Diffstat (limited to 'x11')
-rw-r--r-- | x11/modular-xorg-server/Makefile | 5 | ||||
-rw-r--r-- | x11/modular-xorg-server/distinfo | 3 | ||||
-rw-r--r-- | x11/modular-xorg-server/patches/patch-dix_dixfonts.c | 74 |
3 files changed, 78 insertions, 4 deletions
diff --git a/x11/modular-xorg-server/Makefile b/x11/modular-xorg-server/Makefile
index d55fa3ef4f0..e7e7a5edf70 100644
--- a/x11/modular-xorg-server/Makefile
+++ b/x11/modular-xorg-server/Makefile
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.80 2013/06/16 13:34:30 obache Exp $
-#
+# $NetBSD: Makefile,v 1.80.4.1 2013/10/09 07:36:29 spz Exp $

 DISTNAME= xorg-server-1.12.4
 PKGNAME= modular-${DISTNAME}
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= x11
 MASTER_SITES= ${MASTER_SITE_XORG:=xserver/}
 EXTRACT_SUFX= .tar.bz2
diff --git a/x11/modular-xorg-server/distinfo b/x11/modular-xorg-server/distinfo
index 63df5061ef5..4356354a2b5 100644
--- a/x11/modular-xorg-server/distinfo
+++ b/x11/modular-xorg-server/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.51 2013/05/21 18:38:03 joerg Exp $
+$NetBSD: distinfo,v 1.51.4.1 2013/10/09 07:36:29 spz Exp $

 SHA1 (xorg-server-1.12.4.tar.bz2) = 6d616874f9c7677bda08dc073c03f83e78fbc585
 RMD160 (xorg-server-1.12.4.tar.bz2) = 4907b5dc42efd6b3fb6bf9d64f1441080a6a6983
 Size (xorg-server-1.12.4.tar.bz2) = 5444761 bytes
 SHA1 (patch-configure) = 031bc0accf1dd71ed687e7aac3fcc9498cb06784
+SHA1 (patch-dix_dixfonts.c) = 2f1fd51c538eab12c06b85c4ddab18af25338174
 SHA1 (patch-hw_xfree86_common_compiler.h) = 88de747715b80b22f448869ab32dce1641bcb6db
 SHA1 (patch-hw_xfree86_os-support_xf86__OSlib.h) = 7c2760509610b44915da077b22899bef9c338cc1
diff --git a/x11/modular-xorg-server/patches/patch-dix_dixfonts.c b/x11/modular-xorg-server/patches/patch-dix_dixfonts.c
new file mode 100644
index 00000000000..f7eaf532e2e
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-dix_dixfonts.c
@@ -0,0 +1,74 @@
+$NetBSD: patch-dix_dixfonts.c,v 1.1.2.2 2013/10/09 07:36:30 spz Exp $
+
+Fix CVE-2013-4396.
+
+From a4d9bf1259ad28f54b6d59a480b2009cc89ca623 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Mon, 16 Sep 2013 21:47:16 -0700
+Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
+
+Save a pointer to the passed in closure structure before copying it
+and overwriting the *c pointer to point to our copy instead of the
+original. If we hit an error, once we free(c), reset c to point to
+the original structure before jumping to the cleanup code that
+references *c.
+
+Since one of the errors being checked for is whether the server was
+able to malloc(c->nChars * itemSize), the client can potentially pass
+a number of characters chosen to cause the malloc to fail and the
+error path to be taken, resulting in the read from freed memory.
+
+Since the memory is accessed almost immediately afterwards, and the
+X server is mostly single threaded, the odds of the free memory having
+invalid contents are low with most malloc implementations when not using
+memory debugging features, but some allocators will definitely overwrite
+the memory there, leading to a likely crash.
+
+Reported-by: Pedro Ribeiro <pedrib@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+---
+ dix/dixfonts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- dix/dixfonts.c.orig 2012-05-17 17:09:01.000000000 +0000
++++ dix/dixfonts.c
+@@ -1414,6 +1414,7 @@ doImageText(ClientPtr client, ITclosureP
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. 
Similar problem to that handled
+@@ -1425,12 +1426,14 @@ doImageText(ClientPtr client, ITclosureP
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+ data = malloc(c->nChars * itemSize);
+ if (!data) {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1441,6 +1444,7 @@ doImageText(ClientPtr client, ITclosureP
+ if (!pGC) {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1453,6 +1457,7 @@ doImageText(ClientPtr client, ITclosureP
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ } |
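Review bot: The three `c = old_closure;` restores in the inner -1425, -1441 and -1453 hunks are correct but fragile: each error path has to remember to re-point `c` after `free(c)`, and any later failure path that copies only `free(c); err = BadAlloc; goto bail;` would silently reintroduce the use-after-free this backport fixes. A structurally safer shape would free the copy through `new_closure` and assign `c = new_closure` only after every allocation has succeeded, but the `memmove`/`c->data` lines between the hunks would need to go through `new_closure` too, so that belongs in an upstream follow-up rather than in this pkgsrc patch. For this backport the invariant should at least be written down above `old_closure = c;`, e.g. `/* bail dereferences c: on any failure below, restore c to the caller's closure after freeing the copy */`. The restored `c` is then handed to the cleanup at `bail`, which is outside the hunk; confirm there that the original closure is not freed on this path, since only the copy was meant to be released. doImageText starts and ends outside these hunks.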