pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2008Q1]: pkgsrc/x11/modular-xorg-server Pullup ticket #2433 - ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/1777ad5f0dcc
branches: pkgsrc-2008Q1
changeset: 540432:1777ad5f0dcc
user: tron <tron%pkgsrc.org@localhost>
date: Wed Jun 25 10:20:58 2008 +0000
description:
Pullup ticket #2433 - requested by joerg
Security patch for modular-xorg-server
Revisions pulled up:
- x11/modular-xorg-server/Makefile 1.30 via patch
- x11/modular-xorg-server/distinfo 1.21
- x11/modular-xorg-server/patches/patch-ac 1.3
- x11/modular-xorg-server/patches/patch-ae 1.5
- x11/modular-xorg-server/patches/patch-da delete
- x11/modular-xorg-server/patches/patch-ed 1.2
- x11/modular-xorg-server/patches/patch-ef 1.2
---
Module Name: pkgsrc
Committed By: joerg
Date: Fri Jun 20 13:34:40 UTC 2008
Modified Files:
pkgsrc/x11/modular-xorg-server: Makefile distinfo
pkgsrc/x11/modular-xorg-server/patches: patch-ed patch-ef
Added Files:
pkgsrc/x11/modular-xorg-server/patches: patch-ac patch-ae
Removed Files:
pkgsrc/x11/modular-xorg-server/patches: patch-da
Log Message:
modular-xorg-server-1.3.0.0nb9:
Fix CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361 and
CVE-2008-2362 based on upstream patches.
diffstat:
x11/modular-xorg-server/Makefile | 4 +-
x11/modular-xorg-server/distinfo | 9 ++--
x11/modular-xorg-server/patches/patch-ac | 34 +++++++++++++++++
x11/modular-xorg-server/patches/patch-ae | 63 ++++++++++++++++++++++++++++++++
x11/modular-xorg-server/patches/patch-da | 13 ------
x11/modular-xorg-server/patches/patch-ed | 29 +++++++++++++-
x11/modular-xorg-server/patches/patch-ef | 39 +++++++++++++++++--
7 files changed, 164 insertions(+), 27 deletions(-)
diffs (286 lines):
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/Makefile
--- a/x11/modular-xorg-server/Makefile Tue Jun 24 12:52:01 2008 +0000
+++ b/x11/modular-xorg-server/Makefile Wed Jun 25 10:20:58 2008 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.27 2008/03/29 17:54:40 wiz Exp $
+# $NetBSD: Makefile,v 1.27.2.1 2008/06/25 10:20:58 tron Exp $
DISTNAME= xorg-server-1.3.0.0
PKGNAME= modular-${DISTNAME}
-PKGREVISION= 7
+PKGREVISION= 9
CATEGORIES= x11
MASTER_SITES= http://xorg.freedesktop.org/releases/individual/xserver/
EXTRACT_SUFX= .tar.bz2
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/distinfo
--- a/x11/modular-xorg-server/distinfo Tue Jun 24 12:52:01 2008 +0000
+++ b/x11/modular-xorg-server/distinfo Wed Jun 25 10:20:58 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: distinfo,v 1.20.2.1 2008/06/25 10:20:58 tron Exp $
SHA1 (MesaLib-6.5.2.tar.bz2) = ba860bb6ee57c02202342dfd5927464a068ea18f
RMD160 (MesaLib-6.5.2.tar.bz2) = 9a92d69110c066ae6734bcaafb78f222ac2df6d3
@@ -8,12 +8,13 @@
Size (xorg-server-1.3.0.0.tar.bz2) = 5968263 bytes
SHA1 (patch-aa) = f72780165c9ecd3e9ab31d03c1b2d777290d09e2
SHA1 (patch-ab) = d99c045eff730b3fbdc92938faaa75b653640c58
+SHA1 (patch-ac) = 06b26c3f0658bc323363ec860063b7ffc636ac2e
SHA1 (patch-ad) = 752235269f10daade0bf60665cccde39d1583064
+SHA1 (patch-ae) = 53ce49bec7674be40b93de33bd8ec01942e18c9c
SHA1 (patch-af) = 6c58872798a30b31154dd7b167c84bf20ac417be
SHA1 (patch-ag) = 222427db3e1bdbf977e992aa91aae5f16992345a
SHA1 (patch-ah) = 23767542ea672d590050e258317c0352bb321810
SHA1 (patch-aj) = 7a538538a04ff466595527b7a65a196fc06a625e
-SHA1 (patch-da) = 73faacda1088304025c5e05f3d58edaf9ae1145f
SHA1 (patch-db) = 28913a094c8499536a71c8d4d7ca57a5efb25b39
SHA1 (patch-dc) = 75df6f37b1cbc9574adb5ee66cb84d0f5ebac853
SHA1 (patch-dd) = cfb7c9d470098b0fcfcddbe9a1363a14f762fe19
@@ -21,8 +22,8 @@
SHA1 (patch-ea) = 435ac0e1795c68fa6e125deceb4624564f7ce0dd
SHA1 (patch-eb) = 925a8a7e7880e545feac439850372548d04e8f87
SHA1 (patch-ec) = 86959d152174cbc8a03dbe6bde32545b824bfd74
-SHA1 (patch-ed) = dfe8f08c0e061c572e0299cba020da20519b87c2
-SHA1 (patch-ef) = 94cd889105a416f9d72adbc247d00b568207a02f
+SHA1 (patch-ed) = 875ee1f03e94e709d878ccbbfc8f9a3ce924eac5
+SHA1 (patch-ef) = 9edb141038c08417a0f06395e4cdff0de9e9fdcf
SHA1 (patch-eg) = 6953b53d41af088b855d22c6459aa1eefd0d25eb
SHA1 (patch-eh) = 5e1dbbf82c01bc340d1ef4029cd5352b9fcf775e
SHA1 (patch-ei) = 893b23b9e67ad640d984c962b93b5db639a780b3
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/patches/patch-ac
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/modular-xorg-server/patches/patch-ac Wed Jun 25 10:20:58 2008 +0000
@@ -0,0 +1,34 @@
+$NetBSD: patch-ac,v 1.2.10.1 2008/06/25 10:20:58 tron Exp $
+
+CVE-2008-2360
+
+--- render/glyph.c.orig 2006-09-18 08:04:18.000000000 +0200
++++ render/glyph.c
+@@ -42,6 +42,12 @@
+ #include "picturestr.h"
+ #include "glyphstr.h"
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /*
+ * From Knuth -- a good choice for hash/rehash values is p, p-2 where
+ * p and p-2 are both prime. These tables are sized to have an extra 10%
+@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdept
+ int size;
+ GlyphPtr glyph;
+ int i;
+-
+- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
++ size_t padded_width;
++
++ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
++ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
++ return 0;
++ size = gi->height * padded_width;
+ glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
+ if (!glyph)
+ return 0;
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/patches/patch-ae
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/modular-xorg-server/patches/patch-ae Wed Jun 25 10:20:58 2008 +0000
@@ -0,0 +1,63 @@
+$NetBSD: patch-ae,v 1.4.6.1 2008/06/25 10:20:58 tron Exp $
+
+CVE-2008-1377
+
+--- record/record.c.orig 2006-09-18 08:04:18.000000000 +0200
++++ record/record.c
+@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client
+ } /* SProcRecordQueryVersion */
+
+
+-static void
++static int
+ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ {
+ register char n;
+@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClient
+ swapl(&stuff->nClients, n);
+ swapl(&stuff->nRanges, n);
+ pClientID = (XID *)&stuff[1];
++ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
++ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++)
+ {
+ swapl(pClientID, n);
+ }
++ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
++ - stuff->nClients)
++ return BadLength;
+ RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
++ return Success;
+ } /* SwapCreateRegister */
+
+
+@@ -2679,11 +2685,13 @@ static int
+ SProcRecordCreateContext(ClientPtr client)
+ {
+ REQUEST(xRecordCreateContextReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+
+@@ -2692,11 +2700,13 @@ static int
+ SProcRecordRegisterClients(ClientPtr client)
+ {
+ REQUEST(xRecordRegisterClientsReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/patches/patch-da
--- a/x11/modular-xorg-server/patches/patch-da Tue Jun 24 12:52:01 2008 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,13 +0,0 @@
-$NetBSD: patch-da,v 1.1 2007/02/05 23:08:36 joerg Exp $
-
---- Xext/shm.c.orig 2007-02-05 20:58:14.000000000 +0000
-+++ Xext/shm.c
-@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi
- }
-
-
--#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__)
-+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__)
- #include <sys/signal.h>
-
- static Bool badSysCall = FALSE;
