xorg-server: Changes to 'ubuntu'
debian/changelog | 6 ++
debian/patches/avoid-use-after-free.diff | 70 +++++++++++++++++++++++++++++++
debian/patches/series | 1
3 files changed, 77 insertions(+)
New commits:
commit e960d0aee5485f090ffe9fb7fce696846d8afb7a
Author: Timo Aaltonen <tjaalton@ubuntu.com>
Date: Tue Oct 15 12:06:27 2013 +0300
avoid-use-after-free.diff: Fix CVE-2013-4396.
diff --git a/debian/changelog b/debian/changelog
index d14bd68..5cd5b79 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xorg-server (2:1.14.3-3ubuntu2) saucy-proposed; urgency=low
+
+ * avoid-use-after-free.diff: Fix CVE-2013-4396.
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com> Tue, 15 Oct 2013 12:05:48 +0300
+
xorg-server (2:1.14.3-3ubuntu1) saucy; urgency=low
* Merge from unreleased debian git.
diff --git a/debian/patches/avoid-use-after-free.diff b/debian/patches/avoid-use-after-free.diff
new file mode 100644
index 0000000..86d8fc2
--- /dev/null
+++ b/debian/patches/avoid-use-after-free.diff
@@ -0,0 +1,70 @@
+commit 3afbfc4913db988b29f9aa6879b7501321e448d4
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Mon Sep 16 21:47:16 2013 -0700
+
+ Avoid use-after-free in dix/dixfonts.c: doImageText()
+
+ Save a pointer to the passed in closure structure before copying it
+ and overwriting the *c pointer to point to our copy instead of the
+ original. If we hit an error, once we free(c), reset c to point to
+ the original structure before jumping to the cleanup code that
+ references *c.
+
+ Since one of the errors being checked for is whether the server was
+ able to malloc(c->nChars * itemSize), the client can potentially pass
+ a number of characters chosen to cause the malloc to fail and the
+ error path to be taken, resulting in the read from freed memory.
+
+ Since the memory is accessed almost immediately afterwards, and the
+ X server is mostly single threaded, the odds of the free memory having
+ invalid contents are low with most malloc implementations when not using
+ memory debugging features, but some allocators will definitely overwrite
+ the memory there, leading to a likely crash.
+
+ Reported-by: Pedro Ribeiro <pedrib@gmail.com>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index feb765d..2e34d37 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+ data = malloc(c->nChars * itemSize);
+ if (!data) {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ if (!pGC) {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 69b99c3..4288da4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -61,3 +61,4 @@ glx-corner-case-drawablegone.patch
glx-link-against-glapi.patch
aarch64.patch
xmir.patch
+avoid-use-after-free.diff
Reply to: