diff options
| author | root <root@rshg054.dnsready.net> | 2013-11-02 01:12:34 -0700 |
|---|---|---|
| committer | root <root@rshg054.dnsready.net> | 2013-11-02 01:12:34 -0700 |
| commit | eb9cc495e6d7c131c76f9abc178ac65f1e20fab1 (patch) | |
| tree | 2666e8ff27419292a76d9f521c1a67dde999b26a /extra/xorg-server | |
| parent | 22f873a6e3ac2c585a28a1ab2561eaea9765cdc6 (diff) | |
Sat Nov 2 01:09:32 PDT 2013
Diffstat (limited to 'extra/xorg-server')
| -rw-r--r-- | extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch | 76 | ||||
| -rw-r--r-- | extra/xorg-server/PKGBUILD | 26 |
2 files changed, 5 insertions, 97 deletions
diff --git a/extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch b/extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch deleted file mode 100644 index b550bcedd..000000000 --- a/extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Mon, 16 Sep 2013 21:47:16 -0700 -Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText() - [CVE-2013-4396] - -Save a pointer to the passed in closure structure before copying it -and overwriting the *c pointer to point to our copy instead of the -original. If we hit an error, once we free(c), reset c to point to -the original structure before jumping to the cleanup code that -references *c. - -Since one of the errors being checked for is whether the server was -able to malloc(c->nChars * itemSize), the client can potentially pass -a number of characters chosen to cause the malloc to fail and the -error path to be taken, resulting in the read from freed memory. - -Since the memory is accessed almost immediately afterwards, and the -X server is mostly single threaded, the odds of the free memory having -invalid contents are low with most malloc implementations when not using -memory debugging features, but some allocators will definitely overwrite -the memory there, leading to a likely crash. - -Reported-by: Pedro Ribeiro <pedrib@gmail.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Julien Cristau <jcristau@debian.org> ---- - dix/dixfonts.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/dix/dixfonts.c b/dix/dixfonts.c -index feb765d..2e34d37 100644 ---- a/dix/dixfonts.c -+++ b/dix/dixfonts.c -@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c) - GC *pGC; - unsigned char *data; - ITclosurePtr new_closure; -+ ITclosurePtr old_closure; - - /* We're putting the client to sleep. We need to - save some state. Similar problem to that handled -@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c) - err = BadAlloc; - goto bail; - } -+ old_closure = c; - *new_closure = *c; - c = new_closure; - - data = malloc(c->nChars * itemSize); - if (!data) { - free(c); -+ c = old_closure; - err = BadAlloc; - goto bail; - } -@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c) - if (!pGC) { - free(c->data); - free(c); -+ c = old_closure; - err = BadAlloc; - goto bail; - } -@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c) - FreeScratchGC(pGC); - free(c->data); - free(c); -+ c = old_closure; - err = BadAlloc; - goto bail; - } --- -1.7.9.2 - diff --git a/extra/xorg-server/PKGBUILD b/extra/xorg-server/PKGBUILD index 2aa9e1767..d8a71d32d 100644 --- a/extra/xorg-server/PKGBUILD +++ b/extra/xorg-server/PKGBUILD @@ -1,11 +1,11 @@ -# $Id: PKGBUILD 198583 2013-10-30 15:46:13Z allan $ +# $Id: PKGBUILD 198667 2013-11-01 16:16:16Z andyrtr $ # Maintainer: AndyRTR <andyrtr@archlinux.org> # Maintainer: Jan de Groot <jgc@archlinux.org> pkgbase=xorg-server pkgname=('xorg-server' 'xorg-server-xephyr' 'xorg-server-xdmx' 'xorg-server-xvfb' 'xorg-server-xnest' 'xorg-server-common' 'xorg-server-devel') -pkgver=1.14.3 -pkgrel=2 +pkgver=1.14.4 +pkgrel=1 arch=('i686' 'x86_64') license=('custom') url="http://xorg.freedesktop.org" @@ -22,9 +22,8 @@ source=(${url}/releases/individual/xserver/${pkgbase}-${pkgver}.tar.bz2 xvfb-run xvfb-run.1 10-quirks.conf - fb-rename-wfbDestroyGlyphCache.patch - 0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch) -sha256sums=('02125ae13a443dcbb55f964d5c37f1da2f58ad54c2102356037bec23c1b84f5e' + fb-rename-wfbDestroyGlyphCache.patch) +sha256sums=('608ccfaafb845f6e559884a30f946d365209172416710d687b190e9e1ff65dc3' '66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162' 'd027776fac1f7675b0a9ee817502290b1c45f9c09b0f0a6bb058c35f92361e84' 'e033f9bcc21980f7f0428e6ed6c362a3d55ad293b05fd6e6c6c1933b86f9e63a' @@ -54,10 +53,6 @@ prepare() { # http://cgit.freedesktop.org/xorg/xserver/commit/fb/wfbrename.h?id=5047810a4c20fab444b8c6eb146c55dcdb0d4219 patch -Np1 -i ../fb-rename-wfbDestroyGlyphCache.patch - - # CVE-2013-4396: Use after free in Xserver handling of ImageText requests - # (to be included in xorg-server 1.15.0 and 1.14.4) - patch -Np1 -i ../0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch } build() { @@ -223,14 +218,3 @@ package_xorg-server-devel() { install -m755 -d "${pkgdir}/usr/share/licenses/xorg-server-devel" ln -sf ../xorg-server-common/COPYING "${pkgdir}/usr/share/licenses/xorg-server-devel/COPYING" } -sha256sums=('02125ae13a443dcbb55f964d5c37f1da2f58ad54c2102356037bec23c1b84f5e' - '66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162' - 'd027776fac1f7675b0a9ee817502290b1c45f9c09b0f0a6bb058c35f92361e84' - 'e033f9bcc21980f7f0428e6ed6c362a3d55ad293b05fd6e6c6c1933b86f9e63a' - '26ee6ff255a60d7c1e136c612925eb63c86e85a4a3a55d531852ad9275526588' - 'bb63658d250c21bbfaf94c5417f2920ce5963ee1f7db6cac2b163a54f2e9b619' - 'ff0156309470fc1d378fd2e104338020a884295e285972cc88e250e031cc35b9' - '2460adccd3362fefd4cdc5f1c70f332d7b578091fb9167bf88b5f91265bbd776' - '94612f5c0d34a3b7152915c2e285c7b462e9d8e38d3539bd551a339498eac166' - 'd0832cc16b5e6c1dee2959055a4b327f5c87e2a67b5f427d654663057207b2c1' - '2b90ce92a900b6d4edda9ef33acdd3d2c2708fec2344175c2d8dfd4265f56d32') |