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/patches/patch-ed
--- a/x11/modular-xorg-server/patches/patch-ed Tue Jun 24 12:52:01 2008 +0000
+++ b/x11/modular-xorg-server/patches/patch-ed Wed Jun 25 10:20:58 2008 +0000
@@ -1,8 +1,31 @@
-$NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: patch-ed,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $
--- Xext/security.c.orig 2006-11-16 18:39:03.000000000 +0100
+++ Xext/security.c
-@@ -1567,9 +1567,9 @@ SecurityLoadPropertyAccessList(void)
+@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
+ register char n;
+ CARD32 *values;
+ unsigned long nvalues;
++ int values_offset;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
+ swaps(&stuff->nbytesAuthProto, n);
+ swaps(&stuff->nbytesAuthData, n);
+ swapl(&stuff->valueMask, n);
+- values = (CARD32 *)(&stuff[1]) +
+- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
++ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ if (values_offset >
++ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
++ return BadLength;
++ values = (CARD32 *)(&stuff[1]) + values_offset;
+ nvalues = (((CARD32 *)stuff) + stuff->length) - values;
+ SwapLongs(values, nvalues);
+ return ProcSecurityGenerateAuthorization(client);
+@@ -1567,9 +1571,9 @@ SecurityLoadPropertyAccessList(void)
return;
#ifndef __UNIXOS2__
@@ -14,7 +37,7 @@
#endif
if (!f)
{
-@@ -1653,7 +1653,7 @@ SecurityLoadPropertyAccessList(void)
+@@ -1653,7 +1657,7 @@ SecurityLoadPropertyAccessList(void)
}
#endif /* PROPDEBUG */
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/patches/patch-ef
--- a/x11/modular-xorg-server/patches/patch-ef Tue Jun 24 12:52:01 2008 +0000
+++ b/x11/modular-xorg-server/patches/patch-ef Wed Jun 25 10:20:58 2008 +0000
@@ -1,7 +1,16 @@
-$NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: patch-ef,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $
---- Xext/shm.c.orig 2008-02-25 15:43:05.000000000 +0100
+--- Xext/shm.c.orig 2008-06-20 14:39:43.000000000 +0200
+++ Xext/shm.c
+@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi
+ }
+
+
+-#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__)
++#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__)
+ #include <sys/signal.h>
+
+ static Bool badSysCall = FALSE;
@@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap(
int i, j, result;
ShmDescPtr shmdesc;
@@ -50,7 +59,27 @@
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
-@@ -1047,6 +1062,8 @@ ProcShmCreatePixmap(client)
+@@ -841,8 +856,17 @@ ProcShmPutImage(client)
+ return BadValue;
+ }
+
+- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+- client);
++ /*
++ * There's a potential integer overflow in this check:
++ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
++ * client);
++ * the version below ought to avoid it
++ */
++ if (stuff->totalHeight != 0 &&
++ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
++ client->errorValue = stuff->totalWidth;
++ return BadValue;
++ }
+ if (stuff->srcX > stuff->totalWidth)
+ {
+ client->errorValue = stuff->srcX;
+@@ -1047,6 +1071,8 @@ ProcShmCreatePixmap(client)
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
@@ -59,7 +88,7 @@
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
-@@ -1055,11 +1072,26 @@ ProcShmCreatePixmap(client)
+@@ -1055,11 +1081,26 @@ ProcShmCreatePixmap(client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -87,7 +116,7 @@
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
-@@ -1070,9 +1102,7 @@ ProcShmCreatePixmap(client)
+@@ -1070,9 +1111,7 @@ ProcShmCreatePixmap(client)
return BadValue;
}
CreatePmap:
Home |
Main Index |
Thread Index |
Old Index