summaryrefslogtreecommitdiff
path: root/extra/xorg-server
diff options
context:
space:
mode:
authorroot <root@rshg054.dnsready.net>2013-10-10 01:59:31 -0700
committerroot <root@rshg054.dnsready.net>2013-10-10 01:59:31 -0700
commit361f95d1ff881daf5f87cb14917bd524511abfc5 (patch)
tree80a94568027dded4548d525a8a3ed7621ccf325d /extra/xorg-server
parent737832e1bd70820f477143512b5c89a30a6e81d0 (diff)
Thu Oct 10 01:58:46 PDT 2013
Diffstat (limited to 'extra/xorg-server')
-rw-r--r--extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch76
-rw-r--r--extra/xorg-server/PKGBUILD23
2 files changed, 96 insertions, 3 deletions
diff --git a/extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch b/extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
new file mode 100644
index 000000000..b550bcedd
--- /dev/null
+++ b/extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
@@ -0,0 +1,76 @@
+From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Mon, 16 Sep 2013 21:47:16 -0700
+Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
+ [CVE-2013-4396]
+
+Save a pointer to the passed in closure structure before copying it
+and overwriting the *c pointer to point to our copy instead of the
+original. If we hit an error, once we free(c), reset c to point to
+the original structure before jumping to the cleanup code that
+references *c.
+
+Since one of the errors being checked for is whether the server was
+able to malloc(c->nChars * itemSize), the client can potentially pass
+a number of characters chosen to cause the malloc to fail and the
+error path to be taken, resulting in the read from freed memory.
+
+Since the memory is accessed almost immediately afterwards, and the
+X server is mostly single threaded, the odds of the free memory having
+invalid contents are low with most malloc implementations when not using
+memory debugging features, but some allocators will definitely overwrite
+the memory there, leading to a likely crash.
+
+Reported-by: Pedro Ribeiro <pedrib@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+---
+ dix/dixfonts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index feb765d..2e34d37 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+ data = malloc(c->nChars * itemSize);
+ if (!data) {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ if (!pGC) {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+--
+1.7.9.2
+
diff --git a/extra/xorg-server/PKGBUILD b/extra/xorg-server/PKGBUILD
index e6e01ef2a..064578096 100644
--- a/extra/xorg-server/PKGBUILD
+++ b/extra/xorg-server/PKGBUILD
@@ -1,11 +1,11 @@
-# $Id: PKGBUILD 194374 2013-09-15 07:40:13Z andyrtr $
+# $Id: PKGBUILD 196227 2013-10-08 22:59:23Z lcarlier $
# Maintainer: AndyRTR <andyrtr@archlinux.org>
# Maintainer: Jan de Groot <jgc@archlinux.org>
pkgbase=xorg-server
pkgname=('xorg-server' 'xorg-server-xephyr' 'xorg-server-xdmx' 'xorg-server-xvfb' 'xorg-server-xnest' 'xorg-server-common' 'xorg-server-devel')
pkgver=1.14.3
-pkgrel=1
+pkgrel=2
arch=('i686' 'x86_64')
license=('custom')
url="http://xorg.freedesktop.org"
@@ -23,7 +23,8 @@ source=(${url}/releases/individual/xserver/${pkgbase}-${pkgver}.tar.bz2
xvfb-run
xvfb-run.1
10-quirks.conf
- fb-rename-wfbDestroyGlyphCache.patch)
+ fb-rename-wfbDestroyGlyphCache.patch
+ 0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch)
sha256sums=('02125ae13a443dcbb55f964d5c37f1da2f58ad54c2102356037bec23c1b84f5e'
'66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162'
'd027776fac1f7675b0a9ee817502290b1c45f9c09b0f0a6bb058c35f92361e84'
@@ -54,7 +55,12 @@ prepare() {
# http://cgit.freedesktop.org/xorg/xserver/commit/fb/wfbrename.h?id=5047810a4c20fab444b8c6eb146c55dcdb0d4219
patch -Np1 -i ../fb-rename-wfbDestroyGlyphCache.patch
+
+ # CVE-2013-4396: Use after free in Xserver handling of ImageText requests
+ # (to be included in xorg-server 1.15.0 and 1.14.4)
+ patch -Np1 -i ../0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
}
+
build() {
cd "${pkgbase}-${pkgver}"
autoreconf -fi
@@ -218,3 +224,14 @@ package_xorg-server-devel() {
install -m755 -d "${pkgdir}/usr/share/licenses/xorg-server-devel"
ln -sf ../xorg-server-common/COPYING "${pkgdir}/usr/share/licenses/xorg-server-devel/COPYING"
}
+sha256sums=('02125ae13a443dcbb55f964d5c37f1da2f58ad54c2102356037bec23c1b84f5e'
+ '66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162'
+ 'd027776fac1f7675b0a9ee817502290b1c45f9c09b0f0a6bb058c35f92361e84'
+ 'e033f9bcc21980f7f0428e6ed6c362a3d55ad293b05fd6e6c6c1933b86f9e63a'
+ '26ee6ff255a60d7c1e136c612925eb63c86e85a4a3a55d531852ad9275526588'
+ 'bb63658d250c21bbfaf94c5417f2920ce5963ee1f7db6cac2b163a54f2e9b619'
+ 'ff0156309470fc1d378fd2e104338020a884295e285972cc88e250e031cc35b9'
+ '2460adccd3362fefd4cdc5f1c70f332d7b578091fb9167bf88b5f91265bbd776'
+ '94612f5c0d34a3b7152915c2e285c7b462e9d8e38d3539bd551a339498eac166'
+ 'd0832cc16b5e6c1dee2959055a4b327f5c87e2a67b5f427d654663057207b2c1'
+ '2b90ce92a900b6d4edda9ef33acdd3d2c2708fec2344175c2d8dfd4265f56d32')
generated by cgit v1.2.2 (git 2.25.0) at 2024-05-13 08:10:26 +0000