* Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.17

- cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability - cve-2007-5958.patch: Xorg / XFree86 file existence disclosure vulnerability - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability - cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability - cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability
2008-01-18 02:52:04 +00:00 · 2008-01-18 02:52:04 +00:00 · ac5c859b15
commit ac5c859b15
parent 65380501e0
6 changed files with 483 additions and 3 deletions
--- a/cve-2007-5760.patch
+++ b/cve-2007-5760.patch
@ -0,0 +1,15 @@
 diff -up xorg-server-1.1.1/hw/xfree86/dixmods/extmod/xf86misc.c.jx xorg-server-1.1.1/hw/xfree86/dixmods/extmod/xf86misc.c
 diff -up xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c
 --- xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx	2006-07-05 14:31:40.000000000 -0400
 +++ xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c	2007-12-11 15:03:32.000000000 -0500
@@ -647,6 +647,10 @@ MiscExtPassMessage(int scrnIndex, const 
     DEBUG_P("MiscExtPassMessage");
 +    /* should check this in the protocol, but xf86NumScreens isn't exported */
 +    if (scrnIndex >= xf86NumScreens)
 +	return BadValue;
 +
     if (*pScr->HandleMessage == NULL)
 	    return BadImplementation;
     return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);
--- a/cve-2007-5958.patch
+++ b/cve-2007-5958.patch
@ -0,0 +1,20 @@
 --- xorg-server-1.3.0.0/Xext/security.c	2007-12-19 23:00:48.062636000 -0800
 +++ xorg-server-1.3.0.0/Xext/security.c	2007-12-21 14:04:40.604373000 -0800
@@ -1572,7 +1572,7 @@
 	return;
 #ifndef __UNIXOS2__
 -    f = fopen(SecurityPolicyFile, "r");
 +    f = Fopen(SecurityPolicyFile, "r");
 #else
     f = fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r");
 #endif    
@@ -1658,7 +1658,7 @@
     }
 #endif /* PROPDEBUG */
 -    fclose(f);
 +    Fclose(f);
 } /* SecurityLoadPropertyAccessList */
--- a/cve-2007-6427.patch
+++ b/cve-2007-6427.patch
@ -0,0 +1,227 @@
 --- xorg-server-1.1.1/Xi/chgprop.c.da	2006-07-06 04:31:36.000000000 +1000
 +++ xorg-server-1.1.1/Xi/chgprop.c	2007-12-14 11:52:27.000000000 +1000
@@ -81,19 +81,15 @@
 SProcXChangeDeviceDontPropagateList(register ClientPtr client)
 {
     register char n;
 -    register long *p;
 -    register int i;
     REQUEST(xChangeDeviceDontPropagateListReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
     swapl(&stuff->window, n);
     swaps(&stuff->count, n);
 -    p = (long *)&stuff[1];
 -    for (i = 0; i < stuff->count; i++) {
 -	swapl(p, n);
 -	p++;
 -    }
 +    REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
 +                      stuff->count * sizeof(CARD32));
 +    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
     return (ProcXChangeDeviceDontPropagateList(client));
 }
 --- xorg-server-1.1.1/Xi/sendexev.c.da	2006-07-06 04:31:36.000000000 +1000
 +++ xorg-server-1.1.1/Xi/sendexev.c	2007-12-14 11:54:20.000000000 +1000
@@ -83,7 +83,7 @@
 SProcXSendExtensionEvent(register ClientPtr client)
 {
     register char n;
 -    register long *p;
 +    register CARD32 *p;
     register int i;
     xEvent eventT;
     xEvent *eventP;
@@ -94,6 +94,11 @@
     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
     swapl(&stuff->destination, n);
     swaps(&stuff->count, n);
 +
 +    if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
 +	(stuff->num_events * (sizeof(xEvent) >> 2)))
 +	return BadLength;
 +    
     eventP = (xEvent *) & stuff[1];
     for (i = 0; i < stuff->num_events; i++, eventP++) {
 	proc = EventSwapVector[eventP->u.u.type & 0177];
@@ -103,11 +108,8 @@
 	*eventP = eventT;
     }
 -    p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
 -    for (i = 0; i < stuff->count; i++) {
 -	swapl(p, n);
 -	p++;
 -    }
 +    p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
 +    SwapLongs(p, stuff->count);
     return (ProcXSendExtensionEvent(client));
 }
 --- xorg-server-1.1.1/Xi/chgkmap.c.da	2006-07-06 04:31:36.000000000 +1000
 +++ xorg-server-1.1.1/Xi/chgkmap.c	2007-12-14 11:52:00.000000000 +1000
@@ -79,18 +79,14 @@
 SProcXChangeDeviceKeyMapping(register ClientPtr client)
 {
     register char n;
 -    register long *p;
 -    register int i, count;
 +    register unsigned int count;
     REQUEST(xChangeDeviceKeyMappingReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
 -    p = (long *)&stuff[1];
     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
 -    for (i = 0; i < count; i++) {
 -	swapl(p, n);
 -	p++;
 -    }
 +    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
 +    SwapLongs((CARD32 *) (&stuff[1]), count);
     return (ProcXChangeDeviceKeyMapping(client));
 }
@@ -106,10 +102,14 @@
     int ret;
     unsigned len;
     DeviceIntPtr dev;
 +    unsigned int count;
     REQUEST(xChangeDeviceKeyMappingReq);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
 +    count = stuff->keyCodes * stuff->keySymsPerKeyCode;
 +    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
 +    
     dev = LookupDeviceIntRec(stuff->deviceid);
     if (dev == NULL) {
 	SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
 --- xorg-server-1.1.1/Xi/grabdevb.c.da	2006-07-06 04:31:36.000000000 +1000
 +++ xorg-server-1.1.1/Xi/grabdevb.c	2007-12-14 11:53:03.000000000 +1000
@@ -80,8 +80,6 @@
 SProcXGrabDeviceButton(register ClientPtr client)
 {
     register char n;
 -    register long *p;
 -    register int i;
     REQUEST(xGrabDeviceButtonReq);
     swaps(&stuff->length, n);
@@ -89,11 +87,9 @@
     swapl(&stuff->grabWindow, n);
     swaps(&stuff->modifiers, n);
     swaps(&stuff->event_count, n);
 -    p = (long *)&stuff[1];
 -    for (i = 0; i < stuff->event_count; i++) {
 -	swapl(p, n);
 -	p++;
 -    }
 +    REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
 +		       stuff->event_count * sizeof(CARD32));
 +    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
     return (ProcXGrabDeviceButton(client));
 }
 --- xorg-server-1.1.1/Xi/selectev.c.da	2006-07-06 04:31:36.000000000 +1000
 +++ xorg-server-1.1.1/Xi/selectev.c	2007-12-14 11:53:54.000000000 +1000
@@ -84,19 +84,15 @@
 SProcXSelectExtensionEvent(register ClientPtr client)
 {
     register char n;
 -    register long *p;
 -    register int i;
     REQUEST(xSelectExtensionEventReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
     swapl(&stuff->window, n);
     swaps(&stuff->count, n);
 -    p = (long *)&stuff[1];
 -    for (i = 0; i < stuff->count; i++) {
 -	swapl(p, n);
 -	p++;
 -    }
 +    REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
 +                      stuff->count * sizeof(CARD32));
 +    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
     return (ProcXSelectExtensionEvent(client));
 }
 --- xorg-server-1.1.1/Xi/grabdevk.c.da	2006-07-06 04:31:36.000000000 +1000
 +++ xorg-server-1.1.1/Xi/grabdevk.c	2007-12-14 11:53:15.000000000 +1000
@@ -80,8 +80,6 @@
 SProcXGrabDeviceKey(register ClientPtr client)
 {
     register char n;
 -    register long *p;
 -    register int i;
     REQUEST(xGrabDeviceKeyReq);
     swaps(&stuff->length, n);
@@ -89,11 +87,8 @@
     swapl(&stuff->grabWindow, n);
     swaps(&stuff->modifiers, n);
     swaps(&stuff->event_count, n);
 -    p = (long *)&stuff[1];
 -    for (i = 0; i < stuff->event_count; i++) {
 -	swapl(p, n);
 -	p++;
 -    }
 +    REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
 +    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
     return (ProcXGrabDeviceKey(client));
 }
 --- xorg-server-1.1.1/Xi/grabdev.c.da	2006-07-06 04:31:36.000000000 +1000
 +++ xorg-server-1.1.1/Xi/grabdev.c	2007-12-14 11:52:47.000000000 +1000
@@ -82,8 +82,6 @@
 SProcXGrabDevice(register ClientPtr client)
 {
     register char n;
 -    register long *p;
 -    register int i;
     REQUEST(xGrabDeviceReq);
     swaps(&stuff->length, n);
@@ -91,11 +89,11 @@
     swapl(&stuff->grabWindow, n);
     swapl(&stuff->time, n);
     swaps(&stuff->event_count, n);
 -    p = (long *)&stuff[1];
 -    for (i = 0; i < stuff->event_count; i++) {
 -	swapl(p, n);
 -	p++;
 -    }
 +
 +    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
 +	return BadLength;
 +    
 +    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
     return (ProcXGrabDevice(client));
 }
 --- xorg-server-1.1.1/Xi/chgfctl.c.da	2006-07-06 04:31:36.000000000 +1000
 +++ xorg-server-1.1.1/Xi/chgfctl.c	2007-12-14 11:50:50.000000000 +1000
