From c2b476eb594b8c77fe7b0da71857f07a7ed6ca3a Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Apr 17 2013 04:39:01 +0000
Subject: CVE-2013-1940: Fix xf86FlushInput() to drain evdev events too (#950438)


---

diff --git a/0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch b/0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch
new file mode 100644
index 0000000..45257d4
--- /dev/null
+++ b/0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch
@@ -0,0 +1,37 @@
+From 8647ee8f422e1ea9212d84ae14ef2163793bcdc8 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@gmail.com>
+Date: Wed, 10 Apr 2013 16:09:01 +1000
+Subject: [PATCH] xf86: fix flush input to work with Linux evdev devices.
+
+So when we VT switch back and attempt to flush the input devices,
+we don't succeed because evdev won't return part of an event,
+since we were only asking for 4 bytes, we'd only get -EINVAL back.
+
+This could later cause events to be flushed that we shouldn't have
+gotten.
+
+This is a fix for CVE-2013-1940.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ hw/xfree86/os-support/shared/posix_tty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/xfree86/os-support/shared/posix_tty.c b/hw/xfree86/os-support/shared/posix_tty.c
+index ab3757a..4d08c1e 100644
+--- a/hw/xfree86/os-support/shared/posix_tty.c
++++ b/hw/xfree86/os-support/shared/posix_tty.c
+@@ -421,7 +421,8 @@ xf86FlushInput(int fd)
+ {
+     fd_set fds;
+     struct timeval timeout;
+-    char c[4];
++    /* this needs to be big enough to flush an evdev event. */
++    char c[256];
+
+     DebugF("FlushingSerial\n");
+     if (tcflush(fd, TCIFLUSH) == 0)
+--
+1.8.1.4
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 2e7c5b4..c9d5d14 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -42,7 +42,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.14.0
-Release:   5%{?gitdate:.%{gitdate}}%{dist}
+Release:   6%{?gitdate:.%{gitdate}}%{dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@@ -121,11 +121,15 @@ Patch7071: 0001-os-use-libunwind-to-generate-backtraces.patch
 # upstream submitted
 Patch7072: xserver-1.14.0-fix-gpu-hotplug-vt-switch.patch
 
+# Bug 950438 - CVE-2013-1940 xorg-x11-server:
+# Information disclosure due enabling events from hot-plug devices despite
+# input from the device being momentarily disabled
+Patch7073: 0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch
+
 # on way upstream: fixes for reverse optimus
 Patch8000: 0001-dix-allow-pixmap-dirty-helper-to-be-used-for-non-sha.patch
 Patch8001: 0001-xserver-call-CSR-for-gpus.patch
 
-
 %global moduledir	%{_libdir}/xorg/modules
 %global drimoduledir	%{_libdir}/dri
 %global sdkdir		%{_includedir}/xorg
@@ -598,6 +602,10 @@ rm -rf $RPM_BUILD_ROOT
 %{xserver_source_dir}
 
 %changelog
+* Wed Apr 17 2013 Peter Hutterer <peter.hutterer@redhat.com> 1.14.0-6
+- CVE-2013-1940: Fix xf86FlushInput() to drain evdev events
+  (#950438, #952949)
+
 * Fri Apr 12 2013 Dave Airlie <airlied@redhat.com> 1.14.0-5
 - reenable reverse optimus and some missing patch from F18