From e002a5ab259b6aecec1450851a6b4a3f97b9d5a2 Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Fri, 18 Jan 2008 03:31:54 +0000 Subject: [PATCH] * Fri Jan 18 2008 Dave Airlie 1.4.99.1-0.17 - cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability - cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability - cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability - cve-2008-0006-server-fixup.patch: PCF Font Vulnerability - this patch isn't strictly required with new version of libXfont. --- cve-2007-5760.patch | 26 ++- cve-2007-5958.patch | 20 -- cve-2007-6427.patch | 360 +++++++++++++++++-------------- cve-2007-6428.patch | 21 +- cve-2007-6429.patch | 226 ++++++++++--------- cve-2008-0006-server-fixup.patch | 5 + xorg-x11-server.spec | 10 +- 7 files changed, 364 insertions(+), 304 deletions(-) delete mode 100644 cve-2007-5958.patch diff --git a/cve-2007-5760.patch b/cve-2007-5760.patch index b24da3c..7b62fc7 100644 --- a/cve-2007-5760.patch +++ b/cve-2007-5760.patch 
@@ -1,10 +1,19 @@ -diff -up xorg-server-1.1.1/hw/xfree86/dixmods/extmod/xf86misc.c.jx xorg-server-1.1.1/hw/xfree86/dixmods/extmod/xf86misc.c -diff -up xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c ---- xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx 2006-07-05 14:31:40.000000000 -0400 -+++ xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c 2007-12-11 15:03:32.000000000 -0500 -@@ -647,6 +647,10 @@ MiscExtPassMessage(int scrnIndex, const - - DEBUG_P("MiscExtPassMessage"); +From bbde5b62a137ba726a747b838d81e92d72c1b42b Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 17 Jan 2008 15:26:41 +0100 +Subject: [PATCH] Fix for CVE-2007-5760 - XFree86 Misc extension out of bounds array index + +--- + hw/xfree86/common/xf86MiscExt.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +diff --git a/hw/xfree86/common/xf86MiscExt.c b/hw/xfree86/common/xf86MiscExt.c +index c1b9c60..40c196a 100644 +--- a/hw/xfree86/common/xf86MiscExt.c ++++ b/hw/xfree86/common/xf86MiscExt.c +@@ -548,6 +548,10 @@ MiscExtPassMessage(int scrnIndex, const char *msgtype, const char *msgval, + { + ScrnInfoPtr pScr = xf86Screens[scrnIndex]; + /* should check this in the protocol, but xf86NumScreens isn't exported */ + if (scrnIndex >= xf86NumScreens) @@ -13,3 +22,6 @@ diff -up xorg-server-1.1.1/hw/xfree86/common/xf86MiscExt.c.jx xorg-server-1.1.1/ if (*pScr->HandleMessage == NULL) return BadImplementation; return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr); +-- +1.5.3.6 + diff --git a/cve-2007-5958.patch b/cve-2007-5958.patch deleted file mode 100644 index 6acac91..0000000 --- a/cve-2007-5958.patch +++ /dev/null 
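Review bot: The new xf86MiscExt.c hunk still evaluates `xf86Screens[scrnIndex]` in the declaration of `pScr` before the added `if (scrnIndex >= xf86NumScreens)` check, so an out-of-range index reads one pointer slot past the array before the request is rejected; the loaded value is not dereferenced until the `*pScr->HandleMessage` lines in the second hunk, which is why the fix holds in practice, but the read itself is still out of bounds. Declaring `ScrnInfoPtr pScr;` and assigning `pScr = xf86Screens[scrnIndex];` after the check removes that. The check also bounds only the upper end; whether a negative `scrnIndex` can reach this function from the protocol handler is not visible here, and the body of the failed check sits in the unchanged lines between the two hunks.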
@@ -1,20 +0,0 @@ ---- xorg-server-1.3.0.0/Xext/security.c 2007-12-19 23:00:48.062636000 -0800 -+++ xorg-server-1.3.0.0/Xext/security.c 2007-12-21 14:04:40.604373000 -0800 -@@ -1572,7 +1572,7 @@ - return; - - #ifndef __UNIXOS2__ -- f = fopen(SecurityPolicyFile, "r"); -+ f = Fopen(SecurityPolicyFile, "r"); - #else - f = fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r"); - #endif -@@ -1658,7 +1658,7 @@ - } - #endif /* PROPDEBUG */ - -- fclose(f); -+ Fclose(f); - } /* SecurityLoadPropertyAccessList */ - - diff --git a/cve-2007-6427.patch b/cve-2007-6427.patch index bc2fbb2..421130c 100644 --- a/cve-2007-6427.patch +++ b/cve-2007-6427.patch 
@@ -1,11 +1,94 @@ ---- xorg-server-1.1.1/Xi/chgprop.c.da 2006-07-06 04:31:36.000000000 +1000 -+++ xorg-server-1.1.1/Xi/chgprop.c 2007-12-14 11:52:27.000000000 +1000 -@@ -81,19 +81,15 @@ - SProcXChangeDeviceDontPropagateList(register ClientPtr client) +From dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 17 Jan 2008 15:27:34 +0100 +Subject: [PATCH] Fix for CVE-2007-6427 - Xinput extension memory corruption. + +--- + Xi/chgfctl.c | 7 +------ + Xi/chgkmap.c | 14 +++++++------- + Xi/chgprop.c | 10 +++------- + Xi/grabdev.c | 12 +++++------- + Xi/grabdevb.c | 10 +++------- + Xi/grabdevk.c | 9 ++------- + Xi/selectev.c | 11 ++++------- + Xi/sendexev.c | 14 ++++++++------ + 8 files changed, 33 insertions(+), 54 deletions(-) + +diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c +index 8fc24d5..696b74a 100644 +--- a/Xi/chgfctl.c ++++ b/Xi/chgfctl.c +@@ -302,18 +302,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev, + xStringFeedbackCtl * f) { - register char n; -- register long *p; -- register int i; + char n; +- long *p; + int i, j; + KeySym *syms, *sup_syms; + + syms = (KeySym *) (f + 1); + if (client->swapped) { + swaps(&f->length, n); /* swapped num_keysyms in calling proc */ +- p = (long *)(syms); +- for (i = 0; i < f->num_keysyms; i++) { +- swapl(p, n); +- p++; +- } ++ SwapLongs((CARD32 *) syms, f->num_keysyms); + } + + if (f->num_keysyms > s->ctrl.max_symbols) +diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c +index 3361e98..df334c1 100644 +--- a/Xi/chgkmap.c ++++ b/Xi/chgkmap.c +@@ -75,18 +75,14 @@ int + SProcXChangeDeviceKeyMapping(ClientPtr client) + { + char n; +- long *p; +- int i, count; ++ unsigned int count; + + REQUEST(xChangeDeviceKeyMappingReq); + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); +- p = (long *)&stuff[1]; + count = stuff->keyCodes * stuff->keySymsPerKeyCode; +- for (i = 0; i < count; i++) { +- swapl(p, n); +- p++; +- } ++ 
REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), count); + return (ProcXChangeDeviceKeyMapping(client)); + } + +@@ -102,10 +98,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client) + int ret; + unsigned len; + DeviceIntPtr dev; ++ unsigned int count; + + REQUEST(xChangeDeviceKeyMappingReq); + REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); + ++ count = stuff->keyCodes * stuff->keySymsPerKeyCode; ++ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); ++ + ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess); + if (ret != Success) + return ret; +diff --git a/Xi/chgprop.c b/Xi/chgprop.c +index 58db886..3fb33e1 100644 +--- a/Xi/chgprop.c ++++ b/Xi/chgprop.c +@@ -77,19 +77,15 @@ int + SProcXChangeDeviceDontPropagateList(ClientPtr client) + { + char n; +- long *p; +- int i; REQUEST(xChangeDeviceDontPropagateListReq); swaps(&stuff->length, n); 
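Review bot: In the ChangeStringFeedback hunk of Xi/chgfctl.c, `SwapLongs((CARD32 *) syms, f->num_keysyms)` byte-swaps `num_keysyms` words before anything in the hunk checks that they lie inside the request; the following `if (f->num_keysyms > s->ctrl.max_symbols)` bounds the device limit, not the wire length. Every other swapped handler in this patch gains a `REQUEST_FIXED_SIZE` ahead of its `SwapLongs`, so this one reads as the odd one out unless the calling proc validates `f->length` against `num_keysyms`, which is outside the hunk. If that caller check exists, a comment such as `/* the calling proc has already checked that f->length covers num_keysyms CARD32s */` would record the dependency; if it does not, the swap needs the same length test as the others. ChangeStringFeedback's body continues past the hunk.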
@@ -23,94 +106,50 @@ return (ProcXChangeDeviceDontPropagateList(client)); } ---- xorg-server-1.1.1/Xi/sendexev.c.da 2006-07-06 04:31:36.000000000 +1000 -+++ xorg-server-1.1.1/Xi/sendexev.c 2007-12-14 11:54:20.000000000 +1000 -@@ -83,7 +83,7 @@ - SProcXSendExtensionEvent(register ClientPtr client) +diff --git a/Xi/grabdev.c b/Xi/grabdev.c +index 110fc6b..0671e0e 100644 +--- a/Xi/grabdev.c ++++ b/Xi/grabdev.c +@@ -78,8 +78,6 @@ int + SProcXGrabDevice(ClientPtr client) { - register char n; -- register long *p; -+ register CARD32 *p; - register int i; - xEvent eventT; - xEvent *eventP; -@@ -94,6 +94,11 @@ - REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq); - swapl(&stuff->destination, n); - swaps(&stuff->count, n); -+ -+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count + -+ (stuff->num_events * (sizeof(xEvent) >> 2))) -+ return BadLength; -+ - eventP = (xEvent *) & stuff[1]; - for (i = 0; i < stuff->num_events; i++, eventP++) { - proc = EventSwapVector[eventP->u.u.type & 0177]; -@@ -103,11 +108,8 @@ - *eventP = eventT; - } + char n; +- long *p; +- int i; -- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events); -- for (i = 0; i < stuff->count; i++) { -- swapl(p, n); -- p++; -- } -+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events); -+ SwapLongs(p, stuff->count); - return (ProcXSendExtensionEvent(client)); - } - ---- xorg-server-1.1.1/Xi/chgkmap.c.da 2006-07-06 04:31:36.000000000 +1000 -+++ xorg-server-1.1.1/Xi/chgkmap.c 2007-12-14 11:52:00.000000000 +1000 -@@ -79,18 +79,14 @@ - SProcXChangeDeviceKeyMapping(register ClientPtr client) - { - register char n; -- register long *p; -- register int i, count; -+ register unsigned int count; - - REQUEST(xChangeDeviceKeyMappingReq); + REQUEST(xGrabDeviceReq); swaps(&stuff->length, n); - REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); +@@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client) + swapl(&stuff->grabWindow, n); + swapl(&stuff->time, n); + swaps(&stuff->event_count, n); - p = (long 
*)&stuff[1]; - count = stuff->keyCodes * stuff->keySymsPerKeyCode; -- for (i = 0; i < count; i++) { +- for (i = 0; i < stuff->event_count; i++) { - swapl(p, n); - p++; - } -+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); -+ SwapLongs((CARD32 *) (&stuff[1]), count); - return (ProcXChangeDeviceKeyMapping(client)); - } - -@@ -106,10 +102,14 @@ - int ret; - unsigned len; - DeviceIntPtr dev; -+ unsigned int count; - - REQUEST(xChangeDeviceKeyMappingReq); - REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); - -+ count = stuff->keyCodes * stuff->keySymsPerKeyCode; -+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); ++ ++ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count) ++ return BadLength; + - dev = LookupDeviceIntRec(stuff->deviceid); - if (dev == NULL) { - SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0, ---- xorg-server-1.1.1/Xi/grabdevb.c.da 2006-07-06 04:31:36.000000000 +1000 -+++ xorg-server-1.1.1/Xi/grabdevb.c 2007-12-14 11:53:03.000000000 +1000 -@@ -80,8 +80,6 @@ - SProcXGrabDeviceButton(register ClientPtr client) ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); + + return (ProcXGrabDevice(client)); + } +diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c +index c2661e8..ce0dcc5 100644 +--- a/Xi/grabdevb.c ++++ b/Xi/grabdevb.c +@@ -77,8 +77,6 @@ int + SProcXGrabDeviceButton(ClientPtr client) { - register char n; -- register long *p; -- register int i; + char n; +- long *p; +- int i; REQUEST(xGrabDeviceButtonReq); swaps(&stuff->length, n); -@@ -89,11 +87,9 @@ +@@ -86,11 +84,9 @@ SProcXGrabDeviceButton(ClientPtr client) swapl(&stuff->grabWindow, n); swaps(&stuff->modifiers, n); swaps(&stuff->event_count, n); 
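Review bot: Xi/grabdev.c checks the request length with an open-coded `if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count) return BadLength;`, while grabdevb.c, grabdevk.c and selectev.c in the same patch use `REQUEST_FIXED_SIZE`; Xi/sendexev.c in the last hunk of this patch open-codes the comparison as well. `REQUEST_FIXED_SIZE(xGrabDeviceReq, stuff->event_count * sizeof(CARD32));` performs the same test and, as I read the macro, compares against `client->req_len` rather than the raw `stuff->length` field, so it also stays correct for BIG-REQUESTS-encoded requests where `stuff->length` is zero on the wire. For sendexev.c the size argument would be `stuff->count * sizeof(CARD32) + stuff->num_events * sizeof(xEvent)`; using the macro in both files keeps the Xi swapped-request handlers uniform.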
@@ -120,19 +159,48 @@ - p++; - } + REQUEST_FIXED_SIZE(xGrabDeviceButtonReq, -+ stuff->event_count * sizeof(CARD32)); ++ stuff->event_count * sizeof(CARD32)); + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); return (ProcXGrabDeviceButton(client)); } ---- xorg-server-1.1.1/Xi/selectev.c.da 2006-07-06 04:31:36.000000000 +1000 -+++ xorg-server-1.1.1/Xi/selectev.c 2007-12-14 11:53:54.000000000 +1000 -@@ -84,19 +84,15 @@ - SProcXSelectExtensionEvent(register ClientPtr client) +diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c +index 43b1928..d4b7fe8 100644 +--- a/Xi/grabdevk.c ++++ b/Xi/grabdevk.c +@@ -77,8 +77,6 @@ int + SProcXGrabDeviceKey(ClientPtr client) { - register char n; -- register long *p; -- register int i; + char n; +- long *p; +- int i; + + REQUEST(xGrabDeviceKeyReq); + swaps(&stuff->length, n); +@@ -86,11 +84,8 @@ SProcXGrabDeviceKey(ClientPtr client) + swapl(&stuff->grabWindow, n); + swaps(&stuff->modifiers, n); + swaps(&stuff->event_count, n); +- p = (long *)&stuff[1]; +- for (i = 0; i < stuff->event_count; i++) { +- swapl(p, n); +- p++; +- } ++ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); + return (ProcXGrabDeviceKey(client)); + } + +diff --git a/Xi/selectev.c b/Xi/selectev.c +index b93618a..d3670ab 100644 +--- a/Xi/selectev.c ++++ b/Xi/selectev.c +@@ -127,19 +127,16 @@ int + SProcXSelectExtensionEvent(ClientPtr client) + { + char n; +- long *p; +- int i; REQUEST(xSelectExtensionEventReq); swaps(&stuff->length, n); 
@@ -147,81 +215,49 @@ + REQUEST_FIXED_SIZE(xSelectExtensionEventReq, + stuff->count * sizeof(CARD32)); + SwapLongs((CARD32 *) (&stuff[1]), stuff->count); ++ return (ProcXSelectExtensionEvent(client)); } ---- xorg-server-1.1.1/Xi/grabdevk.c.da 2006-07-06 04:31:36.000000000 +1000 -+++ xorg-server-1.1.1/Xi/grabdevk.c 2007-12-14 11:53:15.000000000 +1000 -@@ -80,8 +80,6 @@ - SProcXGrabDeviceKey(register ClientPtr client) +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index e4e38d7..588c910 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -80,7 +80,7 @@ int + SProcXSendExtensionEvent(ClientPtr client) { - register char n; -- register long *p; -- register int i; - - REQUEST(xGrabDeviceKeyReq); - swaps(&stuff->length, n); -@@ -89,11 +87,8 @@ - swapl(&stuff->grabWindow, n); - swaps(&stuff->modifiers, n); - swaps(&stuff->event_count, n); -- p = (long *)&stuff[1]; -- for (i = 0; i < stuff->event_count; i++) { -- swapl(p, n); -- p++; -- } -+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32)); -+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); - return (ProcXGrabDeviceKey(client)); - } - ---- xorg-server-1.1.1/Xi/grabdev.c.da 2006-07-06 04:31:36.000000000 +1000 -+++ xorg-server-1.1.1/Xi/grabdev.c 2007-12-14 11:52:47.000000000 +1000 -@@ -82,8 +82,6 @@ - SProcXGrabDevice(register ClientPtr client) - { - register char n; -- register long *p; -- register int i; - - REQUEST(xGrabDeviceReq); - swaps(&stuff->length, n); -@@ -91,11 +89,11 @@ - swapl(&stuff->grabWindow, n); - swapl(&stuff->time, n); - swaps(&stuff->event_count, n); -- p = (long *)&stuff[1]; -- for (i = 0; i < stuff->event_count; i++) { -- swapl(p, n); -- p++; -- } + char n; +- long *p; ++ CARD32 *p; + int i; + xEvent eventT; + xEvent *eventP; +@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client) + REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq); + swapl(&stuff->destination, n); + swaps(&stuff->count, n); + -+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count) 
-+ return BadLength; -+ -+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); - - return (ProcXGrabDevice(client)); - } ---- xorg-server-1.1.1/Xi/chgfctl.c.da 2006-07-06 04:31:36.000000000 +1000 -+++ xorg-server-1.1.1/Xi/chgfctl.c 2007-12-14 11:50:50.000000000 +1000 -@@ -451,18 +451,13 @@ - xStringFeedbackCtl * f) - { - register char n; -- register long *p; - int i, j; - KeySym *syms, *sup_syms; - - syms = (KeySym *) (f + 1); - if (client->swapped) { - swaps(&f->length, n); /* swapped num_keysyms in calling proc */ -- p = (long *)(syms); -- for (i = 0; i < f->num_keysyms; i++) { -- swapl(p, n); -- p++; -- } -+ SwapLongs((CARD32 *) syms, f->num_keysyms); ++ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count + ++ (stuff->num_events * (sizeof(xEvent) >> 2))) ++ return BadLength; ++ + eventP = (xEvent *) & stuff[1]; + for (i = 0; i < stuff->num_events; i++, eventP++) { + proc = EventSwapVector[eventP->u.u.type & 0177]; +@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client) + *eventP = eventT; } - if (f->num_keysyms > s->ctrl.max_symbols) { +- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events); +- for (i = 0; i < stuff->count; i++) { +- swapl(p, n); +- p++; +- } ++ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events); ++ SwapLongs(p, stuff->count); + return (ProcXSendExtensionEvent(client)); + } + +-- +1.5.3.6 + diff --git a/cve-2007-6428.patch b/cve-2007-6428.patch index 6d953ec..c7728fe 100644 --- a/cve-2007-6428.patch +++ b/cve-2007-6428.patch 
@@ -1,7 +1,17 @@ -diff -up xorg-server-1.1.1/Xext/cup.c.jx xorg-server-1.1.1/Xext/cup.c ---- xorg-server-1.1.1/Xext/cup.c.jx 2006-07-05 14:31:36.000000000 -0400 -+++ xorg-server-1.1.1/Xext/cup.c 2007-12-11 14:28:37.000000000 -0500 -@@ -198,6 +198,9 @@ int ProcGetReservedColormapEntries( +From 7dc1717ff0f96b99271a912b8948dfce5164d5ad Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 17 Jan 2008 15:28:03 +0100 +Subject: [PATCH] Fix for CVE-2007-6428 - TOG-cup extension memory corruption. + +--- + Xext/cup.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/Xext/cup.c b/Xext/cup.c +index d0e820c..fd1409e 100644 +--- a/Xext/cup.c ++++ b/Xext/cup.c +@@ -176,6 +176,9 @@ int ProcGetReservedColormapEntries( REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq); @@ -11,3 +21,6 @@ diff -up xorg-server-1.1.1/Xext/cup.c.jx xorg-server-1.1.1/Xext/cup.c #ifndef HAVE_SPECIAL_DESKTOP_COLORS citems[CUP_BLACK_PIXEL].pixel = screenInfo.screens[stuff->screen]->blackPixel; +-- +1.5.3.6 + diff --git a/cve-2007-6429.patch b/cve-2007-6429.patch index da28336..9cfc3a6 100644 --- a/cve-2007-6429.patch +++ b/cve-2007-6429.patch 
@@ -1,103 +1,16 @@ ---- xorg-server-1.1.1/Xext/shm.c.freedesktop-bug-13520 2006-07-06 04:31:36.000000000 +1000 -+++ xorg-server-1.1.1/Xext/shm.c 2007-12-14 13:08:59.000000000 +1000 -@@ -725,6 +725,8 @@ - int i, j, result; - ShmDescPtr shmdesc; - REQUEST(xShmCreatePixmapReq); -+ unsigned int width, height, depth; -+ unsigned long size; - PanoramiXRes *newPix; - - REQUEST_SIZE_MATCH(xShmCreatePixmapReq); -@@ -734,11 +736,26 @@ - LEGAL_NEW_RESOURCE(stuff->pid, client); - VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); - VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); -- if (!stuff->width || !stuff->height) -+ -+ width = stuff->width; -+ height = stuff->height; -+ depth = stuff->depth; -+ if (!width || !height || !depth) - { - client->errorValue = 0; - return BadValue; - } -+ if (width > 32767 || height > 32767) -+ return BadAlloc; -+ size = PixmapBytePad(width, depth) * height; -+ if (sizeof(size) == 4) { -+ if (size < width * height) -+ return BadAlloc; -+ /* thankfully, offset is unsigned */ -+ if (stuff->offset + size < size) -+ return BadAlloc; -+ } -+ - if (stuff->depth != 1) - { - pDepth = pDraw->pScreen->allowedDepths; -@@ -749,9 +766,7 @@ - return BadValue; - } - CreatePmap: -- VERIFY_SHMSIZE(shmdesc, stuff->offset, -- PixmapBytePad(stuff->width, stuff->depth) * stuff->height, -- client); -+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); - - if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) - return BadAlloc; -@@ -1049,6 +1064,8 @@ - register int i; - ShmDescPtr shmdesc; - REQUEST(xShmCreatePixmapReq); -+ unsigned int width, height, depth; -+ unsigned long size; - - REQUEST_SIZE_MATCH(xShmCreatePixmapReq); - client->errorValue = stuff->pid; -@@ -1057,11 +1074,26 @@ - LEGAL_NEW_RESOURCE(stuff->pid, client); - VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); - VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); -- if (!stuff->width || !stuff->height) -+ -+ width = stuff->width; -+ height = 
stuff->height; -+ depth = stuff->depth; -+ if (!width || !height || !depth) - { - client->errorValue = 0; - return BadValue; - } -+ if (width > 32767 || height > 32767) -+ return BadAlloc; -+ size = PixmapBytePad(width, depth) * height; -+ if (sizeof(size) == 4) { -+ if (size < width * height) -+ return BadAlloc; -+ /* thankfully, offset is unsigned */ -+ if (stuff->offset + size < size) -+ return BadAlloc; -+ } -+ - if (stuff->depth != 1) - { - pDepth = pDraw->pScreen->allowedDepths; -@@ -1072,9 +1104,7 @@ - return BadValue; - } - CreatePmap: -- VERIFY_SHMSIZE(shmdesc, stuff->offset, -- PixmapBytePad(stuff->width, stuff->depth) * stuff->height, -- client); -+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); - pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( - pDraw->pScreen, stuff->width, - stuff->height, stuff->depth, +From 6de61f82728df22ea01f9659df6581b87f33f11d Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 17 Jan 2008 15:28:42 +0100 +Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. + +--- + Xext/EVI.c | 15 ++++++++++++++- + Xext/sampleEVI.c | 29 ++++++++++++++++++++++++----- + Xext/shm.c | 46 ++++++++++++++++++++++++++++++++++++++-------- + 3 files changed, 76 insertions(+), 14 deletions(-) + diff --git a/Xext/EVI.c b/Xext/EVI.c -index 8fe3481..13bd32a 100644 +index 4bd050c..a637bae 100644 --- a/Xext/EVI.c +++ b/Xext/EVI.c @@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. @@ -106,9 +19,9 @@ index 8fe3481..13bd32a 100644 #include "modinit.h" +#include "scrnintstr.h" - #if 0 - static unsigned char XEVIReqCode = 0; -@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client) + static EviPrivPtr eviPriv; + +@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client) { REQUEST(xEVIGetVisualInfoReq); xEVIGetVisualInfoReply rep; @@ -133,7 +46,7 @@ index 8fe3481..13bd32a 100644 status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual, &eviInfo, &n_info, &conflict, &n_conflict); 
diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c -index 7508aa7..b8f39c7 100644 +index 7508aa7..b871bfd 100644 --- a/Xext/sampleEVI.c +++ b/Xext/sampleEVI.c @@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. @@ -143,8 +56,8 @@ index 7508aa7..b8f39c7 100644 + +#if HAVE_STDINT_H +#include -+#elif !defined(INT_MAX) -+#define INT_MAX 0x7fffffff ++#elif !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU +#endif + static int sampleGetVisualInfo( 
@@ -192,3 +105,106 @@ index 7508aa7..b8f39c7 100644 for (scrI = 0; scrI < screenInfo.numScreens; scrI++) { for (visualI = 0; visualI < n_visual; visualI++) { evi[sz_evi].core_visual_id = visual[visualI]; +diff --git a/Xext/shm.c b/Xext/shm.c +index e3d7a23..c545e49 100644 +--- a/Xext/shm.c ++++ b/Xext/shm.c +@@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap( + int i, j, result, rc; + ShmDescPtr shmdesc; + REQUEST(xShmCreatePixmapReq); ++ unsigned int width, height, depth; ++ unsigned long size; + PanoramiXRes *newPix; + + REQUEST_SIZE_MATCH(xShmCreatePixmapReq); +@@ -770,11 +772,26 @@ ProcPanoramiXShmCreatePixmap( + return rc; + + VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); +- if (!stuff->width || !stuff->height) ++ ++ width = stuff->width; ++ height = stuff->height; ++ depth = stuff->depth; ++ if (!width || !height || !depth) + { + client->errorValue = 0; + return BadValue; + } ++ if (width > 32767 || height > 32767) ++ return BadAlloc; ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(size) == 4) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ + if (stuff->depth != 1) + { + pDepth = pDraw->pScreen->allowedDepths; +@@ -785,9 +802,7 @@ ProcPanoramiXShmCreatePixmap( + return BadValue; + } + CreatePmap: +- VERIFY_SHMSIZE(shmdesc, stuff->offset, +- PixmapBytePad(stuff->width, stuff->depth) * stuff->height, +- client); ++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + + if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) + return BadAlloc; +@@ -1086,6 +1101,8 @@ ProcShmCreatePixmap(client) + register int i, rc; + ShmDescPtr shmdesc; + REQUEST(xShmCreatePixmapReq); ++ unsigned int width, height, depth; ++ unsigned long size; + + REQUEST_SIZE_MATCH(xShmCreatePixmapReq); + client->errorValue = stuff->pid; +@@ -1098,11 +1115,26 @@ ProcShmCreatePixmap(client) + return rc; + + VERIFY_SHMPTR(stuff->shmseg, 
stuff->offset, TRUE, shmdesc, client); +- if (!stuff->width || !stuff->height) ++ ++ width = stuff->width; ++ height = stuff->height; ++ depth = stuff->depth; ++ if (!width || !height || !depth) + { + client->errorValue = 0; + return BadValue; + } ++ if (width > 32767 || height > 32767) ++ return BadAlloc; ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(size) == 4) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ + if (stuff->depth != 1) + { + pDepth = pDraw->pScreen->allowedDepths; +@@ -1113,9 +1145,7 @@ ProcShmCreatePixmap(client) + return BadValue; + } + CreatePmap: +- VERIFY_SHMSIZE(shmdesc, stuff->offset, +- PixmapBytePad(stuff->width, stuff->depth) * stuff->height, +- client); ++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( + pDraw->pScreen, stuff->width, + stuff->height, stuff->depth, +-- +1.5.3.6 + diff --git a/cve-2008-0006-server-fixup.patch b/cve-2008-0006-server-fixup.patch index 70f0cb8..b797118 100644 --- a/cve-2008-0006-server-fixup.patch +++ b/cve-2008-0006-server-fixup.patch @@ -1,3 +1,8 @@ +From bbde5b62a137ba726a747b838d81e92d72c1b42b Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 17 Jan 2008 15:26:41 +0100 +Subject: [PATCH] Fix for CVE-2008-0006 - server side part of fix + diff -up xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c.jx xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c --- xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c.jx 2004-04-23 15:04:44.000000000 -0400 +++ xorg-x11-server/dix/dixfonts.c 2008-01-14 11:15:00.000000000 -0500 diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 2e2c495..dc3200e 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec 
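Review bot: The overflow guard added to both ProcPanoramiXShmCreatePixmap and ProcShmCreatePixmap, `if (size < width * height) return BadAlloc;`, only catches a wrapped product that happens to land below `width * height`; a product that wraps to a larger value passes, and the whole block is skipped on 64-bit builds by the `sizeof(size) == 4` test. Since `height` is already known to be non-zero at that point, a division check is exact on every platform: keep `size = PixmapBytePad(width, depth) * height;` and follow it with `if (size / height != PixmapBytePad(width, depth)) return BadAlloc;`. Note also that `depth` comes straight from the request and feeds PixmapBytePad before the `allowedDepths` walk validates it; computing the size after that validation would keep invalid depths out of the arithmetic. The same block appears verbatim in both functions; a `static` helper taking width, height and depth would keep the two copies from drifting.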
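Review bot: The header added to cve-2008-0006-server-fixup.patch reuses the commit id `bbde5b62a137ba726a747b838d81e92d72c1b42b` and the `Thu, 17 Jan 2008 15:26:41 +0100` date that cve-2007-5760.patch's new header in this same commit attributes to the XFree86-Misc fix, while the body that follows is a hand-made `diff -up` against xorg-x11-6.8.2 paths. A provenance line naming the wrong upstream commit is worse than none for a security patch that will be audited later; either use the real upstream id for the server-side CVE-2008-0006 change or drop the `From <sha>` line and keep only `From:`, `Date:` and `Subject:`. The spec's own comment groups these patches as `cves already upstream`, so the id should be checkable against the upstream tree.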
@@ -59,11 +59,10 @@ Patch2013: xserver-1.4.99-document-fontpath-correctly.patch # Trivial things, already merged - cves already upstream Patch3000: cve-2007-5760.patch -Patch3001: cve-2007-5958.patch -Patch3002: cve-2007-6427.patch -Patch3003: cve-2007-6428.patch -Patch3004: cve-2007-6429.patch -Patch3005: cve-2008-0006-server-fixup.patch +Patch3001: cve-2007-6427.patch +Patch3002: cve-2007-6428.patch +Patch3003: cve-2007-6429.patch +Patch3004: cve-2008-0006-server-fixup.patch # Trivial things to maybe merge upstream at next rebase #Patch4003: argh-pixman.patch #fixme @@ -518,7 +517,6 @@ rm -rf $RPM_BUILD_ROOT %changelog * Fri Jan 18 2008 Dave Airlie 1.4.99.1-0.17 - cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability -- cve-2007-5958.patch: Xorg / XFree86 file existence disclosure vulnerability - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability - cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability - cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability
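Review bot: The first hunk renumbers Patch3001 through Patch3004 after dropping cve-2007-5958.patch, but the `%prep` section is not in this diff; if it applies these with explicit `%patch3001 … %patch3005` lines, `%patch3005` now names an undefined tag and each remaining number applies a different file than before. Leaving the numbers stable and deleting only the `Patch3001: cve-2007-5958.patch` line (so `Patch3002`–`Patch3005` stay as they were) avoids that class of mistake entirely. The changelog hunk is consistent with the deletion.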