* Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.18

- cve-2007-6429.patch: Fix patch to not break java apps
2008-01-18 20:00:12 +00:00 · 2008-01-18 20:00:12 +00:00 · 277f8aacd1
commit 277f8aacd1
parent e002a5ab25
2 changed files with 84 additions and 93 deletions
--- a/cve-2007-6429.patch
+++ b/cve-2007-6429.patch
@ -1,69 +1,20 @@
-From 6de61f82728df22ea01f9659df6581b87f33f11d Mon Sep 17 00:00:00 2001
+--- xorg-server-1.1.1/Xext/sampleEVI.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
-From: Matthieu Herrb <matthieu@bluenote.herrb.com>
+++ xorg-server-1.1.1/Xext/sampleEVI.c	2008-01-18 14:15:44.000000000 -0500
-Date: Thu, 17 Jan 2008 15:28:42 +0100
+@@ -36,6 +36,13 @@
 Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
 ---
 Xext/EVI.c       |   15 ++++++++++++++-
 Xext/sampleEVI.c |   29 ++++++++++++++++++++++++-----
 Xext/shm.c       |   46 ++++++++++++++++++++++++++++++++++++++--------
 3 files changed, 76 insertions(+), 14 deletions(-)
 diff --git a/Xext/EVI.c b/Xext/EVI.c
 index 4bd050c..a637bae 100644
 --- a/Xext/EVI.c
 +++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "modinit.h"
 +#include "scrnintstr.h"
 static EviPrivPtr eviPriv;
@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
 {
     REQUEST(xEVIGetVisualInfoReq);
     xEVIGetVisualInfoReply rep;
 -    int n, n_conflict, n_info, sz_info, sz_conflict;
 +    int i, n, n_conflict, n_info, sz_info, sz_conflict;
     VisualID32 *conflict;
 +    unsigned int total_visuals = 0;
     xExtendedVisualInfo *eviInfo;
     int status;
 +
 +    /*
 +     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
 +     * here that you don't have more than 2^32 visuals over all your screens;
 +     * this seems like a safe assumption.
 +     */
 +    for (i = 0; i < screenInfo.numScreens; i++)
 +	total_visuals += screenInfo.screens[i]->numVisuals;
 +    if (stuff->n_visual > total_visuals)
 +	return BadValue;
 +
     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
 		&eviInfo, &n_info, &conflict, &n_conflict);
 diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
 index 7508aa7..b871bfd 100644
 --- a/Xext/sampleEVI.c
 +++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "scrnintstr.h"
 +
 +#if HAVE_STDINT_H
 +#include <stdint.h>
-+#elif !defined(UINT32_MAX)
+#elif !defined(INT_MAX)
-+#define UINT32_MAX 0xffffffffU
+#define INT_MAX 0x7fffffff
 +#endif
 +
 static int sampleGetVisualInfo(
     VisualID32 *visual,
     int n_visual,
-@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
+@@ -44,24 +51,36 @@
     VisualID32 **conflict_rn,
     int *n_conflict_rn)
 {
@ -105,12 +56,44 @@ index 7508aa7..b871bfd 100644
     for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
         for (visualI = 0; visualI < n_visual; visualI++) {
 	    evi[sz_evi].core_visual_id = visual[visualI];
-diff --git a/Xext/shm.c b/Xext/shm.c
+--- xorg-server-1.1.1/Xext/EVI.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
-index e3d7a23..c545e49 100644
+++ xorg-server-1.1.1/Xext/EVI.c	2008-01-18 14:15:44.000000000 -0500
--- a/Xext/shm.c
+@@ -36,6 +36,7 @@
-+++ b/Xext/shm.c
+ #include <X11/extensions/XEVIstr.h>
-@@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap(
+ #include "EVIstruct.h"
-     int i, j, result, rc;
+ #include "modinit.h"
 +#include "scrnintstr.h"
 #if 0
 static unsigned char XEVIReqCode = 0;
@@ -89,10 +90,22 @@
 {
     REQUEST(xEVIGetVisualInfoReq);
     xEVIGetVisualInfoReply rep;
 -    int n, n_conflict, n_info, sz_info, sz_conflict;
 +    int i, n, n_conflict, n_info, sz_info, sz_conflict;
     VisualID32 *conflict;
 +    unsigned int total_visuals = 0;
     xExtendedVisualInfo *eviInfo;
     int status;
 +
 +    /*
 +     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
 +     * here that you don't have more than 2^32 visuals over all your screens;
 +     * this seems like a safe assumption.
 +     */
 +    for (i = 0; i < screenInfo.numScreens; i++)
 +	total_visuals += screenInfo.screens[i]->numVisuals;
 +    if (stuff->n_visual > total_visuals)
 +	return BadValue;
 +
     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
 		&eviInfo, &n_info, &conflict, &n_conflict);
 --- xorg-server-1.1.1/Xext/shm.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
 +++ xorg-server-1.1.1/Xext/shm.c	2008-01-18 14:19:28.000000000 -0500
@@ -725,6 +725,8 @@
     int i, j, result;
     ShmDescPtr shmdesc;
     REQUEST(xShmCreatePixmapReq);
 +    unsigned int width, height, depth;
@ -118,9 +101,9 @@ index e3d7a23..c545e49 100644
     PanoramiXRes *newPix;
     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -770,11 +772,26 @@ ProcPanoramiXShmCreatePixmap(
+@@ -734,11 +736,18 @@
- 	return rc;
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
- 
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
 -    if (!stuff->width || !stuff->height)
 +
@ -134,8 +117,22 @@ index e3d7a23..c545e49 100644
     }
 +    if (width > 32767 || height > 32767)
 +        return BadAlloc;
 +
     if (stuff->depth != 1)
     {
         pDepth = pDraw->pScreen->allowedDepths;
@@ -748,10 +757,19 @@
 	client->errorValue = stuff->depth;
         return BadValue;
     }
 +
 CreatePmap:
 -    VERIFY_SHMSIZE(shmdesc, stuff->offset,
 -		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
 -		   client);
 +    /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
 +    size = PixmapBytePad(width, depth) * height;
-+    if (sizeof(size) == 4) {
+    if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
 +        if (size < width * height)
 +            return BadAlloc;
 +        /* thankfully, offset is unsigned */
@ -143,22 +140,12 @@ index e3d7a23..c545e49 100644
 +            return BadAlloc;
 +    }
 +
     if (stuff->depth != 1)
     {
         pDepth = pDraw->pScreen->allowedDepths;
@@ -785,9 +802,7 @@ ProcPanoramiXShmCreatePixmap(
         return BadValue;
     }
 CreatePmap:
 -    VERIFY_SHMSIZE(shmdesc, stuff->offset,
 -		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
 -		   client);
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
 	return BadAlloc;
-@@ -1086,6 +1101,8 @@ ProcShmCreatePixmap(client)
+@@ -1049,6 +1067,8 @@
-     register int i, rc;
+     register int i;
     ShmDescPtr shmdesc;
     REQUEST(xShmCreatePixmapReq);
 +    unsigned int width, height, depth;
@ -166,9 +153,9 @@ index e3d7a23..c545e49 100644
     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
     client->errorValue = stuff->pid;
-@@ -1098,11 +1115,26 @@ ProcShmCreatePixmap(client)
+@@ -1057,11 +1077,18 @@
- 	return rc;
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
- 
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
 -    if (!stuff->width || !stuff->height)
 +    
@ -182,29 +169,30 @@ index e3d7a23..c545e49 100644
     }
 +    if (width > 32767 || height > 32767)
 +	return BadAlloc;
 +    size = PixmapBytePad(width, depth) * height;
 +    if (sizeof(size) == 4) {
 +	if (size < width * height)
 +	    return BadAlloc;
 +	/* thankfully, offset is unsigned */
 +	if (stuff->offset + size < size)
 +	    return BadAlloc;
 +    }
 +
     if (stuff->depth != 1)
     {
         pDepth = pDraw->pScreen->allowedDepths;
-@@ -1113,9 +1145,7 @@ ProcShmCreatePixmap(client)
+@@ -1071,10 +1098,19 @@
 	client->errorValue = stuff->depth;
         return BadValue;
     }
 +
 CreatePmap:
 -    VERIFY_SHMSIZE(shmdesc, stuff->offset,
 -		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
 -		   client);
 +    /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
 +    size = PixmapBytePad(width, depth) * height;
 +    if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
 +        if (size < width * height)
 +            return BadAlloc;
 +        /* thankfully, offset is unsigned */
 +        if (stuff->offset + size < size)
 +            return BadAlloc;
 +    }
 +
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
 			    pDraw->pScreen, stuff->width,
 			    stuff->height, stuff->depth,
 -- 
 1.5.3.6
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -20,7 +20,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.4.99.1
-Release:   0.17.%{?gitdate}%{?dist}
+Release:   0.18.%{?gitdate}%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@ -515,6 +515,9 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.18
 - cve-2007-6429.patch: Fix patch to not break java apps
 * Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.17
 - cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
 - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability