From b3223c2c2818e4e1ef49a13be57063c981cf3203 Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Apr 17 2013 04:23:44 +0000 Subject: CVE-2013-1940: Fix xf86FlushInput() to drain evdev events (#950438, #952949) --- diff --git a/0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch b/0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch new file mode 100644 index 0000000..8d37032 --- /dev/null +++ b/0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch @@ -0,0 +1,38 @@ +From 8647ee8f422e1ea9212d84ae14ef2163793bcdc8 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Wed, 10 Apr 2013 16:09:01 +1000 +Subject: [PATCH] xf86: fix flush input to work with Linux evdev devices. + +So when we VT switch back and attempt to flush the input devices, +we don't succeed because evdev won't return part of an event, +since we were only asking for 4 bytes, we'd only get -EINVAL back. + +This could later cause events to be flushed that we shouldn't have +gotten. + +This is a fix for CVE-2013-1940. + +Signed-off-by: Dave Airlie +Reviewed-by: Peter Hutterer +Signed-off-by: Peter Hutterer +--- + hw/xfree86/os-support/shared/posix_tty.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/xfree86/os-support/shared/posix_tty.c b/hw/xfree86/os-support/shared/posix_tty.c +index ab3757a..4d08c1e 100644 +--- a/hw/xfree86/os-support/shared/posix_tty.c ++++ b/hw/xfree86/os-support/shared/posix_tty.c +@@ -421,7 +421,8 @@ xf86FlushInput(int fd) + { + fd_set fds; + struct timeval timeout; +- char c[4]; ++ /* this needs to be big enough to flush an evdev event. */ ++ char c[256]; + + DebugF("FlushingSerial\n"); + if (tcflush(fd, TCIFLUSH) == 0) +-- +1.8.1.4 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 0b2c2ed..d5087ec 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -42,7 +42,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.14.0 -Release: 3%{?gitdate:.%{gitdate}}%{dist} +Release: 4%{?gitdate:.%{gitdate}}%{dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -118,6 +118,11 @@ Patch7070: 0001-randr-report-changes-when-we-disconnect-a-GPU-slave.patch Patch7071: 0001-os-use-libunwind-to-generate-backtraces.patch %endif +# Bug 950438 - CVE-2013-1940 xorg-x11-server: +# Information disclosure due enabling events from hot-plug devices despite +# input from the device being momentarily disabled +Patch7072: 0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch + %global moduledir %{_libdir}/xorg/modules %global drimoduledir %{_libdir}/dri %global sdkdir %{_includedir}/xorg @@ -590,6 +595,10 @@ rm -rf $RPM_BUILD_ROOT %{xserver_source_dir} %changelog +* Wed Apr 17 2013 Peter Hutterer 1.14.0-4 +- CVE-2013-1940: Fix xf86FlushInput() to drain evdev events + (#950438, #952949) + * Fri Mar 22 2013 Dan HorĂ¡k 1.14.0-3 - libunwind exists only on selected arches