* Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.17

- cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability - cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability - cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability - cve-2008-0006-server-fixup.patch: PCF Font Vulnerability - this patch isn't strictly required with new version of libXfont.
2008-01-18 03:31:54 +00:00 · 2008-01-18 03:31:54 +00:00 · e002a5ab25
commit e002a5ab25
parent e20d4ef28d
7 changed files with 364 additions and 304 deletions
--- a/cve-2007-5760.patch
+++ b/cve-2007-5760.patch
@ -1,10 +1,19 @@
-diff -up xorg-server-1.1.1/hw/xfree86/dixmods/extmod/xf86misc.c.jx xorg-server-1.1.1/hw/xfree86/dixmods/extmod/xf86misc.c
-diff -up xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c
--- xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx	2006-07-05 14:31:40.000000000 -0400
-+++ xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c	2007-12-11 15:03:32.000000000 -0500
-@@ -647,6 +647,10 @@ MiscExtPassMessage(int scrnIndex, const 
- 
-     DEBUG_P("MiscExtPassMessage");
+From bbde5b62a137ba726a747b838d81e92d72c1b42b Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@bluenote.herrb.com>
+Date: Thu, 17 Jan 2008 15:26:41 +0100
+Subject: [PATCH] Fix for CVE-2007-5760 - XFree86 Misc extension out of bounds array index
+
+---
+ hw/xfree86/common/xf86MiscExt.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/hw/xfree86/common/xf86MiscExt.c b/hw/xfree86/common/xf86MiscExt.c
+index c1b9c60..40c196a 100644
+--- a/hw/xfree86/common/xf86MiscExt.c
+++ b/hw/xfree86/common/xf86MiscExt.c
+@@ -548,6 +548,10 @@ MiscExtPassMessage(int scrnIndex, const char *msgtype, const char *msgval,
+ {
+     ScrnInfoPtr pScr = xf86Screens[scrnIndex];
 
 +    /* should check this in the protocol, but xf86NumScreens isn't exported */
 +    if (scrnIndex >= xf86NumScreens)
@ -13,3 +22,6 @@ diff -up xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx xorg-server-1.1.1/
     if (*pScr->HandleMessage == NULL)
 	    return BadImplementation;
     return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);
+-- 
+1.5.3.6
+
--- a/cve-2007-5958.patch
+++ b/cve-2007-5958.patch
@ -1,20 +0,0 @@
--- xorg-server-1.3.0.0/Xext/security.c	2007-12-19 23:00:48.062636000 -0800
-+++ xorg-server-1.3.0.0/Xext/security.c	2007-12-21 14:04:40.604373000 -0800
-@@ -1572,7 +1572,7 @@
- 	return;
- 
- #ifndef __UNIXOS2__
-    f = fopen(SecurityPolicyFile, "r");
-+    f = Fopen(SecurityPolicyFile, "r");
- #else
-     f = fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r");
- #endif    
-@@ -1658,7 +1658,7 @@
-     }
- #endif /* PROPDEBUG */
- 
-    fclose(f);
-+    Fclose(f);
- } /* SecurityLoadPropertyAccessList */
- 
- 
--- a/cve-2007-6427.patch
+++ b/cve-2007-6427.patch
@ -1,11 +1,94 @@
--- xorg-server-1.1.1/Xi/chgprop.c.da	2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/chgprop.c	2007-12-14 11:52:27.000000000 +1000
-@@ -81,19 +81,15 @@
- SProcXChangeDeviceDontPropagateList(register ClientPtr client)
+From dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@bluenote.herrb.com>
+Date: Thu, 17 Jan 2008 15:27:34 +0100
+Subject: [PATCH] Fix for CVE-2007-6427 - Xinput extension memory corruption.
+
+---
+ Xi/chgfctl.c  |    7 +------
+ Xi/chgkmap.c  |   14 +++++++-------
+ Xi/chgprop.c  |   10 +++-------
+ Xi/grabdev.c  |   12 +++++-------
+ Xi/grabdevb.c |   10 +++-------
+ Xi/grabdevk.c |    9 ++-------
+ Xi/selectev.c |   11 ++++-------
+ Xi/sendexev.c |   14 ++++++++------
+ 8 files changed, 33 insertions(+), 54 deletions(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 8fc24d5..696b74a 100644
+--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
+@@ -302,18 +302,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
+ 		     xStringFeedbackCtl * f)
 {
-     register char n;
-    register long *p;
-    register int i;
+     char n;
+-    long *p;
+     int i, j;
+     KeySym *syms, *sup_syms;
+ 
+     syms = (KeySym *) (f + 1);
+     if (client->swapped) {
+ 	swaps(&f->length, n);	/* swapped num_keysyms in calling proc */
+-	p = (long *)(syms);
+-	for (i = 0; i < f->num_keysyms; i++) {
+-	    swapl(p, n);
+-	    p++;
+-	}
+	SwapLongs((CARD32 *) syms, f->num_keysyms);
+     }
+ 
+     if (f->num_keysyms > s->ctrl.max_symbols)
+diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
+index 3361e98..df334c1 100644
+--- a/Xi/chgkmap.c
+++ b/Xi/chgkmap.c
+@@ -75,18 +75,14 @@ int
+ SProcXChangeDeviceKeyMapping(ClientPtr client)
+ {
+     char n;
+-    long *p;
+-    int i, count;
+    unsigned int count;
+ 
+     REQUEST(xChangeDeviceKeyMappingReq);
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+-    p = (long *)&stuff[1];
+     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+-    for (i = 0; i < count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), count);
+     return (ProcXChangeDeviceKeyMapping(client));
+ }
+ 
+@@ -102,10 +98,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
+     int ret;
+     unsigned len;
+     DeviceIntPtr dev;
+    unsigned int count;
+ 
+     REQUEST(xChangeDeviceKeyMappingReq);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+ 
+    count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+
+     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
+     if (ret != Success)
+ 	return ret;
+diff --git a/Xi/chgprop.c b/Xi/chgprop.c
+index 58db886..3fb33e1 100644
+--- a/Xi/chgprop.c
+++ b/Xi/chgprop.c
+@@ -77,19 +77,15 @@ int
+ SProcXChangeDeviceDontPropagateList(ClientPtr client)
+ {
+     char n;
+-    long *p;
+-    int i;
 
     REQUEST(xChangeDeviceDontPropagateListReq);
     swaps(&stuff->length, n);
@ -23,94 +106,50 @@
     return (ProcXChangeDeviceDontPropagateList(client));
 }
 
--- xorg-server-1.1.1/Xi/sendexev.c.da	2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/sendexev.c	2007-12-14 11:54:20.000000000 +1000
-@@ -83,7 +83,7 @@
- SProcXSendExtensionEvent(register ClientPtr client)
+diff --git a/Xi/grabdev.c b/Xi/grabdev.c
+index 110fc6b..0671e0e 100644
+--- a/Xi/grabdev.c
+++ b/Xi/grabdev.c
+@@ -78,8 +78,6 @@ int
+ SProcXGrabDevice(ClientPtr client)
 {
-     register char n;
-    register long *p;
-+    register CARD32 *p;
-     register int i;
-     xEvent eventT;
-     xEvent *eventP;
-@@ -94,6 +94,11 @@
-     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
-     swapl(&stuff->destination, n);
-     swaps(&stuff->count, n);
-+
-+    if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
-+	(stuff->num_events * (sizeof(xEvent) >> 2)))
-+	return BadLength;
-+    
-     eventP = (xEvent *) & stuff[1];
-     for (i = 0; i < stuff->num_events; i++, eventP++) {
- 	proc = EventSwapVector[eventP->u.u.type & 0177];
-@@ -103,11 +108,8 @@
- 	*eventP = eventT;
-     }
+     char n;
+-    long *p;
+-    int i;
 
