 configure.ac                     |    4 +-
 debian/changelog                 |   11 +++++-
 debian/patches/01_xfs_fixes.diff |   64 +++++++++++++++++++++------------------
 difs/dispatch.c                  |   13 +++++++
 difs/fontinfo.c                  |   19 +++++++++++
 xfs.man                          |   39 +++++++++++++++++++++--
 6 files changed, 115 insertions(+), 35 deletions(-)
New commits: commit cef29096503593e872be3abda0749847b13e9cc2 Author: David Nusinow <[EMAIL PROTECTED]> Date: Wed Oct 3 21:12:22 2007 -0400 * Fix up 01_xfs_fixes.diff. This one needs to go upstream yesterday. diff --git a/debian/changelog b/debian/changelog index 0a738da..e1e84b9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,8 +11,9 @@ xfs (1:1.0.5-1) unstable; urgency=high * New upstream release. High priority for security fixes. + fix for integer overflows in build_range(). CVE-4568 + Fix for heap overwrite in swap_char2b() CVE-2007-4568 + * Fix up 01_xfs_fixes.diff. This one needs to go upstream yesterday. - -- David Nusinow <[EMAIL PROTECTED]> Wed, 03 Oct 2007 20:26:51 -0400 + -- David Nusinow <[EMAIL PROTECTED]> Wed, 03 Oct 2007 21:11:50 -0400 xfs (1:1.0.4-2) unstable; urgency=high diff --git a/debian/patches/01_xfs_fixes.diff b/debian/patches/01_xfs_fixes.diff index a8ffb1f..10bbcc6 100644 --- a/debian/patches/01_xfs_fixes.diff +++ b/debian/patches/01_xfs_fixes.diff @@ -27,8 +27,8 @@ Not submitted upstream yet. Index: os/utils.c =================================================================== ---- os/utils.c.orig 2007-03-03 01:02:00.000000000 +0100 -+++ os/utils.c 2007-03-03 01:07:29.000000000 +0100 +--- os/utils.c.orig 2007-10-03 20:34:16.000000000 -0400 ++++ os/utils.c 2007-10-03 20:34:57.000000000 -0400 @@ -3,7 +3,7 @@ * misc os utilities */ @@ -278,9 +278,9 @@ Index: os/utils.c +} Index: xfs.man =================================================================== ---- xfs.man.orig 2007-03-03 01:02:00.000000000 +0100 -+++ xfs.man 2007-03-03 01:12:48.000000000 +0100 -@@ -37,206 +37,320 @@ +--- xfs.man.orig 2007-10-03 20:34:16.000000000 -0400 ++++ xfs.man 2007-10-03 21:07:48.000000000 -0400 +@@ -37,137 +37,236 @@ .\" suitability of this software for any purpose. It is provided "as is" .\" without express or implied warranty. .\" $Xorg: xfs.man,v 1.4 2001/02/09 02:05:42 xorgcvs Exp $ 
@@ -323,7 +323,7 @@ Index: xfs.man +.BI "\-user " username +] .SH DESCRIPTION -+.B xfs +++.B xfs +is the X Window System font server. +It supplies fonts to X Window System display servers. +The server is usually run by a system administrator, and started via @@ -509,8 +509,6 @@ Index: xfs.man -.\" Size in bytes of the font server cache. -.IP "catalogue (list of string)" -Ordered list of font path element names. --Use of the keyword "catalogue" is very misleading at present, --the current implementation only supports a single catalogue ("all"), +.TP +.BR alternate\-servers " (list of \fIstring\fPs)" +lists alternate servers for this font server. @@ -524,9 +522,10 @@ Index: xfs.man +.BR catalogue " (list of \fIstring\fPs)" +declares as ordered list of font path element names from which fonts will +be served. -+Use of the keyword \(oqcatalogue\(cq is very misleading at present: the -+current implementation only supports a single catalogue (\(oqall\(cq), - containing all of the specified fonts. + The current implementation only supports a single catalogue ("all") + containing all of the specified fonts. A special directory with + symlinks to font paths can be specified using a catalogue:<dir> + entry. See the CATALOGUE DIR section below for details. -.IP "alternate-servers (list of string)" -List of alternate servers for this font server. -.IP "client-limit (cardinal)" 
@@ -574,9 +573,22 @@ Index: xfs.man -.IP "error-file (string)" -Filename of the error file. All warnings and errors -will be logged here. --.IP "no-listen (trans-type)" --Disable a transport type. For example, TCP/IP connections can --be disabled with no-listen tcp ++.TP ++.BR deferglyphs " (\fIstring\fP)" ++sets the mode for delayed fetching and caching of glyphs. ++.I string ++should be one of \(oqnone\(cq, meaning glyphs deferment is disabled, ++\(oqall\(cq, meaning it is enabled for all fonts, and \(oq16\(cq, meaning ++it is enabled only for 16-bit fonts. ++.TP ++.BR error\-file " (\fIstring\fP)" ++indicates the filename of the error file. ++All warnings and errors will be logged here, unless ++.B use\-syslog ++is set to a true value (see below). + .IP "no-listen (trans-type)" + Disable a transport type. For example, TCP/IP connections can + be disabled with no-listen tcp -.IP "port (cardinal)" -TCP port on which the server will listen for connections. -.IP "use-syslog (boolean)" @@ -591,20 +603,6 @@ Index: xfs.man -.\" Those clients the fontserver will talk to. Others -.\" will be refused for the initial connection. An empty -.\" list means the server will talk to any client. --.SH "EXAMPLE" -+.TP -+.BR deferglyphs " (\fIstring\fP)" -+sets the mode for delayed fetching and caching of glyphs. -+.I string -+should be one of \(oqnone\(cq, meaning glyphs deferment is disabled, -+\(oqall\(cq, meaning it is enabled for all fonts, and \(oq16\(cq, meaning -+it is enabled only for 16-bit fonts. -+.TP -+.BR error\-file " (\fIstring\fP)" -+indicates the filename of the error file. -+All warnings and errors will be logged here, unless -+.B use\-syslog -+is set to a true value (see below). +.TP +.BR no\-listen " (\fItrans-type\fP)" +disables the specified transport type. 
@@ -625,6 +623,14 @@ Index: xfs.man +(on supported systems) instead of being written to the +.B error\-file +(see above). + .SH "CATALOGUE DIR" + You can specify a special kind of font path in the form \fBcatalogue:<dir>\fR. + The directory specified after the catalogue: prefix will be scanned for symlinks +@@ -200,76 +299,94 @@ + /usr/share/fonts/default/Type1, + /usr/share/fonts/default/ghostscript + .fi +-.SH "EXAMPLE" +.SS "Example Configuration File" .nf XCOMM @@ -746,7 +752,7 @@ Index: xfs.man +file. .SH BUGS Multiple catalogues should be supported. -+.SH "FUTURE DIRECTIONS" +++.SH "FUTURE DIRECTIONS" +Significant further development of +.B xfs +is unlikely. commit e3e7f5cace042a087269ba59edef1746ddbb2591 Author: David Nusinow <[EMAIL PROTECTED]> Date: Wed Oct 3 20:28:55 2007 -0400 * New upstream release. High priority for security fixes. + fix for integer overflows in build_range(). CVE-4568 + Fix for heap overwrite in swap_char2b() CVE-2007-4568 diff --git a/debian/changelog b/debian/changelog index 76d39cb..0a738da 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,12 +1,18 @@ -xfs (1:1.0.4-3) UNRELEASED; urgency=low +xfs (1:1.0.5-1) unstable; urgency=high + [ Brice Goglin ] * Restore and update the old xfs.options.5 manpage which got lost during the monolothic/modular transition. It might still help since the maintainer scripts still look at the corresponding config file. Closes: #364587. + Use dh_installman - -- Brice Goglin <[EMAIL PROTECTED]> Wed, 15 Aug 2007 12:19:31 +0200 + [ David Nusinow ] + * New upstream release. High priority for security fixes. + + fix for integer overflows in build_range(). CVE-4568 + + Fix for heap overwrite in swap_char2b() CVE-2007-4568 + + -- David Nusinow <[EMAIL PROTECTED]> Wed, 03 Oct 2007 20:26:51 -0400 xfs (1:1.0.4-2) unstable; urgency=high commit 0bd59b5938059c7ff5501b928ebe80ecea27f008 Author: Matthieu Herrb <[EMAIL PROTECTED]> Date: Mon Oct 1 21:55:52 2007 +0200 Bump to 1.0.5 
diff --git a/configure.ac b/configure.ac index 6924e10..a4ebb65 100644 --- a/configure.ac +++ b/configure.ac @@ -22,7 +22,7 @@ dnl dnl Process this file with autoconf to create configure. AC_PREREQ([2.57]) -AC_INIT(xfs,[1.0.4], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg],xfs) +AC_INIT(xfs,[1.0.5], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg],xfs) AM_INIT_AUTOMAKE([dist-bzip2]) AM_MAINTAINER_MODE commit ec3ca8fd4c599f41e6f977ce912805ac8ac74f32 Author: Matthieu Herrb <[EMAIL PROTECTED]> Date: Mon Oct 1 21:53:41 2007 +0200 Fix for heap overwrite in swap_char2b() CVE-2007-4568. diff --git a/difs/dispatch.c b/difs/dispatch.c index f1a0a85..9a6b87c 100644 --- a/difs/dispatch.c +++ b/difs/dispatch.c @@ -933,6 +933,13 @@ ProcQueryXExtents(ClientPtr client) } item_size = (stuff->reqType == FS_QueryXExtents8) ? 1 : 2; + if (stuff->num_ranges > + ((stuff->length << 2) - SIZEOF(fsQueryXExtents8Req))/item_size) { + int num_ranges = stuff->num_ranges; + SendErrToClient(client, FSBadLength, (pointer)&num_ranges); + return FSBadLength; + } + /* get the extents */ err = QueryExtents(client, cfp, item_size, stuff->num_ranges, stuff->range, @@ -969,6 +976,12 @@ ProcQueryXBitmaps(ClientPtr client) assert((stuff->reqType == FS_QueryXBitmaps8) || (stuff->reqType == FS_QueryXBitmaps16)); item_size = (stuff->reqType == FS_QueryXBitmaps8) ? 1 : 2; + if (stuff->num_ranges > + ((stuff->length << 2) - SIZEOF(fsQueryXBitmaps8Req))/item_size) { + int num_ranges = stuff->num_ranges; + SendErrToClient(client, FSBadLength, (pointer)&num_ranges); + return FSBadLength; + } /* get the glyphs */ err = QueryBitmaps(client, cfp, item_size, stuff->format, stuff->num_ranges, stuff->range, commit 380fb68316f13012ff7cb2ac4addc2626fa2dad0 Author: Matthieu Herrb <[EMAIL PROTECTED]> Date: Mon Oct 1 21:51:40 2007 +0200 fix for integer overflows in build_range(). CVE-4568. diff --git a/configure.ac b/configure.ac index 748b8ce..6924e10 100644 --- a/configure.ac +++ b/configure.ac 
@@ -41,6 +41,8 @@ case $host_os in ;; esac +AC_CHECK_HEADERS([stdint.h]) + # Checks for pkg-config packages PKG_CHECK_MODULES(XFS, libfs xfont xtrans) XFS_CFLAGS="$XFS_CFLAGS $OS_CFLAGS" diff --git a/difs/fontinfo.c b/difs/fontinfo.c index 23893e0..e7e627d 100644 --- a/difs/fontinfo.c +++ b/difs/fontinfo.c @@ -62,6 +62,21 @@ in this Software without prior written authorization from The Open Group. #include <swapreq.h> #include <swaprep.h> +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif +#ifdef HAVE_STDINT_H +#include <stdint.h> +#endif +#include <limits.h> +#ifndef SIZE_MAX +# ifdef ULONG_MAX +# define SIZE_MAX ULONG_MAX +# else +# define SIZE_MAX UINT_MAX +# endif +#endif + void CopyCharInfo( CharInfoPtr ci, @@ -181,6 +196,8 @@ build_range( return new; } + if (src_num >= SIZE_MAX / sizeof(fsRange) * 2 - 1) + return NULL; np = new = (fsRange *) fsalloc(sizeof(fsRange) * (src_num + 1) / 2); if (!np) return np; @@ -210,6 +227,8 @@ build_range( unsigned char *pp = src; src_num = *num; + if (src_num >= SIZE_MAX / sizeof(fsRange)) + return NULL; np = new = (fsRange *) fsalloc(SIZEOF(fsRange) * src_num); if (!np) return np; commit 63596c80ec1c406a35780f45ea43d8004b020869 Author: Ademar de Souza Reis Jr <[EMAIL PROTECTED]> Date: Wed Jun 20 13:31:40 2007 -0300 Document catalogue:<dir> feature diff --git a/xfs.man b/xfs.man index 1a5cd11..049e60a 100644 --- a/xfs.man +++ b/xfs.man 
@@ -124,9 +124,10 @@ Recognized keywords include: .\" Size in bytes of the font server cache. .IP "catalogue (list of string)" Ordered list of font path element names. -Use of the keyword "catalogue" is very misleading at present, -the current implementation only supports a single catalogue ("all"), -containing all of the specified fonts. +The current implementation only supports a single catalogue ("all") +containing all of the specified fonts. A special directory with +symlinks to font paths can be specified using a catalogue:<dir> +entry. See the CATALOGUE DIR section below for details. .IP "alternate-servers (list of string)" List of alternate servers for this font server. .IP "client-limit (cardinal)" 
@@ -167,6 +168,38 @@ enabled for all fonts, and "16", meaning it is enabled only for .\" Those clients the fontserver will talk to. Others .\" will be refused for the initial connection. An empty .\" list means the server will talk to any client. +.SH "CATALOGUE DIR" +You can specify a special kind of font path in the form \fBcatalogue:<dir>\fR. +The directory specified after the catalogue: prefix will be scanned for symlinks +and each symlink destination will be added as a local fontfile FPE. +.PP +The symlink can be suffixed by attributes such as '\fBunscaled\fR', which +will be passed through to the underlying fontfile FPE. The only exception is +the newly introduced '\fBpri\fR' attribute, which will be used for ordering +the font paths specified by the symlinks. + +An example configuration: + +.nf + 75dpi:unscaled:pri=20 \-> /usr/share/X11/fonts/75dpi + ghostscript:pri=60 \-> /usr/share/fonts/default/ghostscript + misc:unscaled:pri=10 \-> /usr/share/X11/fonts/misc + type1:pri=40 \-> /usr/share/X11/fonts/Type1 + type1:pri=50 \-> /usr/share/fonts/default/Type1 +.fi + +This will add /usr/share/X11/fonts/misc as the first FPE with the attribute +'unscaled', second FPE will be /usr/share/X11/fonts/75dpi, also with +the attribute unscaled etc. This is functionally equivalent to setting +the following font path: + +.nf + /usr/share/X11/fonts/misc:unscaled, + /usr/share/X11/fonts/75dpi:unscaled, + /usr/share/X11/fonts/Type1, + /usr/share/fonts/default/Type1, + /usr/share/fonts/default/ghostscript +.fi .SH "EXAMPLE" .nf XCOMM -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
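
Review bot: In debian/patches/01_xfs_fixes.diff, hunk @@ -323,7 +323,7 @@, the patch line "+.B xfs" is replaced by "++.B xfs", so the inner patch would now add a man page line that starts with a literal "+" and the .B macro would no longer sit at the start of its line. Hunk @@ -746,7 +752,7 @@ does the same to .SH "FUTURE DIRECTIONS". Both look like an accidental extra "+" from regenerating the patch; I would restore the single "+" and check the rendered page with man before this goes upstream.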
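
Review bot: In debian/changelog, hunk @@ -1,12 +1,18 @@, the build_range() entry cites "CVE-4568" with no year while the swap_char2b() entry directly below it cites CVE-2007-4568. If the same identifier is meant, write it out in full on both lines so that anything scanning the changelog for CVE ids picks up both fixes. The same short form is carried unchanged into the later changelog hunk @@ -11,8 +11,9 @@.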
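
Review bot: In difs/dispatch.c, hunk @@ -933,6 +933,13 @@ (ProcQueryXExtents), the new bound computes (stuff->length << 2) - SIZEOF(fsQueryXExtents8Req) without anything in the hunk showing that the request length is at least the header size. If a shorter length can reach this point, the subtraction goes negative or wraps depending on the operand types, and the num_ranges comparison may then pass when it should fail. I would test (stuff->length << 2) < SIZEOF(fsQueryXExtents8Req) first and return FSBadLength in that case, or point to where that is already guaranteed in a comment.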
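
Review bot: In difs/dispatch.c, hunk @@ -969,6 +976,12 @@ (ProcQueryXBitmaps), the length check is a copy of the one added to ProcQueryXExtents with only the struct name changed, and it uses SIZEOF(fsQueryXBitmaps8Req) for both the 8 and 16 variants that the assert above allows. A small shared helper taking the header size and item_size would keep the two checks from drifting apart, and a one-line comment saying the 8 and 16 request headers are the same size would justify the single SIZEOF. The block also runs straight into the "/* get the glyphs */" comment; the first hunk leaves a blank line there.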
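
Review bot: In difs/fontinfo.c, hunk @@ -62,6 +62,21 @@, config.h is included after swapreq.h and swaprep.h, so HAVE_STDINT_H and any other configure results are not visible to the headers pulled in before it. The usual placement is the first include in the file. The SIZE_MAX fallback to ULONG_MAX or UINT_MAX is an approximation on platforms without stdint.h and deserves a short comment saying so.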
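
Review bot: In difs/fontinfo.c, hunk @@ -181,6 +196,8 @@ (build_range), the guard "src_num >= SIZE_MAX / sizeof(fsRange) * 2 - 1" looks too loose for the allocation it protects. By C precedence the size expression "sizeof(fsRange) * (src_num + 1) / 2" multiplies before it divides, so the product wraps once src_num + 1 exceeds SIZE_MAX / sizeof(fsRange), which is about half of the bound being tested. Whether that range is reachable depends on the type of src_num, which the hunk does not show. Either tighten the test to "src_num >= SIZE_MAX / sizeof(fsRange) - 1" or compute the element count first and multiply afterwards. The silent return NULL is also indistinguishable from the allocation failure path below it, so callers cannot tell a bad request from out of memory.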
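
Review bot: In difs/fontinfo.c, hunk @@ -210,6 +227,8 @@ (build_range), the new check divides by sizeof(fsRange) while the allocation on the next line multiplies by SIZEOF(fsRange). If the two macros ever yield different sizes the bound no longer matches the expression it guards. Use the same one in both places, for example "if (src_num >= SIZE_MAX / SIZEOF(fsRange))", or allocate with sizeof to match the first branch.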
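
Review bot: In xfs.man, hunk @@ -167,6 +168,38 @@ (CATALOGUE DIR), the text says every symlink destination in the directory becomes a local fontfile FPE but does not say who should own the directory or what permissions it needs. Anyone able to create symlinks there decides which paths the font server reads, so a sentence recommending an administrator-owned, non-world-writable directory belongs here. The section also leaves open what happens when pri is omitted or two symlinks carry the same pri value, and it mixes .PP with blank lines as paragraph breaks; .PP throughout would match the first paragraph.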