summaryrefslogtreecommitdiff
path: root/x11/modular-xorg-server
diff options
context:
space:
mode:
authorjoerg <joerg>2008-06-20 13:34:40 +0000
committerjoerg <joerg>2008-06-20 13:34:40 +0000
commite5af1c42be300eaa0e1a8db4fd555f87ddb2dd55 (patch)
treeeb2723508589f6a65af428eed17268d00f23d64f /x11/modular-xorg-server
parent8167e51cf1386ff82e7ccc7d238bebe92f894825 (diff)
downloadpkgsrc-e5af1c42be300eaa0e1a8db4fd555f87ddb2dd55.tar.gz
modular-xorg-server-1.3.0.0nb9:
Fix CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361 and CVE-2008-2362 based on upstream patches.
Diffstat (limited to 'x11/modular-xorg-server')
-rw-r--r--x11/modular-xorg-server/Makefile4
-rw-r--r--x11/modular-xorg-server/distinfo9
-rw-r--r--x11/modular-xorg-server/patches/patch-ac34
-rw-r--r--x11/modular-xorg-server/patches/patch-ae63
-rw-r--r--x11/modular-xorg-server/patches/patch-da13
-rw-r--r--x11/modular-xorg-server/patches/patch-ed29
-rw-r--r--x11/modular-xorg-server/patches/patch-ef39
7 files changed, 164 insertions, 27 deletions
diff --git a/x11/modular-xorg-server/Makefile b/x11/modular-xorg-server/Makefile
index fca5e0c60b3..defa97a58d9 100644
--- a/x11/modular-xorg-server/Makefile
+++ b/x11/modular-xorg-server/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.29 2008/05/24 21:45:16 tnn Exp $
+# $NetBSD: Makefile,v 1.30 2008/06/20 13:34:40 joerg Exp $
DISTNAME= xorg-server-1.3.0.0
PKGNAME= modular-${DISTNAME}
-PKGREVISION= 8
+PKGREVISION= 9
CATEGORIES= x11
MASTER_SITES= ${MASTER_SITE_XORG:=xserver/}
EXTRACT_SUFX= .tar.bz2
diff --git a/x11/modular-xorg-server/distinfo b/x11/modular-xorg-server/distinfo
index 6a8b92191e6..6390c5cf9b1 100644
--- a/x11/modular-xorg-server/distinfo
+++ b/x11/modular-xorg-server/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: distinfo,v 1.21 2008/06/20 13:34:40 joerg Exp $
SHA1 (MesaLib-6.5.2.tar.bz2) = ba860bb6ee57c02202342dfd5927464a068ea18f
RMD160 (MesaLib-6.5.2.tar.bz2) = 9a92d69110c066ae6734bcaafb78f222ac2df6d3
@@ -8,12 +8,13 @@ RMD160 (xorg-server-1.3.0.0.tar.bz2) = 1a4fecd73aed0d5adabe84066c24ce69dc2c2dc1
Size (xorg-server-1.3.0.0.tar.bz2) = 5968263 bytes
SHA1 (patch-aa) = f72780165c9ecd3e9ab31d03c1b2d777290d09e2
SHA1 (patch-ab) = d99c045eff730b3fbdc92938faaa75b653640c58
+SHA1 (patch-ac) = 06b26c3f0658bc323363ec860063b7ffc636ac2e
SHA1 (patch-ad) = 752235269f10daade0bf60665cccde39d1583064
+SHA1 (patch-ae) = 53ce49bec7674be40b93de33bd8ec01942e18c9c
SHA1 (patch-af) = 6c58872798a30b31154dd7b167c84bf20ac417be
SHA1 (patch-ag) = 222427db3e1bdbf977e992aa91aae5f16992345a
SHA1 (patch-ah) = 23767542ea672d590050e258317c0352bb321810
SHA1 (patch-aj) = 7a538538a04ff466595527b7a65a196fc06a625e
-SHA1 (patch-da) = 73faacda1088304025c5e05f3d58edaf9ae1145f
SHA1 (patch-db) = 28913a094c8499536a71c8d4d7ca57a5efb25b39
SHA1 (patch-dc) = 75df6f37b1cbc9574adb5ee66cb84d0f5ebac853
SHA1 (patch-dd) = cfb7c9d470098b0fcfcddbe9a1363a14f762fe19
@@ -21,8 +22,8 @@ SHA1 (patch-de) = f887f3fd09406006b6165779b74be780b7fddd18
SHA1 (patch-ea) = 435ac0e1795c68fa6e125deceb4624564f7ce0dd
SHA1 (patch-eb) = 925a8a7e7880e545feac439850372548d04e8f87
SHA1 (patch-ec) = 86959d152174cbc8a03dbe6bde32545b824bfd74
-SHA1 (patch-ed) = dfe8f08c0e061c572e0299cba020da20519b87c2
-SHA1 (patch-ef) = 94cd889105a416f9d72adbc247d00b568207a02f
+SHA1 (patch-ed) = 875ee1f03e94e709d878ccbbfc8f9a3ce924eac5
+SHA1 (patch-ef) = 9edb141038c08417a0f06395e4cdff0de9e9fdcf
SHA1 (patch-eg) = 6953b53d41af088b855d22c6459aa1eefd0d25eb
