diff options
author | Michał Masłowski <mtjm@mtjm.eu> | 2013-07-04 19:48:31 +0200 |
---|---|---|
committer | Michał Masłowski <mtjm@mtjm.eu> | 2013-07-04 19:48:31 +0200 |
commit | ee9c1a601c6ce156c295e4a4608ad50535192954 (patch) | |
tree | 49757b312b758e793ffd8bfedd2d6665cd0b3e29 /extra/mesa/CVE-2013-1993.patch | |
parent | 2690b2e42de85dbcbca602f3299ae4404918e94d (diff) | |
parent | e9eb2503b10fe4c4aefbee39226c8962d72d58bd (diff) |
Merge branch 'master' of ssh://parabolagnulinux.org:1863/home/parabola/abslibre-pre-mips64el
Conflicts:
community/bitcoin/PKGBUILD
community/calc/PKGBUILD
community/fcitx/PKGBUILD
community/gloobus-preview/PKGBUILD
community/linux-tools/PKGBUILD
community/smc/PKGBUILD
extra/elfutils/PKGBUILD
extra/freenx/PKGBUILD
extra/gnome-alsamixer/PKGBUILD
extra/gvfs/PKGBUILD
extra/kdenetwork/PKGBUILD
extra/kdepim/PKGBUILD
extra/kdesdk-kate/PKGBUILD
extra/lcms2/PKGBUILD
extra/libmspack/PKGBUILD
extra/libtheora/PKGBUILD
extra/mesa/PKGBUILD
extra/nx-common/PKGBUILD
extra/opennx/PKGBUILD
extra/perl-tk/PKGBUILD
extra/qt4/PKGBUILD
extra/soprano/PKGBUILD
extra/wireshark/PKGBUILD
extra/xmlsec/PKGBUILD
extra/xorg-server/PKGBUILD
libre/audacious-plugins-libre/PKGBUILD
libre/ipsec-tools-libre/PKGBUILD
libre/tomoyo-tools-libre/PKGBUILD
pcr/amsynth/PKGBUILD
Diffstat (limited to 'extra/mesa/CVE-2013-1993.patch')
-rw-r--r-- | extra/mesa/CVE-2013-1993.patch | 82 |
1 files changed, 0 insertions, 82 deletions
diff --git a/extra/mesa/CVE-2013-1993.patch b/extra/mesa/CVE-2013-1993.patch deleted file mode 100644 index 00f723d35..000000000 --- a/extra/mesa/CVE-2013-1993.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 80ac3b279e776b3d9f45a209e52c5bd34ba7e7df Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 26 Apr 2013 23:31:58 +0000 -Subject: integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2] - -busIdStringLength is a CARD32 and needs to be bounds checked before adding -one to it to come up with the total size to allocate, to avoid integer -overflow leading to underallocation and writing data from the network past -the end of the allocated buffer. - -NOTE: This is a candidate for stable release branches. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Brian Paul <brianp@vmware.com> -(cherry picked from commit 2e5a268f18be30df15aed0b44b01a18a37fb5df4) ---- -diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c -index b1cdc9b..8f53bd7 100644 ---- a/src/glx/XF86dri.c -+++ b/src/glx/XF86dri.c -@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - #include <X11/extensions/Xext.h> - #include <X11/extensions/extutil.h> - #include "xf86dristr.h" -+#include <limits.h> - - static XExtensionInfo _xf86dri_info_data; - static XExtensionInfo *xf86dri_info = &_xf86dri_info_data; -@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA, - } - - if (rep.length) { -- if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) { -+ if (rep.busIdStringLength < INT_MAX) -+ *busIdString = calloc(rep.busIdStringLength + 1, 1); -+ else -+ *busIdString = NULL; -+ if (*busIdString == NULL) { - _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); - UnlockDisplay(dpy); - SyncHandle(); --- -cgit v0.9.0.2-2-gbebe -From 6de60ddf9ccac6f185d8f4e88ddfc63a94bd670f Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 26 Apr 2013 23:33:03 +0000 -Subject: integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2] - -clientDriverNameLength is a CARD32 and needs to be bounds checked before -adding one to it to come up with the total size to allocate, to avoid -integer overflow leading to underallocation and writing data from the -network past the end of the allocated buffer. - -NOTE: This is a candidate for stable release branches. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Brian Paul <brianp@vmware.com> -(cherry picked from commit 306f630e676eb901789dd09a0f30d7e7fa941ebe) ---- -diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c -index 8f53bd7..56e3557 100644 ---- a/src/glx/XF86dri.c -+++ b/src/glx/XF86dri.c -@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen, - *ddxDriverPatchVersion = rep.ddxDriverPatchVersion; - - if (rep.length) { -- if (! -- (*clientDriverName = -- calloc(rep.clientDriverNameLength + 1, 1))) { -+ if (rep.clientDriverNameLength < INT_MAX) -+ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1); -+ else -+ *clientDriverName = NULL; -+ if (*clientDriverName == NULL) { - _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); - UnlockDisplay(dpy); - SyncHandle(); --- -cgit v0.9.0.2-2-gbebe |