-    p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
-    for (i = 0; i < stuff->count; i++) {
-	swapl(p, n);
-	p++;
-    }
-+    p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
-+    SwapLongs(p, stuff->count);
-     return (ProcXSendExtensionEvent(client));
- }
- 
--- xorg-server-1.1.1/Xi/chgkmap.c.da	2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/chgkmap.c	2007-12-14 11:52:00.000000000 +1000
-@@ -79,18 +79,14 @@
- SProcXChangeDeviceKeyMapping(register ClientPtr client)
- {
-     register char n;
-    register long *p;
-    register int i, count;
-+    register unsigned int count;
- 
-     REQUEST(xChangeDeviceKeyMappingReq);
+     REQUEST(xGrabDeviceReq);
     swaps(&stuff->length, n);
-     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+@@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client)
+     swapl(&stuff->grabWindow, n);
+     swapl(&stuff->time, n);
+     swaps(&stuff->event_count, n);
 -    p = (long *)&stuff[1];
-     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-    for (i = 0; i < count; i++) {
+-    for (i = 0; i < stuff->event_count; i++) {
 -	swapl(p, n);
 -	p++;
 -    }
-+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
-+    SwapLongs((CARD32 *) (&stuff[1]), count);
-     return (ProcXChangeDeviceKeyMapping(client));
- }
- 
-@@ -106,10 +102,14 @@
-     int ret;
-     unsigned len;
-     DeviceIntPtr dev;
-+    unsigned int count;
- 
-     REQUEST(xChangeDeviceKeyMappingReq);
-     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
- 
-+    count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+
+    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+       return BadLength;
 +    
-     dev = LookupDeviceIntRec(stuff->deviceid);
-     if (dev == NULL) {
- 	SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
--- xorg-server-1.1.1/Xi/grabdevb.c.da	2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/grabdevb.c	2007-12-14 11:53:03.000000000 +1000
-@@ -80,8 +80,6 @@
- SProcXGrabDeviceButton(register ClientPtr client)
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+ 
+     return (ProcXGrabDevice(client));
+ }
+diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
+index c2661e8..ce0dcc5 100644
+--- a/Xi/grabdevb.c
+++ b/Xi/grabdevb.c
+@@ -77,8 +77,6 @@ int
+ SProcXGrabDeviceButton(ClientPtr client)
 {
-     register char n;
-    register long *p;
-    register int i;
+     char n;
+-    long *p;
+-    int i;
 
     REQUEST(xGrabDeviceButtonReq);
     swaps(&stuff->length, n);
-@@ -89,11 +87,9 @@
+@@ -86,11 +84,9 @@ SProcXGrabDeviceButton(ClientPtr client)
     swapl(&stuff->grabWindow, n);
     swaps(&stuff->modifiers, n);
     swaps(&stuff->event_count, n);
@ -120,19 +159,48 @@
 -	p++;
 -    }
 +    REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
-+		       stuff->event_count * sizeof(CARD32));
+                      stuff->event_count * sizeof(CARD32));
 +    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 
     return (ProcXGrabDeviceButton(client));
 }
--- xorg-server-1.1.1/Xi/selectev.c.da	2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/selectev.c	2007-12-14 11:53:54.000000000 +1000
-@@ -84,19 +84,15 @@
- SProcXSelectExtensionEvent(register ClientPtr client)
+diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
+index 43b1928..d4b7fe8 100644
+--- a/Xi/grabdevk.c
+++ b/Xi/grabdevk.c
+@@ -77,8 +77,6 @@ int
+ SProcXGrabDeviceKey(ClientPtr client)
 {
-     register char n;
-    register long *p;
-    register int i;
+     char n;
+-    long *p;
+-    int i;
+ 
+     REQUEST(xGrabDeviceKeyReq);
+     swaps(&stuff->length, n);
+@@ -86,11 +84,8 @@ SProcXGrabDeviceKey(ClientPtr client)
+     swapl(&stuff->grabWindow, n);
+     swaps(&stuff->modifiers, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
+    REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+     return (ProcXGrabDeviceKey(client));
+ }
+ 
+diff --git a/Xi/selectev.c b/Xi/selectev.c
+index b93618a..d3670ab 100644
+--- a/Xi/selectev.c
+++ b/Xi/selectev.c
+@@ -127,19 +127,16 @@ int
+ SProcXSelectExtensionEvent(ClientPtr client)
+ {
+     char n;
+-    long *p;
+-    int i;
 
