* Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.18

- cve-2007-6429.patch: Fix patch to not break java apps
2008-01-18 20:00:12 +00:00 · 2008-01-18 20:00:12 +00:00 · 277f8aacd1
commit 277f8aacd1
parent e002a5ab25
2 changed files with 84 additions and 93 deletions
--- a/cve-2007-6429.patch
+++ b/cve-2007-6429.patch
@ -1,69 +1,20 @@
-From 6de61f82728df22ea01f9659df6581b87f33f11d Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@bluenote.herrb.com>
-Date: Thu, 17 Jan 2008 15:28:42 +0100
-Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
-
---
- Xext/EVI.c       |   15 ++++++++++++++-
- Xext/sampleEVI.c |   29 ++++++++++++++++++++++++-----
- Xext/shm.c       |   46 ++++++++++++++++++++++++++++++++++++++--------
- 3 files changed, 76 insertions(+), 14 deletions(-)
-
-diff --git a/Xext/EVI.c b/Xext/EVI.c
-index 4bd050c..a637bae 100644
--- a/Xext/EVI.c
-+++ b/Xext/EVI.c
-@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include <X11/extensions/XEVIstr.h>
- #include "EVIstruct.h"
- #include "modinit.h"
-+#include "scrnintstr.h"
- 
- static EviPrivPtr eviPriv;
- 
-@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
- {
-     REQUEST(xEVIGetVisualInfoReq);
-     xEVIGetVisualInfoReply rep;
-    int n, n_conflict, n_info, sz_info, sz_conflict;
-+    int i, n, n_conflict, n_info, sz_info, sz_conflict;
-     VisualID32 *conflict;
-+    unsigned int total_visuals = 0;
-     xExtendedVisualInfo *eviInfo;
-     int status;
-+
-+    /*
-+     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
-+     * here that you don't have more than 2^32 visuals over all your screens;
-+     * this seems like a safe assumption.
-+     */
-+    for (i = 0; i < screenInfo.numScreens; i++)
-+	total_visuals += screenInfo.screens[i]->numVisuals;
-+    if (stuff->n_visual > total_visuals)
-+	return BadValue;
-+
-     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
-     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
- 		&eviInfo, &n_info, &conflict, &n_conflict);
-diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
-index 7508aa7..b871bfd 100644
--- a/Xext/sampleEVI.c
-+++ b/Xext/sampleEVI.c
-@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+--- xorg-server-1.1.1/Xext/sampleEVI.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
+++ xorg-server-1.1.1/Xext/sampleEVI.c	2008-01-18 14:15:44.000000000 -0500
+@@ -36,6 +36,13 @@
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "scrnintstr.h"
 +
 +#if HAVE_STDINT_H
 +#include <stdint.h>
-+#elif !defined(UINT32_MAX)
-+#define UINT32_MAX 0xffffffffU
+#elif !defined(INT_MAX)
+#define INT_MAX 0x7fffffff
 +#endif
 +
 static int sampleGetVisualInfo(
     VisualID32 *visual,
     int n_visual,
-@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
+@@ -44,24 +51,36 @@
     VisualID32 **conflict_rn,
     int *n_conflict_rn)
 {
@ -105,12 +56,44 @@ index 7508aa7..b871bfd 100644
     for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
         for (visualI = 0; visualI < n_visual; visualI++) {
 	    evi[sz_evi].core_visual_id = visual[visualI];
-diff --git a/Xext/shm.c b/Xext/shm.c
-index e3d7a23..c545e49 100644
--- a/Xext/shm.c
-+++ b/Xext/shm.c
-@@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap(
-     int i, j, result, rc;
+--- xorg-server-1.1.1/Xext/EVI.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
+++ xorg-server-1.1.1/Xext/EVI.c	2008-01-18 14:15:44.000000000 -0500
+@@ -36,6 +36,7 @@
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "modinit.h"
+#include "scrnintstr.h"
+ 
+ #if 0
+ static unsigned char XEVIReqCode = 0;
+@@ -89,10 +90,22 @@
+ {
+     REQUEST(xEVIGetVisualInfoReq);
+     xEVIGetVisualInfoReply rep;
+-    int n, n_conflict, n_info, sz_info, sz_conflict;
+    int i, n, n_conflict, n_info, sz_info, sz_conflict;
+     VisualID32 *conflict;
+    unsigned int total_visuals = 0;
+     xExtendedVisualInfo *eviInfo;
+     int status;
+
+    /*
+     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
+     * here that you don't have more than 2^32 visuals over all your screens;
+     * this seems like a safe assumption.
+     */
+    for (i = 0; i < screenInfo.numScreens; i++)
+	total_visuals += screenInfo.screens[i]->numVisuals;
+    if (stuff->n_visual > total_visuals)
+	return BadValue;
+
+     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
+     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
+ 		&eviInfo, &n_info, &conflict, &n_conflict);
+--- xorg-server-1.1.1/Xext/shm.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
+++ xorg-server-1.1.1/Xext/shm.c	2008-01-18 14:19:28.000000000 -0500
+@@ -725,6 +725,8 @@
+     int i, j, result;
     ShmDescPtr shmdesc;
     REQUEST(xShmCreatePixmapReq);
 +    unsigned int width, height, depth;
@ -118,9 +101,9 @@ index e3d7a23..c545e49 100644
     PanoramiXRes *newPix;
 
