a716fa495dd64a
Author: Bryce Harrington <bryce@bryceharrington.org>
Date:   Wed Jun 11 10:54:56 2008 -0700

    Security fixes

diff --git a/debian/changelog b/debian/changelog
index 2b44c46..66c8b20 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+xorg-server (2:1.4.1~git20080131-1ubuntu12) intrepid; urgency=low
+
+   * Fix multiple security issues:
+     + CVE-2008-2360 - RENDER Extension heap buffer overflow
+     + CVE-2008-2361 - RENDER Extension crash
+     + CVE-2008-2362 - RENDER Extension memory corruption
+     + CVE-2008-1379 - MIT-SHM arbitrary memory read
+     + CVE-2008-1377 - RECORD and Security extensions memory corruption
+
+ -- Bryce Harrington <bryce@ubuntu.com>  Wed, 11 Jun 2008 10:54:15 -0700
+
 xorg-server (2:1.4.1~git20080131-1ubuntu11) intrepid; urgency=low
 
   * 169_xf86AutoConfig_choose_default_driver_if_no_pci.patch
diff --git a/debian/patches/170_xorg-xserver-1.4-cve-2008-1377.diff b/debian/patches/170_xorg-xserver-1.4-cve-2008-1377.diff
new file mode 100644
index 0000000..4eb7e1d
--- /dev/null
+++ b/debian/patches/170_xorg-xserver-1.4-cve-2008-1377.diff
@@ -0,0 +1,88 @@
+diff --git a/Xext/security.c b/Xext/security.c
+index ba057de..f34c463 100644
+--- a/Xext/security.c
++++ b/Xext/security.c
+@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
+     register char 	n;
+     CARD32 *values;
+     unsigned long nvalues;
++    int values_offset;
+ 
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
+     swaps(&stuff->nbytesAuthProto, n);
+     swaps(&stuff->nbytesAuthData, n);
+     swapl(&stuff->valueMask, n);
+-    values = (CARD32 *)(&stuff[1]) +
+-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
++    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
++		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++    if (values_offset > 
++	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
++	return BadLength;
++    values = (CARD32 *)(&stuff[1]) + values_offset;
+     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
+     SwapLongs(values, nvalues);
+     return ProcSecurityGenerateAuthorization(client);
+diff --git a/record/record.c b/record/record.c
+index 0ed8f84..9a166d6 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
+ } /* SProcRecordQueryVersion */
+ 
+ 
+-static void
++static int
+ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ {
+     register char n;
+@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+     swapl(&stuff->nClients, n);
+     swapl(&stuff->nRanges, n);
+     pClientID = (XID *)&stuff[1];
++    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
++	return BadLength;
+     for (i = 0; i < stuff->nClients; i++, pClientID++)
+     {
+ 	swapl(pClientID, n);
+     }
++    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
++	- stuff->nClients)
++	return BadLength;
+     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
++    return Success;
+ } /* SwapCreateRegister */
+ 
+ 
+@@ -2679,11 +2685,13 @@ static int
+ SProcRecordCreateContext(ClientPtr client)
+ {
+     REQUEST(xRecordCreateContextReq);
++    int			status;
+     register char 	n;
+ 
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+-    SwapCreateRegister((pointer)stuff);
++    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++	return status;
+     return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+ 
+@@ -2692,11 +2700,13 @@ static int
+ SProcRecordRegisterClients(ClientPtr client)
+ {
+     REQUEST(xRecordRegisterClientsReq);
++    int			status;
+     register char 	n;
+ 
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+-    SwapCreateRegister((pointer)stuff);
++    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++	return status;
+     return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+ 
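Review bot: In the record.c part of this patch, the new `nRanges` guard in SwapCreateRegister counts each range as one 32-bit word, yet the data is then passed to `RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges)`, which presumably steps by `sizeof(xRecordRange)`. If xRecordRange is larger than four bytes (its definition is not on the page), a request can satisfy the check and the swap can still run past the end of the request buffer. Scaling the remaining length by the record size would close that gap, for example `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sizeof(xRecordRange) >> 2))`. A one-line comment stating that both subtractions rely on the caller's REQUEST_AT_LEAST_SIZE having already run would also help the next reader.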
diff --git a/debian/patches/171_xorg-xserver-1.4-cve-2008-1379.diff b/debian/patches/171_xorg-xserver-1.4-cve-2008-1379.diff
new file mode 100644
index 0000000..180d126
--- /dev/null
+++ b/debian/patches/171_xorg-xserver-1.4-cve-2008-1379.diff
@@ -0,0 +1,24 @@
+diff --git a/Xext/shm.c b/Xext/shm.c
+index ac587be..e08df36 100644
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -831,8 +831,17 @@ ProcShmPutImage(client)
+         return BadValue;
+     }
+ 
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+-		   client);
++    /* 
++     * There's a potential integer overflow in this check:
++     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
++     *                client);
++     * the version below ought to avoid it
++     */
++    if (stuff->totalHeight != 0 && 
++	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
++	client->errorValue = stuff->totalWidth;
++	return BadValue;
++    }
+     if (stuff->srcX > stuff->totalWidth)
+     {
+ 	client->errorValue = stuff->srcX;
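Review bot: The replacement check computes `shmdesc->size - stuff->offset` without first confirming that `stuff->offset` is no larger than `shmdesc->size`. If both are unsigned, as they appear to be, an oversized offset wraps the subtraction to a very large value and the bound is passed. Unless the offset is validated earlier in ProcShmPutImage (the function starts outside the hunk), fold it into the condition: `if (stuff->offset > shmdesc->size || (stuff->totalHeight != 0 && length > (shmdesc->size - stuff->offset)/stuff->totalHeight))`. The removed VERIFY_SHMSIZE call took the offset as an argument, so that coverage may have been lost with it. `client->errorValue` is also set to `stuff->totalWidth` regardless of which field was out of range.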
diff --git a/debian/patches/172_xorg-xserver-1.4-cve-2008-2360.diff b/debian/patches/172_xorg-xserver-1.4-cve-2008-2360.diff
new file mode 100644
index 0000000..f14afce
--- /dev/null
+++ b/debian/patches/172_xorg-xserver-1.4-cve-2008-2360.diff
@@ -0,0 +1,32 @@
+diff --git a/render/glyph.c b/render/glyph.c
+index 583a52b..42ae65d 100644
+--- a/render/glyph.c
++++ b/render/glyph.c
+@@ -42,6 +42,12 @@
+ #include "picturestr.h"
+ #include "glyphstr.h"
+ 
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /*
+  * From Knuth -- a good choice for hash/rehash values is p, p-2 where
+  * p and p-2 are both prime.  These tables are sized to have an extra 10%
+@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
+     int		     size;
+     GlyphPtr	     glyph;
+     int		     i;
+-
+-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
++    size_t	     padded_width;
++    
++    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
++    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
++	return 0;
++    size = gi->height * padded_width;
+     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
+     if (!glyph)
+ 	return 0;
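Review bot: `size` is still declared `int` in AllocateGlyph, but the new guard only bounds `gi->height * padded_width` by `UINT32_MAX - sizeof(GlyphRec)`. A product between INT_MAX and that limit passes the check and is then narrowed into a signed int. Where size_t is 64 bits, a resulting negative `size` would be converted to a very large value in `xalloc (size + sizeof (GlyphRec))`, and any later use of `size` in the function (outside the hunk) would see the narrowed value as well. Declaring `size_t size;`, or bounding against `INT_MAX - sizeof(GlyphRec)` instead, keeps the check and the variable in agreement.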
diff --git a/debian/patches/173_xorg-xserver-1.4-cve-2008-2361.diff b/debian/patches/173_xorg-xserver-1.4-cve-2008-2361.diff
new file mode 100644
index 0000000..0749331
--- /dev/null
+++ b/debian/patches/173_xorg-xserver-1.4-cve-2008-2361.diff
@@ -0,0 +1,13 @@
+diff --git a/render/render.c b/render/render.c
+index caaa278..b53e878 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1504,6 +1504,8 @@ ProcRenderCreateCursor (ClientPtr client)
+     pScreen = pSrc->pDrawable->pScreen;
+     width = pSrc->pDrawable->width;
+     height = pSrc->pDrawable->height;
++    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
++	return BadAlloc;
+     if ( stuff->x > width 
+       || stuff->y > height )
+ 	return (BadMatch);
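Review bot: `UINT32_MAX` is used in the added check, but this patch does not bring in `<stdint.h>` or a fallback definition for render.c the way patch 172 does for glyph.c. The same applies to the gradient checks added to render.c in patch 174. Whether render.c already gets the macro from another header is not visible here. If it does not, the `#if HAVE_STDINT_H` / `#elif !defined(UINT32_MAX)` block from the glyph.c patch should be repeated near render.c's includes. ProcRenderCreateCursor continues outside the hunk.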
diff --git a/debian/patches/174_xorg-xserver-1.4-cve-2008-2362.diff b/debian/patches/174_xorg-xserver-1.4-cve-2008-2362.diff
new file mode 100644
index 0000000..a254d7a
--- /dev/null
+++ b/debian/patches/174_xorg-xserver-1.4-cve-2008-2362.diff
@@ -0,0 +1,63 @@
+diff --git a/render/render.c b/render/render.c
+index 74c5f63..b53e878 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1920,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+ 
+     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
++    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++	return BadLength;
+     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+         return BadLength;
+ 
+@@ -2493,18 +2495,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
+     return (*ProcRenderVector[stuff->renderReqType]) (client);
+ }
+ 
+-static void swapStops(void *stuff, int n)
++static void swapStops(void *stuff, int num)
+ {
+-    int i;
++    int i, n;
+     CARD32 *stops;
+     CARD16 *colors;
+     stops = (CARD32 *)(stuff);
+-    for (i = 0; i < n; ++i) {
++    for (i = 0; i < num; ++i) {
+         swapl(stops, n);
+         ++stops;
+     }
+     colors = (CARD16 *)(stops);
+-    for (i = 0; i < 4*n; ++i) {
++    for (i = 0; i < 4*num; ++i) {
+         swaps(stops, n);
+         ++stops;
+     }
+@@ -2527,6 +2529,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
+     swapl(&stuff->nStops, n);
+ 
+     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
++    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++	return BadLength;
+     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+         return BadLength;
+ 
+@@ -2554,6 +2558,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
+     swapl(&stuff->nStops, n);
+ 
+     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
++    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++	return BadLength;
+     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+         return BadLength;
+ 
+@@ -2578,6 +2584,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
+     swapl(&stuff->nStops, n);
+ 
+     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
++    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++	return BadLength;
+     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+         return BadLength;
+ 
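Review bot: In swapStops the second loop still swaps and advances `stops` rather than `colors`; `colors = (CARD16 *)(stops);` is assigned and never used. Because `stops` is a CARD32 pointer, the loop moves four bytes per step for `4*num` steps, so it covers twice the length of the colour data and swaps the wrong 16-bit units. The rename to `num` corrects the loop bound but leaves this untouched. The loop body should read `swaps(colors, n);` followed by `++colors;`. The end of swapStops lies outside the hunk.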
diff --git a/debian/patches/series b/debian/patches/series
index 526af56..a2f333d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -64,3 +64,8 @@
 167_xf86AutoConfig_geode_addition.diff -p0
 168_closedir.patch
 169_xf86AutoConfig_choose_default_driver_if_no_pci.patch
+170_xorg-xserver-1.4-cve-2008-1377.diff
+171_xorg-xserver-1.4-cve-2008-1379.diff
+172_xorg-xserver-1.4-cve-2008-2360.diff
+173_xorg-xserver-1.4-cve-2008-2361.diff
+174_xorg-xserver-1.4-cve-2008-2362.diff

commit 78aadba2598355047113b1b61d0779d96c003b31
Author: Bryce Harrington <bryce@bryceharrington.org>
Date:   Tue May 13 18:58:17 2008 -0700

    adding patch 169

diff --git a/debian/changelog b/debian/changelog
index 3d2624b..2b44c46 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+xorg-server (2:1.4.1~git20080131-1ubuntu11) intrepid; urgency=low
+
+  * 169_xf86AutoConfig_choose_default_driver_if_no_pci.patch
+    - Choose the default driver for the platform instead of the generic
+      default (vesa) if there is no PCI info.  Without this, on platforms
+      like PS3 where fbdev should be used rather than vesa, the system
+      will fail to start up.  (LP: #219424)
+
+ -- Bryce Harrington <bryce@ubuntu.com>  Tue, 13 May 2008 13:09:17 -0700
+  
+
 xorg-server (2:1.4.1~git20080131-1ubuntu10) intrepid; urgency=low
 
   [Timo Aaltonen]
diff --git a/debian/patches/series b/debian/patches/series
index 381b6dc..526af56 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -63,3 +63,4 @@
 166_fix_lpl_monitors.diff
 167_xf86AutoConfig_geode_addition.diff -p0
 168_closedir.patch
+169_xf86AutoConfig_choose_default_driver_if_no_pci.patch

