forked from pool/xorg-x11-server
Accepting request 45855 from X11:XOrg
Copy from X11:XOrg/xorg-x11-server based on submit request 45855 from user sndirsch OBS-URL: https://build.opensuse.org/request/show/45855 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xorg-x11-server?expand=0&rev=175
This commit is contained in:
commit
eab5947e38
121
CVE-2010-2240-address_space_limit.patch
Normal file
121
CVE-2010-2240-address_space_limit.patch
Normal file
@ -0,0 +1,121 @@
|
|||||||
|
>From fedf91eeabcfdd6d26b52529a16a64f744aa42ad Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matthieu Herrb <matthieu.herrb@laas.fr>
|
||||||
|
Date: Mon, 28 Jun 2010 23:54:13 +0200
|
||||||
|
Subject: [PATCH] Workaround for CVE-2010-2240.
|
||||||
|
|
||||||
|
By limiting the address space that the X server can use,
|
||||||
|
it prevents stack and mmap()ed areas to become so close that
|
||||||
|
the stack will grow over a mmaped area.
|
||||||
|
|
||||||
|
Credits: Rafal Wojtczuk <rafal@invisiblethingslab.com>
|
||||||
|
---
|
||||||
|
doc/Xserver.man.pre | 7 +++++++
|
||||||
|
include/opaque.h | 3 +++
|
||||||
|
os/osinit.c | 24 ++++++++++++++++++++++++
|
||||||
|
os/utils.c | 16 ++++++++++++++++
|
||||||
|
4 files changed, 50 insertions(+), 0 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/Xserver.man.pre b/doc/Xserver.man.pre
|
||||||
|
index ce3b3a1..91c595f 100644
|
||||||
|
--- a/doc/Xserver.man.pre
|
||||||
|
+++ b/doc/Xserver.man.pre
|
||||||
|
@@ -285,6 +285,13 @@ sets the stack space limit of the server to the specified number of kilobytes.
|
||||||
|
A value of zero makes the stack size as large as possible. The default value
|
||||||
|
of \-1 leaves the stack space limit unchanged.
|
||||||
|
.TP 8
|
||||||
|
+.B \-la \fIkilobytes\fP
|
||||||
|
+sets the address space limit of the server to the specified number of
|
||||||
|
+kilobytes.
|
||||||
|
+A value of zero makes address space as large as possible.
|
||||||
|
+The default value is 1572864 (1.5GB) on 32 bit architectures and
|
||||||
|
+10485760 (10GB) on 64 bit architectures.
|
||||||
|
+.TP 8
|
||||||
|
.B \-logo
|
||||||
|
turns on the X Window System logo display in the screen-saver.
|
||||||
|
There is currently no way to change this from a client.
|
||||||
|
diff --git a/include/opaque.h b/include/opaque.h
|
||||||
|
index b3c7c70..4208d03 100644
|
||||||
|
--- a/include/opaque.h
|
||||||
|
+++ b/include/opaque.h
|
||||||
|
@@ -67,6 +67,9 @@ extern _X_EXPORT int limitStackSpace;
|
||||||
|
#ifdef RLIMIT_NOFILE
|
||||||
|
extern _X_EXPORT int limitNoFile;
|
||||||
|
#endif
|
||||||
|
+#ifdef RLIMIT_AS
|
||||||
|
+extern _X_EXPORT int limitAddressSpace;
|
||||||
|
+#endif
|
||||||
|
extern _X_EXPORT Bool defeatAccessControl;
|
||||||
|
extern _X_EXPORT long maxBigRequestSize;
|
||||||
|
extern _X_EXPORT Bool party_like_its_1989;
|
||||||
|
diff --git a/os/osinit.c b/os/osinit.c
|
||||||
|
index 32747df..723fb14 100644
|
||||||
|
--- a/os/osinit.c
|
||||||
|
+++ b/os/osinit.c
|
||||||
|
@@ -96,6 +96,14 @@ int limitStackSpace = -1;
|
||||||
|
#ifdef RLIMIT_NOFILE
|
||||||
|
int limitNoFile = -1;
|
||||||
|
#endif
|
||||||
|
+#ifdef RLIMIT_AS
|
||||||
|
+#ifdef _XSERVER64
|
||||||
|
+#define XORG_AS_LIMIT 10737418240LL
|
||||||
|
+#else
|
||||||
|
+#define XORG_AS_LIMIT 1610612736
|
||||||
|
+#endif
|
||||||
|
+long limitAddressSpace = XORG_AS_LIMIT;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
static OsSigWrapperPtr OsSigWrapper = NULL;
|
||||||
|
|
||||||
|
@@ -301,6 +309,22 @@ OsInit(void)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
+#ifdef RLIMIT_AS
|
||||||
|
+ if (limitAddressSpace >= 0)
|
||||||
|
+ {
|
||||||
|
+ struct rlimit rlim;
|
||||||
|
+
|
||||||
|
+ if (!getrlimit(RLIMIT_AS, &rlim))
|
||||||
|
+ {
|
||||||
|
+ if ((limitAddressSpace > 0)
|
||||||
|
+ && (limitAddressSpace < rlim.rlim_max))
|
||||||
|
+ rlim.rlim_cur = limitAddressSpace;
|
||||||
|
+ else
|
||||||
|
+ rlim.rlim_cur = rlim.rlim_max;
|
||||||
|
+ (void)setrlimit(RLIMIT_AS, &rlim);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
LockServer();
|
||||||
|
been_here = TRUE;
|
||||||
|
}
|
||||||
|
diff --git a/os/utils.c b/os/utils.c
|
||||||
|
index 51455cc..4af0cb3 100644
|
||||||
|
--- a/os/utils.c
|
||||||
|
+++ b/os/utils.c
|
||||||
|
@@ -745,6 +745,22 @@ ProcessCommandLine(int argc, char *argv[])
|
||||||
|
UseMsg();
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
+#ifdef RLIMIT_AS
|
||||||
|
+ else if ( strcmp( argv[i], "-la") == 0)
|
||||||
|
+ {
|
||||||
|
+ if (getuid() != geteuid()) {
|
||||||
|
+ FatalError("The '-la' option can only be used by root.\n");
|
||||||
|
+ }
|
||||||
|
+ if(++i < argc)
|
||||||
|
+ {
|
||||||
|
+ limitAddressSpace = atol(argv[i]);
|
||||||
|
+ if (limitAddressSpace > 0)
|
||||||
|
+ limitAddressSpace *= 1024;
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ UseMsg();
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
else if ( strcmp ( argv[i], "-nolock") == 0)
|
||||||
|
{
|
||||||
|
#if !defined(WIN32) && !defined(__CYGWIN__)
|
||||||
|
--
|
||||||
|
1.7.0.5
|
||||||
|
|
73
CVE-2010-2240-tree_depth_limit.patch
Normal file
73
CVE-2010-2240-tree_depth_limit.patch
Normal file
@ -0,0 +1,73 @@
|
|||||||
|
--- xorg-server-1.8.0/dix/window.c.orig 2010-08-07 17:45:14.000000000 +0200
|
||||||
|
+++ xorg-server-1.8.0/dix/window.c 2010-08-07 17:52:58.000000000 +0200
|
||||||
|
@@ -546,6 +546,48 @@ RealChildHead(WindowPtr pWin)
|
||||||
|
return (NullWindow);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+TreeDepth(WindowPtr pWin)
|
||||||
|
+{
|
||||||
|
+ int depth = 1;
|
||||||
|
+ int max_depth = 1;
|
||||||
|
+ WindowPtr pChild;
|
||||||
|
+
|
||||||
|
+ if (!(pChild = pWin))
|
||||||
|
+ return 0;
|
||||||
|
+ while (1)
|
||||||
|
+ {
|
||||||
|
+ if (pChild->firstChild)
|
||||||
|
+ {
|
||||||
|
+ ++depth;
|
||||||
|
+ pChild = pChild->firstChild;
|
||||||
|
+ continue;
|
||||||
|
+ } else if (depth > max_depth)
|
||||||
|
+ max_depth = depth;
|
||||||
|
+ while (!pChild->nextSib && (pChild != pWin)) {
|
||||||
|
+ --depth;
|
||||||
|
+ pChild = pChild->parent;
|
||||||
|
+ }
|
||||||
|
+ if (pChild == pWin)
|
||||||
|
+ break;
|
||||||
|
+ pChild = pChild->nextSib;
|
||||||
|
+ }
|
||||||
|
+ return max_depth;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+WindowDepth(WindowPtr pWin)
|
||||||
|
+{
|
||||||
|
+ int depth = 0;
|
||||||
|
+ while (pWin) {
|
||||||
|
+ ++depth;
|
||||||
|
+ pWin = pWin->parent;
|
||||||
|
+ }
|
||||||
|
+ return depth;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define MAX_TREE_DEPTH 256
|
||||||
|
+
|
||||||
|
/*****
|
||||||
|
* CreateWindow
|
||||||
|
* Makes a window in response to client request
|
||||||
|
@@ -566,6 +608,11 @@ CreateWindow(Window wid, WindowPtr pPare
|
||||||
|
PixmapFormatRec *format;
|
||||||
|
WindowOptPtr ancwopt;
|
||||||
|
|
||||||
|
+ if (WindowDepth(pParent) >= MAX_TREE_DEPTH - 1) {
|
||||||
|
+ *error = BadAlloc;
|
||||||
|
+ return NullWindow;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (class == CopyFromParent)
|
||||||
|
class = pParent->drawable.class;
|
||||||
|
|
||||||
|
@@ -2457,6 +2504,9 @@ ReparentWindow(WindowPtr pWin, WindowPtr
|
||||||
|
int bw = wBorderWidth (pWin);
|
||||||
|
ScreenPtr pScreen;
|
||||||
|
|
||||||
|
+ if (WindowDepth(pParent) + TreeDepth(pWin) >= MAX_TREE_DEPTH)
|
||||||
|
+ return BadAlloc;
|
||||||
|
+
|
||||||
|
pScreen = pWin->drawable.pScreen;
|
||||||
|
if (TraverseTree(pWin, CompareWIDs, (pointer)&pParent->drawable.id) == WT_STOPWALKING)
|
||||||
|
return(BadMatch);
|
32
xorg-server-commit-21ed660.diff
Normal file
32
xorg-server-commit-21ed660.diff
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
commit 21ed660f30a3f96c787ab00a16499e0fb034b2ad
|
||||||
|
Author: Chris Humbert <freedesktop@mahadri.com>
|
||||||
|
Date: Fri May 7 17:02:43 2010 +1000
|
||||||
|
|
||||||
|
dix: make DeviceEvent coordinates signed for Xinerama. #24986
|
||||||
|
|
||||||
|
With Xinerama enabled, event coordinates are relative to Screen 0, so
|
||||||
|
they can be negative. The new DeviceEvent's coordinates are of type
|
||||||
|
uint16_t, making screens above and to the left of Screen 0 unusable.
|
||||||
|
|
||||||
|
X.Org Bug 24986 <https://bugs.freedesktop.org/show_bug.cgi?id=24986>
|
||||||
|
|
||||||
|
Signed-off-by: Chris Humbert <freedesktop@mahadri.com>
|
||||||
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||||
|
Signed-off-by: Keith Packard <keithp@keithp.com>
|
||||||
|
|
||||||
|
diff --git a/include/eventstr.h b/include/eventstr.h
|
||||||
|
index 79685c1..433227e 100644
|
||||||
|
--- a/include/eventstr.h
|
||||||
|
+++ b/include/eventstr.h
|
||||||
|
@@ -91,9 +91,9 @@ struct _DeviceEvent
|
||||||
|
uint32_t button; /**< Button number */
|
||||||
|
uint32_t key; /**< Key code */
|
||||||
|
} detail;
|
||||||
|
- uint16_t root_x; /**< Pos relative to root window in integral data */
|
||||||
|
+ int16_t root_x; /**< Pos relative to root window in integral data */
|
||||||
|
float root_x_frac; /**< Pos relative to root window in frac part */
|
||||||
|
- uint16_t root_y; /**< Pos relative to root window in integral part */
|
||||||
|
+ int16_t root_y; /**< Pos relative to root window in integral part */
|
||||||
|
float root_y_frac; /**< Pos relative to root window in frac part */
|
||||||
|
uint8_t buttons[(MAX_BUTTONS + 7)/8]; /**< Button mask */
|
||||||
|
struct {
|
@ -1,245 +1,28 @@
|
|||||||
--- xorg-server-1.8.0/os/access.c 2009-12-17 05:58:44.000000000 +0000
|
--- xorg-server-1.6.5/os/access.c
|
||||||
+++ xorg-server-1.8.0-20100708/os/access.c 2010-07-08 13:55:08.000000000 +0000
|
+++ xorg-server-1.6.5/os/access.c
|
||||||
@@ -800,18 +800,6 @@
|
@@ -781,7 +781,9 @@
|
||||||
)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
- /*
|
|
||||||
- * ignore 'localhost' entries as they're not useful
|
|
||||||
- * on the other end of the wire
|
|
||||||
- */
|
|
||||||
- if (ifr->ifa_flags & IFF_LOOPBACK)
|
|
||||||
- continue;
|
|
||||||
-
|
|
||||||
- if (family == FamilyInternet &&
|
|
||||||
- addr[0] == 127 && addr[1] == 0 &&
|
|
||||||
- addr[2] == 0 && addr[3] == 1)
|
|
||||||
- continue;
|
|
||||||
-
|
|
||||||
/*
|
/*
|
||||||
* Ignore '0.0.0.0' entries as they are
|
* ignore 'localhost' entries as they're not useful
|
||||||
* returned by some OSes for unconfigured NICs but they are
|
- * on the other end of the wire
|
||||||
@@ -821,11 +809,6 @@
|
+ * on the other end of the wire and because on hosts
|
||||||
addr[0] == 0 && addr[1] == 0 &&
|
+ * with shared home dirs they'll result in conflic
|
||||||
addr[2] == 0 && addr[3] == 0)
|
+ * entries in ~/.Xauthority
|
||||||
|
*/
|
||||||
|
if (ifr->ifa_flags & IFF_LOOPBACK)
|
||||||
continue;
|
continue;
|
||||||
-#if defined(IPv6) && defined(AF_INET6)
|
@@ -804,6 +806,14 @@
|
||||||
- else if (family == FamilyInternet6 &&
|
else if (family == FamilyInternet6 &&
|
||||||
- IN6_IS_ADDR_LOOPBACK((struct in6_addr *)addr))
|
IN6_IS_ADDR_LOOPBACK((struct in6_addr *)addr))
|
||||||
- continue;
|
continue;
|
||||||
-#endif
|
+
|
||||||
|
+ /* Ignore IPv6 link local addresses (fe80::/10), because
|
||||||
|
+ * they need a scope identifier, which we have no way
|
||||||
|
+ * of telling to the other end.
|
||||||
|
+ */
|
||||||
|
+ if (family == FamilyInternet6 &&
|
||||||
|
+ IN6_IS_ADDR_LINKLOCAL((struct in6_addr *)addr))
|
||||||
|
+ continue;
|
||||||
|
#endif
|
||||||
XdmcpRegisterConnection(family, (char *)addr, len);
|
XdmcpRegisterConnection(family, (char *)addr, len);
|
||||||
#if defined(IPv6) && defined(AF_INET6)
|
#if defined(IPv6) && defined(AF_INET6)
|
||||||
if (family == FamilyInternet6)
|
|
||||||
--- xorg-server-1.8.0/os/xdmcp.c 2009-11-04 16:25:50.000000000 +0000
|
|
||||||
+++ xorg-server-1.8.0-20100708/os/xdmcp.c 2010-07-08 13:56:36.000000000 +0000
|
|
||||||
@@ -27,6 +27,7 @@
|
|
||||||
#include <sys/param.h>
|
|
||||||
#include <sys/socket.h>
|
|
||||||
#include <netinet/in.h>
|
|
||||||
+#include <arpa/inet.h>
|
|
||||||
#include <netdb.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -209,6 +210,50 @@
|
|
||||||
|
|
||||||
static ARRAY8 ManufacturerDisplayID;
|
|
||||||
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+static int is_loopback(int type, void *a)
|
|
||||||
+{
|
|
||||||
+ char *addr = a;
|
|
||||||
+ int ret = 0;
|
|
||||||
+ int gairet;
|
|
||||||
+ struct sockaddr_storage s;
|
|
||||||
+ struct sockaddr_in *s4 = (struct sockaddr_in *)&s;
|
|
||||||
+ struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&s;
|
|
||||||
+ char host[NI_MAXHOST];
|
|
||||||
+
|
|
||||||
+ memset(&s, 0, sizeof(s));
|
|
||||||
+ if (type == FamilyInternet) {
|
|
||||||
+ s4->sin_family = AF_INET;
|
|
||||||
+ s4->sin_addr.s_addr = *((in_addr_t*)a);
|
|
||||||
+ if (addr[0] == 127) {
|
|
||||||
+ /* IPv4 loopback /8 net */
|
|
||||||
+ ret = 1;
|
|
||||||
+ }
|
|
||||||
+ } else if (type == FamilyInternet6) {
|
|
||||||
+ s6->sin6_family = AF_INET6;
|
|
||||||
+ memcpy(&(s6->sin6_addr), a, sizeof(struct in6_addr));
|
|
||||||
+ if (IN6_IS_ADDR_LOOPBACK(addr)) {
|
|
||||||
+ /* IPv6 loopback address */
|
|
||||||
+ ret = 1;
|
|
||||||
+ } else if (IN6_IS_ADDR_V4MAPPED(addr) &&
|
|
||||||
+ ((struct in6_addr*)addr)->s6_addr[12] == 127) {
|
|
||||||
+ /* IPv4 mapped loopback address */
|
|
||||||
+ ret = 1;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ gairet = getnameinfo((struct sockaddr*)&s, sizeof(struct sockaddr_storage),
|
|
||||||
+ host, NI_MAXHOST, NULL, 0, NI_NUMERICHOST);
|
|
||||||
+ if (gairet != 0) {
|
|
||||||
+ ErrorF(" => %s\n", gai_strerror(gairet));
|
|
||||||
+ } else {
|
|
||||||
+ ErrorF("is_loopback(%s) = %d\n", host, ret);
|
|
||||||
+ }
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void
|
|
||||||
XdmcpRegisterManufacturerDisplayID (char *name, int length)
|
|
||||||
{
|
|
||||||
@@ -438,8 +483,8 @@
|
|
||||||
* Register the host address for the display
|
|
||||||
*/
|
|
||||||
|
|
||||||
-static ARRAY16 ConnectionTypes;
|
|
||||||
-static ARRAYofARRAY8 ConnectionAddresses;
|
|
||||||
+static ARRAY16 ConnectionTypes[2];
|
|
||||||
+static ARRAYofARRAY8 ConnectionAddresses[2];
|
|
||||||
static long xdmcpGeneration;
|
|
||||||
|
|
||||||
void
|
|
||||||
@@ -451,12 +496,21 @@
|
|
||||||
int i;
|
|
||||||
CARD8 *newAddress;
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * Index for ConnectionTypes and ConnectionAddresses:
|
|
||||||
+ * 1 for loopback address, 0 for remote addresses.
|
|
||||||
+ */
|
|
||||||
+ int l;
|
|
||||||
+
|
|
||||||
if (xdmcpGeneration != serverGeneration)
|
|
||||||
{
|
|
||||||
- XdmcpDisposeARRAY16 (&ConnectionTypes);
|
|
||||||
- XdmcpDisposeARRAYofARRAY8 (&ConnectionAddresses);
|
|
||||||
+ XdmcpDisposeARRAY16 (&ConnectionTypes[0]);
|
|
||||||
+ XdmcpDisposeARRAY16 (&ConnectionTypes[1]);
|
|
||||||
+ XdmcpDisposeARRAYofARRAY8 (&ConnectionAddresses[0]);
|
|
||||||
+ XdmcpDisposeARRAYofARRAY8 (&ConnectionAddresses[1]);
|
|
||||||
xdmcpGeneration = serverGeneration;
|
|
||||||
}
|
|
||||||
+ l = is_loopback(type, address);
|
|
||||||
if (xdm_from != NULL) { /* Only register the requested address */
|
|
||||||
const void *regAddr = address;
|
|
||||||
const void *fromAddr = NULL;
|
|
||||||
@@ -490,27 +544,27 @@
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- if (ConnectionAddresses.length + 1 == 256)
|
|
||||||
+ if (ConnectionAddresses[l].length + 1 == 256)
|
|
||||||
return;
|
|
||||||
newAddress = xalloc (addrlen * sizeof (CARD8));
|
|
||||||
if (!newAddress)
|
|
||||||
return;
|
|
||||||
- if (!XdmcpReallocARRAY16 (&ConnectionTypes, ConnectionTypes.length + 1))
|
|
||||||
+ if (!XdmcpReallocARRAY16 (&ConnectionTypes[l], ConnectionTypes[l].length + 1))
|
|
||||||
{
|
|
||||||
xfree (newAddress);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
- if (!XdmcpReallocARRAYofARRAY8 (&ConnectionAddresses,
|
|
||||||
- ConnectionAddresses.length + 1))
|
|
||||||
+ if (!XdmcpReallocARRAYofARRAY8 (&ConnectionAddresses[l],
|
|
||||||
+ ConnectionAddresses[l].length + 1))
|
|
||||||
{
|
|
||||||
xfree (newAddress);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
- ConnectionTypes.data[ConnectionTypes.length - 1] = (CARD16) type;
|
|
||||||
+ ConnectionTypes[l].data[ConnectionTypes[l].length - 1] = (CARD16) type;
|
|
||||||
for (i = 0; i < addrlen; i++)
|
|
||||||
newAddress[i] = address[i];
|
|
||||||
- ConnectionAddresses.data[ConnectionAddresses.length-1].data = newAddress;
|
|
||||||
- ConnectionAddresses.data[ConnectionAddresses.length-1].length = addrlen;
|
|
||||||
+ ConnectionAddresses[l].data[ConnectionAddresses[l].length-1].data = newAddress;
|
|
||||||
+ ConnectionAddresses[l].data[ConnectionAddresses[l].length-1].length = addrlen;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1176,12 +1230,19 @@
|
|
||||||
CARD16 XdmcpConnectionType;
|
|
||||||
ARRAY8 authenticationData;
|
|
||||||
int socketfd = xdmcpSocket;
|
|
||||||
+ int l;
|
|
||||||
|
|
||||||
switch (SOCKADDR_FAMILY(ManagerAddress))
|
|
||||||
{
|
|
||||||
- case AF_INET: XdmcpConnectionType=FamilyInternet; break;
|
|
||||||
+ case AF_INET:
|
|
||||||
+ XdmcpConnectionType=FamilyInternet;
|
|
||||||
+ l = is_loopback(XdmcpConnectionType, &(((struct sockaddr_in*)&ManagerAddress)->sin_addr.s_addr));
|
|
||||||
+ break;
|
|
||||||
#if defined(IPv6) && defined(AF_INET6)
|
|
||||||
- case AF_INET6: XdmcpConnectionType=FamilyInternet6; break;
|
|
||||||
+ case AF_INET6:
|
|
||||||
+ XdmcpConnectionType=FamilyInternet6;
|
|
||||||
+ l = is_loopback(XdmcpConnectionType, ((struct sockaddr_in6*)&ManagerAddress)->sin6_addr.s6_addr);
|
|
||||||
+ break;
|
|
||||||
#endif
|
|
||||||
default: XdmcpConnectionType=0xffff; break;
|
|
||||||
}
|
|
||||||
@@ -1190,10 +1251,10 @@
|
|
||||||
header.opcode = (CARD16) REQUEST;
|
|
||||||
|
|
||||||
length = 2; /* display number */
|
|
||||||
- length += 1 + 2 * ConnectionTypes.length; /* connection types */
|
|
||||||
+ length += 1 + 2 * ConnectionTypes[l].length; /* connection types */
|
|
||||||
length += 1; /* connection addresses */
|
|
||||||
- for (i = 0; i < ConnectionAddresses.length; i++)
|
|
||||||
- length += 2 + ConnectionAddresses.data[i].length;
|
|
||||||
+ for (i = 0; i < ConnectionAddresses[l].length; i++)
|
|
||||||
+ length += 2 + ConnectionAddresses[l].data[i].length;
|
|
||||||
authenticationData.length = 0;
|
|
||||||
authenticationData.data = 0;
|
|
||||||
if (AuthenticationFuncs)
|
|
||||||
@@ -1216,27 +1277,27 @@
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
XdmcpWriteCARD16 (&buffer, DisplayNumber);
|
|
||||||
- XdmcpWriteCARD8 (&buffer, ConnectionTypes.length);
|
|
||||||
+ XdmcpWriteCARD8 (&buffer, ConnectionTypes[l].length);
|
|
||||||
|
|
||||||
/* The connection array is send reordered, so that connections of */
|
|
||||||
/* the same address type as the XDMCP manager connection are send */
|
|
||||||
/* first. This works around a bug in xdm. mario@klebsch.de */
|
|
||||||
- for (i = 0; i < (int)ConnectionTypes.length; i++)
|
|
||||||
- if (ConnectionTypes.data[i]==XdmcpConnectionType)
|
|
||||||
- XdmcpWriteCARD16 (&buffer, ConnectionTypes.data[i]);
|
|
||||||
- for (i = 0; i < (int)ConnectionTypes.length; i++)
|
|
||||||
- if (ConnectionTypes.data[i]!=XdmcpConnectionType)
|
|
||||||
- XdmcpWriteCARD16 (&buffer, ConnectionTypes.data[i]);
|
|
||||||
-
|
|
||||||
- XdmcpWriteCARD8 (&buffer, ConnectionAddresses.length);
|
|
||||||
- for (i = 0; i < (int)ConnectionAddresses.length; i++)
|
|
||||||
- if ( (i<ConnectionTypes.length) &&
|
|
||||||
- (ConnectionTypes.data[i]==XdmcpConnectionType) )
|
|
||||||
- XdmcpWriteARRAY8 (&buffer, &ConnectionAddresses.data[i]);
|
|
||||||
- for (i = 0; i < (int)ConnectionAddresses.length; i++)
|
|
||||||
- if ( (i>=ConnectionTypes.length) ||
|
|
||||||
- (ConnectionTypes.data[i]!=XdmcpConnectionType) )
|
|
||||||
- XdmcpWriteARRAY8 (&buffer, &ConnectionAddresses.data[i]);
|
|
||||||
+ for (i = 0; i < (int)ConnectionTypes[l].length; i++)
|
|
||||||
+ if (ConnectionTypes[l].data[i]==XdmcpConnectionType)
|
|
||||||
+ XdmcpWriteCARD16 (&buffer, ConnectionTypes[l].data[i]);
|
|
||||||
+ for (i = 0; i < (int)ConnectionTypes[l].length; i++)
|
|
||||||
+ if (ConnectionTypes[l].data[i]!=XdmcpConnectionType)
|
|
||||||
+ XdmcpWriteCARD16 (&buffer, ConnectionTypes[l].data[i]);
|
|
||||||
+
|
|
||||||
+ XdmcpWriteCARD8 (&buffer, ConnectionAddresses[l].length);
|
|
||||||
+ for (i = 0; i < (int)ConnectionAddresses[l].length; i++)
|
|
||||||
+ if ( (i<ConnectionTypes[l].length) &&
|
|
||||||
+ (ConnectionTypes[l].data[i]==XdmcpConnectionType) )
|
|
||||||
+ XdmcpWriteARRAY8 (&buffer, &ConnectionAddresses[l].data[i]);
|
|
||||||
+ for (i = 0; i < (int)ConnectionAddresses[l].length; i++)
|
|
||||||
+ if ( (i>=ConnectionTypes[l].length) ||
|
|
||||||
+ (ConnectionTypes[l].data[i]!=XdmcpConnectionType) )
|
|
||||||
+ XdmcpWriteARRAY8 (&buffer, &ConnectionAddresses[l].data[i]);
|
|
||||||
|
|
||||||
XdmcpWriteARRAY8 (&buffer, AuthenticationName);
|
|
||||||
XdmcpWriteARRAY8 (&buffer, &authenticationData);
|
|
||||||
|
@ -1,3 +1,23 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Aug 19 15:53:11 CEST 2010 - max@suse.de
|
||||||
|
|
||||||
|
- Replaced the previous xdmcp fix with a simpler approach that
|
||||||
|
doesn't cause login problems in xdm and kdm. (bnc#625593)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 17 17:23:45 CEST 2010 - sndirsch@suse.de
|
||||||
|
|
||||||
|
- CVE-2010-2240-address_space_limit.patch/
|
||||||
|
CVE-2010-2240-tree_depth_limit.patch
|
||||||
|
* xorg stack/heap overlap fix (bnc #618152)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Aug 16 12:50:39 CEST 2010 - sndirsch@suse.de
|
||||||
|
|
||||||
|
- xorg-server-commit-21ed660.diff
|
||||||
|
* dix: make DeviceEvent coordinates signed for Xinerama
|
||||||
|
(bnc #628295, bfo #24986)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Aug 10 20:56:13 CEST 2010 - sndirsch@suse.de
|
Tue Aug 10 20:56:13 CEST 2010 - sndirsch@suse.de
|
||||||
|
|
||||||
|
@ -32,7 +32,7 @@ BuildRequires: libjpeg-devel
|
|||||||
%endif
|
%endif
|
||||||
Url: http://xorg.freedesktop.org/
|
Url: http://xorg.freedesktop.org/
|
||||||
Version: 7.5_%{dirsuffix}
|
Version: 7.5_%{dirsuffix}
|
||||||
Release: 15
|
Release: 16
|
||||||
License: GPLv2+ ; MIT License (or similar)
|
License: GPLv2+ ; MIT License (or similar)
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
Group: System/X11/Servers/XF86_4
|
Group: System/X11/Servers/XF86_4
|
||||||
@ -117,6 +117,9 @@ Patch212: dmx-silly.patch
|
|||||||
Patch213: xorg-server-xdmcp.patch
|
Patch213: xorg-server-xdmcp.patch
|
||||||
Patch214: xorg-x11-server-gl-apps-crash.patch
|
Patch214: xorg-x11-server-gl-apps-crash.patch
|
||||||
Patch215: xorg-server-revert-event-mask.patch
|
Patch215: xorg-server-revert-event-mask.patch
|
||||||
|
Patch216: xorg-server-commit-21ed660.diff
|
||||||
|
Patch217: CVE-2010-2240-address_space_limit.patch
|
||||||
|
Patch218: CVE-2010-2240-tree_depth_limit.patch
|
||||||
%if %moblin
|
%if %moblin
|
||||||
Patch300: moblin-use_preferred_mode_for_all_outputs.diff
|
Patch300: moblin-use_preferred_mode_for_all_outputs.diff
|
||||||
%endif
|
%endif
|
||||||
@ -244,6 +247,9 @@ popd
|
|||||||
%patch213 -p1
|
%patch213 -p1
|
||||||
%patch214 -p1
|
%patch214 -p1
|
||||||
%patch215 -p1
|
%patch215 -p1
|
||||||
|
%patch216 -p1
|
||||||
|
%patch217 -p1
|
||||||
|
%patch218 -p1
|
||||||
%if %moblin
|
%if %moblin
|
||||||
%patch300 -p1
|
%patch300 -p1
|
||||||
%endif
|
%endif
|
||||||
|
Loading…
Reference in New Issue
Block a user