debian/changelog | 25 +++++++++-- debian/patches/avoid-use-after-free.diff | 70 ------------------------------- debian/patches/series | 1 debian/rules | 2 dix/dixfonts.c | 5 ++ glx/glxdricommon.c | 24 +++++++++- 6 files changed, 50 insertions(+), 77 deletions(-)
New commits:
commit 66bd387d06798676121675547f0610ae19712098
Author: Maarten Lankhorst <maarten.lankho...@canonical.com>
Date: Mon Nov 25 16:27:17 2013 +0100
Merge released debian-unstable to fix mesa-10 loading. Drop avoid-use-after-free.diff, upstreamed.
diff --git a/debian/changelog b/debian/changelog
index f4774c3..56d263d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xorg-server (2:1.14.3-5ubuntu1) trusty; urgency=low
+
+ * Merge released debian-unstable to fix mesa-10 loading.
+ * Drop avoid-use-after-free.diff, upstreamed.
+
+ -- Maarten Lankhorst <maarten.lankho...@ubuntu.com> Mon, 25 Nov 2013 16:17:49 +0100
+
 xorg-server (2:1.14.3-5) unstable; urgency=low
 
 * Cherry-pick a upstream commit to fix mesa-10 driver loading.
diff --git a/debian/patches/avoid-use-after-free.diff b/debian/patches/avoid-use-after-free.diff
deleted file mode 100644
index 86d8fc2..0000000
--- a/debian/patches/avoid-use-after-free.diff
+++ /dev/null
@@ -1,70 +0,0 @@
-commit 3afbfc4913db988b29f9aa6879b7501321e448d4
-Author: Alan Coopersmith <alan.coopersm...@oracle.com>
-Date: Mon Sep 16 21:47:16 2013 -0700
-
- Avoid use-after-free in dix/dixfonts.c: doImageText()
-
- Save a pointer to the passed in closure structure before copying it
- and overwriting the *c pointer to point to our copy instead of the
- original. If we hit an error, once we free(c), reset c to point to
- the original structure before jumping to the cleanup code that
- references *c.
-
- Since one of the errors being checked for is whether the server was
- able to malloc(c->nChars * itemSize), the client can potentially pass
- a number of characters chosen to cause the malloc to fail and the
- error path to be taken, resulting in the read from freed memory.
-
- Since the memory is accessed almost immediately afterwards, and the
- X server is mostly single threaded, the odds of the free memory having
- invalid contents are low with most malloc implementations when not using
- memory debugging features, but some allocators will definitely overwrite
- the memory there, leading to a likely crash.
-
- Reported-by: Pedro Ribeiro <ped...@gmail.com>
- Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
- Reviewed-by: Julien Cristau <jcris...@debian.org>
-
-diff --git a/dix/dixfonts.c b/dix/dixfonts.c
-index feb765d..2e34d37 100644
---- a/dix/dixfonts.c
-+++ b/dix/dixfonts.c
-@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- GC *pGC;
- unsigned char *data;
- ITclosurePtr new_closure;
-+ ITclosurePtr old_closure;
-
- /* We're putting the client to sleep. We need to
- save some state. Similar problem to that handled
-@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
- err = BadAlloc;
- goto bail;
- }
-+ old_closure = c;
- *new_closure = *c;
- c = new_closure;
-
- data = malloc(c->nChars * itemSize);
- if (!data) {
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- if (!pGC) {
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- FreeScratchGC(pGC);
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
diff --git a/debian/patches/series b/debian/patches/series
index ee8ffeb..81f7267 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -61,5 +61,4 @@ glx-corner-case-drawablegone.patch
 glx-link-against-glapi.patch
 aarch64.patch
 xmir.patch
-avoid-use-after-free.diff
 pixman-validate.patch
commit 1c3bc9b0de7059b54592ed0b7497ae3cf3fe5eb9
Author: Maarten Lankhorst <maarten.lankho...@canonical.com>
Date: Mon Nov 25 14:53:02 2013 +0100
release to unstable
diff --git a/debian/changelog b/debian/changelog
index ab35c44..eb503f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,8 @@
-xorg-server (2:1.14.3-5) UNRELEASED; urgency=low
+xorg-server (2:1.14.3-5) unstable; urgency=low
 
 * Cherry-pick a upstream commit to fix mesa-10 driver loading.
 
- -- Maarten Lankhorst <maarten.lankho...@ubuntu.com> Mon, 25 Nov 2013 12:30:11 +0100
+ -- Maarten Lankhorst <maarten.lankho...@ubuntu.com> Mon, 25 Nov 2013 14:52:54 +0100
 
 xorg-server (2:1.14.3-4) unstable; urgency=high
 
commit 3ac959c25cb50a11d9249c5afedfec1c99cc4d91
Author: Maarten Lankhorst <maarten.lankho...@canonical.com>
Date: Mon Nov 25 14:52:48 2013 +0100
Cherry-pick a upstream commit to fix mesa-10 driver loading.
diff --git a/debian/changelog b/debian/changelog
index 7492008..ab35c44 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xorg-server (2:1.14.3-5) UNRELEASED; urgency=low
+
+ * Cherry-pick a upstream commit to fix mesa-10 driver loading.
+
+ -- Maarten Lankhorst <maarten.lankho...@ubuntu.com> Mon, 25 Nov 2013 12:30:11 +0100
+
 xorg-server (2:1.14.3-4) unstable; urgency=high
 
 [ Timo Aaltonen ]
commit f91d0780f402caeed1f7a391dab2d5a98f3a545f
Author: Eric Anholt <e...@anholt.net>
Date: Tue Oct 22 14:22:04 2013 -0700
glx: Add support for the new DRI loader entrypoint.
This is going to be exposed (and not the old entrypoint) for some DRI drivers once the megadrivers series lands, and the plan is to eventually transition all drivers to that. Hopefully this is unobtrusive enough to merge to stable X servers so that they can be compatible with new Mesa versions.
v2: typo fix in the comment
Signed-off-by: Eric Anholt <e...@anholt.net>
Reviewed-by: Adam Jackson <a...@redhat.com>
Signed-off-by: Keith Packard <kei...@keithp.com>
(cherry picked from commit 7ecfab47eb221dbb996ea6c033348b8eceaeb893)
diff --git a/glx/glxdricommon.c b/glx/glxdricommon.c
index c90f380..5686c5f 100644
--- a/glx/glxdricommon.c
+++ b/glx/glxdricommon.c
@@ -209,6 +209,14 @@ glxConvertConfigs(const __DRIcoreExtension * core,
 
 static const char dri_driver_path[] = DRI_DRIVER_PATH;
 
+/* Temporary define to allow building without a dri_interface.h from
+ * updated Mesa. Some day when we don't care about Mesa that old any
+ * more this can be removed.
+ */
+#ifndef __DRI_DRIVER_GET_EXTENSIONS
+#define __DRI_DRIVER_GET_EXTENSIONS "__driDriverGetExtensions"
+#endif
+
 void *
 glxProbeDriver(const char *driverName,
 void **coreExt, const char *coreName, int coreVersion,
@@ -217,7 +225,8 @@ glxProbeDriver(const char *driverName,
 int i;
 void *driver;
 char filename[PATH_MAX];
- const __DRIextension **extensions;
+ char *get_extensions_name;
+ const __DRIextension **extensions = NULL;
 
 snprintf(filename, sizeof filename, "%s/%s_dri.so",
 dri_driver_path, driverName);
@@ -229,7 +238,18 @@ glxProbeDriver(const char *driverName,
 goto cleanup_failure;
 }
 
- extensions = dlsym(driver, __DRI_DRIVER_EXTENSIONS);
+ if (asprintf(&get_extensions_name, "%s_%s",
+ __DRI_DRIVER_GET_EXTENSIONS, driverName) != -1) {
+ const __DRIextension **(*get_extensions)(void);
+
+ get_extensions = dlsym(driver, get_extensions_name);
+ if (get_extensions)
+ extensions = get_extensions();
+ free(get_extensions_name);
+ }
+
+ if (!extensions)
+ extensions = dlsym(driver, __DRI_DRIVER_EXTENSIONS);
 if (extensions == NULL) {
 LogMessage(X_ERROR, "AIGLX error: %s exports no extensions (%s)\n",
 driverName, dlerror());
commit f1ddfa9389bbdb0f80b4668e5d28b15a354c6cf5
Author: Maarten Lankhorst <maarten.lankho...@canonical.com>
Date: Wed Oct 23 09:42:06 2013 +0200
add warning that xorg-server version needs to be bumped on minor abi changes too
diff --git a/debian/rules b/debian/rules
index 9933dc8..1b1a7b5 100755
--- a/debian/rules
+++ b/debian/rules
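Review bot: The error message at the end of the third hunk can now point at the wrong cause: when the per-driver `get_extensions` symbol is found but the function returns NULL, the code silently falls through to the legacy `__DRI_DRIVER_EXTENSIONS` lookup, and the `dlerror()` that is logged then describes the missing legacy symbol rather than the entrypoint that actually answered. Logging that case separately inside the `if (get_extensions)` branch, e.g. `if (!extensions) LogMessage(X_WARNING, "AIGLX: %s: %s returned no extensions\n", driverName, get_extensions_name);` before `free(get_extensions_name)`, keeps the diagnostic truthful; an `asprintf` failure likewise skips the new entrypoint without a trace, which is acceptable only because the legacy lookup still runs. The new code is also the first place in this function that converts a `dlsym()` result to a function pointer, which ISO C leaves unspecified and POSIX guarantees, so a one-line comment such as `/* void * -> function pointer is well-defined for dlsym() under POSIX */` would pre-empt the usual -pedantic question. glxProbeDriver() and its `cleanup_failure` label continue outside the hunk.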
@@ -296,6 +296,8 @@ abibumpcheck: debian/serverminver
 # Compare both files:
 @if ! cmp --quiet $(SERVERMINVER) $(SERVERMINVER).new; then \
 echo "serverminver bump required, ABI changed!";\
+ echo "When bumping major or minor, always bump required xorg-server minimum";\
+ echo "version too, the newly built drivers are not backwards compatible!";\
 diff -u $(SERVERMINVER) $(SERVERMINVER).new; \
 exit 1; \
 else \
commit b97d59cfaf10c4363cc709881e353e695d207dd9
Author: Julien Cristau <jcris...@debian.org>
Date: Sat Oct 5 15:58:03 2013 +0200
Upload to unstable
diff --git a/debian/changelog b/debian/changelog
index 15ec5ee..7492008 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,14 @@
-xorg-server (2:1.14.3-4) UNRELEASED; urgency=low
+xorg-server (2:1.14.3-4) unstable; urgency=high
 
+ [ Timo Aaltonen ]
 * rules: Drop defoma support from the font path. (Closes: #689233,
 LP: #986061)
 
- -- Timo Aaltonen <tjaal...@ubuntu.com> Wed, 25 Sep 2013 15:53:06 +0300
+ [ Julien Cristau ]
+ * Avoid use-after-free in dix/dixfonts.c: doImageText(). Addresses
+ CVE-2013-4396.
+
+ -- Julien Cristau <jcris...@debian.org> Sat, 05 Oct 2013 15:57:55 +0200
 
 xorg-server (2:1.14.3-3) unstable; urgency=low
 
commit 3afbfc4913db988b29f9aa6879b7501321e448d4
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Mon Sep 16 21:47:16 2013 -0700
Avoid use-after-free in dix/dixfonts.c: doImageText()
Save a pointer to the passed in closure structure before copying it and overwriting the *c pointer to point to our copy instead of the original. If we hit an error, once we free(c), reset c to point to the original structure before jumping to the cleanup code that references *c.
Since one of the errors being checked for is whether the server was able to malloc(c->nChars * itemSize), the client can potentially pass a number of characters chosen to cause the malloc to fail and the error path to be taken, resulting in the read from freed memory.
Since the memory is accessed almost immediately afterwards, and the X server is mostly single threaded, the odds of the free memory having invalid contents are low with most malloc implementations when not using memory debugging features, but some allocators will definitely overwrite the memory there, leading to a likely crash.
Reported-by: Pedro Ribeiro <ped...@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
Reviewed-by: Julien Cristau <jcris...@debian.org>
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index feb765d..2e34d37 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
 GC *pGC;
 unsigned char *data;
 ITclosurePtr new_closure;
+ ITclosurePtr old_closure;
 
 /* We're putting the client to sleep. We need to
 save some state. Similar problem to that handled
@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
 err = BadAlloc;
 goto bail;
 }
+ old_closure = c;
 *new_closure = *c;
 c = new_closure;
 
 data = malloc(c->nChars * itemSize);
 if (!data) {
 free(c);
+ c = old_closure;
 err = BadAlloc;
 goto bail;
 }
@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
 if (!pGC) {
 free(c->data);
 free(c);
+ c = old_closure;
 err = BadAlloc;
 goto bail;
 }
@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
 FreeScratchGC(pGC);
 free(c->data);
 free(c);
+ c = old_closure;
 err = BadAlloc;
 goto bail;
 }
-- 
To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1vky5z-0002yq...@moszumanska.debian.org
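Review bot: The restore of `c` after `free(c)` is correct on all three error paths shown, but it is the same four-line sequence repeated three times, and any error path added later between `c = new_closure;` and `bail` that forgets the `c = old_closure;` line reintroduces the read of freed memory this commit fixes (the CVE-2013-4396 entry earlier in this mail refers to it). A shape that cannot regress is to keep `c` pointing at the caller's closure until every allocation has succeeded — fill `new_closure->data` and the GC through `new_closure` and only then do `c = new_closure;` — so there is nothing to undo on failure; this assumes the assignments between the hunks go through `c`, which is not visible here. Whichever shape is kept, a comment on the `old_closure = c;` line would tell the next reader why the pointer is saved: `/* bail: dereferences c, so point it back at the caller's closure before freeing our copy */`. doImageText()'s beginning and its `bail:` label are outside the hunk.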