@@ -451,18 +451,13 @@
 		     xStringFeedbackCtl * f)
 {
     register char n;
 -    register long *p;
     int i, j;
     KeySym *syms, *sup_syms;
     syms = (KeySym *) (f + 1);
     if (client->swapped) {
 	swaps(&f->length, n);	/* swapped num_keysyms in calling proc */
 -	p = (long *)(syms);
 -	for (i = 0; i < f->num_keysyms; i++) {
 -	    swapl(p, n);
 -	    p++;
 -	}
 +	SwapLongs((CARD32 *) syms, f->num_keysyms);
     }
     if (f->num_keysyms > s->ctrl.max_symbols) {
--- a/cve-2007-6428.patch
+++ b/cve-2007-6428.patch
@ -0,0 +1,13 @@
 diff -up xorg-server-1.1.1/Xext/cup.c.jx xorg-server-1.1.1/Xext/cup.c
 --- xorg-server-1.1.1/Xext/cup.c.jx	2006-07-05 14:31:36.000000000 -0400
 +++ xorg-server-1.1.1/Xext/cup.c	2007-12-11 14:28:37.000000000 -0500
@@ -198,6 +198,9 @@ int ProcGetReservedColormapEntries(
     REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
 +    if (stuff->screen >= screenInfo.numScreens)
 +	return BadValue;
 +
 #ifndef HAVE_SPECIAL_DESKTOP_COLORS
     citems[CUP_BLACK_PIXEL].pixel = 
 	screenInfo.screens[stuff->screen]->blackPixel;
--- a/cve-2007-6429.patch
+++ b/cve-2007-6429.patch
@ -0,0 +1,194 @@
 --- xorg-server-1.1.1/Xext/shm.c.freedesktop-bug-13520	2006-07-06 04:31:36.000000000 +1000
 +++ xorg-server-1.1.1/Xext/shm.c	2007-12-14 13:08:59.000000000 +1000
@@ -725,6 +725,8 @@
     int i, j, result;
     ShmDescPtr shmdesc;
     REQUEST(xShmCreatePixmapReq);
 +    unsigned int width, height, depth;
 +    unsigned long size;
     PanoramiXRes *newPix;
     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -734,11 +736,26 @@
     LEGAL_NEW_RESOURCE(stuff->pid, client);
     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
 -    if (!stuff->width || !stuff->height)
 +
 +    width = stuff->width;
 +    height = stuff->height;
 +    depth = stuff->depth;
 +    if (!width || !height || !depth)
     {
 	client->errorValue = 0;
         return BadValue;
     }
 +    if (width > 32767 || height > 32767)
 +        return BadAlloc;
 +    size = PixmapBytePad(width, depth) * height;
 +    if (sizeof(size) == 4) {
 +        if (size < width * height)
 +            return BadAlloc;
 +        /* thankfully, offset is unsigned */
 +        if (stuff->offset + size < size)
 +            return BadAlloc;
 +    }
 +
     if (stuff->depth != 1)
     {
         pDepth = pDraw->pScreen->allowedDepths;
@@ -749,9 +766,7 @@
         return BadValue;
     }
 CreatePmap:
 -    VERIFY_SHMSIZE(shmdesc, stuff->offset,
 -		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
 -		   client);
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
 	return BadAlloc;
@@ -1049,6 +1064,8 @@
     register int i;
     ShmDescPtr shmdesc;
     REQUEST(xShmCreatePixmapReq);
 +    unsigned int width, height, depth;
 +    unsigned long size;
     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
     client->errorValue = stuff->pid;
@@ -1057,11 +1074,26 @@
     LEGAL_NEW_RESOURCE(stuff->pid, client);
     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
 -    if (!stuff->width || !stuff->height)
 +    
 +    width = stuff->width;
 +    height = stuff->height;
 +    depth = stuff->depth;
 +    if (!width || !height || !depth)
     {
 	client->errorValue = 0;
         return BadValue;
     }
 +    if (width > 32767 || height > 32767)
 +	return BadAlloc;
 +    size = PixmapBytePad(width, depth) * height;
 +    if (sizeof(size) == 4) {
 +	if (size < width * height)
 +	    return BadAlloc;
 +	/* thankfully, offset is unsigned */
 +	if (stuff->offset + size < size)
 +	    return BadAlloc;
 +    }
 +
     if (stuff->depth != 1)
     {
         pDepth = pDraw->pScreen->allowedDepths;
@@ -1072,9 +1104,7 @@
         return BadValue;
     }
 CreatePmap:
 -    VERIFY_SHMSIZE(shmdesc, stuff->offset,
 -		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
 -		   client);
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
 			    pDraw->pScreen, stuff->width,
 			    stuff->height, stuff->depth,
 diff --git a/Xext/EVI.c b/Xext/EVI.c
 index 8fe3481..13bd32a 100644
 --- a/Xext/EVI.c
 +++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "modinit.h"
 +#include "scrnintstr.h"
 #if 0