     REQUEST(xSelectExtensionEventReq);
     swaps(&stuff->length, n);
@ -147,81 +215,49 @@
 +    REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
 +                      stuff->count * sizeof(CARD32));
 +    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+
     return (ProcXSelectExtensionEvent(client));
 }
 
--- xorg-server-1.1.1/Xi/grabdevk.c.da	2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/grabdevk.c	2007-12-14 11:53:15.000000000 +1000
-@@ -80,8 +80,6 @@
- SProcXGrabDeviceKey(register ClientPtr client)
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index e4e38d7..588c910 100644
+--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
+@@ -80,7 +80,7 @@ int
+ SProcXSendExtensionEvent(ClientPtr client)
 {
-     register char n;
-    register long *p;
-    register int i;
- 
-     REQUEST(xGrabDeviceKeyReq);
-     swaps(&stuff->length, n);
-@@ -89,11 +87,8 @@
-     swapl(&stuff->grabWindow, n);
-     swaps(&stuff->modifiers, n);
-     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
-+    REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
-+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
-     return (ProcXGrabDeviceKey(client));
- }
- 
--- xorg-server-1.1.1/Xi/grabdev.c.da	2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/grabdev.c	2007-12-14 11:52:47.000000000 +1000
-@@ -82,8 +82,6 @@
- SProcXGrabDevice(register ClientPtr client)
- {
-     register char n;
-    register long *p;
-    register int i;
- 
-     REQUEST(xGrabDeviceReq);
-     swaps(&stuff->length, n);
-@@ -91,11 +89,11 @@
-     swapl(&stuff->grabWindow, n);
-     swapl(&stuff->time, n);
-     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
+     char n;
+-    long *p;
+    CARD32 *p;
+     int i;
+     xEvent eventT;
+     xEvent *eventP;
+@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
+     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
+     swapl(&stuff->destination, n);
+     swaps(&stuff->count, n);
 +
-+    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
-+	return BadLength;
-+    
-+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
- 
-     return (ProcXGrabDevice(client));
- }
--- xorg-server-1.1.1/Xi/chgfctl.c.da	2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xi/chgfctl.c	2007-12-14 11:50:50.000000000 +1000
-@@ -451,18 +451,13 @@
- 		     xStringFeedbackCtl * f)
- {
-     register char n;
-    register long *p;
-     int i, j;
-     KeySym *syms, *sup_syms;
- 
-     syms = (KeySym *) (f + 1);
-     if (client->swapped) {
- 	swaps(&f->length, n);	/* swapped num_keysyms in calling proc */
-	p = (long *)(syms);
-	for (i = 0; i < f->num_keysyms; i++) {
-	    swapl(p, n);
-	    p++;
-	}
-+	SwapLongs((CARD32 *) syms, f->num_keysyms);
+    if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+       (stuff->num_events * (sizeof(xEvent) >> 2)))
+       return BadLength;
+
+     eventP = (xEvent *) & stuff[1];
+     for (i = 0; i < stuff->num_events; i++, eventP++) {
+ 	proc = EventSwapVector[eventP->u.u.type & 0177];
+@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
+ 	*eventP = eventT;
     }
 
