pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/pkgsrc-2008Q1]: pkgsrc/x11/modular-xorg-server Pullup ticket #2433 - ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/1777ad5f0dcc
branches:  pkgsrc-2008Q1
changeset: 540432:1777ad5f0dcc
user:      tron <tron%pkgsrc.org@localhost>
date:      Wed Jun 25 10:20:58 2008 +0000

description:
Pullup ticket #2433 - requested by joerg
Security patch for modular-xorg-server

Revisions pulled up:
- x11/modular-xorg-server/Makefile              1.30 via patch
- x11/modular-xorg-server/distinfo              1.21
- x11/modular-xorg-server/patches/patch-ac      1.3
- x11/modular-xorg-server/patches/patch-ae      1.5
- x11/modular-xorg-server/patches/patch-da      delete
- x11/modular-xorg-server/patches/patch-ed      1.2
- x11/modular-xorg-server/patches/patch-ef      1.2
---
    Module Name:    pkgsrc
    Committed By:   joerg
    Date:           Fri Jun 20 13:34:40 UTC 2008

    Modified Files:
        pkgsrc/x11/modular-xorg-server: Makefile distinfo
        pkgsrc/x11/modular-xorg-server/patches: patch-ed patch-ef
    Added Files:
        pkgsrc/x11/modular-xorg-server/patches: patch-ac patch-ae
    Removed Files:
        pkgsrc/x11/modular-xorg-server/patches: patch-da

    Log Message:
    modular-xorg-server-1.3.0.0nb9:
    Fix CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361 and
    CVE-2008-2362 based on upstream patches.

diffstat:

 x11/modular-xorg-server/Makefile         |   4 +-
 x11/modular-xorg-server/distinfo         |   9 ++--
 x11/modular-xorg-server/patches/patch-ac |  34 +++++++++++++++++
 x11/modular-xorg-server/patches/patch-ae |  63 ++++++++++++++++++++++++++++++++
 x11/modular-xorg-server/patches/patch-da |  13 ------
 x11/modular-xorg-server/patches/patch-ed |  29 +++++++++++++-
 x11/modular-xorg-server/patches/patch-ef |  39 +++++++++++++++++--
 7 files changed, 164 insertions(+), 27 deletions(-)

diffs (286 lines):

diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/Makefile
--- a/x11/modular-xorg-server/Makefile  Tue Jun 24 12:52:01 2008 +0000
+++ b/x11/modular-xorg-server/Makefile  Wed Jun 25 10:20:58 2008 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.27 2008/03/29 17:54:40 wiz Exp $
+# $NetBSD: Makefile,v 1.27.2.1 2008/06/25 10:20:58 tron Exp $
 
 DISTNAME=      xorg-server-1.3.0.0
 PKGNAME=       modular-${DISTNAME}
-PKGREVISION=   7
+PKGREVISION=   9
 CATEGORIES=    x11
 MASTER_SITES=  http://xorg.freedesktop.org/releases/individual/xserver/
 EXTRACT_SUFX=  .tar.bz2
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/distinfo
--- a/x11/modular-xorg-server/distinfo  Tue Jun 24 12:52:01 2008 +0000
+++ b/x11/modular-xorg-server/distinfo  Wed Jun 25 10:20:58 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: distinfo,v 1.20.2.1 2008/06/25 10:20:58 tron Exp $
 
 SHA1 (MesaLib-6.5.2.tar.bz2) = ba860bb6ee57c02202342dfd5927464a068ea18f
 RMD160 (MesaLib-6.5.2.tar.bz2) = 9a92d69110c066ae6734bcaafb78f222ac2df6d3
@@ -8,12 +8,13 @@
 Size (xorg-server-1.3.0.0.tar.bz2) = 5968263 bytes
 SHA1 (patch-aa) = f72780165c9ecd3e9ab31d03c1b2d777290d09e2
 SHA1 (patch-ab) = d99c045eff730b3fbdc92938faaa75b653640c58
+SHA1 (patch-ac) = 06b26c3f0658bc323363ec860063b7ffc636ac2e
 SHA1 (patch-ad) = 752235269f10daade0bf60665cccde39d1583064
+SHA1 (patch-ae) = 53ce49bec7674be40b93de33bd8ec01942e18c9c
 SHA1 (patch-af) = 6c58872798a30b31154dd7b167c84bf20ac417be
 SHA1 (patch-ag) = 222427db3e1bdbf977e992aa91aae5f16992345a
 SHA1 (patch-ah) = 23767542ea672d590050e258317c0352bb321810
 SHA1 (patch-aj) = 7a538538a04ff466595527b7a65a196fc06a625e
-SHA1 (patch-da) = 73faacda1088304025c5e05f3d58edaf9ae1145f
 SHA1 (patch-db) = 28913a094c8499536a71c8d4d7ca57a5efb25b39
 SHA1 (patch-dc) = 75df6f37b1cbc9574adb5ee66cb84d0f5ebac853
 SHA1 (patch-dd) = cfb7c9d470098b0fcfcddbe9a1363a14f762fe19
@@ -21,8 +22,8 @@
 SHA1 (patch-ea) = 435ac0e1795c68fa6e125deceb4624564f7ce0dd
 SHA1 (patch-eb) = 925a8a7e7880e545feac439850372548d04e8f87
 SHA1 (patch-ec) = 86959d152174cbc8a03dbe6bde32545b824bfd74
-SHA1 (patch-ed) = dfe8f08c0e061c572e0299cba020da20519b87c2
-SHA1 (patch-ef) = 94cd889105a416f9d72adbc247d00b568207a02f
+SHA1 (patch-ed) = 875ee1f03e94e709d878ccbbfc8f9a3ce924eac5
+SHA1 (patch-ef) = 9edb141038c08417a0f06395e4cdff0de9e9fdcf
 SHA1 (patch-eg) = 6953b53d41af088b855d22c6459aa1eefd0d25eb
 SHA1 (patch-eh) = 5e1dbbf82c01bc340d1ef4029cd5352b9fcf775e
 SHA1 (patch-ei) = 893b23b9e67ad640d984c962b93b5db639a780b3
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/modular-xorg-server/patches/patch-ac  Wed Jun 25 10:20:58 2008 +0000
@@ -0,0 +1,34 @@
+$NetBSD: patch-ac,v 1.2.10.1 2008/06/25 10:20:58 tron Exp $
+
+CVE-2008-2360
+
+--- render/glyph.c.orig        2006-09-18 08:04:18.000000000 +0200
++++ render/glyph.c
+@@ -42,6 +42,12 @@
+ #include "picturestr.h"
+ #include "glyphstr.h"
+ 
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /*
+  * From Knuth -- a good choice for hash/rehash values is p, p-2 where
+  * p and p-2 are both prime.  These tables are sized to have an extra 10%
+@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdept
+     int                    size;
+     GlyphPtr       glyph;
+     int                    i;
+-
+-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
++    size_t         padded_width;
++    
++    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
++    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
++      return 0;
++    size = gi->height * padded_width;
+     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
+     if (!glyph)
+       return 0;
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/modular-xorg-server/patches/patch-ae  Wed Jun 25 10:20:58 2008 +0000
@@ -0,0 +1,63 @@
+$NetBSD: patch-ae,v 1.4.6.1 2008/06/25 10:20:58 tron Exp $
+
+CVE-2008-1377
+
+--- record/record.c.orig       2006-09-18 08:04:18.000000000 +0200
++++ record/record.c
+@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client
+ } /* SProcRecordQueryVersion */
+ 
+ 
+-static void
++static int
+ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ {
+     register char n;
+@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClient
+     swapl(&stuff->nClients, n);
+     swapl(&stuff->nRanges, n);
+     pClientID = (XID *)&stuff[1];
++    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
++      return BadLength;
+     for (i = 0; i < stuff->nClients; i++, pClientID++)
+     {
+       swapl(pClientID, n);
+     }
++    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
++      - stuff->nClients)
++      return BadLength;
+     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
++    return Success;
+ } /* SwapCreateRegister */
+ 
+ 
+@@ -2679,11 +2685,13 @@ static int
+ SProcRecordCreateContext(ClientPtr client)
+ {
+     REQUEST(xRecordCreateContextReq);
++    int                       status;
+     register char     n;
+ 
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+-    SwapCreateRegister((pointer)stuff);
++    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++      return status;
+     return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+ 
+@@ -2692,11 +2700,13 @@ static int
+ SProcRecordRegisterClients(ClientPtr client)
+ {
+     REQUEST(xRecordRegisterClientsReq);
++    int                       status;
+     register char     n;
+ 
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+-    SwapCreateRegister((pointer)stuff);
++    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++      return status;
+     return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+ 
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/patches/patch-da
--- a/x11/modular-xorg-server/patches/patch-da  Tue Jun 24 12:52:01 2008 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,13 +0,0 @@
-$NetBSD: patch-da,v 1.1 2007/02/05 23:08:36 joerg Exp $
-
---- Xext/shm.c.orig    2007-02-05 20:58:14.000000000 +0000
-+++ Xext/shm.c
-@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi
- }
- 
- 
--#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__)
-+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__)
- #include <sys/signal.h>
- 
- static Bool badSysCall = FALSE;
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/patches/patch-ed
--- a/x11/modular-xorg-server/patches/patch-ed  Tue Jun 24 12:52:01 2008 +0000
+++ b/x11/modular-xorg-server/patches/patch-ed  Wed Jun 25 10:20:58 2008 +0000
@@ -1,8 +1,31 @@
-$NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: patch-ed,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $
 
 --- Xext/security.c.orig       2006-11-16 18:39:03.000000000 +0100
 +++ Xext/security.c
-@@ -1567,9 +1567,9 @@ SecurityLoadPropertyAccessList(void)
+@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
+     register char     n;
+     CARD32 *values;
+     unsigned long nvalues;
++    int values_offset;
+ 
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
+     swaps(&stuff->nbytesAuthProto, n);
+     swaps(&stuff->nbytesAuthData, n);
+     swapl(&stuff->valueMask, n);
+-    values = (CARD32 *)(&stuff[1]) +
+-      ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+-      ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
++                  ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++    if (values_offset > 
++      stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
++      return BadLength;
++    values = (CARD32 *)(&stuff[1]) + values_offset;
+     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
+     SwapLongs(values, nvalues);
+     return ProcSecurityGenerateAuthorization(client);
+@@ -1567,9 +1571,9 @@ SecurityLoadPropertyAccessList(void)
        return;
  
  #ifndef __UNIXOS2__
@@ -14,7 +37,7 @@
  #endif    
      if (!f)
      {
-@@ -1653,7 +1653,7 @@ SecurityLoadPropertyAccessList(void)
+@@ -1653,7 +1657,7 @@ SecurityLoadPropertyAccessList(void)
      }
  #endif /* PROPDEBUG */
  
diff -r 6a015e4c9689 -r 1777ad5f0dcc x11/modular-xorg-server/patches/patch-ef
--- a/x11/modular-xorg-server/patches/patch-ef  Tue Jun 24 12:52:01 2008 +0000
+++ b/x11/modular-xorg-server/patches/patch-ef  Wed Jun 25 10:20:58 2008 +0000
@@ -1,7 +1,16 @@
-$NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $
+$NetBSD: patch-ef,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $
 
---- Xext/shm.c.orig    2008-02-25 15:43:05.000000000 +0100
+--- Xext/shm.c.orig    2008-06-20 14:39:43.000000000 +0200
 +++ Xext/shm.c
+@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi
+ }
+ 
+ 
+-#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__)
++#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__)
+ #include <sys/signal.h>
+ 
+ static Bool badSysCall = FALSE;
 @@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap(
      int i, j, result;
      ShmDescPtr shmdesc;
@@ -50,7 +59,27 @@
  
      if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
        return BadAlloc;
-@@ -1047,6 +1062,8 @@ ProcShmCreatePixmap(client)
+@@ -841,8 +856,17 @@ ProcShmPutImage(client)
+         return BadValue;
+     }
+ 
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+-                 client);
++    /* 
++     * There's a potential integer overflow in this check:
++     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
++     *                client);
++     * the version below ought to avoid it
++     */
++    if (stuff->totalHeight != 0 && 
++      length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
++      client->errorValue = stuff->totalWidth;
++      return BadValue;
++    }
+     if (stuff->srcX > stuff->totalWidth)
+     {
+       client->errorValue = stuff->srcX;
+@@ -1047,6 +1071,8 @@ ProcShmCreatePixmap(client)
      register int i;
      ShmDescPtr shmdesc;
      REQUEST(xShmCreatePixmapReq);
@@ -59,7 +88,7 @@
  
      REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
      client->errorValue = stuff->pid;
-@@ -1055,11 +1072,26 @@ ProcShmCreatePixmap(client)
+@@ -1055,11 +1081,26 @@ ProcShmCreatePixmap(client)
      LEGAL_NEW_RESOURCE(stuff->pid, client);
      VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
      VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -87,7 +116,7 @@
      if (stuff->depth != 1)
      {
          pDepth = pDraw->pScreen->allowedDepths;
-@@ -1070,9 +1102,7 @@ ProcShmCreatePixmap(client)
+@@ -1070,9 +1111,7 @@ ProcShmCreatePixmap(client)
          return BadValue;
      }
  CreatePmap:



Home | Main Index | Thread Index | Old Index