 static unsigned char XEVIReqCode = 0;
@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
 {
     REQUEST(xEVIGetVisualInfoReq);
     xEVIGetVisualInfoReply rep;
 -    int n, n_conflict, n_info, sz_info, sz_conflict;
 +    int i, n, n_conflict, n_info, sz_info, sz_conflict;
     VisualID32 *conflict;
 +    unsigned int total_visuals = 0;
     xExtendedVisualInfo *eviInfo;
     int status;
 +
 +    /*
 +     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
 +     * here that you don't have more than 2^32 visuals over all your screens;
 +     * this seems like a safe assumption.
 +     */
 +    for (i = 0; i < screenInfo.numScreens; i++)
 +	total_visuals += screenInfo.screens[i]->numVisuals;
 +    if (stuff->n_visual > total_visuals)
 +	return BadValue;
 +
     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
 		&eviInfo, &n_info, &conflict, &n_conflict);
 diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
 index 7508aa7..b8f39c7 100644
 --- a/Xext/sampleEVI.c
 +++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "scrnintstr.h"
 +
 +#if HAVE_STDINT_H
 +#include <stdint.h>
 +#elif !defined(INT_MAX)
 +#define INT_MAX 0x7fffffff
 +#endif
 +
 static int sampleGetVisualInfo(
     VisualID32 *visual,
     int n_visual,
@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
     VisualID32 **conflict_rn,
     int *n_conflict_rn)
 {
 -    int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
 +    unsigned int max_sz_evi;
     VisualID32 *temp_conflict;
     xExtendedVisualInfo *evi;
 -    int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
 +    unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
     register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
 -    *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
 -    if (!*evi_rn)
 -         return BadAlloc;
 +
 +    if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
 +	return BadAlloc;
 +    max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
 +    
     for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
         if (screenInfo.screens[scrI]->numVisuals > max_visuals)
             max_visuals = screenInfo.screens[scrI]->numVisuals;
     }
 +
 +    if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens 
 +			       * max_visuals)) 
 +	return BadAlloc;
     max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
 +
 +    *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
 +    if (!*evi_rn)
 +         return BadAlloc;
 +
     temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
     if (!temp_conflict) {
         xfree(*evi_rn);
         return BadAlloc;
     }
 +
     for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
         for (visualI = 0; visualI < n_visual; visualI++) {
 	    evi[sz_evi].core_visual_id = visual[visualI];
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -20,7 +20,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.4.99.1
-Release:   0.16.%{?gitdate}%{?dist}
+Release:   0.17.%{?gitdate}%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@ -57,8 +57,12 @@ Patch2004:  xserver-1.3.0-honor-displaysize.patch
 Patch2007:  xserver-1.3.0-randr12-config-hack.patch
 Patch2013:  xserver-1.4.99-document-fontpath-correctly.patch
-# Trivial things, already merged
+# Trivial things, already merged - cves already upstream
-#Patch3000:
+Patch3000:  cve-2007-5760.patch
 Patch3001:  cve-2007-5958.patch
 Patch3002:  cve-2007-6427.patch
 Patch3003:  cve-2007-6428.patch
 Patch3004:  cve-2007-6429.patch
 # Trivial things to maybe merge upstream at next rebase
 #Patch4003: argh-pixman.patch #fixme
@ -511,6 +515,13 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.17
 - cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
 - cve-2007-5958.patch: Xorg / XFree86 file existence disclosure vulnerability
 - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability
 - cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability
 - cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability
 * Wed Jan 16 2008 Kristian Høgsberg <krh@redhat.com> 1.4.99.1-0.16
 - Add xserver-1.4.99-engage-composite-crack-mode.patch to better hide
  protocol side effects such as loss of grabs and focus when