debian/changelog | 15 + debian/control | 2 debian/patches/14_default_screen_section.diff | 16 - debian/patches/15_CVE-2007-6427.diff | 241 ++++++++++++++++++++++++++ debian/patches/16_CVE-2007-6428.diff | 12 + debian/patches/17_CVE-2007-6429.diff | 190 ++++++++++++++++++++ debian/patches/18_CVE-2007-5760.diff | 13 + debian/patches/19_CVE-2007-5958.diff | 20 ++ debian/patches/20_CVE-2008-0006.diff | 18 + debian/patches/series | 6 10 files changed, 520 insertions(+), 13 deletions(-)
New commits: commit 8b97340f880644b5b98a67ef020a86a326f329d4 Author: Julien Cristau <[EMAIL PROTECTED]> Date: Thu Jan 17 15:10:17 2008 +0100 Prepare changelog for upload. diff --git a/debian/changelog b/debian/changelog index 2872519..c428455 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -xorg-server (2:1.4.1~git20080105-2) UNRELEASED; urgency=low +xorg-server (2:1.4.1~git20080105-2) unstable; urgency=low [ David Nusinow ] * Improve dpms logging patch to correctly label message type @@ -18,7 +18,7 @@ xorg-server (2:1.4.1~git20080105-2) UNRELEASED; urgency=low + CVE-2008-0006: PCF font parser buffer overflow * Bump Standards-Version to 3.7.3 (no changes). - -- Julien Cristau <[EMAIL PROTECTED]> Thu, 17 Jan 2008 01:00:26 +0100 + -- Julien Cristau <[EMAIL PROTECTED]> Thu, 17 Jan 2008 15:10:03 +0100 xorg-server (2:1.4.1~git20080105-1) unstable; urgency=low commit a6d8330a56e5a5af5b2352bed07381499f4c748a Author: Julien Cristau <[EMAIL PROTECTED]> Date: Thu Jan 17 01:00:50 2008 +0100 * Bump Standards-Version to 3.7.3 (no changes). diff --git a/debian/changelog b/debian/changelog index 66a152d..2872519 100644 --- a/debian/changelog +++ b/debian/changelog @@ -16,8 +16,9 @@ xorg-server (2:1.4.1~git20080105-2) UNRELEASED; urgency=low + CVE-2007-5760: XFree86-Misc Extension Invalid Array Index + CVE-2007-5958: file existence disclosure + CVE-2008-0006: PCF font parser buffer overflow + * Bump Standards-Version to 3.7.3 (no changes). - -- Brice Goglin <[EMAIL PROTECTED]> Sun, 13 Jan 2008 16:20:12 +0100 + -- Julien Cristau <[EMAIL PROTECTED]> Thu, 17 Jan 2008 01:00:26 +0100 xorg-server (2:1.4.1~git20080105-1) unstable; urgency=low diff --git a/debian/control b/debian/control index 8907850..431ee4c 100644 --- a/debian/control +++ b/debian/control 
@@ -32,7 +32,7 @@ Build-Depends: debhelper (>= 4.0.0), lsb-release, pkg-config, bison, flex, libxtst-dev (>= 1:0.99.1-1), libxres-dev (>= 1:0.99.1-1), libxfixes-dev (>= 1:3.0.0), libdbus-1-dev [!hurd-i386], libhal-dev [!hurd-i386] Build-Conflicts: xlibs-static-dev -Standards-Version: 3.7.2.0 +Standards-Version: 3.7.3 XS-Vcs-Git: git://git.debian.org/git/pkg-xorg/xserver/xorg-server XS-Vcs-Browser: http://git.debian.org/?p=pkg-xorg/xserver/xorg-server.git commit 7fe0a909cedc4ad55d3f7708fc98dd6986323d08 Author: Julien Cristau <[EMAIL PROTECTED]> Date: Sat Jan 12 01:04:06 2008 +0100 * Fix multiple security issues + CVE-2007-6427: XInput Extension Memory Corruption + CVE-2007-6428: TOG-CUP Extension Memory Corruption + CVE-2007-6429: EVI Extension Integer Overflow, MIT-SHM Extension Integer Overflow + CVE-2007-5760: XFree86-Misc Extension Invalid Array Index + CVE-2007-5958: file existence disclosure + CVE-2008-0006: PCF font parser buffer overflow diff --git a/debian/changelog b/debian/changelog index f57f7f6..66a152d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,16 @@ xorg-server (2:1.4.1~git20080105-2) UNRELEASED; urgency=low * Grab upstream commit db9ae863536fff80b5463d99e71dc47ae587980d to set DEFAULT_DPI to 96 instead of 75. + [ Julien Cristau ] + * Fix multiple security issues + + CVE-2007-6427: XInput Extension Memory Corruption + + CVE-2007-6428: TOG-CUP Extension Memory Corruption + + CVE-2007-6429: EVI Extension Integer Overflow, + MIT-SHM Extension Integer Overflow + + CVE-2007-5760: XFree86-Misc Extension Invalid Array Index + + CVE-2007-5958: file existence disclosure + + CVE-2008-0006: PCF font parser buffer overflow + -- Brice Goglin <[EMAIL PROTECTED]> Sun, 13 Jan 2008 16:20:12 +0100 xorg-server (2:1.4.1~git20080105-1) unstable; urgency=low diff --git a/debian/patches/14_default_screen_section.diff b/debian/patches/14_default_screen_section.diff index a3b6061..709261b 100644 --- a/debian/patches/14_default_screen_section.diff 
+++ b/debian/patches/14_default_screen_section.diff @@ -1,8 +1,6 @@ -Index: xorg-server/hw/xfree86/common/xf86Config.c -=================================================================== ---- xorg-server.orig/hw/xfree86/common/xf86Config.c 2007-12-12 19:43:59.000000000 -0500 -+++ xorg-server/hw/xfree86/common/xf86Config.c 2007-12-12 19:44:10.000000000 -0500 -@@ -1801,11 +1801,6 @@ +--- xorg-server.orig/hw/xfree86/common/xf86Config.c ++++ xorg-server/hw/xfree86/common/xf86Config.c +@@ -1800,11 +1800,6 @@ if (!servlayoutp) return FALSE; @@ -14,7 +12,7 @@ Index: xorg-server/hw/xfree86/common/xf86Config.c /* * which screen section is the active one? * -@@ -1893,6 +1888,12 @@ +@@ -1892,6 +1887,12 @@ XF86ConfAdaptorLinkPtr conf_adaptor; Bool defaultMonitor = FALSE; @@ -27,10 +25,8 @@ Index: xorg-server/hw/xfree86/common/xf86Config.c xf86Msg(from, "|-->Screen \"%s\" (%d)\n", conf_screen->scrn_identifier, scrnum); /* -Index: xorg-server/hw/xfree86/parser/Screen.c -=================================================================== ---- xorg-server.orig/hw/xfree86/parser/Screen.c 2007-12-12 19:43:02.000000000 -0500 -+++ xorg-server/hw/xfree86/parser/Screen.c 2007-12-12 19:44:10.000000000 -0500 +--- xorg-server.orig/hw/xfree86/parser/Screen.c ++++ xorg-server/hw/xfree86/parser/Screen.c @@ -498,12 +498,6 @@ XF86ConfDevicePtr device; XF86ConfAdaptorLinkPtr adaptor; diff --git a/debian/patches/15_CVE-2007-6427.diff b/debian/patches/15_CVE-2007-6427.diff new file mode 100644 index 0000000..da62c5e --- /dev/null +++ b/debian/patches/15_CVE-2007-6427.diff 
@@ -0,0 +1,241 @@ +# +# Updated but not checked in: +# (will commit) +# +# modified: Xi/chgfctl.c +# modified: Xi/chgkmap.c +# modified: Xi/chgprop.c +# modified: Xi/grabdev.c +# modified: Xi/grabdevb.c +# modified: Xi/grabdevk.c +# modified: Xi/selectev.c +# modified: Xi/sendexev.c +# +--- xorg-server.orig/Xi/chgfctl.c ++++ xorg-server/Xi/chgfctl.c +@@ -327,18 +327,13 @@ + xStringFeedbackCtl * f) + { + char n; +- long *p; + int i, j; + KeySym *syms, *sup_syms; + + syms = (KeySym *) (f + 1); + if (client->swapped) { + swaps(&f->length, n); /* swapped num_keysyms in calling proc */ +- p = (long *)(syms); +- for (i = 0; i < f->num_keysyms; i++) { +- swapl(p, n); +- p++; +- } ++ SwapLongs((CARD32 *) syms, f->num_keysyms); + } + + if (f->num_keysyms > s->ctrl.max_symbols) { +--- xorg-server.orig/Xi/chgkmap.c ++++ xorg-server/Xi/chgkmap.c +@@ -79,18 +79,14 @@ + SProcXChangeDeviceKeyMapping(ClientPtr client) + { + char n; +- long *p; +- int i, count; ++ unsigned int count; + + REQUEST(xChangeDeviceKeyMappingReq); + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); +- p = (long *)&stuff[1]; + count = stuff->keyCodes * stuff->keySymsPerKeyCode; +- for (i = 0; i < count; i++) { +- swapl(p, n); +- p++; +- } ++ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), count); + return (ProcXChangeDeviceKeyMapping(client)); + } + +@@ -106,10 +102,14 @@ + int ret; + unsigned len; + DeviceIntPtr dev; ++ unsigned int count; + + REQUEST(xChangeDeviceKeyMappingReq); + REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); + ++ count = stuff->keyCodes * stuff->keySymsPerKeyCode; ++ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); ++ + dev = LookupDeviceIntRec(stuff->deviceid); + if (dev == NULL) { + SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0, +--- xorg-server.orig/Xi/chgprop.c ++++ xorg-server/Xi/chgprop.c +@@ -81,19 +81,15 @@ + 
SProcXChangeDeviceDontPropagateList(ClientPtr client) + { + char n; +- long *p; +- int i; + + REQUEST(xChangeDeviceDontPropagateListReq); + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq); + swapl(&stuff->window, n); + swaps(&stuff->count, n); +- p = (long *)&stuff[1]; +- for (i = 0; i < stuff->count; i++) { +- swapl(p, n); +- p++; +- } ++ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq, ++ stuff->count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->count); + return (ProcXChangeDeviceDontPropagateList(client)); + } + +--- xorg-server.orig/Xi/grabdev.c ++++ xorg-server/Xi/grabdev.c +@@ -82,8 +82,6 @@ + SProcXGrabDevice(ClientPtr client) + { + char n; +- long *p; +- int i; + + REQUEST(xGrabDeviceReq); + swaps(&stuff->length, n); +@@ -91,11 +89,11 @@ + swapl(&stuff->grabWindow, n); + swapl(&stuff->time, n); + swaps(&stuff->event_count, n); +- p = (long *)&stuff[1]; +- for (i = 0; i < stuff->event_count; i++) { +- swapl(p, n); +- p++; +- } ++ ++ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count) ++ return BadLength; ++ ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); + + return (ProcXGrabDevice(client)); + } +--- xorg-server.orig/Xi/grabdevb.c ++++ xorg-server/Xi/grabdevb.c +@@ -80,8 +80,6 @@ + SProcXGrabDeviceButton(ClientPtr client) + { + char n; +- long *p; +- int i; + + REQUEST(xGrabDeviceButtonReq); + swaps(&stuff->length, n); +@@ -89,11 +87,9 @@ + swapl(&stuff->grabWindow, n); + swaps(&stuff->modifiers, n); + swaps(&stuff->event_count, n); +- p = (long *)&stuff[1]; +- for (i = 0; i < stuff->event_count; i++) { +- swapl(p, n); +- p++; +- } ++ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq, ++ stuff->event_count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); + + return (ProcXGrabDeviceButton(client)); + } +--- xorg-server.orig/Xi/grabdevk.c ++++ xorg-server/Xi/grabdevk.c +@@ -80,8 +80,6 @@ + SProcXGrabDeviceKey(ClientPtr client) + { + char n; +- long *p; 
+- int i; + + REQUEST(xGrabDeviceKeyReq); + swaps(&stuff->length, n); +@@ -89,11 +87,8 @@ + swapl(&stuff->grabWindow, n); + swaps(&stuff->modifiers, n); + swaps(&stuff->event_count, n); +- p = (long *)&stuff[1]; +- for (i = 0; i < stuff->event_count; i++) { +- swapl(p, n); +- p++; +- } ++ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); + return (ProcXGrabDeviceKey(client)); + } + +--- xorg-server.orig/Xi/selectev.c ++++ xorg-server/Xi/selectev.c +@@ -131,19 +131,16 @@ + SProcXSelectExtensionEvent(ClientPtr client) + { + char n; +- long *p; +- int i; + + REQUEST(xSelectExtensionEventReq); + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq); + swapl(&stuff->window, n); + swaps(&stuff->count, n); +- p = (long *)&stuff[1]; +- for (i = 0; i < stuff->count; i++) { +- swapl(p, n); +- p++; +- } ++ REQUEST_FIXED_SIZE(xSelectExtensionEventReq, ++ stuff->count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->count); ++ + return (ProcXSelectExtensionEvent(client)); + } + +--- xorg-server.orig/Xi/sendexev.c ++++ xorg-server/Xi/sendexev.c +@@ -83,7 +83,7 @@ + SProcXSendExtensionEvent(ClientPtr client) + { + char n; +- long *p; ++ CARD32 *p; + int i; + xEvent eventT; + xEvent *eventP; +@@ -94,6 +94,11 @@ + REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq); + swapl(&stuff->destination, n); + swaps(&stuff->count, n); ++ ++ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count + ++ (stuff->num_events * (sizeof(xEvent) >> 2))) ++ return BadLength; ++ + eventP = (xEvent *) & stuff[1]; + for (i = 0; i < stuff->num_events; i++, eventP++) { + proc = EventSwapVector[eventP->u.u.type & 0177]; +@@ -103,11 +108,8 @@ + *eventP = eventT; + } + +- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events); +- for (i = 0; i < stuff->count; i++) { +- swapl(p, n); +- p++; +- } ++ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events); ++ SwapLongs(p, 
stuff->count); + return (ProcXSendExtensionEvent(client)); + } + diff --git a/debian/patches/16_CVE-2007-6428.diff b/debian/patches/16_CVE-2007-6428.diff new file mode 100644 index 0000000..4068315 --- /dev/null +++ b/debian/patches/16_CVE-2007-6428.diff @@ -0,0 +1,12 @@ +--- xorg-server.orig/Xext/cup.c ++++ xorg-server/Xext/cup.c +@@ -196,6 +196,9 @@ + + REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq); + ++ if (stuff->screen >= screenInfo.numScreens) ++ return BadValue; ++ + #ifndef HAVE_SPECIAL_DESKTOP_COLORS + citems[CUP_BLACK_PIXEL].pixel = + screenInfo.screens[stuff->screen]->blackPixel; diff --git a/debian/patches/17_CVE-2007-6429.diff b/debian/patches/17_CVE-2007-6429.diff new file mode 100644 index 0000000..5c6d548 --- /dev/null +++ b/debian/patches/17_CVE-2007-6429.diff 
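Review bot: In the Xi/chgfctl.c hunk, `SwapLongs((CARD32 *) syms, f->num_keysyms)` runs on a client-supplied count with no length check next to it, unlike the other byte-swapped handlers in this patch, which gain a `REQUEST_FIXED_SIZE` or an explicit `BadLength` test before the swap. The only later test visible in the hunk compares `f->num_keysyms` with `s->ctrl.max_symbols`, and it comes after the swap has already walked the buffer. The calling procedure is outside the hunk, so whether it has already compared `num_keysyms` with the request length cannot be confirmed from here. If it has, a comment such as `/* caller verified that the request holds f->num_keysyms keysyms */` above the swap would record that; if it has not, the count needs the same bound as the other handlers.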
@@ -0,0 +1,190 @@ +--- xorg-server.orig/Xext/EVI.c ++++ xorg-server/Xext/EVI.c +@@ -34,6 +34,7 @@ + #include <X11/extensions/XEVIstr.h> + #include "EVIstruct.h" + #include "modinit.h" ++#include "scrnintstr.h" + + #if 0 + static unsigned char XEVIReqCode = 0; +@@ -87,10 +88,22 @@ + { + REQUEST(xEVIGetVisualInfoReq); + xEVIGetVisualInfoReply rep; +- int n, n_conflict, n_info, sz_info, sz_conflict; ++ int i, n, n_conflict, n_info, sz_info, sz_conflict; + VisualID32 *conflict; ++ unsigned int total_visuals = 0; + xExtendedVisualInfo *eviInfo; + int status; ++ ++ /* ++ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume ++ * here that you don't have more than 2^32 visuals over all your screens; ++ * this seems like a safe assumption. ++ */ ++ for (i = 0; i < screenInfo.numScreens; i++) ++ total_visuals += screenInfo.screens[i]->numVisuals; ++ if (stuff->n_visual > total_visuals) ++ return BadValue; ++ + REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32); + status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual, + &eviInfo, &n_info, &conflict, &n_conflict); +--- xorg-server.orig/Xext/sampleEVI.c ++++ xorg-server/Xext/sampleEVI.c +@@ -34,6 +34,13 @@ + #include <X11/extensions/XEVIstr.h> + #include "EVIstruct.h" + #include "scrnintstr.h" ++ ++#if HAVE_STDINT_H ++#include <stdint.h> ++#elif !defined(INT_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif ++ + static int sampleGetVisualInfo( + VisualID32 *visual, + int n_visual, +@@ -42,24 +49,36 @@ + VisualID32 **conflict_rn, + int *n_conflict_rn) + { +- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens; ++ unsigned int max_sz_evi; + VisualID32 *temp_conflict; + xExtendedVisualInfo *evi; +- int max_visuals = 0, max_sz_conflict, sz_conflict = 0; ++ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0; + register int visualI, scrI, sz_evi = 0, conflictI, n_conflict; +- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi); +- if 
(!*evi_rn) +- return BadAlloc; ++ ++ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens)) ++ return BadAlloc; ++ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens; ++ + for (scrI = 0; scrI < screenInfo.numScreens; scrI++) { + if (screenInfo.screens[scrI]->numVisuals > max_visuals) + max_visuals = screenInfo.screens[scrI]->numVisuals; + } ++ ++ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens ++ * max_visuals)) ++ return BadAlloc; + max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals; ++ ++ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi); ++ if (!*evi_rn) ++ return BadAlloc; ++ + temp_conflict = (VisualID32 *)xalloc(max_sz_conflict); + if (!temp_conflict) { + xfree(*evi_rn); + return BadAlloc; + } ++ + for (scrI = 0; scrI < screenInfo.numScreens; scrI++) { + for (visualI = 0; visualI < n_visual; visualI++) { + evi[sz_evi].core_visual_id = visual[visualI]; +--- xorg-server.orig/Xext/shm.c ++++ xorg-server/Xext/shm.c +@@ -711,6 +711,8 @@ + int i, j, result, rc; + ShmDescPtr shmdesc; + REQUEST(xShmCreatePixmapReq); ++ unsigned int width, height, depth; ++ unsigned long size; + PanoramiXRes *newPix; + + REQUEST_SIZE_MATCH(xShmCreatePixmapReq); +@@ -724,11 +726,26 @@ + return rc; + + VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); +- if (!stuff->width || !stuff->height) ++ ++ width = stuff->width; ++ height = stuff->height; ++ depth = stuff->depth; ++ if (!width || !height || !depth) + { + client->errorValue = 0; + return BadValue; + } ++ if (width > 32767 || height > 32767) ++ return BadAlloc; ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(size) == 4) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ + if (stuff->depth != 1) + { + pDepth = pDraw->pScreen->allowedDepths; +@@ -739,9 +756,7 @@ + return BadValue; + } + CreatePmap: +- 
VERIFY_SHMSIZE(shmdesc, stuff->offset, +- PixmapBytePad(stuff->width, stuff->depth) * stuff->height, +- client); ++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + + if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) + return BadAlloc; +@@ -1040,6 +1055,8 @@ + register int i, rc; + ShmDescPtr shmdesc; + REQUEST(xShmCreatePixmapReq); ++ unsigned int width, height, depth; ++ unsigned long size; + + REQUEST_SIZE_MATCH(xShmCreatePixmapReq); + client->errorValue = stuff->pid; +@@ -1052,11 +1069,26 @@ + return rc; + + VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); +- if (!stuff->width || !stuff->height) ++ ++ width = stuff->width; ++ height = stuff->height; ++ depth = stuff->depth; ++ if (!width || !height || !depth) + { + client->errorValue = 0; + return BadValue; + } ++ if (width > 32767 || height > 32767) ++ return BadAlloc; ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(size) == 4) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ + if (stuff->depth != 1) + { + pDepth = pDraw->pScreen->allowedDepths; +@@ -1067,9 +1099,7 @@ + return BadValue; + } + CreatePmap: +- VERIFY_SHMSIZE(shmdesc, stuff->offset, +- PixmapBytePad(stuff->width, stuff->depth) * stuff->height, +- client); ++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( + pDraw->pScreen, stuff->width, + stuff->height, stuff->depth, diff --git a/debian/patches/18_CVE-2007-5760.diff b/debian/patches/18_CVE-2007-5760.diff new file mode 100644 index 0000000..6df89ae --- /dev/null +++ b/debian/patches/18_CVE-2007-5760.diff 
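Review bot: In both Xext/shm.c hunks that add the size checks (`@@ -724,11 +726,26 @@` and `@@ -1052,11 +1069,26 @@`), `size = PixmapBytePad(width, depth) * height` is computed from the client's `depth` before the `stuff->depth` validation against `allowedDepths` that follows in the context lines, so an unvalidated depth reaches whatever per-depth lookup PixmapBytePad performs. The test `if (size < width * height)` also assumes at least one byte per pixel. Assuming PixmapBytePad returns padded bytes per scanline, a valid depth-1 pixmap has `size` well below `width * height` and would be refused with BadAlloc on builds where `sizeof(size) == 4`. I would move the computation to just before `VERIFY_SHMSIZE` at `CreatePmap:` and test the multiplication itself, e.g. `if (height > ULONG_MAX / bytepad) return BadAlloc;` with `bytepad` holding the PixmapBytePad result. Separately, the Xext/sampleEVI.c fallback `#elif !defined(INT_MAX)` guards a definition of `UINT32_MAX`, which looks like it was meant to be `#elif !defined(UINT32_MAX)`.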
@@ -0,0 +1,13 @@
+--- xorg-server.orig/hw/xfree86/common/xf86MiscExt.c
++++ xorg-server/hw/xfree86/common/xf86MiscExt.c
+@@ -548,6 +548,10 @@
+ {
+ ScrnInfoPtr pScr = xf86Screens[scrnIndex];
+
++ /* should check this in the protocol, but xf86NumScreens isn't exported */
++ if (scrnIndex > xf86NumScreens)
++ return BadValue;
++
+ if (*pScr->HandleMessage == NULL)
+ return BadImplementation;
+ return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);
diff --git a/debian/patches/19_CVE-2007-5958.diff b/debian/patches/19_CVE-2007-5958.diff
new file mode 100644
index 0000000..44b88e5
--- /dev/null
+++ b/debian/patches/19_CVE-2007-5958.diff
@@ -0,0 +1,20 @@
+--- xorg-server.orig/Xext/security.c
++++ xorg-server/Xext/security.c
+@@ -1563,7 +1563,7 @@
+ if (!SecurityPolicyFile)
+ return;
+
+- f = fopen(SecurityPolicyFile, "r");
++ f = Fopen(SecurityPolicyFile, "r");
+ if (!f)
+ {
+ ErrorF("error opening security policy file %s\n",
+@@ -1646,7 +1646,7 @@
+ }
+ #endif /* PROPDEBUG */
+
+- fclose(f);
++ Fclose(f);
+ } /* SecurityLoadPropertyAccessList */
+
+
diff --git a/debian/patches/20_CVE-2008-0006.diff b/debian/patches/20_CVE-2008-0006.diff
new file mode 100644
index 0000000..d16694a
--- /dev/null
+++ b/debian/patches/20_CVE-2008-0006.diff
@@ -0,0 +1,18 @@
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index c21b3ec..7bb2404 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -325,6 +325,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
+ err = BadFontName;
+ goto bail;
+ }
++ /* check values for firstCol, lastCol, firstRow, and lastRow */
++ if (pfont->info.firstCol > pfont->info.lastCol ||
++ pfont->info.firstRow > pfont->info.lastRow ||
++ pfont->info.lastCol - pfont->info.firstCol > 255) {
++ err = AllocError;
++ goto bail;
++ }
+ if (!pfont->fpe)
+ pfont->fpe = fpe;
+ pfont->refcnt++;
diff --git a/debian/patches/series b/debian/patches/series
index 2e363d1..baafbbe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
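Review bot: The bound added in xf86MiscExt.c, `if (scrnIndex > xf86NumScreens)`, still accepts `scrnIndex == xf86NumScreens`, which is one past the last entry if xf86NumScreens is the number of screens. It also does nothing for a negative index if scrnIndex is signed; its declaration is outside the hunk, as is the function signature. The check sits after `pScr = xf86Screens[scrnIndex]`, so the array is indexed before the value is validated. I would write `if (scrnIndex < 0 || scrnIndex >= xf86NumScreens) return BadValue;` and assign `pScr` only after it.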
@@ -9,6 +9,12 @@
 10_dont_look_in_home_for_config.diff -p0
 13_debian_add_xkbpath_env_variable.diff
 14_default_screen_section.diff
+15_CVE-2007-6427.diff
+16_CVE-2007-6428.diff
+17_CVE-2007-6429.diff
+18_CVE-2007-5760.diff
+19_CVE-2007-5958.diff
+20_CVE-2008-0006.diff
 21_glx_align_fixes.patch
 40_default_dpi_96.patch
 41_vbe_filter_less.diff
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]