- Update to prerelease 1.14.4-rc1 (1.14.3.901)

* bugfixes * fixes for security issue CVE-2013-4396 - obsoletes u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=464
2013-10-28 08:10:57 +00:00 · 2013-10-28 08:10:57 +00:00 · df16a98b5b
commit df16a98b5b
parent 93fbf7ad2a
5 changed files with 12 additions and 81 deletions
--- a/u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch
+++ b/u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch
@ -1,75 +0,0 @@
-From a4d9bf1259ad28f54b6d59a480b2009cc89ca623 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Mon, 16 Sep 2013 21:47:16 -0700
-Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
-
-Save a pointer to the passed in closure structure before copying it
-and overwriting the *c pointer to point to our copy instead of the
-original.  If we hit an error, once we free(c), reset c to point to
-the original structure before jumping to the cleanup code that
-references *c.
-
-Since one of the errors being checked for is whether the server was
-able to malloc(c->nChars * itemSize), the client can potentially pass
-a number of characters chosen to cause the malloc to fail and the
-error path to be taken, resulting in the read from freed memory.
-
-Since the memory is accessed almost immediately afterwards, and the
-X server is mostly single threaded, the odds of the free memory having
-invalid contents are low with most malloc implementations when not using
-memory debugging features, but some allocators will definitely overwrite
-the memory there, leading to a likely crash.
-
-Reported-by: Pedro Ribeiro <pedrib@gmail.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
---
- dix/dixfonts.c |    5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/dix/dixfonts.c b/dix/dixfonts.c
-index feb765d..2e34d37 100644
--- a/dix/dixfonts.c
-+++ b/dix/dixfonts.c
-@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
-             GC *pGC;
-             unsigned char *data;
-             ITclosurePtr new_closure;
-+            ITclosurePtr old_closure;
- 
-             /* We're putting the client to sleep.  We need to
-                save some state.  Similar problem to that handled
-@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
-                 err = BadAlloc;
-                 goto bail;
-             }
-+            old_closure = c;
-             *new_closure = *c;
-             c = new_closure;
- 
-             data = malloc(c->nChars * itemSize);
-             if (!data) {
-                 free(c);
-+                c = old_closure;
-                 err = BadAlloc;
-                 goto bail;
-             }
-@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
-             if (!pGC) {
-                 free(c->data);
-                 free(c);
-+                c = old_closure;
-                 err = BadAlloc;
-                 goto bail;
-             }
-@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
-                 FreeScratchGC(pGC);
-                 free(c->data);
-                 free(c);
-+                c = old_closure;
-                 err = BadAlloc;
-                 goto bail;
-             }
-- 
-1.7.9.2
-
--- a/xorg-server-1.14.3.901.tar.bz2
+++ b/xorg-server-1.14.3.901.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3d8481f60d6ef67bb9b72c1ee375f5a64e69ba32c613c01367b3c2b5c154ab0a
+size 5510351
--- a/xorg-server-1.14.3.tar.bz2
+++ b/xorg-server-1.14.3.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:02125ae13a443dcbb55f964d5c37f1da2f58ad54c2102356037bec23c1b84f5e
-size 5502845
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Oct 28 08:00:16 UTC 2013 - sndirsch@suse.com
+
+- Update to prerelease 1.14.4-rc1 (1.14.3.901)
+  * bugfixes
+  * fixes for security issue CVE-2013-4396
+- obsoletes u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch
+
 -------------------------------------------------------------------
 Fri Oct 25 12:31:46 UTC 2013 - msrb@suse.com

--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -18,7 +18,7 @@

 Name:           xorg-x11-server

-%define dirsuffix 1.14.3
+%define dirsuffix 1.14.3.901

 Summary:        X
 License:        GPL-2.0+ and MIT
@ -156,7 +156,6 @@ Patch229:       u_disable-acpi-code.patch
 Patch230:       u_xserver_xvfb-randr.patch

 Patch240:       U_revert_dri2_realloc_dri2_drawable_if-pixmap_serial_changes.patch
-Patch241:       u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch

 Patch242:       U_randr_dont_directly_set_changed_bits_in_randr_screen.patch
 Patch243:       U_randr_report_changes_when_we_disconnect_a_GPU_slave.patch
@ -249,7 +248,6 @@ cp %{SOURCE96} .
 %patch230 -p1

 %patch240 -p1
-%patch241 -p1

 %patch242 -p1
 %patch243 -p1