-     if (f->num_keysyms > s->ctrl.max_symbols) {
+-    p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
+    p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
+    SwapLongs(p, stuff->count);
+     return (ProcXSendExtensionEvent(client));
+ }
+ 
+-- 
+1.5.3.6
+
--- a/cve-2007-6428.patch
+++ b/cve-2007-6428.patch
@ -1,7 +1,17 @@
-diff -up xorg-server-1.1.1/Xext/cup.c.jx xorg-server-1.1.1/Xext/cup.c
--- xorg-server-1.1.1/Xext/cup.c.jx	2006-07-05 14:31:36.000000000 -0400
-+++ xorg-server-1.1.1/Xext/cup.c	2007-12-11 14:28:37.000000000 -0500
-@@ -198,6 +198,9 @@ int ProcGetReservedColormapEntries(
+From 7dc1717ff0f96b99271a912b8948dfce5164d5ad Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@bluenote.herrb.com>
+Date: Thu, 17 Jan 2008 15:28:03 +0100
+Subject: [PATCH] Fix for CVE-2007-6428 - TOG-cup extension memory corruption.
+
+---
+ Xext/cup.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/Xext/cup.c b/Xext/cup.c
+index d0e820c..fd1409e 100644
+--- a/Xext/cup.c
+++ b/Xext/cup.c
+@@ -176,6 +176,9 @@ int ProcGetReservedColormapEntries(
 
     REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
 
@ -11,3 +21,6 @@ diff -up xorg-server-1.1.1/Xext/cup.c.jx xorg-server-1.1.1/Xext/cup.c
 #ifndef HAVE_SPECIAL_DESKTOP_COLORS
     citems[CUP_BLACK_PIXEL].pixel = 
 	screenInfo.screens[stuff->screen]->blackPixel;
+-- 
+1.5.3.6
+
--- a/cve-2007-6429.patch
+++ b/cve-2007-6429.patch
@ -1,103 +1,16 @@
--- xorg-server-1.1.1/Xext/shm.c.freedesktop-bug-13520	2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xext/shm.c	2007-12-14 13:08:59.000000000 +1000
-@@ -725,6 +725,8 @@
-     int i, j, result;
-     ShmDescPtr shmdesc;
-     REQUEST(xShmCreatePixmapReq);
-+    unsigned int width, height, depth;
-+    unsigned long size;
-     PanoramiXRes *newPix;
- 
-     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -734,11 +736,26 @@
-     LEGAL_NEW_RESOURCE(stuff->pid, client);
-     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
-     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
-    if (!stuff->width || !stuff->height)
-+
-+    width = stuff->width;
-+    height = stuff->height;
-+    depth = stuff->depth;
-+    if (!width || !height || !depth)
-     {
- 	client->errorValue = 0;
-         return BadValue;
-     }
-+    if (width > 32767 || height > 32767)
-+        return BadAlloc;
-+    size = PixmapBytePad(width, depth) * height;
-+    if (sizeof(size) == 4) {
-+        if (size < width * height)
-+            return BadAlloc;
-+        /* thankfully, offset is unsigned */
-+        if (stuff->offset + size < size)
-+            return BadAlloc;
-+    }
-+
-     if (stuff->depth != 1)
-     {
-         pDepth = pDraw->pScreen->allowedDepths;
-@@ -749,9 +766,7 @@
-         return BadValue;
-     }
- CreatePmap:
-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-		   client);
-+    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
- 
-     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
- 	return BadAlloc;
-@@ -1049,6 +1064,8 @@
-     register int i;
-     ShmDescPtr shmdesc;
-     REQUEST(xShmCreatePixmapReq);
-+    unsigned int width, height, depth;
-+    unsigned long size;
- 
-     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-     client->errorValue = stuff->pid;
-@@ -1057,11 +1074,26 @@
-     LEGAL_NEW_RESOURCE(stuff->pid, client);
-     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
-     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
-    if (!stuff->width || !stuff->height)
-+    
-+    width = stuff->width;
-+    height = stuff->height;
-+    depth = stuff->depth;
-+    if (!width || !height || !depth)
-     {
- 	client->errorValue = 0;
-         return BadValue;
-     }
-+    if (width > 32767 || height > 32767)
-+	return BadAlloc;
-+    size = PixmapBytePad(width, depth) * height;
-+    if (sizeof(size) == 4) {
-+	if (size < width * height)
-+	    return BadAlloc;
-+	/* thankfully, offset is unsigned */
-+	if (stuff->offset + size < size)
-+	    return BadAlloc;
-+    }
-+
-     if (stuff->depth != 1)
-     {
-         pDepth = pDraw->pScreen->allowedDepths;
-@@ -1072,9 +1104,7 @@
-         return BadValue;
-     }
- CreatePmap:
-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-		   client);
-+    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
-     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
- 			    pDraw->pScreen, stuff->width,
- 			    stuff->height, stuff->depth,
+From 6de61f82728df22ea01f9659df6581b87f33f11d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@bluenote.herrb.com>
+Date: Thu, 17 Jan 2008 15:28:42 +0100
+Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
+
+---
+ Xext/EVI.c       |   15 ++++++++++++++-
+ Xext/sampleEVI.c |   29 ++++++++++++++++++++++++-----
+ Xext/shm.c       |   46 ++++++++++++++++++++++++++++++++++++++--------
+ 3 files changed, 76 insertions(+), 14 deletions(-)
+
 diff --git a/Xext/EVI.c b/Xext/EVI.c
-index 8fe3481..13bd32a 100644
+index 4bd050c..a637bae 100644
 --- a/Xext/EVI.c
 +++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
@ -106,9 +19,9 @@ index 8fe3481..13bd32a 100644
 #include "modinit.h"
 +#include "scrnintstr.h"
 
