debian/changelog | 11 ++ debian/patches/170_xorg-xserver-1.4-cve-2008-1377.diff | 88 +++++++++++++++++ debian/patches/171_xorg-xserver-1.4-cve-2008-1379.diff | 24 ++++ debian/patches/172_xorg-xserver-1.4-cve-2008-2360.diff | 32 ++++++ debian/patches/173_xorg-xserver-1.4-cve-2008-2361.diff | 13 ++ debian/patches/174_xorg-xserver-1.4-cve-2008-2362.diff | 63 ++++++++++++ debian/patches/series | 5 7 files changed, 236 insertions(+)
New commits: commit 56e7f0a416b4bd2c16e5db7997a716fa495dd64a Author: Bryce Harrington <[EMAIL PROTECTED]> Date: Wed Jun 11 10:54:56 2008 -0700 Security fixes diff --git a/debian/changelog b/debian/changelog index 2b44c46..66c8b20 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +xorg-server (2:1.4.1~git20080131-1ubuntu12) intrepid; urgency=low + + * Fix multiple security issues: + + CVE-2008-2360 - RENDER Extension heap buffer overflow + + CVE-2008-2361 - RENDER Extension crash + + CVE-2008-2362 - RENDER Extension memory corruption + + CVE-2008-1379 - MIT-SHM arbitrary memory read + + CVE-2008-1377 - RECORD and Security extensions memory corruption + + -- Bryce Harrington <[EMAIL PROTECTED]> Wed, 11 Jun 2008 10:54:15 -0700 + xorg-server (2:1.4.1~git20080131-1ubuntu11) intrepid; urgency=low * 169_xf86AutoConfig_choose_default_driver_if_no_pci.patch diff --git a/debian/patches/170_xorg-xserver-1.4-cve-2008-1377.diff b/debian/patches/170_xorg-xserver-1.4-cve-2008-1377.diff new file mode 100644 index 0000000..4eb7e1d --- /dev/null +++ b/debian/patches/170_xorg-xserver-1.4-cve-2008-1377.diff 
@@ -0,0 +1,88 @@ +diff --git a/Xext/security.c b/Xext/security.c +index ba057de..f34c463 100644 +--- a/Xext/security.c ++++ b/Xext/security.c +@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization( + register char n; + CARD32 *values; + unsigned long nvalues; ++ int values_offset; + + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); + swaps(&stuff->nbytesAuthProto, n); + swaps(&stuff->nbytesAuthData, n); + swapl(&stuff->valueMask, n); +- values = (CARD32 *)(&stuff[1]) + +- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + +- ((stuff->nbytesAuthData + (unsigned)3) >> 2); ++ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + ++ ((stuff->nbytesAuthData + (unsigned)3) >> 2); ++ if (values_offset > ++ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) ++ return BadLength; ++ values = (CARD32 *)(&stuff[1]) + values_offset; + nvalues = (((CARD32 *)stuff) + stuff->length) - values; + SwapLongs(values, nvalues); + return ProcSecurityGenerateAuthorization(client); +diff --git a/record/record.c b/record/record.c +index 0ed8f84..9a166d6 100644 +--- a/record/record.c ++++ b/record/record.c +@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client) + } /* SProcRecordQueryVersion */ + + +-static void ++static int + SwapCreateRegister(xRecordRegisterClientsReq *stuff) + { + register char n; +@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff) + swapl(&stuff->nClients, n); + swapl(&stuff->nRanges, n); + pClientID = (XID *)&stuff[1]; ++ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2)) ++ return BadLength; + for (i = 0; i < stuff->nClients; i++, pClientID++) + { + swapl(pClientID, n); + } ++ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2) ++ - stuff->nClients) ++ return BadLength; + RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges); ++ return Success; + } /* SwapCreateRegister */ + + +@@ -2679,11 +2685,13 @@ static int + 
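Review bot: The new length check in SProcSecurityGenerateAuthorization is only safe because `values_offset` is a signed `int`, and nothing in the hunk records that. Assuming `stuff->length` is the 16-bit field that `swaps()` implies, a length smaller than the header size in words makes `stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)` negative, and the signed comparison still rejects the request; an unsigned offset would wrap and let it through. I would add a comment above the check such as `/* all quantities are in 32-bit words; values_offset must stay signed so a short length compares as negative */`. The function's opening lines are outside the hunk.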
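Review bot: The two bounds added to SwapCreateRegister compare 32-bit counts against `stuff->length - (sz_xRecordRegisterClientsReq >> 2)`, and nothing inside this function guards that subtraction. `nClients` and `nRanges` go through `swapl()`, so they are presumably unsigned 32-bit values; if the length field is smaller than the header size in words, the difference goes negative, converts to a very large unsigned value, and both checks pass. The callers run REQUEST_AT_LEAST_SIZE first, but its definition is not on this page, so confirm that it validates this same field rather than a separately stored length. The second check also counts each range as one word; if xRecordRange is larger than four bytes, divide the remaining words first: `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sizeof(xRecordRange) >> 2)) return BadLength;`. The function signature sits in the preceding hunk.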
SProcRecordCreateContext(ClientPtr client) + { + REQUEST(xRecordCreateContextReq); ++ int status; + register char n; + + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); +- SwapCreateRegister((pointer)stuff); ++ if ((status = SwapCreateRegister((pointer)stuff)) != Success) ++ return status; + return ProcRecordCreateContext(client); + } /* SProcRecordCreateContext */ + +@@ -2692,11 +2700,13 @@ static int + SProcRecordRegisterClients(ClientPtr client) + { + REQUEST(xRecordRegisterClientsReq); ++ int status; + register char n; + + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); +- SwapCreateRegister((pointer)stuff); ++ if ((status = SwapCreateRegister((pointer)stuff)) != Success) ++ return status; + return ProcRecordRegisterClients(client); + } /* SProcRecordRegisterClients */ + diff --git a/debian/patches/171_xorg-xserver-1.4-cve-2008-1379.diff b/debian/patches/171_xorg-xserver-1.4-cve-2008-1379.diff new file mode 100644 index 0000000..180d126 --- /dev/null +++ b/debian/patches/171_xorg-xserver-1.4-cve-2008-1379.diff @@ -0,0 +1,24 @@ +diff --git a/Xext/shm.c b/Xext/shm.c +index ac587be..e08df36 100644 +--- a/Xext/shm.c ++++ b/Xext/shm.c +@@ -831,8 +831,17 @@ ProcShmPutImage(client) + return BadValue; + } + +- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, +- client); ++ /* ++ * There's a potential integer overflow in this check: ++ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, ++ * client); ++ * the version below ought to avoid it ++ */ ++ if (stuff->totalHeight != 0 && ++ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { ++ client->errorValue = stuff->totalWidth; ++ return BadValue; ++ } + if (stuff->srcX > stuff->totalWidth) + { + client->errorValue = stuff->srcX; diff --git a/debian/patches/172_xorg-xserver-1.4-cve-2008-2360.diff b/debian/patches/172_xorg-xserver-1.4-cve-2008-2360.diff new file mode 100644 index 0000000..f14afce --- /dev/null 
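Review bot: The replacement check in ProcShmPutImage computes `shmdesc->size - stuff->offset`, and nothing in the hunk ensures the offset lies within the segment. If both operands are unsigned, an offset larger than the size wraps to a huge quotient and the comparison never fires. An earlier check in the function may already reject such offsets, but it is outside this hunk, so either extend the comment to name that dependency or make the condition self-contained: `if (stuff->offset > shmdesc->size || (stuff->totalHeight != 0 && length > (shmdesc->size - stuff->offset)/stuff->totalHeight)) {`. The error path also reports `stuff->totalWidth` in `client->errorValue` even when the height or offset is what put the request out of range.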
+++ b/debian/patches/172_xorg-xserver-1.4-cve-2008-2360.diff @@ -0,0 +1,32 @@ +diff --git a/render/glyph.c b/render/glyph.c +index 583a52b..42ae65d 100644 +--- a/render/glyph.c ++++ b/render/glyph.c +@@ -42,6 +42,12 @@ + #include "picturestr.h" + #include "glyphstr.h" + ++#if HAVE_STDINT_H ++#include <stdint.h> ++#elif !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif ++ + /* + * From Knuth -- a good choice for hash/rehash values is p, p-2 where + * p and p-2 are both prime. These tables are sized to have an extra 10% +@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth) + int size; + GlyphPtr glyph; + int i; +- +- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]); ++ size_t padded_width; ++ ++ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]); ++ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height) ++ return 0; ++ size = gi->height * padded_width; + glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec)); + if (!glyph) + return 0; diff --git a/debian/patches/173_xorg-xserver-1.4-cve-2008-2361.diff b/debian/patches/173_xorg-xserver-1.4-cve-2008-2361.diff new file mode 100644 index 0000000..0749331 --- /dev/null +++ b/debian/patches/173_xorg-xserver-1.4-cve-2008-2361.diff @@ -0,0 +1,13 @@ +diff --git a/render/render.c b/render/render.c +index caaa278..b53e878 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -1504,6 +1504,8 @@ ProcRenderCreateCursor (ClientPtr client) + pScreen = pSrc->pDrawable->pScreen; + width = pSrc->pDrawable->width; + height = pSrc->pDrawable->height; ++ if (height && width > UINT32_MAX/(height*sizeof(CARD32))) ++ return BadAlloc; + if ( stuff->x > width + || stuff->y > height ) + return (BadMatch); diff --git a/debian/patches/174_xorg-xserver-1.4-cve-2008-2362.diff b/debian/patches/174_xorg-xserver-1.4-cve-2008-2362.diff new file mode 100644 index 0000000..a254d7a --- /dev/null +++ b/debian/patches/174_xorg-xserver-1.4-cve-2008-2362.diff 
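Review bot: The overflow guard in AllocateGlyph bounds the product against UINT32_MAX, but the result is still stored in `int size`. A product between INT_MAX and UINT32_MAX passes the check and does not fit in `size`, so the value handed to `xalloc()` and to any later use of `size` (the function continues outside this hunk) depends on an out-of-range conversion. Either declare `size_t size;` or tighten the bound to the type actually used: `if (gi->height && padded_width > (INT_MAX - sizeof(GlyphRec))/gi->height) return 0;`, which needs `<limits.h>`.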
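Review bot: `UINT32_MAX` is used in ProcRenderCreateCursor, yet none of the render.c hunks on this page add a definition for it; the `HAVE_STDINT_H` fallback is introduced in glyph.c only. Unless render.c already picks up `<stdint.h>` through another header, this line and the nStops checks in the gradient hunks of the CVE-2008-2362 patch will not compile on a build that lacks it. I would add the same `#if HAVE_STDINT_H` / `#elif !defined(UINT32_MAX)` block near the top of render.c. The function body extends beyond the hunk on both sides.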
@@ -0,0 +1,63 @@ +diff --git a/render/render.c b/render/render.c +index 74c5f63..b53e878 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -1920,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client) + LEGAL_NEW_RESOURCE(stuff->pid, client); + + len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); ++ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) ++ return BadLength; + if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; + +@@ -2493,18 +2495,18 @@ SProcRenderCreateSolidFill(ClientPtr client) + return (*ProcRenderVector[stuff->renderReqType]) (client); + } + +-static void swapStops(void *stuff, int n) ++static void swapStops(void *stuff, int num) + { +- int i; ++ int i, n; + CARD32 *stops; + CARD16 *colors; + stops = (CARD32 *)(stuff); +- for (i = 0; i < n; ++i) { ++ for (i = 0; i < num; ++i) { + swapl(stops, n); + ++stops; + } + colors = (CARD16 *)(stops); +- for (i = 0; i < 4*n; ++i) { ++ for (i = 0; i < 4*num; ++i) { + swaps(stops, n); + ++stops; + } +@@ -2527,6 +2529,8 @@ SProcRenderCreateLinearGradient (ClientPtr client) + swapl(&stuff->nStops, n); + + len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); ++ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) ++ return BadLength; + if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; + +@@ -2554,6 +2558,8 @@ SProcRenderCreateRadialGradient (ClientPtr client) + swapl(&stuff->nStops, n); + + len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq); ++ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) ++ return BadLength; + if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; + +@@ -2578,6 +2584,8 @@ SProcRenderCreateConicalGradient (ClientPtr client) + swapl(&stuff->nStops, n); + + len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq); ++ if (stuff->nStops > 
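Review bot: The nStops guard is added to ProcRenderCreateLinearGradient and to the three byte-swapped handlers, but no hunk in this patch touches the non-swapped radial and conical handlers. If those compute `stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))` the same way, as the swapped versions suggest, they need the same two lines before the length comparison: `if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))` followed by `return BadLength;`. Their bodies are not visible here, so this needs checking against render.c itself.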
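Review bot: The second loop in swapStops still swaps and advances `stops` instead of `colors`, and the rename from `n` to `num` leaves that untouched. `colors` is assigned and never used, so the loop steps a CARD32 pointer 4*num times; assuming four 16-bit channels per stop, as the `4*num` bound implies, that touches twice as many bytes as the colour data occupies and runs past the end of the client's request. The loop body should read `swaps(colors, n);` and `++colors;`.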
UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) ++ return BadLength; + if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; + diff --git a/debian/patches/series b/debian/patches/series index 526af56..a2f333d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -64,3 +64,8 @@ 167_xf86AutoConfig_geode_addition.diff -p0 168_closedir.patch 169_xf86AutoConfig_choose_default_driver_if_no_pci.patch +170_xorg-xserver-1.4-cve-2008-1377.diff +171_xorg-xserver-1.4-cve-2008-1379.diff +172_xorg-xserver-1.4-cve-2008-2360.diff +173_xorg-xserver-1.4-cve-2008-2361.diff +174_xorg-xserver-1.4-cve-2008-2362.diff commit 78aadba2598355047113b1b61d0779d96c003b31 Author: Bryce Harrington <[EMAIL PROTECTED]> Date: Tue May 13 18:58:17 2008 -0700 adding patch 169 diff --git a/debian/changelog b/debian/changelog index 3d2624b..2b44c46 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +xorg-server (2:1.4.1~git20080131-1ubuntu11) intrepid; urgency=low + + * 169_xf86AutoConfig_choose_default_driver_if_no_pci.patch + - Choose the default driver for the platform instead of the generic + default (vesa) if there is no PCI info. Without this, on platforms + like PS3 where fbdev should be used rather than vesa, the system + will fail to start up. (LP: #219424) + + -- Bryce Harrington <[EMAIL PROTECTED]> Tue, 13 May 2008 13:09:17 -0700 + + xorg-server (2:1.4.1~git20080131-1ubuntu10) intrepid; urgency=low [Timo Aaltonen] diff --git a/debian/patches/series b/debian/patches/series index 381b6dc..526af56 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -63,3 +63,4 @@ 166_fix_lpl_monitors.diff 167_xf86AutoConfig_geode_addition.diff -p0 168_closedir.patch +169_xf86AutoConfig_choose_default_driver_if_no_pci.patch -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]