
xorg-server: Changes to 'debian-etch'



 debian/changelog                              |   11 +
 debian/patches/idef-apr08-v3-xserver-1.4.diff |  202 ++++++++++++++++++++++++++
 debian/patches/series                         |    1 
 3 files changed, 214 insertions(+)

New commits:
commit 52da140f88dc6075b93d979d229cdbed9d72ca59
Author: Julien Cristau <jcristau@debian.org>
Date:   Thu May 29 12:25:46 2008 +0200

    Prepare changelog for upload

diff --git a/debian/changelog b/debian/changelog
index 8ab5688..921867c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-xorg-server (2:1.1.1-21etch5) UNRELEASED; urgency=high
+xorg-server (2:1.1.1-21etch5) stable-security; urgency=high
 
   * Security update, fixes several vulnerabilities.  References:
     CVE-2008-2360 - RENDER Extension heap buffer overflow
@@ -7,7 +7,7 @@ xorg-server (2:1.1.1-21etch5) UNRELEASED; urgency=high
     CVE-2008-1379 - MIT-SHM arbitrary memory read
     CVE-2008-1377 - RECORD and Security extensions memory corruption
 
- -- Julien Cristau <jcristau@debian.org>  Wed, 07 May 2008 14:46:10 +0200
+ -- Julien Cristau <jcristau@debian.org>  Thu, 29 May 2008 12:25:37 +0200
 
 xorg-server (2:1.1.1-21etch4) stable; urgency=low
 

commit c6e842267b1703da02857b1ba765fb82e2a3e707
Author: Julien Cristau <jcristau@debian.org>
Date:   Thu May 29 12:24:45 2008 +0200

    Security update, fixes several vulnerabilities.
    
    References:
    CVE-2008-2360 - RENDER Extension heap buffer overflow
    CVE-2008-2361 - RENDER Extension crash
    CVE-2008-2362 - RENDER Extension memory corruption
    CVE-2008-1379 - MIT-SHM arbitrary memory read
    CVE-2008-1377 - RECORD and Security extensions memory corruption

diff --git a/debian/changelog b/debian/changelog
index 32a4aa6..8ab5688 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+xorg-server (2:1.1.1-21etch5) UNRELEASED; urgency=high
+
+  * Security update, fixes several vulnerabilities.  References:
+    CVE-2008-2360 - RENDER Extension heap buffer overflow
+    CVE-2008-2361 - RENDER Extension crash
+    CVE-2008-2362 - RENDER Extension memory corruption
+    CVE-2008-1379 - MIT-SHM arbitrary memory read
+    CVE-2008-1377 - RECORD and Security extensions memory corruption
+
+ -- Julien Cristau <jcristau@debian.org>  Wed, 07 May 2008 14:46:10 +0200
+
 xorg-server (2:1.1.1-21etch4) stable; urgency=low
 
   [ Julien Cristau ]
diff --git a/debian/patches/idef-apr08-v3-xserver-1.4.diff b/debian/patches/idef-apr08-v3-xserver-1.4.diff
new file mode 100644
index 0000000..07ced6e
--- /dev/null
+++ b/debian/patches/idef-apr08-v3-xserver-1.4.diff
@@ -0,0 +1,202 @@
+--- xorg-server.orig/Xext/security.c
++++ xorg-server/Xext/security.c
+@@ -652,15 +652,19 @@
+     register char 	n;
+     CARD32 *values;
+     unsigned long nvalues;
++    int values_offset;
+ 
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
+     swaps(&stuff->nbytesAuthProto, n);
+     swaps(&stuff->nbytesAuthData, n);
+     swapl(&stuff->valueMask, n);
+-    values = (CARD32 *)(&stuff[1]) +
+-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
++    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
++		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++    if (values_offset > 
++	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
++	return BadLength;
++    values = (CARD32 *)(&stuff[1]) + values_offset;
+     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
+     SwapLongs(values, nvalues);
+     return ProcSecurityGenerateAuthorization(client);
+--- xorg-server.orig/Xext/shm.c
++++ xorg-server/Xext/shm.c
+@@ -861,8 +861,17 @@
+         return BadValue;
+     }
+ 
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+-		   client);
++    /* 
++     * There's a potential integer overflow in this check:
++     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
++     *                client);
++     * the version below ought to avoid it
++     */
++    if (stuff->totalHeight != 0 && 
++	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
++	client->errorValue = stuff->totalWidth;
++	return BadValue;
++    }
+     if (stuff->srcX > stuff->totalWidth)
+     {
+ 	client->errorValue = stuff->srcX;
+--- xorg-server.orig/record/record.c
++++ xorg-server/record/record.c
+@@ -2659,7 +2659,7 @@
+ } /* SProcRecordQueryVersion */
+ 
+ 
+-static void
++static int
+ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ {
+     register char n;
+@@ -2670,11 +2670,17 @@
+     swapl(&stuff->nClients, n);
+     swapl(&stuff->nRanges, n);
+     pClientID = (XID *)&stuff[1];
++    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
++	return BadLength;
+     for (i = 0; i < stuff->nClients; i++, pClientID++)
+     {
+ 	swapl(pClientID, n);
+     }
++    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
++	- stuff->nClients)
++	return BadLength;
+     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
++    return Success;
+ } /* SwapCreateRegister */
+ 
+ 
+@@ -2682,11 +2688,13 @@
+ SProcRecordCreateContext(ClientPtr client)
+ {
+     REQUEST(xRecordCreateContextReq);
++    int			status;
+     register char 	n;
+ 
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+-    SwapCreateRegister((pointer)stuff);
++    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++	return status;
+     return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+ 
+@@ -2695,11 +2703,13 @@
+ SProcRecordRegisterClients(ClientPtr client)
+ {
+     REQUEST(xRecordRegisterClientsReq);
++    int			status;
+     register char 	n;
+ 
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+-    SwapCreateRegister((pointer)stuff);
++    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++	return status;
+     return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+ 
+--- xorg-server.orig/render/glyph.c
++++ xorg-server/render/glyph.c
+@@ -43,6 +43,8 @@
+ #include "picturestr.h"
+ #include "glyphstr.h"
+ 
++#include <stdint.h>
++
+ /*
+  * From Knuth -- a good choice for hash/rehash values is p, p-2 where
+  * p and p-2 are both prime.  These tables are sized to have an extra 10%
+@@ -627,8 +629,12 @@
+     int		     size;
+     GlyphPtr	     glyph;
+     int		     i;
+-
+-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
++    size_t	     padded_width;
++    
++    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
++    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
++	return 0;
++    size = gi->height * padded_width;
+     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
+     if (!glyph)
+ 	return 0;
+--- xorg-server.orig/render/render.c
++++ xorg-server/render/render.c
+@@ -1504,6 +1504,8 @@
+     pScreen = pSrc->pDrawable->pScreen;
+     width = pSrc->pDrawable->width;
+     height = pSrc->pDrawable->height;
++    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
++	return BadAlloc;
+     if ( stuff->x > width 
+       || stuff->y > height )
+ 	return (BadMatch);
+@@ -1917,6 +1919,8 @@
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+ 
+     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
++    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++	return BadLength;
+     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+         return BadLength;
+ 
+@@ -2488,18 +2492,18 @@
+     return (*ProcRenderVector[stuff->renderReqType]) (client);
+ }
+ 
+-static void swapStops(void *stuff, int n)
++static void swapStops(void *stuff, int num)
+ {
+-    int i;
++    int i, n;
+     CARD32 *stops;
+     CARD16 *colors;
+     stops = (CARD32 *)(stuff);
+-    for (i = 0; i < n; ++i) {
++    for (i = 0; i < num; ++i) {
+         swapl(stops, n);
+         ++stops;
+     }
+     colors = (CARD16 *)(stops);
+-    for (i = 0; i < 4*n; ++i) {
++    for (i = 0; i < 4*num; ++i) {
+         swaps(stops, n);
+         ++stops;
+     }
+@@ -2522,6 +2526,8 @@
+     swapl(&stuff->nStops, n);
+ 
+     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
++    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++	return BadLength;
+     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+         return BadLength;
+ 
+@@ -2549,6 +2555,8 @@
+     swapl(&stuff->nStops, n);
+ 
+     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
++    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++	return BadLength;
+     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+         return BadLength;
+ 
+@@ -2573,6 +2581,8 @@
+     swapl(&stuff->nStops, n);
+ 
+     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
++    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++	return BadLength;
+     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+         return BadLength;
+ 
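Review bot: In the embedded render/render.c hunk for `swapStops`, the second loop still swaps and advances `stops` instead of `colors`, so `colors` is assigned and never used. Because `stops` is a `CARD32 *`, that loop walks 4*num 32-bit words, twice the span of the 4*num `CARD16` colour components, so for a byte-swapped client it modifies memory past the colour data and leaves half of the components unswapped. The loop body should read `swaps(colors, n);` followed by `++colors;`. Separately, in the Xext/shm.c hunk, `shmdesc->size - stuff->offset` would wrap if `offset` exceeds `size` and both are unsigned (their types are not visible here), so unless the offset is bounded earlier, outside the hunk, the request should first be rejected when `stuff->offset > shmdesc->size`.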
diff --git a/debian/patches/series b/debian/patches/series
index 755ab6b..07df961 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -50,3 +50,4 @@
 52_bug-13526.diff
 53_CVE-2007-5958.diff
 54_fb_asm_fix.diff
+idef-apr08-v3-xserver-1.4.diff

