author | joerg <joerg> | 2008-06-20 13:34:40 +0000 |
---|---|---|
committer | joerg <joerg> | 2008-06-20 13:34:40 +0000 |
commit | e5af1c42be300eaa0e1a8db4fd555f87ddb2dd55 (patch) | |
tree | eb2723508589f6a65af428eed17268d00f23d64f /x11/modular-xorg-server | |
parent | 8167e51cf1386ff82e7ccc7d238bebe92f894825 (diff) | |
download | pkgsrc-e5af1c42be300eaa0e1a8db4fd555f87ddb2dd55.tar.gz |
modular-xorg-server-1.3.0.0nb9:
Fix CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361 and
CVE-2008-2362 based on upstream patches.
Diffstat (limited to 'x11/modular-xorg-server')
-rw-r--r-- | x11/modular-xorg-server/Makefile | 4 | ||||
-rw-r--r-- | x11/modular-xorg-server/distinfo | 9 | ||||
-rw-r--r-- | x11/modular-xorg-server/patches/patch-ac | 34 | ||||
-rw-r--r-- | x11/modular-xorg-server/patches/patch-ae | 63 | ||||
-rw-r--r-- | x11/modular-xorg-server/patches/patch-da | 13 | ||||
-rw-r--r-- | x11/modular-xorg-server/patches/patch-ed | 29 | ||||
-rw-r--r-- | x11/modular-xorg-server/patches/patch-ef | 39 |
7 files changed, 164 insertions, 27 deletions
diff --git a/x11/modular-xorg-server/Makefile b/x11/modular-xorg-server/Makefile
index fca5e0c60b3..defa97a58d9 100644
--- a/x11/modular-xorg-server/Makefile
+++ b/x11/modular-xorg-server/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.29 2008/05/24 21:45:16 tnn Exp $
+# $NetBSD: Makefile,v 1.30 2008/06/20 13:34:40 joerg Exp $
 DISTNAME= xorg-server-1.3.0.0
 PKGNAME= modular-${DISTNAME}
-PKGREVISION= 8
+PKGREVISION= 9
 CATEGORIES= x11
 MASTER_SITES= ${MASTER_SITE_XORG:=xserver/}
 EXTRACT_SUFX= .tar.bz2
diff --git a/x11/modular-xorg-server/distinfo b/x11/modular-xorg-server/distinfo
index 6a8b92191e6..6390c5cf9b1 100644
--- a/x11/modular-xorg-server/distinfo
+++ b/x11/modular-xorg-server/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: distinfo,v 1.21 2008/06/20 13:34:40 joerg Exp $
 SHA1 (MesaLib-6.5.2.tar.bz2) = ba860bb6ee57c02202342dfd5927464a068ea18f
 RMD160 (MesaLib-6.5.2.tar.bz2) = 9a92d69110c066ae6734bcaafb78f222ac2df6d3
@@ -8,12 +8,13 @@ RMD160 (xorg-server-1.3.0.0.tar.bz2) = 1a4fecd73aed0d5adabe84066c24ce69dc2c2dc1
 Size (xorg-server-1.3.0.0.tar.bz2) = 5968263 bytes
 SHA1 (patch-aa) = f72780165c9ecd3e9ab31d03c1b2d777290d09e2
 SHA1 (patch-ab) = d99c045eff730b3fbdc92938faaa75b653640c58
+SHA1 (patch-ac) = 06b26c3f0658bc323363ec860063b7ffc636ac2e
 SHA1 (patch-ad) = 752235269f10daade0bf60665cccde39d1583064
+SHA1 (patch-ae) = 53ce49bec7674be40b93de33bd8ec01942e18c9c
 SHA1 (patch-af) = 6c58872798a30b31154dd7b167c84bf20ac417be
 SHA1 (patch-ag) = 222427db3e1bdbf977e992aa91aae5f16992345a
 SHA1 (patch-ah) = 23767542ea672d590050e258317c0352bb321810
 SHA1 (patch-aj) = 7a538538a04ff466595527b7a65a196fc06a625e
-SHA1 (patch-da) = 73faacda1088304025c5e05f3d58edaf9ae1145f
 SHA1 (patch-db) = 28913a094c8499536a71c8d4d7ca57a5efb25b39
 SHA1 (patch-dc) = 75df6f37b1cbc9574adb5ee66cb84d0f5ebac853
 SHA1 (patch-dd) = cfb7c9d470098b0fcfcddbe9a1363a14f762fe19
@@ -21,8 +22,8 @@ SHA1 (patch-de) = f887f3fd09406006b6165779b74be780b7fddd18
 SHA1 (patch-ea) = 435ac0e1795c68fa6e125deceb4624564f7ce0dd
 SHA1 (patch-eb) = 925a8a7e7880e545feac439850372548d04e8f87
 SHA1 (patch-ec) = 86959d152174cbc8a03dbe6bde32545b824bfd74
-SHA1 (patch-ed) = dfe8f08c0e061c572e0299cba020da20519b87c2
-SHA1 (patch-ef) = 94cd889105a416f9d72adbc247d00b568207a02f
+SHA1 (patch-ed) = 875ee1f03e94e709d878ccbbfc8f9a3ce924eac5
+SHA1 (patch-ef) = 9edb141038c08417a0f06395e4cdff0de9e9fdcf
 SHA1 (patch-eg) = 6953b53d41af088b855d22c6459aa1eefd0d25eb
 SHA1 (patch-eh) = 5e1dbbf82c01bc340d1ef4029cd5352b9fcf775e
 SHA1 (patch-ei) = 893b23b9e67ad640d984c962b93b5db639a780b3
diff --git a/x11/modular-xorg-server/patches/patch-ac b/x11/modular-xorg-server/patches/patch-ac
new file mode 100644
index 00000000000..07d48e63b03
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ac
@@ -0,0 +1,34 @@
+$NetBSD: patch-ac,v 1.3 2008/06/20 13:34:40 joerg Exp $
+
+CVE-2008-2360
+
+--- render/glyph.c.orig 2006-09-18 08:04:18.000000000 +0200
++++ render/glyph.c
+@@ -42,6 +42,12 @@
+ #include "picturestr.h"
+ #include "glyphstr.h"
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /*
+ * From Knuth -- a good choice for hash/rehash values is p, p-2 where
+ * p and p-2 are both prime. These tables are sized to have an extra 10%
+@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdept
+ int size;
+ GlyphPtr glyph;
+ int i;
+-
+- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
++ size_t padded_width;
++
++ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
++ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
++ return 0;
++ size = gi->height * padded_width;
+ glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
+ if (!glyph)
+ return 0;
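Review bot: In the `AllocateGlyph` hunk `size` is still declared `int`, but the new guard bounds `gi->height * padded_width` only by `UINT32_MAX - sizeof(GlyphRec)`, so a product above `INT_MAX` passes the check and is then narrowed into a signed variable. The value later handed to `xalloc` is formed after that narrowing, so what gets allocated depends on how a negative `int` widens on the target rather than on the check itself. Bounding against the signed range keeps `size` well defined everywhere it is used: `if (gi->height && padded_width > (INT_MAX - sizeof(GlyphRec))/gi->height)` (with `<limits.h>` for `INT_MAX`). The function body continues past the end of the hunk, so the remaining uses of `size` are not visible here.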
diff --git a/x11/modular-xorg-server/patches/patch-ae b/x11/modular-xorg-server/patches/patch-ae
new file mode 100644
index 00000000000..b1f534180dc
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ae
@@ -0,0 +1,63 @@
+$NetBSD: patch-ae,v 1.5 2008/06/20 13:34:40 joerg Exp $
+
+CVE-2008-1377
+
+--- record/record.c.orig 2006-09-18 08:04:18.000000000 +0200
++++ record/record.c
+@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client
+ } /* SProcRecordQueryVersion */
+
+
+-static void
++static int
+ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ {
+ register char n;
+@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClient
+ swapl(&stuff->nClients, n);
+ swapl(&stuff->nRanges, n);
+ pClientID = (XID *)&stuff[1];
++ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
++ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++)
+ {
+ swapl(pClientID, n);
+ }
++ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
++ - stuff->nClients)
++ return BadLength;
+ RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
++ return Success;
+ } /* SwapCreateRegister */
+
+
+@@ -2679,11 +2685,13 @@ static int
+ SProcRecordCreateContext(ClientPtr client)
+ {
+ REQUEST(xRecordCreateContextReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+
+@@ -2692,11 +2700,13 @@ static int
+ SProcRecordRegisterClients(ClientPtr client)
+ {
+ REQUEST(xRecordRegisterClientsReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+
diff --git a/x11/modular-xorg-server/patches/patch-da b/x11/modular-xorg-server/patches/patch-da
deleted file mode 100644
index db54d9adb6c..00000000000
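Review bot: The second bound added to `SwapCreateRegister` compares `stuff->nRanges`, a count of `xRecordRange` records, with the number of 4-byte words left in the request, so it is only tight if one record occupies one word; `RecordSwapRanges` then walks `nRanges` whole records starting at `pClientID`. The record layout is not on this page, but if `xRecordRange` is larger than four bytes a count accepted here can still carry the byte-swap past the end of the request buffer. Dividing the remaining words by the record size closes the gap: `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sz_xRecordRange >> 2))`. Both subtractions also depend on the callers' `REQUEST_AT_LEAST_SIZE` having run first (and, for `SProcRecordCreateContext`, on `xRecordCreateContextReq` being no smaller than `xRecordRegisterClientsReq`), which deserves a one-line comment above the first check.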
--- a/x11/modular-xorg-server/patches/patch-da
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-da,v 1.1 2007/02/05 23:08:36 joerg Exp $
-
---- Xext/shm.c.orig 2007-02-05 20:58:14.000000000 +0000
-+++ Xext/shm.c
-@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi
- }
-
-
--#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__)
-+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__)
- #include <sys/signal.h>
-
- static Bool badSysCall = FALSE;
diff --git a/x11/modular-xorg-server/patches/patch-ed b/x11/modular-xorg-server/patches/patch-ed
index 3063b0c39b1..94deef642de 100644
--- a/x11/modular-xorg-server/patches/patch-ed
+++ b/x11/modular-xorg-server/patches/patch-ed
@@ -1,8 +1,31 @@ -$NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $ +$NetBSD: patch-ed,v 1.2 2008/06/20 13:34:40 joerg Exp $ --- Xext/security.c.orig 2006-11-16 18:39:03.000000000 +0100 +++ Xext/security.c -@@ -1567,9 +1567,9 @@ SecurityLoadPropertyAccessList(void) +@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization( + register char n; + CARD32 *values; + unsigned long nvalues; ++ int values_offset; + + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); + swaps(&stuff->nbytesAuthProto, n); + swaps(&stuff->nbytesAuthData, n); + swapl(&stuff->valueMask, n); +- values = (CARD32 *)(&stuff[1]) + +- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + +- ((stuff->nbytesAuthData + (unsigned)3) >> 2); ++ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + ++ ((stuff->nbytesAuthData + (unsigned)3) >> 2); ++ if (values_offset > ++ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) ++ return BadLength; ++ values = (CARD32 *)(&stuff[1]) + values_offset; + nvalues = (((CARD32 *)stuff) + stuff->length) - values; + SwapLongs(values, nvalues); + return ProcSecurityGenerateAuthorization(client); +@@ -1567,9 +1571,9 @@ SecurityLoadPropertyAccessList(void) return; #ifndef __UNIXOS2__ @@ -14,7 +37,7 @@ $NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $ #endif if (!f) { -@@ -1653,7 +1653,7 @@ SecurityLoadPropertyAccessList(void) +@@ -1653,7 +1657,7 @@ SecurityLoadPropertyAccessList(void) } #endif /* PROPDEBUG */ diff --git a/x11/modular-xorg-server/patches/patch-ef b/x11/modular-xorg-server/patches/patch-ef index ba2d29e4492..7d4d9748611 100644 --- a/x11/modular-xorg-server/patches/patch-ef +++ b/x11/modular-xorg-server/patches/patch-ef 
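Review bot: The new `SProcSecurityGenerateAuthorization` hunk is added to patch-ed without the CVE line that patch-ac and patch-ae carry under their `$NetBSD$` header, so the patch file no longer says which of its hunks is the security fix and which are the older `SecurityLoadPropertyAccessList` changes; patch-ef has the same gap for the `ProcShmPutImage` check it gains. Adding the matching identifier from the commit message to each header lets a later update tell which hunks can be dropped once upstream ships the fix. Inside the hunk, a short comment above the comparison would record what it relies on, for example `/* values_offset is in 4-byte words; REQUEST_AT_LEAST_SIZE above keeps the right-hand side non-negative */`. The function starts before the hunk, so its opening lines are not visible here.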
@@ -1,7 +1,16 @@ -$NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $ +$NetBSD: patch-ef,v 1.2 2008/06/20 13:34:40 joerg Exp $ ---- Xext/shm.c.orig 2008-02-25 15:43:05.000000000 +0100 +--- Xext/shm.c.orig 2008-06-20 14:39:43.000000000 +0200 +++ Xext/shm.c +@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi + } + + +-#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) ++#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__) + #include <sys/signal.h> + + static Bool badSysCall = FALSE; @@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap( int i, j, result; ShmDescPtr shmdesc; @@ -50,7 +59,27 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $ if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) return BadAlloc; -@@ -1047,6 +1062,8 @@ ProcShmCreatePixmap(client) +@@ -841,8 +856,17 @@ ProcShmPutImage(client) + return BadValue; + } + +- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, +- client); ++ /* ++ * There's a potential integer overflow in this check: ++ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, ++ * client); ++ * the version below ought to avoid it ++ */ ++ if (stuff->totalHeight != 0 && ++ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { ++ client->errorValue = stuff->totalWidth; ++ return BadValue; ++ } + if (stuff->srcX > stuff->totalWidth) + { + client->errorValue = stuff->srcX; +@@ -1047,6 +1071,8 @@ ProcShmCreatePixmap(client) register int i; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); 
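Review bot: The replacement size check in `ProcShmPutImage` computes `shmdesc->size - stuff->offset` without establishing `stuff->offset <= shmdesc->size` anywhere inside the hunk; if those operands are unsigned, an offset beyond the segment would wrap the difference and let any `length` through. `ProcShmCreatePixmap` calls `VERIFY_SHMPTR` with the same offset before its own size check, and this function presumably does the same above the hunk, but the new code does not say so. Either record the dependency with `/* VERIFY_SHMPTR above guarantees offset <= size */` or make the guard self-contained by testing `stuff->offset > shmdesc->size ||` ahead of the division. The function begins and ends outside the hunk, so the earlier validation cannot be confirmed from this page.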
@@ -59,7 +88,7 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $ REQUEST_SIZE_MATCH(xShmCreatePixmapReq); client->errorValue = stuff->pid; -@@ -1055,11 +1072,26 @@ ProcShmCreatePixmap(client) +@@ -1055,11 +1081,26 @@ ProcShmCreatePixmap(client) LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); @@ -87,7 +116,7 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $ if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; -@@ -1070,9 +1102,7 @@ ProcShmCreatePixmap(client) +@@ -1070,9 +1111,7 @@ ProcShmCreatePixmap(client) return BadValue; } CreatePmap: |