     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -770,11 +772,26 @@ ProcPanoramiXShmCreatePixmap(
- 	return rc;
- 
+@@ -734,11 +736,18 @@
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
 -    if (!stuff->width || !stuff->height)
 +
@ -134,8 +117,22 @@ index e3d7a23..c545e49 100644
     }
 +    if (width > 32767 || height > 32767)
 +        return BadAlloc;
+
+     if (stuff->depth != 1)
+     {
+         pDepth = pDraw->pScreen->allowedDepths;
+@@ -748,10 +757,19 @@
+ 	client->errorValue = stuff->depth;
+         return BadValue;
+     }
+
+ CreatePmap:
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
+-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+-		   client);
+    /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
 +    size = PixmapBytePad(width, depth) * height;
-+    if (sizeof(size) == 4) {
+    if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
 +        if (size < width * height)
 +            return BadAlloc;
 +        /* thankfully, offset is unsigned */
@ -143,22 +140,12 @@ index e3d7a23..c545e49 100644
 +            return BadAlloc;
 +    }
 +
-     if (stuff->depth != 1)
-     {
-         pDepth = pDraw->pScreen->allowedDepths;
-@@ -785,9 +802,7 @@ ProcPanoramiXShmCreatePixmap(
-         return BadValue;
-     }
- CreatePmap:
-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-		   client);
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
 	return BadAlloc;
-@@ -1086,6 +1101,8 @@ ProcShmCreatePixmap(client)
-     register int i, rc;
+@@ -1049,6 +1067,8 @@
+     register int i;
     ShmDescPtr shmdesc;
     REQUEST(xShmCreatePixmapReq);
 +    unsigned int width, height, depth;
@ -166,9 +153,9 @@ index e3d7a23..c545e49 100644
 
     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
     client->errorValue = stuff->pid;
-@@ -1098,11 +1115,26 @@ ProcShmCreatePixmap(client)
- 	return rc;
- 
+@@ -1057,11 +1077,18 @@
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
 -    if (!stuff->width || !stuff->height)
 +    
@ -182,8 +169,22 @@ index e3d7a23..c545e49 100644
     }
 +    if (width > 32767 || height > 32767)
 +	return BadAlloc;
+
+     if (stuff->depth != 1)
+     {
+         pDepth = pDraw->pScreen->allowedDepths;
+@@ -1071,10 +1098,19 @@
+ 	client->errorValue = stuff->depth;
+         return BadValue;
+     }
+
+ CreatePmap:
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
+-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+-		   client);
+    /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
 +    size = PixmapBytePad(width, depth) * height;
-+    if (sizeof(size) == 4) {
+    if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
 +        if (size < width * height)
 +            return BadAlloc;
 +        /* thankfully, offset is unsigned */
@ -191,20 +192,7 @@ index e3d7a23..c545e49 100644
 +            return BadAlloc;
 +    }
 +
-     if (stuff->depth != 1)
-     {
-         pDepth = pDraw->pScreen->allowedDepths;
-@@ -1113,9 +1145,7 @@ ProcShmCreatePixmap(client)
-         return BadValue;
-     }
- CreatePmap:
-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-		   client);
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
 			    pDraw->pScreen, stuff->width,
 			    stuff->height, stuff->depth,
-- 
-1.5.3.6
-
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -20,7 +20,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.4.99.1
-Release:   0.17.%{?gitdate}%{?dist}
+Release:   0.18.%{?gitdate}%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@ -515,6 +515,9 @@ rm -rf $RPM_BUILD_ROOT


 %changelog
+* Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.18
+- cve-2007-6429.patch: Fix patch to not break java apps
+
 * Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.17
 - cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
 - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability