xorg-server: Changes to 'debian-etch'
debian/changelog | 11 +
debian/patches/idef-apr08-v3-xserver-1.4.diff | 202 ++++++++++++++++++++++++++
debian/patches/series | 1
3 files changed, 214 insertions(+)
New commits:
commit 52da140f88dc6075b93d979d229cdbed9d72ca59
Author: Julien Cristau <jcristau@debian.org>
Date: Thu May 29 12:25:46 2008 +0200
Prepare changelog for upload
diff --git a/debian/changelog b/debian/changelog
index 8ab5688..921867c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-xorg-server (2:1.1.1-21etch5) UNRELEASED; urgency=high
+xorg-server (2:1.1.1-21etch5) stable-security; urgency=high
* Security update, fixes several vulnerabilities. References:
CVE-2008-2360 - RENDER Extension heap buffer overflow
@@ -7,7 +7,7 @@ xorg-server (2:1.1.1-21etch5) UNRELEASED; urgency=high
CVE-2008-1379 - MIT-SHM arbitrary memory read
CVE-2008-1377 - RECORD and Security extensions memory corruption
- -- Julien Cristau <jcristau@debian.org> Wed, 07 May 2008 14:46:10 +0200
+ -- Julien Cristau <jcristau@debian.org> Thu, 29 May 2008 12:25:37 +0200
xorg-server (2:1.1.1-21etch4) stable; urgency=low
commit c6e842267b1703da02857b1ba765fb82e2a3e707
Author: Julien Cristau <jcristau@debian.org>
Date: Thu May 29 12:24:45 2008 +0200
Security update, fixes several vulnerabilities.
References:
CVE-2008-2360 - RENDER Extension heap buffer overflow
CVE-2008-2361 - RENDER Extension crash
CVE-2008-2362 - RENDER Extension memory corruption
CVE-2008-1379 - MIT-SHM arbitrary memory read
CVE-2008-1377 - RECORD and Security extensions memory corruption
diff --git a/debian/changelog b/debian/changelog
index 32a4aa6..8ab5688 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+xorg-server (2:1.1.1-21etch5) UNRELEASED; urgency=high
+
+ * Security update, fixes several vulnerabilities. References:
+ CVE-2008-2360 - RENDER Extension heap buffer overflow
+ CVE-2008-2361 - RENDER Extension crash
+ CVE-2008-2362 - RENDER Extension memory corruption
+ CVE-2008-1379 - MIT-SHM arbitrary memory read
+ CVE-2008-1377 - RECORD and Security extensions memory corruption
+
+ -- Julien Cristau <jcristau@debian.org> Wed, 07 May 2008 14:46:10 +0200
+
xorg-server (2:1.1.1-21etch4) stable; urgency=low
[ Julien Cristau ]
diff --git a/debian/patches/idef-apr08-v3-xserver-1.4.diff b/debian/patches/idef-apr08-v3-xserver-1.4.diff
new file mode 100644
index 0000000..07ced6e
--- /dev/null
+++ b/debian/patches/idef-apr08-v3-xserver-1.4.diff
@@ -0,0 +1,202 @@
+--- xorg-server.orig/Xext/security.c
++++ xorg-server/Xext/security.c
+@@ -652,15 +652,19 @@
+ register char n;
+ CARD32 *values;
+ unsigned long nvalues;
++ int values_offset;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
+ swaps(&stuff->nbytesAuthProto, n);
+ swaps(&stuff->nbytesAuthData, n);
+ swapl(&stuff->valueMask, n);
+- values = (CARD32 *)(&stuff[1]) +
+- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
++ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ if (values_offset >
++ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
++ return BadLength;
++ values = (CARD32 *)(&stuff[1]) + values_offset;
+ nvalues = (((CARD32 *)stuff) + stuff->length) - values;
+ SwapLongs(values, nvalues);
+ return ProcSecurityGenerateAuthorization(client);
+--- xorg-server.orig/Xext/shm.c
++++ xorg-server/Xext/shm.c
+@@ -861,8 +861,17 @@
+ return BadValue;
+ }
+
+- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+- client);
++ /*
++ * There's a potential integer overflow in this check:
++ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
++ * client);
++ * the version below ought to avoid it
++ */
++ if (stuff->totalHeight != 0 &&
++ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
++ client->errorValue = stuff->totalWidth;
++ return BadValue;
++ }
+ if (stuff->srcX > stuff->totalWidth)
+ {
+ client->errorValue = stuff->srcX;
