diff --git a/cve-2008-1377.patch b/cve-2008-1377.patch
new file mode 100644
index 0000000..4eb7e1d
--- /dev/null
+++ b/cve-2008-1377.patch
@@ -0,0 +1,88 @@
+diff --git a/Xext/security.c b/Xext/security.c
+index ba057de..f34c463 100644
+--- a/Xext/security.c
++++ b/Xext/security.c
+@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
+ register char n;
+ CARD32 *values;
+ unsigned long nvalues;
++ int values_offset;
+ 
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
+ swaps(&stuff->nbytesAuthProto, n);
+ swaps(&stuff->nbytesAuthData, n);
+ swapl(&stuff->valueMask, n);
+- values = (CARD32 *)(&stuff[1]) +
+- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
++ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ if (values_offset >
++ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
++ return BadLength;
++ values = (CARD32 *)(&stuff[1]) + values_offset;
+ nvalues = (((CARD32 *)stuff) + stuff->length) - values;
+ SwapLongs(values, nvalues);
+ return ProcSecurityGenerateAuthorization(client);
+diff --git a/record/record.c b/record/record.c
+index 0ed8f84..9a166d6 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
+ } /* SProcRecordQueryVersion */
+ 
+ 
+-static void
++static int
+ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ {
+ register char n;
+@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ swapl(&stuff->nClients, n);
+ swapl(&stuff->nRanges, n);
+ pClientID = (XID *)&stuff[1];
++ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
++ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++)
+ {
+ swapl(pClientID, n);
+ }
++ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
++ - stuff->nClients)
++ return BadLength;
+ RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
++ return Success;
+ } /* SwapCreateRegister */
+ 
+ 
+@@ -2679,11 +2685,13 @@ static int
+ SProcRecordCreateContext(ClientPtr client)
+ {
+ REQUEST(xRecordCreateContextReq);
++ int status;
+ register char n;
+ 
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+ 
+@@ -2692,11 +2700,13 @@ static int
+ SProcRecordRegisterClients(ClientPtr client)
+ {
+ REQUEST(xRecordRegisterClientsReq);
++ int status;
+ register char n;
+ 
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+ 
diff --git a/cve-2008-1379.patch b/cve-2008-1379.patch
new file mode 100644
index 0000000..180d126
--- /dev/null
+++ b/cve-2008-1379.patch
@@ -0,0 +1,24 @@
+diff --git a/Xext/shm.c b/Xext/shm.c
+index ac587be..e08df36 100644
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -831,8 +831,17 @@ ProcShmPutImage(client)
+ return BadValue;
+ }
+ 
+- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+- client);
++ /*
++ * There's a potential integer overflow in this check:
++ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
++ * client);
++ * the version below ought to avoid it
++ */
++ if (stuff->totalHeight != 0 &&
++ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
++ client->errorValue = stuff->totalWidth;
++ return BadValue;
++ }
+ if (stuff->srcX > stuff->totalWidth)
+ {
+ client->errorValue = stuff->srcX;
diff --git a/cve-2008-2360.patch b/cve-2008-2360.patch
new file mode 100644
index 0000000..b544df7
--- /dev/null
+++ b/cve-2008-2360.patch
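Review bot: The second bound added in SwapCreateRegister compares `stuff->nRanges` against the remaining request length counted in CARD32 words, but RecordSwapRanges then walks `nRanges` xRecordRange structures, each of which (as far as I recall from the protocol header) is several words wide, so the byte-swapping can still run past the end of the request by a factor of the structure size even though the check passes. Scaling the bound by the structure size makes it exact, e.g. `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sz_xRecordRange >> 2)) return BadLength;`, assuming the protocol header's `sz_xRecordRange` constant is in scope in record.c. The ProcRecord* handlers presumably re-validate the exact request length afterwards, but by then the swap has already written through the buffer. The start of SwapCreateRegister (its locals and the context swap) lies above the hunk; both callers go through this one helper, so the tighter bound is needed only here.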
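Review bot: The replacement check in ProcShmPutImage is only sound if `stuff->offset <= shmdesc->size` has already been enforced earlier in the function, because otherwise the unsigned subtraction `shmdesc->size - stuff->offset` wraps and the division then admits any `length`; that earlier validation (presumably the offset check in VERIFY_SHMPTR, above the hunk) is not visible here, and the new comment should state the dependency instead of quoting the retired macro call. Suggested comment in place of the block: `/* offset <= shmdesc->size was established by the earlier offset check; divide instead of multiplying so length * totalHeight cannot overflow */`. Note also that the error reported to the client changes from whatever VERIFY_SHMSIZE returned (BadAccess, if I recall the macro) to BadValue with errorValue = totalWidth, which is a wire-visible behaviour change worth a line in the patch description. ProcShmPutImage continues outside the hunk.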
@@ -0,0 +1,32 @@
+diff -up ./render/glyph.c.cve-2008-2360 ./render/glyph.c
+--- ./render/glyph.c.cve-2008-2360 2006-07-06 04:31:44.000000000 +1000
++++ ./render/glyph.c 2008-05-29 16:22:06.000000000 +1000
+@@ -43,6 +43,12 @@
+ #include "picturestr.h"
+ #include "glyphstr.h"
+ 
++#if HAVE_STDINT_H
++#include
++#else
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /*
+ * From Knuth -- a good choice for hash/rehash values is p, p-2 where
+ * p and p-2 are both prime. These tables are sized to have an extra 10%
+@@ -627,8 +633,14 @@ AllocateGlyph (xGlyphInfo *gi, int fdept
+ int size;
+ GlyphPtr glyph;
+ int i;
++ size_t padded_width;
++
++ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
++
++ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
++ return 0;
+ 
+- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
++ size = gi->height * padded_width;
+ glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
+ if (!glyph)
+ return 0;
diff --git a/cve-2008-2361.patch b/cve-2008-2361.patch
new file mode 100644
index 0000000..0749331
--- /dev/null
+++ b/cve-2008-2361.patch
@@ -0,0 +1,13 @@
+diff --git a/render/render.c b/render/render.c
+index caaa278..b53e878 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1504,6 +1504,8 @@ ProcRenderCreateCursor (ClientPtr client)
+ pScreen = pSrc->pDrawable->pScreen;
+ width = pSrc->pDrawable->width;
+ height = pSrc->pDrawable->height;
++ if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
++ return BadAlloc;
+ if ( stuff->x > width
+ || stuff->y > height )
+ return (BadMatch);
diff --git a/cve-2008-2362.patch b/cve-2008-2362.patch
new file mode 100644
index 0000000..91238ff
--- /dev/null
+++ b/cve-2008-2362.patch
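Review bot: In AllocateGlyph the new guard bounds `gi->height * padded_width` to `UINT32_MAX - sizeof(GlyphRec)`, but `size` stays declared `int` on the context line above, so a product between INT_MAX and UINT32_MAX passes the check and is then stored into a signed int, which is implementation-defined and typically leaves `size` negative; the following `xalloc (size + sizeof (GlyphRec))` then depends on the int-to-size_t conversion of that negative value rather than on the bound the check intended. Either bound against `INT_MAX - sizeof(GlyphRec)` (from <limits.h>) or change the declaration to `size_t size;` so the variable can hold what the check allows; whatever else uses `size` below the hunk should be checked against the same type. Separately, the `#include` line under `#if HAVE_STDINT_H` has lost its header name in this rendering and has to read `#include <stdint.h>` for the guard to do anything, so the patch file as committed should be verified. AllocateGlyph continues outside the hunk.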
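Review bot: The new check in ProcRenderCreateCursor uses `UINT32_MAX` in render.c without any accompanying include or fallback, and the same applies to all four hunks of cve-2008-2362.patch, whereas cve-2008-2360.patch had to add a `HAVE_STDINT_H` guard with a fallback definition to glyph.c; unless render.c already has stdint.h in scope through its existing includes, this will not compile, and a consistent fix is to give render.c the same guarded include as glyph.c. The divisor `height*sizeof(CARD32)` is evaluated in size_t, so with `width` and `height` taken from `pDrawable->width`/`pDrawable->height` the comparison itself is sound, but the allocation it protects is presumably below the hunk and a one-line comment, `/* width*height*sizeof(CARD32) must fit in 32 bits for the cursor bitmap allocation below */`, would tie the check to it. ProcRenderCreateCursor continues outside the hunk.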
@@ -0,0 +1,63 @@
+diff --git a/render/render.c b/render/render.c
+index caaa278..b53e878 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1918,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
+ LEGAL_NEW_RESOURCE(stuff->pid, client);
+ 
+ len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
++ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++ return BadLength;
+ if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
+ 
+@@ -2491,18 +2495,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
+ return (*ProcRenderVector[stuff->renderReqType]) (client);
+ }
+ 
+-static void swapStops(void *stuff, int n)
++static void swapStops(void *stuff, int num)
+ {
+- int i;
++ int i, n;
+ CARD32 *stops;
+ CARD16 *colors;
+ stops = (CARD32 *)(stuff);
+- for (i = 0; i < n; ++i) {
++ for (i = 0; i < num; ++i) {
+ swapl(stops, n);
+ ++stops;
+ }
+ colors = (CARD16 *)(stops);
+- for (i = 0; i < 4*n; ++i) {
++ for (i = 0; i < 4*num; ++i) {
+ swaps(stops, n);
+ ++stops;
+ }
+@@ -2525,6 +2529,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
+ swapl(&stuff->nStops, n);
+ 
+ len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
++ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++ return BadLength;
+ if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
+ 
+@@ -2552,6 +2558,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
+ swapl(&stuff->nStops, n);
+ 
+ len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
++ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++ return BadLength;
+ if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
+ 
+@@ -2576,6 +2584,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
+ swapl(&stuff->nStops, n);
+ 
+ len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
++ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
++ return BadLength;
+ if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
+ 
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 0be6c53..dfa005a 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -9,7 +9,7 @@
 Summary: X.Org X11 X server
 Name: xorg-x11-server
 Version: 1.3.0.0
-Release: 45%{?dist}
+Release: 46%{?dist}
 URL: http://www.x.org
 License: MIT
 Group: User Interface/X
@@ -105,6 +105,11 @@ Patch3003: cve-2007-6428.patch
 Patch3004: cve-2007-6429.patch
 Patch3005: cve-2008-0006-server-fixup.patch
 Patch3006: cve-2007-3920.patch
+Patch3007: cve-2008-1377.patch
+Patch3008: cve-2008-1379.patch
+Patch3009: cve-2008-2360.patch
+Patch3010: cve-2008-2361.patch
+Patch3011: cve-2008-2362.patch
 %define moduledir %{_libdir}/xorg/modules
 %define drimoduledir %{_libdir}/dri
@@ -389,6 +394,11 @@ Xserver source code needed to build VNC server (Xvnc)
 %patch3004 -p1 -b .cve-2007-6429
 %patch3005 -p1 -b .cve-2008-0006
 %patch3006 -p1 -b .cve-2007-3920
+%patch3007 -p1 -b .cve-2008-1377
+%patch3008 -p1 -b .cve-2008-1379
+%patch3009 -p1 -b .cve-2008-2360
+%patch3010 -p1 -b .cve-2008-2361
+%patch3011 -p1 -b .cve-2008-2362
 %build
@@ -657,6 +667,13 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Thu Jun 12 2008 Dave Airlie 1.3.0.0-46
+- cve-2008-1377.patch: Record and Security Extension Input validation
+- cve-2008-1379.patch: MIT-SHM extension Input Validation flaw
+- cve-2008-2360.patch: Render AllocateGlyph extension Integer overflows
+- cve-2008-2361.patch: Render CreateCursor extension Integer overflows
+- cve-2008-2362.patch: Render Gradient extension Integer overflows
+
 * Wed Apr 30 2008 Dave Airlie 1.3.0.0-45
 - fix EXA pixmap maximum size to not fail on 32-bpp * 8192 pixmaps.
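Review bot: The second loop in swapStops still byte-swaps through `stops` (a CARD32 pointer) instead of through `colors`: the context lines `swaps(stops, n); ++stops;` advance four bytes per iteration for `4*num` iterations, so the loop covers twice the bytes the colour array occupies, swaps only the first two bytes of each word, and walks `8*num` bytes beyond the stops/colour data, while `colors` is assigned and never used. The renaming in this hunk fixes the clobbered loop bound but leaves that in place; the two lines should read `swaps(colors, n); ++colors;`. The SProc gradient handlers presumably validate `len` against `nStops` before calling swapStops, which bounds the over-run to whatever follows the request in the client buffer, but the swapped colours are wrong regardless of that.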