- #if 0
- static unsigned char XEVIReqCode = 0;
-@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
+ static EviPrivPtr eviPriv;
+ 
+@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
 {
     REQUEST(xEVIGetVisualInfoReq);
     xEVIGetVisualInfoReply rep;
@ -133,7 +46,7 @@ index 8fe3481..13bd32a 100644
     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
 		&eviInfo, &n_info, &conflict, &n_conflict);
 diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
-index 7508aa7..b8f39c7 100644
+index 7508aa7..b871bfd 100644
 --- a/Xext/sampleEVI.c
 +++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
@ -143,8 +56,8 @@ index 7508aa7..b8f39c7 100644
 +
 +#if HAVE_STDINT_H
 +#include <stdint.h>
-+#elif !defined(INT_MAX)
-+#define INT_MAX 0x7fffffff
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
 +#endif
 +
 static int sampleGetVisualInfo(
@ -192,3 +105,106 @@ index 7508aa7..b8f39c7 100644
     for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
         for (visualI = 0; visualI < n_visual; visualI++) {
 	    evi[sz_evi].core_visual_id = visual[visualI];
+diff --git a/Xext/shm.c b/Xext/shm.c
+index e3d7a23..c545e49 100644
+--- a/Xext/shm.c
+++ b/Xext/shm.c
+@@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap(
+     int i, j, result, rc;
+     ShmDescPtr shmdesc;
+     REQUEST(xShmCreatePixmapReq);
+    unsigned int width, height, depth;
+    unsigned long size;
+     PanoramiXRes *newPix;
+ 
+     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+@@ -770,11 +772,26 @@ ProcPanoramiXShmCreatePixmap(
+ 	return rc;
+ 
+     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+-    if (!stuff->width || !stuff->height)
+
+    width = stuff->width;
+    height = stuff->height;
+    depth = stuff->depth;
+    if (!width || !height || !depth)
+     {
+ 	client->errorValue = 0;
+         return BadValue;
+     }
+    if (width > 32767 || height > 32767)
+        return BadAlloc;
+    size = PixmapBytePad(width, depth) * height;
+    if (sizeof(size) == 4) {
+        if (size < width * height)
+            return BadAlloc;
+        /* thankfully, offset is unsigned */
+        if (stuff->offset + size < size)
+            return BadAlloc;
+    }
+
+     if (stuff->depth != 1)
+     {
+         pDepth = pDraw->pScreen->allowedDepths;
+@@ -785,9 +802,7 @@ ProcPanoramiXShmCreatePixmap(
+         return BadValue;
+     }
+ CreatePmap:
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
+-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+-		   client);
+    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+ 
+     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
+ 	return BadAlloc;
+@@ -1086,6 +1101,8 @@ ProcShmCreatePixmap(client)
+     register int i, rc;
+     ShmDescPtr shmdesc;
+     REQUEST(xShmCreatePixmapReq);
+    unsigned int width, height, depth;
+    unsigned long size;
+ 
+     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+     client->errorValue = stuff->pid;
+@@ -1098,11 +1115,26 @@ ProcShmCreatePixmap(client)
+ 	return rc;
+ 
+     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+-    if (!stuff->width || !stuff->height)
+    
+    width = stuff->width;
+    height = stuff->height;
+    depth = stuff->depth;
+    if (!width || !height || !depth)
+     {
+ 	client->errorValue = 0;
+         return BadValue;
+     }
+    if (width > 32767 || height > 32767)
+	return BadAlloc;
+    size = PixmapBytePad(width, depth) * height;
+    if (sizeof(size) == 4) {
+	if (size < width * height)
+	    return BadAlloc;
+	/* thankfully, offset is unsigned */
+	if (stuff->offset + size < size)
+	    return BadAlloc;
+    }
+
+     if (stuff->depth != 1)
+     {
+         pDepth = pDraw->pScreen->allowedDepths;
+@@ -1113,9 +1145,7 @@ ProcShmCreatePixmap(client)
+         return BadValue;
+     }
+ CreatePmap:
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
+-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+-		   client);
+    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
+ 			    pDraw->pScreen, stuff->width,
+ 			    stuff->height, stuff->depth,
+-- 
+1.5.3.6
+
--- a/cve-2008-0006-server-fixup.patch
+++ b/cve-2008-0006-server-fixup.patch
@ -1,3 +1,8 @@
+From bbde5b62a137ba726a747b838d81e92d72c1b42b Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@bluenote.herrb.com>
+Date: Thu, 17 Jan 2008 15:26:41 +0100
+Subject: [PATCH] Fix for CVE-2008-0006 - server side part of fix
+
 diff -up xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c.jx xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c
 --- xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c.jx	2004-04-23 15:04:44.000000000 -0400
 +++ xorg-x11-server/dix/dixfonts.c	2008-01-14 11:15:00.000000000 -0500
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -59,11 +59,10 @@ Patch2013:  xserver-1.4.99-document-fontpath-correctly.patch

 # Trivial things, already merged - cves already upstream
 Patch3000:  cve-2007-5760.patch
-Patch3001:  cve-2007-5958.patch
-Patch3002:  cve-2007-6427.patch
-Patch3003:  cve-2007-6428.patch
-Patch3004:  cve-2007-6429.patch
-Patch3005:  cve-2008-0006-server-fixup.patch
+Patch3001:  cve-2007-6427.patch
+Patch3002:  cve-2007-6428.patch
+Patch3003:  cve-2007-6429.patch
+Patch3004:  cve-2008-0006-server-fixup.patch

 # Trivial things to maybe merge upstream at next rebase
 #Patch4003: argh-pixman.patch #fixme
@ -518,7 +517,6 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.17
 - cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
- cve-2007-5958.patch: Xorg / XFree86 file existence disclosure vulnerability
 - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability
 - cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability
 - cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability