[src/netbsd-6-0]: src/doc Ticket #966.

[jdc <jdc%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/e0421a7bbf38
branches:  netbsd-6-0
changeset: 774873:e0421a7bbf38
user:      jdc <jdc%NetBSD.org@localhost>
date:      Sat Oct 12 19:00:01 2013 +0000

description:
Ticket #966.

diffstat:

 doc/CHANGES-6.0.4 |  13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

diffs (24 lines):

diff -r 26f351cfa11b -r e0421a7bbf38 doc/CHANGES-6.0.4
--- a/doc/CHANGES-6.0.4 Sat Oct 12 18:53:17 2013 +0000
+++ b/doc/CHANGES-6.0.4 Sat Oct 12 19:00:01 2013 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.0.4,v 1.1.2.1 2013/10/12 18:53:17 jdc Exp $
+# $NetBSD: CHANGES-6.0.4,v 1.1.2.2 2013/10/12 19:00:01 jdc Exp $
 
 A complete list of changes from the NetBSD 6.0.3 release to the NetBSD 6.0.4
 release:
@@ -10,3 +10,14 @@
        Welcome to 6.0.3_PATCH.
        [jdc]
 
+xsrc/external/mit/xorg-server/dist/dix/dixfonts.c      1.2
+xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c          1.4
+
+       Fix CVE-2013-4396 using a patch from Alan Coopersmith:
+       Save a pointer to the passed in closure structure before copying it
+       and overwriting the *c pointer to point to our copy instead of the
+       original.  If we hit an error, once we free(c), reset c to point to
+       the original structure before jumping to the cleanup code that
+       references *c.
+       [spz, ticket #966]
+