SHA1 (patch-eh) = 5e1dbbf82c01bc340d1ef4029cd5352b9fcf775e
SHA1 (patch-ei) = 893b23b9e67ad640d984c962b93b5db639a780b3
diff --git a/x11/modular-xorg-server/patches/patch-ac b/x11/modular-xorg-server/patches/patch-ac
new file mode 100644
index 00000000000..07d48e63b03
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ac
@@ -0,0 +1,34 @@
+$NetBSD: patch-ac,v 1.3 2008/06/20 13:34:40 joerg Exp $
+
+CVE-2008-2360
+
+--- render/glyph.c.orig 2006-09-18 08:04:18.000000000 +0200
++++ render/glyph.c
+@@ -42,6 +42,12 @@
+ #include "picturestr.h"
+ #include "glyphstr.h"
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /*
+ * From Knuth -- a good choice for hash/rehash values is p, p-2 where
+ * p and p-2 are both prime. These tables are sized to have an extra 10%
+@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdept
+ int size;
+ GlyphPtr glyph;
+ int i;
+-
+- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
++ size_t padded_width;
++
++ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
++ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
++ return 0;
++ size = gi->height * padded_width;
+ glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
+ if (!glyph)
+ return 0;
diff --git a/x11/modular-xorg-server/patches/patch-ae b/x11/modular-xorg-server/patches/patch-ae
new file mode 100644
index 00000000000..b1f534180dc
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ae
@@ -0,0 +1,63 @@
+$NetBSD: patch-ae,v 1.5 2008/06/20 13:34:40 joerg Exp $
+
+CVE-2008-1377
+
+--- record/record.c.orig 2006-09-18 08:04:18.000000000 +0200
++++ record/record.c
+@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client
+ } /* SProcRecordQueryVersion */
+
+
+-static void
++static int
+ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ {
+ register char n;
+@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClient
+ swapl(&stuff->nClients, n);
+ swapl(&stuff->nRanges, n);
+ pClientID = (XID *)&stuff[1];
++ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
++ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++)
+ {
+ swapl(pClientID, n);
+ }
++ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
++ - stuff->nClients)
++ return BadLength;
+ RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
++ return Success;
+ } /* SwapCreateRegister */
+
+
+@@ -2679,11 +2685,13 @@ static int
+ SProcRecordCreateContext(ClientPtr client)
+ {
+ REQUEST(xRecordCreateContextReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+
+@@ -2692,11 +2700,13 @@ static int
+ SProcRecordRegisterClients(ClientPtr client)
+ {
+ REQUEST(xRecordRegisterClientsReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+
diff --git a/x11/modular-xorg-server/patches/patch-da b/x11/modular-xorg-server/patches/patch-da
deleted file mode 100644
index db54d9adb6c..00000000000
--- a/x11/modular-xorg-server/patches/patch-da
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-da,v 1.1 2007/02/05 23:08:36 joerg Exp $
-
---- Xext/shm.c.orig 2007-02-05 20:58:14.000000000 +0000
-+++ Xext/shm.c
-@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi
- }
-
-
--#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__)
-+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__)
- #include <sys/signal.h>
-
- static Bool badSysCall = FALSE;
diff --git a/x11/modular-xorg-server/patches/patch-ed b/x11/modular-xorg-server/patches/patch-ed
index 3063b0c39b1..94deef642de 100644
--- a/x11/modular-xorg-server/patches/patch-ed
+++ b/x11/modular-xorg-server/patches/patch-ed
@@ -1,8 +1,31 @@
-$NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: patch-ed,v 1.2 2008/06/20 13:34:40 joerg Exp $
--- Xext/security.c.orig 2006-11-16 18:39:03.000000000 +0100
+++ Xext/security.c
-@@ -1567,9 +1567,9 @@ SecurityLoadPropertyAccessList(void)
+@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
+ register char n;
+ CARD32 *values;
+ unsigned long nvalues;
++ int values_offset;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
+ swaps(&stuff->nbytesAuthProto, n);
+ swaps(&stuff->nbytesAuthData, n);
+ swapl(&stuff->valueMask, n);
+- values = (CARD32 *)(&stuff[1]) +
+- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
++ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ if (values_offset >
++ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
++ return BadLength;
++ values = (CARD32 *)(&stuff[1]) + values_offset;
+ nvalues = (((CARD32 *)stuff) + stuff->length) - values;
+ SwapLongs(values, nvalues);
+ return ProcSecurityGenerateAuthorization(client);
+@@ -1567,9 +1571,9 @@ SecurityLoadPropertyAccessList(void)
return;
#ifndef __UNIXOS2__
@@ -14,7 +37,7 @@ $NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $
#endif
if (!f)
{
-@@ -1653,7 +1653,7 @@ SecurityLoadPropertyAccessList(void)
+@@ -1653,7 +1657,7 @@ SecurityLoadPropertyAccessList(void)
}
#endif /* PROPDEBUG */
diff --git a/x11/modular-xorg-server/patches/patch-ef b/x11/modular-xorg-server/patches/patch-ef
index ba2d29e4492..7d4d9748611 100644
--- a/x11/modular-xorg-server/patches/patch-ef
+++ b/x11/modular-xorg-server/patches/patch-ef
@@ -1,7 +1,16 @@
-$NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: patch-ef,v 1.2 2008/06/20 13:34:40 joerg Exp $
---- Xext/shm.c.orig 2008-02-25 15:43:05.000000000 +0100
+--- Xext/shm.c.orig 2008-06-20 14:39:43.000000000 +0200
+++ Xext/shm.c
+@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi
+ }
+
+
+-#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__)
++#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__)
+ #include <sys/signal.h>
+
+ static Bool badSysCall = FALSE;
@@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap(
int i, j, result;
ShmDescPtr shmdesc;
@@ -50,7 +59,27 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
-@@ -1047,6 +1062,8 @@ ProcShmCreatePixmap(client)
+@@ -841,8 +856,17 @@ ProcShmPutImage(client)
+ return BadValue;
+ }
+
+- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+- client);
++ /*
++ * There's a potential integer overflow in this check:
++ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
++ * client);
++ * the version below ought to avoid it
++ */
++ if (stuff->totalHeight != 0 &&
++ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
++ client->errorValue = stuff->totalWidth;
++ return BadValue;
++ }
+ if (stuff->srcX > stuff->totalWidth)
+ {
+ client->errorValue = stuff->srcX;
+@@ -1047,6 +1071,8 @@ ProcShmCreatePixmap(client)
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
@@ -59,7 +88,7 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
-@@ -1055,11 +1072,26 @@ ProcShmCreatePixmap(client)
+@@ -1055,11 +1081,26 @@ ProcShmCreatePixmap(client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -87,7 +116,7 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
-@@ -1070,9 +1102,7 @@ ProcShmCreatePixmap(client)
+@@ -1070,9 +1111,7 @@ ProcShmCreatePixmap(client)
return BadValue;
}
CreatePmap: