debian/changelog | 7 +++ debian/patches/50_CVE-2007-6429-MIT-SHM.diff | 56 ++++++++++++++------------- 2 files changed, 38 insertions(+), 25 deletions(-)
New commits: commit 5491c0f2570d1b122fe4f6ba92c748054d4bc37b Author: Julien Cristau <[EMAIL PROTECTED]> Date: Fri Jan 18 20:45:31 2008 +0100 Fix regression introduced in DSA-1466-1. Add patch by Adam Jackson from Red Hat to fix regression introduced by the MIT-SHM patch in -21etch2 (closes: #461410). diff --git a/debian/changelog b/debian/changelog index 2f34cb5..5761156 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +xorg-server (2:1.1.1-21etch3) stable-security; urgency=high + + * Add patch by Adam Jackson from Red Hat to fix regression introduced by the + MIT-SHM patch in -21etch2 (closes: #461410). + + -- Julien Cristau <[EMAIL PROTECTED]> Fri, 18 Jan 2008 20:39:28 +0100 + xorg-server (2:1.1.1-21etch2) stable-security; urgency=high * Security update, fixes the following vulnerabilities: diff --git a/debian/patches/50_CVE-2007-6429-MIT-SHM.diff b/debian/patches/50_CVE-2007-6429-MIT-SHM.diff index 9a788d5..3458bc6 100644 --- a/debian/patches/50_CVE-2007-6429-MIT-SHM.diff +++ b/debian/patches/50_CVE-2007-6429-MIT-SHM.diff @@ -1,7 +1,5 @@ -Index: xorg-server/Xext/shm.c -=================================================================== ---- xorg-server.orig/Xext/shm.c 2008-01-05 14:54:14.000000000 +0100 -+++ xorg-server/Xext/shm.c 2008-01-05 14:54:48.000000000 +0100 +--- xorg-server-1.1.1/Xext/shm.c.cve-2007-6429 2006-07-05 14:31:36.000000000 -0400 ++++ xorg-server-1.1.1/Xext/shm.c 2008-01-18 14:19:28.000000000 -0500 @@ -725,6 +725,8 @@ int i, j, result; ShmDescPtr shmdesc; @@ -11,7 +9,7 @@ Index: xorg-server/Xext/shm.c PanoramiXRes *newPix; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); -@@ -734,11 +736,26 @@ +@@ -734,11 +736,18 @@ LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); 
@@ -27,30 +25,34 @@ Index: xorg-server/Xext/shm.c } + if (width > 32767 || height > 32767) + return BadAlloc; -+ size = PixmapBytePad(width, depth) * height; -+ if (sizeof(size) == 4) { -+ if (size < width * height) -+ return BadAlloc; -+ /* thankfully, offset is unsigned */ -+ if (stuff->offset + size < size) -+ return BadAlloc; -+ } + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; -@@ -749,9 +766,7 @@ +@@ -748,10 +757,19 @@ + client->errorValue = stuff->depth; return BadValue; } ++ CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); ++ /* now w/h/d are valid; but will they overflow a 32-bit pointer? */ ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) return BadAlloc; -@@ -1049,6 +1064,8 @@ +@@ -1049,6 +1067,8 @@ register int i; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); @@ -59,7 +61,7 @@ Index: xorg-server/Xext/shm.c REQUEST_SIZE_MATCH(xShmCreatePixmapReq); client->errorValue = stuff->pid; -@@ -1057,11 +1074,26 @@ +@@ -1057,11 +1077,18 @@ LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); 
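Review bot: The overflow guards added under `CreatePmap:` run only when `sizeof(void *) == 4`, yet what can wrap is the arithmetic in `size = PixmapBytePad(width, depth) * height` and `stuff->offset + size`, whose width is set by the declared types of `size`, `width` and `height`, not by pointer size. Those declarations are not visible in this hunk, so confirm them for LP64 builds, where both tests are skipped and `VERIFY_SHMSIZE` is the only remaining bound. The `BitsPerPixel(depth) > 8` gate is needed only because `size < width * height` detects a wrap after the fact and misfires below 8 bits per pixel, where a row takes fewer bytes than pixels. Testing before the multiplication needs neither gate, e.g. `if (height && PixmapBytePad(width, depth) > SIZE_TYPE_MAX / height) return BadAlloc;`, with `SIZE_TYPE_MAX` a placeholder for the maximum of `size`'s type. The same block is repeated in the second function patched at `@@ -1071,10 +1098,19 @@`, and both function bodies start and end outside the hunks.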
@@ -75,25 +77,29 @@ Index: xorg-server/Xext/shm.c } + if (width > 32767 || height > 32767) + return BadAlloc; -+ size = PixmapBytePad(width, depth) * height; -+ if (sizeof(size) == 4) { -+ if (size < width * height) -+ return BadAlloc; -+ /* thankfully, offset is unsigned */ -+ if (stuff->offset + size < size) -+ return BadAlloc; -+ } + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; -@@ -1072,9 +1104,7 @@ +@@ -1071,10 +1098,19 @@ + client->errorValue = stuff->depth; return BadValue; } ++ CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); ++ /* now w/h/d are valid; but will they overflow a 32-bit pointer? */ ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pDraw->pScreen, stuff->width,
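Review bot: The `CreatePixmap` call in the trailing context of this hunk still passes `stuff->width`, and the depth test still reads `stuff->depth`, while the size given to `VERIFY_SHMSIZE` is computed from the locals `width`, `height` and `depth`. The assignments to those locals are outside the visible lines, so they are presumably plain copies of the request fields. If so, pass `width` in place of `stuff->width` in the call (and likewise any height and depth arguments that follow), so the values that were bounds-checked are the ones used to create the pixmap. If the locals can differ from the request fields on some path, a comment such as `/* width/height/depth mirror stuff->* here; size was validated against them */` above the call would record the invariant. The function body starts before and continues past this hunk.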