authortron <tron@pkgsrc.org>2008-06-25 10:20:58 +0000
committertron <tron@pkgsrc.org>2008-06-25 10:20:58 +0000
commitc7e44796a51cb26660c67eb70d6992f54dda0195 (patch)
tree5c07321221b0a557b339214c018094889c3d7108
parent8f8426147e2c93ad5dfc990e6fbf38e95b5cc32e (diff)
downloadpkgsrc-c7e44796a51cb26660c67eb70d6992f54dda0195.tar.gz
Pullup ticket #2433 - requested by joerg
Security patch for modular-xorg-server Revisions pulled up: - x11/modular-xorg-server/Makefile 1.30 via patch - x11/modular-xorg-server/distinfo 1.21 - x11/modular-xorg-server/patches/patch-ac 1.3 - x11/modular-xorg-server/patches/patch-ae 1.5 - x11/modular-xorg-server/patches/patch-da delete - x11/modular-xorg-server/patches/patch-ed 1.2 - x11/modular-xorg-server/patches/patch-ef 1.2 --- Module Name: pkgsrc Committed By: joerg Date: Fri Jun 20 13:34:40 UTC 2008 Modified Files: pkgsrc/x11/modular-xorg-server: Makefile distinfo pkgsrc/x11/modular-xorg-server/patches: patch-ed patch-ef Added Files: pkgsrc/x11/modular-xorg-server/patches: patch-ac patch-ae Removed Files: pkgsrc/x11/modular-xorg-server/patches: patch-da Log Message: modular-xorg-server-1.3.0.0nb9: Fix CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361 and CVE-2008-2362 based on upstream patches.
-rw-r--r--x11/modular-xorg-server/Makefile4
-rw-r--r--x11/modular-xorg-server/distinfo9
-rw-r--r--x11/modular-xorg-server/patches/patch-ac34
-rw-r--r--x11/modular-xorg-server/patches/patch-ae63
-rw-r--r--x11/modular-xorg-server/patches/patch-da13
-rw-r--r--x11/modular-xorg-server/patches/patch-ed29
-rw-r--r--x11/modular-xorg-server/patches/patch-ef39
7 files changed, 164 insertions, 27 deletions
diff --git a/x11/modular-xorg-server/Makefile b/x11/modular-xorg-server/Makefile
index ad920a598f1..cd2c7d352e0 100644
--- a/x11/modular-xorg-server/Makefile
+++ b/x11/modular-xorg-server/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.27 2008/03/29 17:54:40 wiz Exp $
+# $NetBSD: Makefile,v 1.27.2.1 2008/06/25 10:20:58 tron Exp $
DISTNAME= xorg-server-1.3.0.0
PKGNAME= modular-${DISTNAME}
-PKGREVISION= 7
+PKGREVISION= 9
CATEGORIES= x11
MASTER_SITES= http://xorg.freedesktop.org/releases/individual/xserver/
EXTRACT_SUFX= .tar.bz2
diff --git a/x11/modular-xorg-server/distinfo b/x11/modular-xorg-server/distinfo
index 6a8b92191e6..4836782cc8f 100644
--- a/x11/modular-xorg-server/distinfo
+++ b/x11/modular-xorg-server/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: distinfo,v 1.20.2.1 2008/06/25 10:20:58 tron Exp $
SHA1 (MesaLib-6.5.2.tar.bz2) = ba860bb6ee57c02202342dfd5927464a068ea18f
RMD160 (MesaLib-6.5.2.tar.bz2) = 9a92d69110c066ae6734bcaafb78f222ac2df6d3
@@ -8,12 +8,13 @@ RMD160 (xorg-server-1.3.0.0.tar.bz2) = 1a4fecd73aed0d5adabe84066c24ce69dc2c2dc1
Size (xorg-server-1.3.0.0.tar.bz2) = 5968263 bytes
SHA1 (patch-aa) = f72780165c9ecd3e9ab31d03c1b2d777290d09e2
SHA1 (patch-ab) = d99c045eff730b3fbdc92938faaa75b653640c58
+SHA1 (patch-ac) = 06b26c3f0658bc323363ec860063b7ffc636ac2e
SHA1 (patch-ad) = 752235269f10daade0bf60665cccde39d1583064
+SHA1 (patch-ae) = 53ce49bec7674be40b93de33bd8ec01942e18c9c
SHA1 (patch-af) = 6c58872798a30b31154dd7b167c84bf20ac417be
SHA1 (patch-ag) = 222427db3e1bdbf977e992aa91aae5f16992345a
SHA1 (patch-ah) = 23767542ea672d590050e258317c0352bb321810
SHA1 (patch-aj) = 7a538538a04ff466595527b7a65a196fc06a625e
-SHA1 (patch-da) = 73faacda1088304025c5e05f3d58edaf9ae1145f
SHA1 (patch-db) = 28913a094c8499536a71c8d4d7ca57a5efb25b39
SHA1 (patch-dc) = 75df6f37b1cbc9574adb5ee66cb84d0f5ebac853
SHA1 (patch-dd) = cfb7c9d470098b0fcfcddbe9a1363a14f762fe19
@@ -21,8 +22,8 @@ SHA1 (patch-de) = f887f3fd09406006b6165779b74be780b7fddd18
SHA1 (patch-ea) = 435ac0e1795c68fa6e125deceb4624564f7ce0dd
SHA1 (patch-eb) = 925a8a7e7880e545feac439850372548d04e8f87
SHA1 (patch-ec) = 86959d152174cbc8a03dbe6bde32545b824bfd74
-SHA1 (patch-ed) = dfe8f08c0e061c572e0299cba020da20519b87c2
-SHA1 (patch-ef) = 94cd889105a416f9d72adbc247d00b568207a02f
+SHA1 (patch-ed) = 875ee1f03e94e709d878ccbbfc8f9a3ce924eac5
+SHA1 (patch-ef) = 9edb141038c08417a0f06395e4cdff0de9e9fdcf
SHA1 (patch-eg) = 6953b53d41af088b855d22c6459aa1eefd0d25eb
SHA1 (patch-eh) = 5e1dbbf82c01bc340d1ef4029cd5352b9fcf775e
SHA1 (patch-ei) = 893b23b9e67ad640d984c962b93b5db639a780b3
diff --git a/x11/modular-xorg-server/patches/patch-ac b/x11/modular-xorg-server/patches/patch-ac
new file mode 100644
index 00000000000..5fccfbd17bd
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ac
@@ -0,0 +1,34 @@
+$NetBSD: patch-ac,v 1.2.10.1 2008/06/25 10:20:58 tron Exp $
+
+CVE-2008-2360
+
+--- render/glyph.c.orig 2006-09-18 08:04:18.000000000 +0200
++++ render/glyph.c
+@@ -42,6 +42,12 @@
+ #include "picturestr.h"
+ #include "glyphstr.h"
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /*
+ * From Knuth -- a good choice for hash/rehash values is p, p-2 where
+ * p and p-2 are both prime. These tables are sized to have an extra 10%
+@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdept
+ int size;
+ GlyphPtr glyph;
+ int i;
+-
+- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
++ size_t padded_width;
++
++ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
++ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
++ return 0;
++ size = gi->height * padded_width;
+ glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
+ if (!glyph)
+ return 0;
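Review bot: The new guard in AllocateGlyph bounds the product against UINT32_MAX, but the result is still stored in `int size`, so a product between INT_MAX and UINT32_MAX passes the check and is then converted to a signed int before `size + sizeof (GlyphRec)` is handed to xalloc. Either declare `size` as `size_t`, or bound against the type actually used, `if (gi->height && padded_width > (INT_MAX - sizeof(GlyphRec))/gi->height) return 0;` (with `<limits.h>`). AllocateGlyph starts and ends outside this hunk, so whether `size` is used again after the allocation has to be checked in the full function.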
diff --git a/x11/modular-xorg-server/patches/patch-ae b/x11/modular-xorg-server/patches/patch-ae
new file mode 100644
index 00000000000..de830b3b4b5
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ae
@@ -0,0 +1,63 @@
+$NetBSD: patch-ae,v 1.4.6.1 2008/06/25 10:20:58 tron Exp $
+
+CVE-2008-1377
+
+--- record/record.c.orig 2006-09-18 08:04:18.000000000 +0200
++++ record/record.c
+@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client
+ } /* SProcRecordQueryVersion */
+
+
+-static void
++static int
+ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ {
+ register char n;
+@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClient
+ swapl(&stuff->nClients, n);
+ swapl(&stuff->nRanges, n);
+ pClientID = (XID *)&stuff[1];
++ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
++ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++)
+ {
+ swapl(pClientID, n);
+ }
++ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
++ - stuff->nClients)
++ return BadLength;
+ RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
++ return Success;
+ } /* SwapCreateRegister */
+
+
+@@ -2679,11 +2685,13 @@ static int
+ SProcRecordCreateContext(ClientPtr client)
+ {
+ REQUEST(xRecordCreateContextReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+
+@@ -2692,11 +2700,13 @@ static int
+ SProcRecordRegisterClients(ClientPtr client)
+ {
+ REQUEST(xRecordRegisterClientsReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+
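Review bot: The second length check in SwapCreateRegister compares `stuff->nRanges`, a count of xRecordRange structures, with the number of 32-bit words left in the request, so it is only tight if one range occupies exactly one word. xRecordRange is not defined in this hunk; if it is larger than four bytes, RecordSwapRanges can still be given a count that runs past the end of the request buffer. Dividing the remaining words by the range size closes that gap: `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sz_xRecordRange >> 2)) return BadLength;`. A short comment that `stuff->length` is in 4-byte units would make both checks easier to audit.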
diff --git a/x11/modular-xorg-server/patches/patch-da b/x11/modular-xorg-server/patches/patch-da
deleted file mode 100644
index db54d9adb6c..00000000000
--- a/x11/modular-xorg-server/patches/patch-da
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-da,v 1.1 2007/02/05 23:08:36 joerg Exp $
-
---- Xext/shm.c.orig 2007-02-05 20:58:14.000000000 +0000
-+++ Xext/shm.c
-@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi
- }
-
-
--#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__)
-+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__)
- #include <sys/signal.h>
-
- static Bool badSysCall = FALSE;
diff --git a/x11/modular-xorg-server/patches/patch-ed b/x11/modular-xorg-server/patches/patch-ed
index 3063b0c39b1..43f320f4cd6 100644
--- a/x11/modular-xorg-server/patches/patch-ed
+++ b/x11/modular-xorg-server/patches/patch-ed
@@ -1,8 +1,31 @@
-$NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: patch-ed,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $
--- Xext/security.c.orig 2006-11-16 18:39:03.000000000 +0100
+++ Xext/security.c
-@@ -1567,9 +1567,9 @@ SecurityLoadPropertyAccessList(void)
+@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
+ register char n;
+ CARD32 *values;
+ unsigned long nvalues;
++ int values_offset;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
+ swaps(&stuff->nbytesAuthProto, n);
+ swaps(&stuff->nbytesAuthData, n);
+ swapl(&stuff->valueMask, n);
+- values = (CARD32 *)(&stuff[1]) +
+- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
++ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ if (values_offset >
++ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
++ return BadLength;
++ values = (CARD32 *)(&stuff[1]) + values_offset;
+ nvalues = (((CARD32 *)stuff) + stuff->length) - values;
+ SwapLongs(values, nvalues);
+ return ProcSecurityGenerateAuthorization(client);
+@@ -1567,9 +1571,9 @@ SecurityLoadPropertyAccessList(void)
return;
#ifndef __UNIXOS2__
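Review bot: patch-ed now carries a security fix but, unlike patch-ac and patch-ae, has no line after the `$NetBSD$` tag saying which advisory it addresses; patch-ef has the same gap for its ProcShmPutImage hunk. The added SProcSecurityGenerateAuthorization check is a request-length check of the same kind as the record.c one, so it presumably belongs to one of the CVEs in the log message (likely CVE-2008-1377, to be confirmed against the upstream advisory). The SecurityLoadPropertyAccessList hunks were already in the file and look like a separate local change. I would add a short header naming the CVE for the first hunk and marking the remaining hunks as unrelated, so a later update can tell which parts can be dropped once upstream ships the fix.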
@@ -14,7 +37,7 @@ $NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $
#endif
if (!f)
{
-@@ -1653,7 +1653,7 @@ SecurityLoadPropertyAccessList(void)
+@@ -1653,7 +1657,7 @@ SecurityLoadPropertyAccessList(void)
}
#endif /* PROPDEBUG */
diff --git a/x11/modular-xorg-server/patches/patch-ef b/x11/modular-xorg-server/patches/patch-ef
index ba2d29e4492..378d070674f 100644
--- a/x11/modular-xorg-server/patches/patch-ef
+++ b/x11/modular-xorg-server/patches/patch-ef
@@ -1,7 +1,16 @@
-$NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: patch-ef,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $
---- Xext/shm.c.orig 2008-02-25 15:43:05.000000000 +0100
+--- Xext/shm.c.orig 2008-06-20 14:39:43.000000000 +0200
+++ Xext/shm.c
+@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi
+ }
+
+
+-#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__)
++#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__)
+ #include <sys/signal.h>
+
+ static Bool badSysCall = FALSE;
@@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap(
int i, j, result;
ShmDescPtr shmdesc;
@@ -50,7 +59,27 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
-@@ -1047,6 +1062,8 @@ ProcShmCreatePixmap(client)
+@@ -841,8 +856,17 @@ ProcShmPutImage(client)
+ return BadValue;
+ }
+
+- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+- client);
++ /*
++ * There's a potential integer overflow in this check:
++ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
++ * client);
++ * the version below ought to avoid it
++ */
++ if (stuff->totalHeight != 0 &&
++ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
++ client->errorValue = stuff->totalWidth;
++ return BadValue;
++ }
+ if (stuff->srcX > stuff->totalWidth)
+ {
+ client->errorValue = stuff->srcX;
+@@ -1047,6 +1071,8 @@ ProcShmCreatePixmap(client)
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
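Review bot: The replacement check in ProcShmPutImage computes `shmdesc->size - stuff->offset`, and nothing in the visible lines shows that the offset cannot exceed the segment size; if both are unsigned, a larger offset wraps the difference to a huge value and the bound then accepts any `length`. That precondition is presumably enforced earlier in the function, outside this hunk (ProcShmCreatePixmap, further down, passes the offset to VERIFY_SHMPTR, which may be where it happens). The added comment should state the dependency, e.g. `/* relies on stuff->offset <= shmdesc->size, checked above */`, or the condition should lead with `stuff->offset > shmdesc->size ||` so the check stands on its own.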
@@ -59,7 +88,7 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
-@@ -1055,11 +1072,26 @@ ProcShmCreatePixmap(client)
+@@ -1055,11 +1081,26 @@ ProcShmCreatePixmap(client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -87,7 +116,7 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
-@@ -1070,9 +1102,7 @@ ProcShmCreatePixmap(client)
+@@ -1070,9 +1111,7 @@ ProcShmCreatePixmap(client)
return BadValue;
}
CreatePmap: