From a2eb7a9f58e677083ba1917618e6847b0548eef6d043f24f0374f1a6e90a8c29 Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Wed, 25 Jun 2008 23:19:13 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xorg-x11-server?expand=0&rev=80
---
CVE-2007-5760-xf86misc.diff | 15 --
CVE-2007-6427-xinput.diff | 244 ----------------------
CVE-2007-6428-TOG-cup.diff | 14 --
CVE-2007-6429-shm_evi.diff | 298 ---------------------------
CVE-2008-0006-pcf_font.diff | 18 --
commit-37b1258.diff | 76 -------
commit-a6a7fad.diff | 35 ----
remove_bogus_modeline.diff | 17 --
xorg-server-1.4-vnc.patch | 2 +-
xorg-server-1.4.0.90.tar.bz2 | 3 -
xorg-server-1.4.2.tar.bz2 | 3 +
xorg-x11-server.changes | 51 +++++
xorg-x11-server.spec | 65 ++++--
xserver-1.3.0-xkb-and-loathing.patch | 36 ----
xserver-mode-fuzzy-check.diff | 25 ++-
15 files changed, 116 insertions(+), 786 deletions(-)
delete mode 100644 CVE-2007-5760-xf86misc.diff
delete mode 100644 CVE-2007-6427-xinput.diff
delete mode 100644 CVE-2007-6428-TOG-cup.diff
delete mode 100644 CVE-2007-6429-shm_evi.diff
delete mode 100644 CVE-2008-0006-pcf_font.diff
delete mode 100644 commit-37b1258.diff
delete mode 100644 commit-a6a7fad.diff
delete mode 100644 remove_bogus_modeline.diff
delete mode 100644 xorg-server-1.4.0.90.tar.bz2
create mode 100644 xorg-server-1.4.2.tar.bz2
delete mode 100644 xserver-1.3.0-xkb-and-loathing.patch
diff --git a/CVE-2007-5760-xf86misc.diff b/CVE-2007-5760-xf86misc.diff
deleted file mode 100644
index f0e0a7f..0000000
--- a/CVE-2007-5760-xf86misc.diff
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/hw/xfree86/common/xf86MiscExt.c b/hw/xfree86/common/xf86MiscExt.c
-index c1b9c60..40c196a 100644
---- a/hw/xfree86/common/xf86MiscExt.c
-+++ b/hw/xfree86/common/xf86MiscExt.c
-@@ -548,6 +548,10 @@ MiscExtPassMessage(int scrnIndex, const char *msgtype, const char *msgval,
- {
- ScrnInfoPtr pScr = xf86Screens[scrnIndex];
-
-+ /* should check this in the protocol, but xf86NumScreens isn't exported */
-+ if (scrnIndex >= xf86NumScreens)
-+ return BadValue;
-+
- if (*pScr->HandleMessage == NULL)
- return BadImplementation;
- return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);
diff --git a/CVE-2007-6427-xinput.diff b/CVE-2007-6427-xinput.diff
deleted file mode 100644
index 1343a3c..0000000
--- a/CVE-2007-6427-xinput.diff
+++ /dev/null
@@ -1,244 +0,0 @@
-diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
-index 8fc24d5..696b74a 100644
---- a/Xi/chgfctl.c
-+++ b/Xi/chgfctl.c
-@@ -302,18 +302,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
- xStringFeedbackCtl * f)
- {
- char n;
-- long *p;
- int i, j;
- KeySym *syms, *sup_syms;
-
- syms = (KeySym *) (f + 1);
- if (client->swapped) {
- swaps(&f->length, n); /* swapped num_keysyms in calling proc */
-- p = (long *)(syms);
-- for (i = 0; i < f->num_keysyms; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ SwapLongs((CARD32 *) syms, f->num_keysyms);
- }
-
- if (f->num_keysyms > s->ctrl.max_symbols)
-diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
-index 3361e98..df334c1 100644
---- a/Xi/chgkmap.c
-+++ b/Xi/chgkmap.c
-@@ -75,18 +75,14 @@ int
- SProcXChangeDeviceKeyMapping(ClientPtr client)
- {
- char n;
-- long *p;
-- int i, count;
-+ unsigned int count;
-
- REQUEST(xChangeDeviceKeyMappingReq);
- swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
-- p = (long *)&stuff[1];
- count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-- for (i = 0; i < count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), count);
- return (ProcXChangeDeviceKeyMapping(client));
- }
-
-@@ -102,10 +98,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
- int ret;
- unsigned len;
- DeviceIntPtr dev;
-+ unsigned int count;
-
- REQUEST(xChangeDeviceKeyMappingReq);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
-
-+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
-+
- dev = LookupDeviceIntRec(stuff->deviceid);
- if (dev == Success)
- SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
-diff --git a/Xi/chgprop.c b/Xi/chgprop.c
-index 58db886..3fb33e1 100644
---- a/Xi/chgprop.c
-+++ b/Xi/chgprop.c
-@@ -77,19 +77,15 @@ int
- SProcXChangeDeviceDontPropagateList(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xChangeDeviceDontPropagateListReq);
- swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
- swapl(&stuff->window, n);
- swaps(&stuff->count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
-+ stuff->count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
- return (ProcXChangeDeviceDontPropagateList(client));
- }
-
-diff --git a/Xi/grabdev.c b/Xi/grabdev.c
-index 110fc6b..0671e0e 100644
---- a/Xi/grabdev.c
-+++ b/Xi/grabdev.c
-@@ -78,8 +78,6 @@ int
- SProcXGrabDevice(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xGrabDeviceReq);
- swaps(&stuff->length, n);
-@@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client)
- swapl(&stuff->grabWindow, n);
- swapl(&stuff->time, n);
- swaps(&stuff->event_count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->event_count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+
-+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
-+ return BadLength;
-+
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
-
- return (ProcXGrabDevice(client));
- }
-diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
-index c2661e8..ce0dcc5 100644
---- a/Xi/grabdevb.c
-+++ b/Xi/grabdevb.c
-@@ -77,8 +77,6 @@ int
- SProcXGrabDeviceButton(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xGrabDeviceButtonReq);
- swaps(&stuff->length, n);
-@@ -86,11 +84,9 @@ SProcXGrabDeviceButton(ClientPtr client)
- swapl(&stuff->grabWindow, n);
- swaps(&stuff->modifiers, n);
- swaps(&stuff->event_count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->event_count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
-+ stuff->event_count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
-
- return (ProcXGrabDeviceButton(client));
- }
-diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
-index 43b1928..d4b7fe8 100644
---- a/Xi/grabdevk.c
-+++ b/Xi/grabdevk.c
-@@ -77,8 +77,6 @@ int
- SProcXGrabDeviceKey(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xGrabDeviceKeyReq);
- swaps(&stuff->length, n);
-@@ -86,11 +84,8 @@ SProcXGrabDeviceKey(ClientPtr client)
- swapl(&stuff->grabWindow, n);
- swaps(&stuff->modifiers, n);
- swaps(&stuff->event_count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->event_count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
- return (ProcXGrabDeviceKey(client));
- }
-
-diff --git a/Xi/selectev.c b/Xi/selectev.c
-index b93618a..d3670ab 100644
---- a/Xi/selectev.c
-+++ b/Xi/selectev.c
-@@ -127,19 +127,16 @@ int
- SProcXSelectExtensionEvent(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xSelectExtensionEventReq);
- swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
- swapl(&stuff->window, n);
- swaps(&stuff->count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
-+ stuff->count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
-+
- return (ProcXSelectExtensionEvent(client));
- }
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index e4e38d7..588c910 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -80,7 +80,7 @@ int
- SProcXSendExtensionEvent(ClientPtr client)
- {
- char n;
-- long *p;
-+ CARD32 *p;
- int i;
- xEvent eventT;
- xEvent *eventP;
-@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
- REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
- swapl(&stuff->destination, n);
- swaps(&stuff->count, n);
-+
-+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
-+ (stuff->num_events * (sizeof(xEvent) >> 2)))
-+ return BadLength;
-+
- eventP = (xEvent *) & stuff[1];
- for (i = 0; i < stuff->num_events; i++, eventP++) {
- proc = EventSwapVector[eventP->u.u.type & 0177];
-@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
- *eventP = eventT;
- }
-
-- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
-- for (i = 0; i < stuff->count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
-+ SwapLongs(p, stuff->count);
- return (ProcXSendExtensionEvent(client));
- }
-
diff --git a/CVE-2007-6428-TOG-cup.diff b/CVE-2007-6428-TOG-cup.diff
deleted file mode 100644
index 177e949..0000000
--- a/CVE-2007-6428-TOG-cup.diff
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/Xext/cup.c b/Xext/cup.c
-index d0e820c..fd1409e 100644
---- a/Xext/cup.c
-+++ b/Xext/cup.c
-@@ -176,6 +176,9 @@ int ProcGetReservedColormapEntries(
-
- REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
-
-+ if (stuff->screen >= screenInfo.numScreens)
-+ return BadValue;
-+
- #ifndef HAVE_SPECIAL_DESKTOP_COLORS
- citems[CUP_BLACK_PIXEL].pixel =
- screenInfo.screens[stuff->screen]->blackPixel;
diff --git a/CVE-2007-6429-shm_evi.diff b/CVE-2007-6429-shm_evi.diff
deleted file mode 100644
index 9604a78..0000000
--- a/CVE-2007-6429-shm_evi.diff
+++ /dev/null
@@ -1,298 +0,0 @@
-diff --git a/Xext/EVI.c b/Xext/EVI.c
-index 4bd050c..a637bae 100644
---- a/Xext/EVI.c
-+++ b/Xext/EVI.c
-@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include
- #include "EVIstruct.h"
- #include "modinit.h"
-+#include "scrnintstr.h"
-
- static EviPrivPtr eviPriv;
-
-@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
- {
- REQUEST(xEVIGetVisualInfoReq);
- xEVIGetVisualInfoReply rep;
-- int n, n_conflict, n_info, sz_info, sz_conflict;
-+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
- VisualID32 *conflict;
-+ unsigned int total_visuals = 0;
- xExtendedVisualInfo *eviInfo;
- int status;
-+
-+ /*
-+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
-+ * here that you don't have more than 2^32 visuals over all your screens;
-+ * this seems like a safe assumption.
-+ */
-+ for (i = 0; i < screenInfo.numScreens; i++)
-+ total_visuals += screenInfo.screens[i]->numVisuals;
-+ if (stuff->n_visual > total_visuals)
-+ return BadValue;
-+
- REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
- status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
- &eviInfo, &n_info, &conflict, &n_conflict);
-diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
-index 7508aa7..b871bfd 100644
---- a/Xext/sampleEVI.c
-+++ b/Xext/sampleEVI.c
-@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include
- #include "EVIstruct.h"
- #include "scrnintstr.h"
-+
-+#if HAVE_STDINT_H
-+#include
-+#elif !defined(UINT32_MAX)
-+#define UINT32_MAX 0xffffffffU
-+#endif
-+
- static int sampleGetVisualInfo(
- VisualID32 *visual,
- int n_visual,
-@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
- VisualID32 **conflict_rn,
- int *n_conflict_rn)
- {
-- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
-+ unsigned int max_sz_evi;
- VisualID32 *temp_conflict;
- xExtendedVisualInfo *evi;
-- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
-+ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
- register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
-- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
-- if (!*evi_rn)
-- return BadAlloc;
-+
-+ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
-+ return BadAlloc;
-+ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
-+
- for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
- if (screenInfo.screens[scrI]->numVisuals > max_visuals)
- max_visuals = screenInfo.screens[scrI]->numVisuals;
- }
-+
-+ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
-+ * max_visuals))
-+ return BadAlloc;
- max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
-+
-+ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
-+ if (!*evi_rn)
-+ return BadAlloc;
-+
- temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
- if (!temp_conflict) {
- xfree(*evi_rn);
- return BadAlloc;
- }
-+
- for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
- for (visualI = 0; visualI < n_visual; visualI++) {
- evi[sz_evi].core_visual_id = visual[visualI];
-diff --git a/Xext/shm.c b/Xext/shm.c
-index e3d7a23..c545e49 100644
---- a/Xext/shm.c
-+++ b/Xext/shm.c
-@@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap(
- int i, j, result, rc;
- ShmDescPtr shmdesc;
- REQUEST(xShmCreatePixmapReq);
-+ unsigned int width, height, depth;
-+ unsigned long size;
- PanoramiXRes *newPix;
-
- REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -770,11 +772,26 @@ ProcPanoramiXShmCreatePixmap(
- return rc;
-
- VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
-- if (!stuff->width || !stuff->height)
-+
-+ width = stuff->width;
-+ height = stuff->height;
-+ depth = stuff->depth;
-+ if (!width || !height || !depth)
- {
- client->errorValue = 0;
- return BadValue;
- }
-+ if (width > 32767 || height > 32767)
-+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
-+
- if (stuff->depth != 1)
- {
- pDepth = pDraw->pScreen->allowedDepths;
-@@ -785,9 +802,7 @@ ProcPanoramiXShmCreatePixmap(
- return BadValue;
- }
- CreatePmap:
-- VERIFY_SHMSIZE(shmdesc, stuff->offset,
-- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-- client);
-+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
-
- if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
- return BadAlloc;
-@@ -1086,6 +1101,8 @@ ProcShmCreatePixmap(client)
- register int i, rc;
- ShmDescPtr shmdesc;
- REQUEST(xShmCreatePixmapReq);
-+ unsigned int width, height, depth;
-+ unsigned long size;
-
- REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
- client->errorValue = stuff->pid;
-@@ -1098,11 +1115,26 @@ ProcShmCreatePixmap(client)
- return rc;
-
- VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
-- if (!stuff->width || !stuff->height)
-+
-+ width = stuff->width;
-+ height = stuff->height;
-+ depth = stuff->depth;
-+ if (!width || !height || !depth)
- {
- client->errorValue = 0;
- return BadValue;
- }
-+ if (width > 32767 || height > 32767)
-+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
-+
- if (stuff->depth != 1)
- {
- pDepth = pDraw->pScreen->allowedDepths;
-@@ -1113,9 +1145,7 @@ ProcShmCreatePixmap(client)
- return BadValue;
- }
- CreatePmap:
-- VERIFY_SHMSIZE(shmdesc, stuff->offset,
-- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-- client);
-+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
- pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
- pDraw->pScreen, stuff->width,
- stuff->height, stuff->depth,
-diff --git a/Xext/shm.c b/Xext/shm.c
-index c545e49..e46f6fc 100644
---- a/Xext/shm.c
-+++ b/Xext/shm.c
-@@ -783,14 +783,6 @@ ProcPanoramiXShmCreatePixmap(
- }
- if (width > 32767 || height > 32767)
- return BadAlloc;
-- size = PixmapBytePad(width, depth) * height;
-- if (sizeof(size) == 4) {
-- if (size < width * height)
-- return BadAlloc;
-- /* thankfully, offset is unsigned */
-- if (stuff->offset + size < size)
-- return BadAlloc;
-- }
-
- if (stuff->depth != 1)
- {
-@@ -801,7 +793,17 @@ ProcPanoramiXShmCreatePixmap(
- client->errorValue = stuff->depth;
- return BadValue;
- }
-+
- CreatePmap:
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
-+
- VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
-
- if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
-@@ -1126,14 +1128,6 @@ ProcShmCreatePixmap(client)
- }
- if (width > 32767 || height > 32767)
- return BadAlloc;
-- size = PixmapBytePad(width, depth) * height;
-- if (sizeof(size) == 4) {
-- if (size < width * height)
-- return BadAlloc;
-- /* thankfully, offset is unsigned */
-- if (stuff->offset + size < size)
-- return BadAlloc;
-- }
-
- if (stuff->depth != 1)
- {
-@@ -1144,7 +1138,17 @@ ProcShmCreatePixmap(client)
- client->errorValue = stuff->depth;
- return BadValue;
- }
-+
- CreatePmap:
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
-+
- VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
- pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
- pDraw->pScreen, stuff->width,
-diff --git a/Xext/shm.c b/Xext/shm.c
-index e46f6fc..a7a1ecf 100644
---- a/Xext/shm.c
-+++ b/Xext/shm.c
-@@ -799,10 +799,10 @@ CreatePmap:
- if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
- if (size < width * height)
- return BadAlloc;
-- /* thankfully, offset is unsigned */
-- if (stuff->offset + size < size)
-- return BadAlloc;
- }
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-
- VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
-
-@@ -1144,10 +1144,10 @@ CreatePmap:
- if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
- if (size < width * height)
- return BadAlloc;
-- /* thankfully, offset is unsigned */
-- if (stuff->offset + size < size)
-- return BadAlloc;
- }
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-
- VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
- pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
diff --git a/CVE-2008-0006-pcf_font.diff b/CVE-2008-0006-pcf_font.diff
deleted file mode 100644
index 37bb8bb..0000000
--- a/CVE-2008-0006-pcf_font.diff
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/dix/dixfonts.c b/dix/dixfonts.c
-index 2979c64..04f1f1b 100644
---- a/dix/dixfonts.c
-+++ b/dix/dixfonts.c
-@@ -326,6 +326,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
- err = BadFontName;
- goto bail;
- }
-+ /* check values for firstCol, lastCol, firstRow, and lastRow */
-+ if (pfont->info.firstCol > pfont->info.lastCol ||
-+ pfont->info.firstRow > pfont->info.lastRow ||
-+ pfont->info.lastCol - pfont->info.firstCol > 255) {
-+ err = AllocError;
-+ goto bail;
-+ }
- if (!pfont->fpe)
- pfont->fpe = fpe;
- pfont->refcnt++;
diff --git a/commit-37b1258.diff b/commit-37b1258.diff
deleted file mode 100644
index f4103e8..0000000
--- a/commit-37b1258.diff
+++ /dev/null
@@ -1,76 +0,0 @@
-commit 37b1258f0a288a79ce6a3eef3559e17a67c4dd96
-Author: Thomas Jaeger
-Date: Tue Apr 1 15:27:06 2008 +0300
-
- XKB: Fix processInputProc wrapping
-
- If input processing is frozen, only wrap realInputProc: don't smash
- processInputProc as well. When input processing is thawed, pIP will be
- rewrapped correctly.
-
- This supersedes the previous workaround in 50e80c9.
-
- Signed-off-by: Daniel Stone
-
-diff --git a/include/xkbsrv.h b/include/xkbsrv.h
-index ef99e94..040bb93 100644
---- a/include/xkbsrv.h
-+++ b/include/xkbsrv.h
-@@ -237,6 +237,14 @@ typedef struct _XkbSrvLedInfo {
- typedef struct
- {
- ProcessInputProc processInputProc;
-+ /* If processInputProc is set to something different than realInputProc,
-+ * UNWRAP and COND_WRAP will not touch processInputProc and update only
-+ * realInputProc. This ensures that
-+ * processInputProc == (frozen ? EnqueueEvent : realInputProc)
-+ *
-+ * WRAP_PROCESS_INPUT_PROC should only be called during initialization,
-+ * since it may destroy this invariant.
-+ */
- ProcessInputProc realInputProc;
- DeviceUnwrapProc unwrapProc;
- } xkbDeviceInfoRec, *xkbDeviceInfoPtr;
-@@ -254,14 +262,14 @@ typedef struct
- device->public.processInputProc = proc; \
- oldprocs->processInputProc = \
- oldprocs->realInputProc = device->public.realInputProc; \
-- if (proc != device->public.enqueueInputProc) \
-- device->public.realInputProc = proc; \
-+ device->public.realInputProc = proc; \
- oldprocs->unwrapProc = device->unwrapProc; \
- device->unwrapProc = unwrapproc;
-
- #define UNWRAP_PROCESS_INPUT_PROC(device, oldprocs, backupproc) \
-- backupproc = device->public.processInputProc; \
-- device->public.processInputProc = oldprocs->processInputProc; \
-+ backupproc = device->public.realInputProc; \
-+ if (device->public.processInputProc == device->public.realInputProc)\
-+ device->public.processInputProc = oldprocs->realInputProc; \
- device->public.realInputProc = oldprocs->realInputProc; \
- device->unwrapProc = oldprocs->unwrapProc;
-
-diff --git a/xkb/xkbActions.c b/xkb/xkbActions.c
-index 890cf42..8c72874 100644
---- a/xkb/xkbActions.c
-+++ b/xkb/xkbActions.c
-@@ -49,15 +49,14 @@ xkbUnwrapProc(DeviceIntPtr device, DeviceHandleProc proc,
- pointer data)
- {
- xkbDeviceInfoPtr xkbPrivPtr = XKBDEVICEINFO(device);
-- ProcessInputProc tmp = device->public.processInputProc;
-- ProcessInputProc dummy; /* unused, but neede for macro */
-+ ProcessInputProc backupproc;
- if(xkbPrivPtr->unwrapProc)
- xkbPrivPtr->unwrapProc = NULL;
-
-- UNWRAP_PROCESS_INPUT_PROC(device,xkbPrivPtr, dummy);
-+ UNWRAP_PROCESS_INPUT_PROC(device,xkbPrivPtr, backupproc);
- proc(device,data);
-- WRAP_PROCESS_INPUT_PROC(device,xkbPrivPtr,
-- tmp,xkbUnwrapProc);
-+ COND_WRAP_PROCESS_INPUT_PROC(device,xkbPrivPtr,
-+ backupproc,xkbUnwrapProc);
- }
-
-
diff --git a/commit-a6a7fad.diff b/commit-a6a7fad.diff
deleted file mode 100644
index 91f4716..0000000
--- a/commit-a6a7fad.diff
+++ /dev/null
@@ -1,35 +0,0 @@
-commit a6a7fadbb03ee99312dfb15ac478ab3c414c1c0b
-Author: Kristian Høgsberg
-Date: Wed Jan 16 20:24:11 2008 -0500
-
- Don't break grab and focus state for a window when redirecting it.
-
- Composite uses an unmap/map cycle to trigger backing pixmap allocation
- and cliprect recomputation when a window is redirected or unredirected.
- To avoid protocol visible side effects, map and unmap events are
- disabled temporarily. However, when a window is unmapped it is also
- removed from grabs and loses focus, but these state changes are not
- disabled.
-
- This change supresses the unmap side effects during the composite
- unmap/map cycle and fixes this bug:
-
- http://bugzilla.gnome.org/show_bug.cgi?id=488264
-
- where compiz would cause gnome-screensaver to lose its grab when
- compiz unredirects the fullscreen lock window.
-
-diff --git a/dix/window.c b/dix/window.c
-index 33cf76b..1ccf126 100644
---- a/dix/window.c
-+++ b/dix/window.c
-@@ -2993,7 +2993,8 @@ UnrealizeTree(
- }
- #endif
- (* Unrealize)(pChild);
-- DeleteWindowFromAnyEvents(pChild, FALSE);
-+ if (MapUnmapEventsEnabled(pWin))
-+ DeleteWindowFromAnyEvents(pChild, FALSE);
- if (pChild->viewable)
- {
- #ifdef DO_SAVE_UNDERS
diff --git a/remove_bogus_modeline.diff b/remove_bogus_modeline.diff
deleted file mode 100644
index e78524a..0000000
--- a/remove_bogus_modeline.diff
+++ /dev/null
@@ -1,17 +0,0 @@ -diff --git a/hw/xfree86/modes/xf86EdidModes.c b/hw/xfree86/modes/xf86EdidModes.c -index 2f26a64..9489947 100644 ---- a/hw/xfree86/modes/xf86EdidModes.c -+++ b/hw/xfree86/modes/xf86EdidModes.c -@@ -327,6 +327,12 @@ DDCModeFromDetailedTiming(int scrnIndex, struct detailed_timings *timing, - Mode->VSyncEnd = Mode->VSyncStart + timing->v_sync_width; - Mode->VTotal = timing->v_active + timing->v_blanking; - -+ /* perform basic check on the detail timing */ -+ if (Mode->HSyncEnd > Mode->HTotal || Mode->VSyncEnd > Mode->VTotal) { -+ xfree(Mode); -+ return NULL; -+ } -+ - xf86SetModeDefaultName(Mode); - - /* We ignore h/v_size and h/v_border for now. */ diff --git a/xorg-server-1.4-vnc.patch b/xorg-server-1.4-vnc.patch index 4fef32b..fcbe07c 100644 --- a/xorg-server-1.4-vnc.patch +++ b/xorg-server-1.4-vnc.patch @@ -276,9 +276,9 @@ diff -pNur xorg-server-1.4.orig/hw/dmx/Makefile.am xorg-server-1.4/hw/dmx/Makefi + vnc/libdmxvnc.a \ config/libdmxconfig.a \ + -ljpeg -lcrypt \ + @XSERVER_LIBS@ \ @DMXMODULES_LIBS@ - # Man page diff -pNur xorg-server-1.4.orig/hw/dmx/vnc/Makefile.am xorg-server-1.4/hw/dmx/vnc/Makefile.am --- xorg-server-1.4.orig/hw/dmx/vnc/Makefile.am 1969-12-31 16:00:00.000000000 -0800 +++ xorg-server-1.4/hw/dmx/vnc/Makefile.am 2007-09-06 16:09:45.000000000 -0700 diff --git a/xorg-server-1.4.0.90.tar.bz2 b/xorg-server-1.4.0.90.tar.bz2 deleted file mode 100644 index 4feabb6..0000000 --- a/xorg-server-1.4.0.90.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:b89f2d17be5ba71e3cc25379e18155c55ea36ba94ac1abae953214f13c020ffe -size 6315011 diff --git a/xorg-server-1.4.2.tar.bz2 b/xorg-server-1.4.2.tar.bz2 new file mode 100644 index 0000000..56ceb92 --- /dev/null +++ b/xorg-server-1.4.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:829c66ec4c295822700067c87afae796b8e67530cc65a7b83060ea29a4ff316d +size 6216638 
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 3410854..6f92f68 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,54 @@
+-------------------------------------------------------------------
+Fri Jun 13 15:31:51 CEST 2008 - sndirsch@suse.de
+
+- xorg-x11-Xvnc: added meta file for SuSEfirewall2 (bnc #398855)
+
+-------------------------------------------------------------------
+Wed Jun 11 18:19:43 CEST 2008 - sndirsch@suse.de
+
+- xorg-server 1.4.2
+ * CVE-2008-2360 - RENDER Extension heap buffer overflow
+ * CVE-2008-2361 - RENDER Extension crash
+ * CVE-2008-2362 - RENDER Extension memory corruption
+ * CVE-2008-1377 - RECORD and Security extensions memory corruption
+ * CVE-2008-1379 - MIT-SHM arbitrary memory read
+- obsoletes bfo-bug15222.diff
+
+-------------------------------------------------------------------
+Tue Jun 10 22:22:18 CEST 2008 - sndirsch@suse.de
+
+- xorg-server 1.4.1
+ * Contains a few security and input fixes, some memory leak
+ fixes, and a few misc bits.
+ * obsolete patches:
+ - CVE-2007-5760-xf86misc.diff
+ - CVE-2007-6427-xinput.diff
+ - CVE-2007-6428-TOG-cup.diff
+ - CVE-2007-6429-shm_evi.diff
+ - CVE-2008-0006-pcf_font.diff
+ - commit-37b1258.diff
+ - commit-a6a7fad.diff
+ - remove_bogus_modeline.diff
+ - xserver-1.3.0-xkb-and-loathing.patch
+ * adjusted patches
+ - xorg-server-1.4-vnc.patch
+
+-------------------------------------------------------------------
+Thu Jun 5 23:04:47 CEST 2008 - sndirsch@suse.de
+
+- bfo-bug15222.diff (bfo #15222, bnc #374318)
+ * CVE-2008-2360 - RENDER Extension heap buffer overflow
+ * CVE-2008-2361 - RENDER Extension crash
+ * CVE-2008-2362 - RENDER Extension memory corruption
+ * CVE-2008-1379 - MIT-SHM arbitrary memory read
+ * CVE-2008-1377 - RECORD and Security extensions memory corruption
+
+-------------------------------------------------------------------
+Tue May 27 17:51:32 CEST 2008 - sndirsch@suse.de
+
+- xserver-mode-fuzzy-check.diff
+ * Make mode checking more tolerant like in pre-RandR times.
+ ------------------------------------------------------------------- Mon May 26 19:27:39 CEST 2008 - sndirsch@suse.de diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 38f0869..12a3aa7 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -12,7 +12,7 @@ Name: xorg-x11-server -%define dirsuffix 1.4.0.90 +%define dirsuffix 1.4.2 %define fglrx_driver_hack 0 %define vnc 1 BuildRequires: Mesa-devel fontconfig-devel freetype2-devel ghostscript-library glitz-devel libdrm-devel pkgconfig xorg-x11 xorg-x11-devel xorg-x11-libICE-devel xorg-x11-libSM-devel xorg-x11-libX11-devel xorg-x11-libXau-devel xorg-x11-libXdmcp-devel xorg-x11-libXext-devel xorg-x11-libXfixes-devel xorg-x11-libXmu-devel xorg-x11-libXp-devel xorg-x11-libXpm-devel xorg-x11-libXprintUtil-devel xorg-x11-libXrender-devel xorg-x11-libXt-devel xorg-x11-libXv-devel xorg-x11-libfontenc-devel xorg-x11-libxkbfile-devel xorg-x11-proto-devel xorg-x11-xtrans-devel @@ -22,7 +22,7 @@ BuildRequires: libjpeg-devel Url: http://xorg.freedesktop.org/ %define EXPERIMENTAL 0 Version: 7.3 -Release: 106 +Release: 112 License: X11/MIT BuildRoot: %{_tmppath}/%{name}-%{version}-build Group: System/X11/Servers/XF86_4 @@ -86,7 +86,6 @@ Patch69: xserver-mode-fuzzy-check.diff Patch72: randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Patch77: fbdevhw.diff Patch79: edit_data_sanity_check.diff -Patch81: xserver-1.3.0-xkb-and-loathing.patch Patch83: ia64linuxPciInit.diff Patch84: commit-feac075.diff Patch85: commit-29e0e18.diff 
@@ -96,20 +95,12 @@ Patch88: commit-f6401f9.diff Patch89: commit-184e571.diff Patch90: commit-fa19e84.diff Patch91: commit-f7dd0c7.diff -Patch92: remove_bogus_modeline.diff Patch93: pixman.diff -Patch94: CVE-2007-5760-xf86misc.diff -Patch95: CVE-2007-6427-xinput.diff -Patch96: CVE-2007-6428-TOG-cup.diff -Patch97: CVE-2007-6429-shm_evi.diff -Patch98: CVE-2008-0006-pcf_font.diff Patch99: commit-50e80c3.diff -Patch100: commit-a6a7fad.diff Patch101: zap_warning_xserver.diff Patch102: xorg-server-1.4-vnc-memory.diff Patch103: confine_to_shape.diff Patch104: bitmap_always_unscaled.diff -Patch105: commit-37b1258.diff Patch106: randr1_1-sig11.diff Patch107: XAANoOffscreenPixmaps.diff Patch108: xkb_action.diff @@ -236,7 +227,6 @@ popd %patch72 -p1 %patch77 %patch79 -p1 -%patch81 -p1 %patch83 %patch84 -p1 %patch85 -p1 @@ -246,19 +236,11 @@ popd %patch89 -p1 %patch90 -p1 %patch91 -p1 -%patch92 -p1 %patch93 -%patch94 -p1 -%patch95 -p1 -%patch96 -p1 -%patch97 -p1 -%patch98 -p1 %patch99 -p1 -%patch100 -p1 %patch101 -p1 %patch103 %patch104 -p1 -%patch105 -p1 %patch106 -p1 %patch107 -p0 %patch108 -p1 @@ -383,6 +365,12 @@ install -m 644 $RPM_SOURCE_DIR/modprobe.nvidia $RPM_BUILD_ROOT/etc/modprobe.d/nv rm $RPM_BUILD_ROOT/mfb.h %endif %endif +mkdir -p $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services +cat > $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/%{name} << EOF +## Name: VNC Server +## Description: Opens ports for VNC Server +TCP="5801 5901" +EOF %clean rm -rf "$RPM_BUILD_ROOT" 
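Review bot: The SuSEfirewall2 service file added in the `-383,6 +365,12` hunk is written after both `%endif` lines, so it is created on every build, while its only `%files` entry (in the following `-566,10 +554,47` hunk) sits in the `xorg-x11-Xvnc` list, which appears to be closed by an `%endif`. With `%define vnc 0` the build would then presumably stop on an installed-but-unpackaged file; the `mkdir`/`cat` lines should sit under the same conditional that guards `%files -n xorg-x11-Xvnc`. The file is also named `%{name}`, which expands to `xorg-x11-server` although it describes the VNC server and is owned by the Xvnc subpackage, so a literal `xorg-x11-Xvnc` would tell an administrator more accurately what they are opening. `TCP="5801 5901"` covers a single display, which deserves a spec comment such as `# firewall service covers VNC display :1 only (5801 HTTP viewer, 5901 RFB)`.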
@@ -566,10 +554,47 @@ exit 0 %files -n xorg-x11-Xvnc %defattr(-, root, root) +/etc/sysconfig/SuSEfirewall2.d/services/%{name} /usr/bin/Xvnc %endif %changelog +* Fri Jun 13 2008 sndirsch@suse.de +- xorg-x11-Xvnc: added meta file for SuSEfirewall2 (bnc #398855) +* Wed Jun 11 2008 sndirsch@suse.de +- xorg-server 1.4.2 + * CVE-2008-2360 - RENDER Extension heap buffer overflow + * CVE-2008-2361 - RENDER Extension crash + * CVE-2008-2362 - RENDER Extension memory corruption + * CVE-2008-1377 - RECORD and Security extensions memory corruption + * CVE-2008-1379 - MIT-SHM arbitrary memory read +- obsoletes bfo-bug15222.diff +* Wed Jun 11 2008 sndirsch@suse.de +- xorg-server 1.4.1 + * Contains a few security and input fixes, some memory leak + fixes, and a few misc bits. + * obsolete patches: + - CVE-2007-5760-xf86misc.diff + - CVE-2007-6427-xinput.diff + - CVE-2007-6428-TOG-cup.diff + - CVE-2007-6429-shm_evi.diff + - CVE-2008-0006-pcf_font.diff + - commit-37b1258.diff + - commit-a6a7fad.diff + - remove_bogus_modeline.diff + - xserver-1.3.0-xkb-and-loathing.patch + * adjusted patches + - xorg-server-1.4-vnc.patch +* Fri Jun 06 2008 sndirsch@suse.de +- bfo-bug15222.diff (bfo #15222, bnc #374318) + * CVE-2008-2360 - RENDER Extension heap buffer overflow + * CVE-2008-2361 - RENDER Extension crash + * CVE-2008-2362 - RENDER Extension memory corruption + * CVE-2008-1379 - MIT-SHM arbitrary memory read + * CVE-2008-1377 - RECORD and Security extensions memory corruption +* Tue May 27 2008 sndirsch@suse.de +- xserver-mode-fuzzy-check.diff + * Make mode checking more tolerant like in pre-RandR times. * Mon May 26 2008 sndirsch@suse.de - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) diff --git a/xserver-1.3.0-xkb-and-loathing.patch b/xserver-1.3.0-xkb-and-loathing.patch deleted file mode 100644 index 0f195d7..0000000 --- a/xserver-1.3.0-xkb-and-loathing.patch +++ /dev/null 
@@ -1,36 +0,0 @@ ---- xorg-server-1.3.0.0/os/utils.c.jx 2007-04-25 13:28:05.000000000 -0400 -+++ xorg-server-1.3.0.0/os/utils.c 2007-04-30 14:33:04.000000000 -0400 -@@ -1725,6 +1725,8 @@ - int pid; - } *pidlist; - -+static sighandler_t old_alarm = NULL; /* XXX horrible awful hack */ -+ - pointer - Popen(char *command, char *type) - { -@@ -1746,11 +1748,15 @@ - return NULL; - } - -+ /* Ignore the smart scheduler while this is going on */ -+ old_alarm = signal(SIGALRM, SIG_IGN); -+ - switch (pid = fork()) { - case -1: /* error */ - close(pdes[0]); - close(pdes[1]); - xfree(cur); -+ signal(SIGALRM, old_alarm); - return NULL; - case 0: /* child */ - if (setgid(getgid()) == -1) -@@ -1926,6 +1932,8 @@ - /* allow EINTR again */ - OsReleaseSignals (); - -+ signal(SIGALRM, old_alarm); -+ - return pid == -1 ? -1 : pstat; - } - diff --git a/xserver-mode-fuzzy-check.diff b/xserver-mode-fuzzy-check.diff index a313ee8..cd1e381 100644 --- a/xserver-mode-fuzzy-check.diff +++ b/xserver-mode-fuzzy-check.diff @@ -1,35 +1,42 @@ +commit 45cc03726b49f6ad4afe6c3fb4ad65d1051928b4 +Author: Matthias Hopf +Date: Thu Oct 11 18:23:25 2007 +0200 + + Make mode checking more tolerant like in pre-RandR times. + diff --git a/hw/xfree86/modes/xf86Modes.c b/hw/xfree86/modes/xf86Modes.c -index ea9f85b..0ead704 100644 +index f49c292..9981789 100644 --- a/hw/xfree86/modes/xf86Modes.c 
+++ b/hw/xfree86/modes/xf86Modes.c -@@ -389,8 +389,8 @@ xf86ValidateModesSync(ScrnInfoPtr pScrn, +@@ -389,8 +389,8 @@ xf86ValidateModesSync(ScrnInfoPtr pScrn, DisplayModePtr modeList, bad = TRUE; for (i = 0; i < mon->nHsync; i++) { - if (xf86ModeHSync(mode) >= mon->hsync[i].lo && - xf86ModeHSync(mode) <= mon->hsync[i].hi) -+ if (xf86ModeHSync(mode) >= mon->hsync[i].lo - .5 && -+ xf86ModeHSync(mode) <= mon->hsync[i].hi + .5) ++ if (xf86ModeHSync(mode) >= mon->hsync[i].lo * (1-SYNC_TOLERANCE) && ++ xf86ModeHSync(mode) <= mon->hsync[i].hi * (1+SYNC_TOLERANCE)) { bad = FALSE; } -@@ -400,8 +400,8 @@ xf86ValidateModesSync(ScrnInfoPtr pScrn, +@@ -400,8 +400,8 @@ xf86ValidateModesSync(ScrnInfoPtr pScrn, DisplayModePtr modeList, bad = TRUE; for (i = 0; i < mon->nVrefresh; i++) { - if (xf86ModeVRefresh(mode) >= mon->vrefresh[i].lo && - xf86ModeVRefresh(mode) <= mon->vrefresh[i].hi) -+ if (xf86ModeVRefresh(mode) >= mon->vrefresh[i].lo - .5 && -+ xf86ModeVRefresh(mode) <= mon->vrefresh[i].hi + .5) ++ if (xf86ModeVRefresh(mode) >= mon->vrefresh[i].lo * (1-SYNC_TOLERANCE) && ++ xf86ModeVRefresh(mode) <= mon->vrefresh[i].hi * (1+SYNC_TOLERANCE)) { bad = FALSE; } -@@ -434,7 +434,7 @@ xf86ValidateModesClocks(ScrnInfoPtr pScr +@@ -434,7 +434,8 @@ xf86ValidateModesClocks(ScrnInfoPtr pScrn, DisplayModePtr modeList, for (mode = modeList; mode != NULL; mode = mode->next) { Bool good = FALSE; for (i = 0; i < n_ranges; i++) { - if (mode->Clock >= min[i] && mode->Clock <= max[i]) { -+ if (mode->Clock >= min[i] - .5 && mode->Clock <= max[i] + .5) { ++ if (mode->Clock >= min[i] * (1-SYNC_TOLERANCE) && ++ mode->Clock <= max[i] * (1+SYNC_TOLERANCE)) { good = TRUE; break; }
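Review bot: The refreshed patch applies `SYNC_TOLERANCE` to the pixel-clock comparison in `xf86ValidateModesClocks` as well as to the hsync and vrefresh ranges, so a mode whose `Clock` exceeds `max[i]` by that fraction is now accepted, where the previous revision only added a fixed `.5`. `SYNC_TOLERANCE` is not defined in any of the three inner hunks, so its value, and therefore the size of the permitted overshoot, cannot be judged from this patch; presumably it comes from the 1.4.2 tree. If the clock ranges describe hardware limits rather than monitor preferences, the upper bound is better left exact, `mode->Clock <= max[i]`, or the intent recorded with a comment such as `/* tolerance deliberately applied to clock limits as well */`. All three functions continue outside the hunks shown.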