+--- xorg-server.orig/record/record.c
++++ xorg-server/record/record.c
+@@ -2659,7 +2659,7 @@
+ } /* SProcRecordQueryVersion */
+
+
+-static void
++static int
+ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ {
+ register char n;
+@@ -2670,11 +2670,17 @@
+ swapl(&stuff->nClients, n);
+ swapl(&stuff->nRanges, n);
+ pClientID = (XID *)&stuff[1];
++ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
++ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++)
+ {
+ swapl(pClientID, n);
+ }
++ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
++ - stuff->nClients)
++ return BadLength;
+ RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
++ return Success;
+ } /* SwapCreateRegister */
+
+
+@@ -2682,11 +2688,13 @@
+ SProcRecordCreateContext(ClientPtr client)
+ {
+ REQUEST(xRecordCreateContextReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+
+@@ -2695,11 +2703,13 @@
+ SProcRecordRegisterClients(ClientPtr client)
+ {
+ REQUEST(xRecordRegisterClientsReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+
+--- xorg-server.orig/render/glyph.c
++++ xorg-server/render/glyph.c
+@@ -43,6 +43,8 @@
+ #include "picturestr.h"
+ #include "glyphstr.h"
+
++#include <stdint.h>
++
+ /*
+ * From Knuth -- a good choice for hash/rehash values is p, p-2 where
+ * p and p-2 are both prime. These tables are sized to have an extra 10%
+@@ -627,8 +629,12 @@
+ int size;
+ GlyphPtr glyph;
+ int i;
+-
+- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
++ size_t padded_width;
++
++ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
++ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
++ return 0;
++ size = gi->height * padded_width;
+ glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
+ if (!glyph)
+ return 0;
+--- xorg-server.orig/render/render.c
++++ xorg-server/render/render.c
+@@ -1504,6 +1504,8 @@
+ pScreen = pSrc->pDrawable->pScreen;
+ width = pSrc->pDrawable->width;
+ height = pSrc->pDrawable->height;
++ if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
++ return BadAlloc;
+ if ( stuff->x > width
+ || stuff->y > height )
+ return (BadMatch);
+@@ -1917,6 +1919,8 @@
+ LEGAL_NEW_RESOURCE(stuff->pid, client);
+
+ len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
++ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++ return BadLength;
+ if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
+
+@@ -2488,18 +2492,18 @@
+ return (*ProcRenderVector[stuff->renderReqType]) (client);
+ }
+
+-static void swapStops(void *stuff, int n)
++static void swapStops(void *stuff, int num)
+ {
+- int i;
++ int i, n;
+ CARD32 *stops;
+ CARD16 *colors;
+ stops = (CARD32 *)(stuff);
+- for (i = 0; i < n; ++i) {
++ for (i = 0; i < num; ++i) {
+ swapl(stops, n);
+ ++stops;
+ }
+ colors = (CARD16 *)(stops);
+- for (i = 0; i < 4*n; ++i) {
++ for (i = 0; i < 4*num; ++i) {
+ swaps(stops, n);
+ ++stops;
+ }
+@@ -2522,6 +2526,8 @@
+ swapl(&stuff->nStops, n);
+
+ len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
++ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++ return BadLength;
+ if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
+
+@@ -2549,6 +2555,8 @@
+ swapl(&stuff->nStops, n);
+
+ len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
++ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++ return BadLength;
+ if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
+
+@@ -2573,6 +2581,8 @@
+ swapl(&stuff->nStops, n);
+
+ len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
++ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++ return BadLength;
+ if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
+
diff --git a/debian/patches/series b/debian/patches/series
index 755ab6b..07df961 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -50,3 +50,4 @@
52_bug-13526.diff
53_CVE-2007-5958.diff
54_fb_asm_fix.diff
+idef-apr08-v3-xserver-1.4.diff
Reply to: