Re: Request for review: xorg-server 2:1.7.7-18+deb6u2 (CVE-2015-0255)

Mike Gabriel Wed, 22 Apr 2015 05:50:42 -0700

Hi again...

On  Mi 22 Apr 2015 14:31:40 CEST, Mike Gabriel wrote:

Debdiff is attached to this mail. The .dsc file can be obtained via [1].


and here comes the missing .debdiff...

Mike
--

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net

diff -u xorg-server-1.7.7/debian/changelog xorg-server-1.7.7/debian/changelog
--- xorg-server-1.7.7/debian/changelog
+++ xorg-server-1.7.7/debian/changelog
@@ -1,3 +1,12 @@
+xorg-server (2:1.7.7-18+deb6u2) squeeze-lts; urgency=high
+
+  * Non-maintainer upload by Debian LTS Team.
+  * debian/patches:
+    + Add 30-CVE-2015-0255.patch. Don't swap XkbSetGeometry data in the
+      input buffer, check strings length against request size (CVE-2015-0255).
+
+ -- Mike Gabriel <sunwea...@debian.org>  Wed, 22 Apr 2015 11:45:21 +0200
+
 xorg-server (2:1.7.7-18+deb6u1) squeeze-lts; urgency=high
 
   * Non-maintainer upload by the Debian LTS Team.
diff -u xorg-server-1.7.7/debian/patches/series 
xorg-server-1.7.7/debian/patches/series
--- xorg-server-1.7.7/debian/patches/series
+++ xorg-server-1.7.7/debian/patches/series
@@ -58,0 +59 @@
+30-CVE-2015-0255.patch
only in patch2:
unchanged:
--- xorg-server-1.7.7.orig/debian/patches/30-CVE-2015-0255.patch
+++ xorg-server-1.7.7/debian/patches/30-CVE-2015-0255.patch
@@ -0,0 +1,175 @@
+Description: fix information leak and denial of service in XkbSetGeometry
+Origin: backport, 
http://cgit.freedesktop.org/xorg/xserver/commit/?id=81c90dc8f0aae3b65730409b1b615b5fa7280ebd
+Origin: backport, 
http://cgit.freedesktop.org/xorg/xserver/commit/?id=20079c36cf7d377938ca5478447d8b9045cb7d43
+
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -4819,27 +4819,30 @@
+ 
+ /***====================================================================***/
+ 
+-static char *
+-_GetCountedString(char **wire_inout,Bool swap)
++static Status
++_GetCountedString(char **wire_inout,ClientPtr client, char **str)
+ {
+-char *        wire,*str;
+-CARD16        len,*plen;
++char    *wire,*next;
++CARD16        len;
+ 
+     wire= *wire_inout;
+-    plen= (CARD16 *)wire;
+-    if (swap) {
++    len = *(CARD16 *) wire;
++    if (client->swapped) {
+       register int n;
+-      swaps(plen,n);
+-    }
+-    len= *plen;
+-    str= xalloc(len+1);
+-    if (str) {
+-      memcpy(str,&wire[2],len);
+-      str[len]= '\0';
++      swaps(&len,n);
+     }
+-    wire+= XkbPaddedSize(len+2);
+-    *wire_inout= wire;
+-    return str;
++    next = wire + XkbPaddedSize(len + 2);
++    /* Check we're still within the size of the request */
++    if (client->req_len <
++      bytes_to_int32(next - (char *) client->requestBuffer))
++      return BadValue;
++    *str = malloc(len + 1);
++    if (!*str)
++      return BadAlloc;
++    memcpy(*str, &wire[2], len);
++    *(*str + len) = '\0';
++    *wire_inout = next;
++    return Success;
+ }
+ 
+ static Status
+@@ -4850,26 +4853,30 @@
+ {
+ char *                        wire;
+ xkbDoodadWireDesc *   dWire;
++xkbAnyDoodadWireDesc  any;
++xkbTextDoodadWireDesc text;
+ XkbDoodadPtr          doodad;
++Status                        status;
+ 
+     dWire= (xkbDoodadWireDesc *)(*wire_inout);
++    any = dWire->any;
+     wire= (char *)&dWire[1];
+     if (client->swapped) {
+       register int n;
+-      swapl(&dWire->any.name,n);
+-      swaps(&dWire->any.top,n);
+-      swaps(&dWire->any.left,n);
+-      swaps(&dWire->any.angle,n);
++      swapl(&any.name,n);
++      swaps(&any.top,n);
++      swaps(&any.left,n);
++      swaps(&any.angle,n);
+     }
+     CHK_ATOM_ONLY(dWire->any.name);
+-    doodad= XkbAddGeomDoodad(geom,section,dWire->any.name);
++    doodad= XkbAddGeomDoodad(geom,section,any.name);
+     if (!doodad)
+       return BadAlloc;
+     doodad->any.type= dWire->any.type;
+     doodad->any.priority= dWire->any.priority;
+-    doodad->any.top= dWire->any.top;
+-    doodad->any.left= dWire->any.left;
+-    doodad->any.angle= dWire->any.angle;
++    doodad->any.top= any.top;
++    doodad->any.left= any.left;
++    doodad->any.angle= any.angle;
+     switch (doodad->any.type) {
+       case XkbOutlineDoodad:
+       case XkbSolidDoodad:
+@@ -4892,16 +4899,23 @@
+                                                       dWire->text.colorNdx);
+               return BadMatch;
+           }
++          text = dWire->text;
+           if (client->swapped) {
+               register int n;
+-              swaps(&dWire->text.width,n);
+-              swaps(&dWire->text.height,n);
++              swaps(&text.width,n);
++              swaps(&text.height,n);
+           }
+-          doodad->text.width= dWire->text.width;
+-          doodad->text.height= dWire->text.height;
++          doodad->text.width= text.width;
++          doodad->text.height= text.height;
+           doodad->text.color_ndx= dWire->text.colorNdx;
+-          doodad->text.text= _GetCountedString(&wire,client->swapped);
+-          doodad->text.font= _GetCountedString(&wire,client->swapped);
++          status = _GetCountedString(&wire, client, &doodad->text.text);
++          if (status != Success)
++              return status;
++          status = _GetCountedString(&wire, client, &doodad->text.font);
++          if (status != Success) {
++              free (doodad->text.text);
++              return status;
++          }
+           break;
+       case XkbIndicatorDoodad:
+           if (dWire->indicator.onColorNdx>=geom->num_colors) {
+@@ -4936,7 +4950,9 @@
+           }
+           doodad->logo.color_ndx= dWire->logo.colorNdx;
+           doodad->logo.shape_ndx= dWire->logo.shapeNdx;
+-          doodad->logo.logo_name= _GetCountedString(&wire,client->swapped);
++          status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
++          if (status != Success)
++              return status;
+           break;
+       default:
+           client->errorValue= _XkbErrCode2(0x4F,dWire->any.type);
+@@ -5171,18 +5187,20 @@
+ char *                wire;
+ 
+     wire= (char *)&req[1];
+-    geom->label_font= _GetCountedString(&wire,client->swapped);
++    status = _GetCountedString(&wire, client, &geom->label_font);
++    if (status != Success)
++      return status;
+ 
+     for (i=0;i<req->nProperties;i++) {
+       char *name,*val;
+-      name= _GetCountedString(&wire,client->swapped);
+-        if (!name)
+-            return BadAlloc;
+-      val= _GetCountedString(&wire,client->swapped);
+-        if (!val) {
++      status = _GetCountedString(&wire, client, &name);
++      if (status != Success)
++            return status;
++      status = _GetCountedString(&wire, client, &val);
++      if (status != Success) {
+             xfree(name);
+-            return BadAlloc;
+-        }
++            return status;
++      }
+       if (XkbAddGeomProperty(geom,name,val)==NULL) {
+             xfree(name);
+             xfree(val);
+@@ -5212,9 +5230,9 @@
+ 
+     for (i=0;i<req->nColors;i++) {
+       char *name;
+-      name= _GetCountedString(&wire,client->swapped);
+-      if (!name)
+-            return BadAlloc;
++        status = _GetCountedString(&wire, client, &name);
++        if (status != Success)
++            return status;
+         if (!XkbAddGeomColor(geom,name,geom->num_colors)) {
+             xfree(name);
+           return BadAlloc;

pgp1_VKwTqiXO.pgp
Description: Digitale PGP-Signatur

Re: Request for review: xorg-server 2:1.7.7-18+deb6u2 (CVE-2015-0255)

Reply via email to