xorg-server: Changes to 'refs/tags/xorg-server-2_1.16.2.901-1'
Tag 'xorg-server-2_1.16.2.901-1' created by Julien Cristau <jcristau@debian.org> at 2014-12-09 21:27 +0000
Tagging upload of xorg-server 2:1.16.2.901-1 to unstable.
Changes since xorg-server-2_1.16.1.901-1:
Adam Jackson (12):
glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]
glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6]
glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8]
glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8]
glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8]
glx: Length-checking for non-generated vendor private requests [CVE-2014-8098 6/8]
glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]
glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]
Alan Coopersmith (19):
Add -iglx & +iglx to Xserver.man
unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
dri2: integer overflow in ProcDRI2GetBuffers() [CVE-2014-8094]
dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]
Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
dri3: unvalidated lengths in DRI3 extension swapped procs [CVE-2014-8103 1/2]
present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]
Add request length checking test cases for some Xinput 1.x requests
Add request length checking test cases for some Xinput 2.x requests
Add REQUEST_FIXED_SIZE testcases to test/misc.c
Alex Orange (1):
fb: Fix Bresenham algorithms for commonly used small segments.
Julien Cristau (7):
Bump to 1.16.2
render: check request size before reading it [CVE-2014-8100 1/2]
glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]
Bump to 1.16.2.901
Merge tag 'xorg-server-1.16.2.901' into debian-unstable
Merge 1.16.2.901
Upload to unstable
Keith Packard (6):
present: Support PresentOptionCopy
glx: check return from __glXGetAnswerBuffer
dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9]
Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
Mario Kleiner (2):
present: Avoid crashes in DebugPresent(), a bit more info.
present: Fix use of vsynced pageflips and honor PresentOptionAsync. (v4)
Robert Morell (1):
glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]
---
ChangeLog | 781 ++++++++++
Xext/xcmisc.c | 1
Xext/xvdisp.c | 20
Xi/chgdctl.c | 8
Xi/chgfctl.c | 2
Xi/sendexev.c | 3
Xi/xiallowev.c | 2
Xi/xichangecursor.c | 2
Xi/xichangehierarchy.c | 35
Xi/xigetclientpointer.c | 1
Xi/xigrabdev.c | 9
Xi/xipassivegrab.c | 12
Xi/xiproperty.c | 14
Xi/xiquerydevice.c | 1
Xi/xiquerypointer.c | 2
Xi/xiselectev.c | 8
Xi/xisetclientpointer.c | 3
Xi/xisetdevfocus.c | 4
Xi/xiwarppointer.c | 2
configure.ac | 5
dbe/dbe.c | 17
debian/changelog | 20
debian/patches/06_Revert-fb-reorder-Bresenham-error-correction-to-avoi.diff | 68
debian/patches/09_Xserver-man-iglx.diff | 16
debian/patches/series | 2
dix/dispatch.c | 3
dix/region.c | 20
dri3/dri3_request.c | 6
fb/fbseg.c | 20
glx/clientinfo.c | 20
glx/glxcmds.c | 85 -
glx/glxcmdsswap.c | 4
glx/glxserver.h | 43
glx/indirect_dispatch.c | 25
glx/indirect_dispatch_swap.c | 26
glx/indirect_program.c | 2
glx/indirect_reqsize.c | 142 -
glx/indirect_reqsize.h | 181 +-
glx/indirect_texture_compression.c | 4
glx/indirect_util.c | 9
glx/rensize.c | 114 -
glx/single2.c | 23
glx/single2swap.c | 19
glx/singlepix.c | 60
glx/singlepixswap.c | 50
glx/swap_interval.c | 2
glx/unpack.h | 3
hw/xfree86/dri2/dri2ext.c | 3
include/dix.h | 7
include/regionstr.h | 10
man/Xserver.man | 10
os/access.c | 6
os/rpcauth.c | 4
present/present.c | 18
present/present_request.c | 6
randr/rrsdispatch.c | 4
render/render.c | 20
test/Makefile.am | 2
test/misc.c | 37
test/xi1/Makefile.am | 34
test/xi1/protocol-xchangedevicecontrol.c | 122 +
test/xi2/protocol-xigetclientpointer.c | 5
test/xi2/protocol-xipassivegrabdevice.c | 8
test/xi2/protocol-xiquerypointer.c | 4
test/xi2/protocol-xiwarppointer.c | 3
xfixes/select.c | 1
66 files changed, 1802 insertions(+), 401 deletions(-)