aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2015-03-18 08:18:22 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-03-18 08:18:22 +0000
commit9858cf87912aadf8d2123398e690ca6bf8715f78 (patch)
treeeb60dda40af18d579da5a933d7220da45c5f68f3
parent6a6fde0b6ddc9eb00d12e9b4a02294bdc2845053 (diff)
downloadaports-9858cf87912aadf8d2123398e690ca6bf8715f78.tar.bz2
aports-9858cf87912aadf8d2123398e690ca6bf8715f78.tar.xz
main/xorg-server: fix CVE-2015-0255 and upgrade to 1.14.7
fixes #3998
-rw-r--r--main/xorg-server/APKBUILD18
-rw-r--r--main/xorg-server/CVE-2015-0255.patch240
2 files changed, 251 insertions, 7 deletions
diff --git a/main/xorg-server/APKBUILD b/main/xorg-server/APKBUILD
index 1a2fede4ef..1ddbbddf1c 100644
--- a/main/xorg-server/APKBUILD
+++ b/main/xorg-server/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xorg-server
-pkgver=1.14.4
+pkgver=1.14.7
pkgrel=0
pkgdesc="X.Org X servers"
url="http://xorg.freedesktop.org"
@@ -67,6 +67,7 @@ makedepends="
source="http://xorg.freedesktop.org/releases/individual/xserver/$pkgname-$pkgver.tar.bz2
autoconfig-nvidia.patch
autoconfig-sis.patch
+ CVE-2015-0255.patch
"
@@ -161,12 +162,15 @@ xnest() {
mv "$pkgdir"/usr/bin/Xnest "$subpkgdir"/usr/bin/
}
-md5sums="9d68a30258c67faa3c036a4a85e8bf97 xorg-server-1.14.4.tar.bz2
+md5sums="0c285a813a6c3291c88d5a2b710aecb1 xorg-server-1.14.7.tar.bz2
ea4852dedbb89550f6bc113ca66348a2 autoconfig-nvidia.patch
-825ca99ea9348c66abdf2c479e0af485 autoconfig-sis.patch"
-sha256sums="608ccfaafb845f6e559884a30f946d365209172416710d687b190e9e1ff65dc3 xorg-server-1.14.4.tar.bz2
+825ca99ea9348c66abdf2c479e0af485 autoconfig-sis.patch
+865a3b9808751dd5578e645ea4b4f884 CVE-2015-0255.patch"
+sha256sums="fcf66fa6ad86227613d2d3e8ae13ded297e2a1e947e9060a083eaf80d323451f xorg-server-1.14.7.tar.bz2
66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162 autoconfig-nvidia.patch
-7d5d36dd152eb0fab277a4aeba0a08ad77049e591a0dea92f565a4b62f0d0a50 autoconfig-sis.patch"
-sha512sums="c288a9d38b08d675b90e860539c4cbd423be90fa27dd1a5fa443076475801bfa74b1f5a0dd6282cc1c9c8ff30bdff77c1eb587186479ebfcaf57185c2affba8a xorg-server-1.14.4.tar.bz2
+7d5d36dd152eb0fab277a4aeba0a08ad77049e591a0dea92f565a4b62f0d0a50 autoconfig-sis.patch
+823657d39266e5903efb6a309052ec15421baa3e93cc884050130112a697b7ff CVE-2015-0255.patch"
+sha512sums="89424c51f752cbbf6a531363f8c119d2f66c361bc67722290ebc561ee4da56dd3aa18ceaf3dafd4bb3cec97915f73353a5167e00362bf04bdb94ace1e5de7750 xorg-server-1.14.7.tar.bz2
4dcaa60fbfc61636e7220a24a72bba19984a6dc752061cb40b1bd566c0e614d08927b6c223ffaaaa05636765fddacdc3113fde55d25fd09cd0c786ff44f51447 autoconfig-nvidia.patch
-30a78f4278edd535c45ee3f80933427cb029a13abaa4b041f816515fdd8f64f00b9c6aef50d4eba2aaf0d4f333e730399864fd97fa18891273601c77a6637200 autoconfig-sis.patch"
+30a78f4278edd535c45ee3f80933427cb029a13abaa4b041f816515fdd8f64f00b9c6aef50d4eba2aaf0d4f333e730399864fd97fa18891273601c77a6637200 autoconfig-sis.patch
+a6846a618251ca86eead3c898198c8cd2a5a66a68fa85608ac4ba36f1e9c54fb7b396ba1544101b768b94662adfb795d5ac151c4e0b9d0cf7f255a137770717f CVE-2015-0255.patch"
diff --git a/main/xorg-server/CVE-2015-0255.patch b/main/xorg-server/CVE-2015-0255.patch
new file mode 100644
index 0000000000..32e5681216
--- /dev/null
+++ b/main/xorg-server/CVE-2015-0255.patch
@@ -0,0 +1,240 @@
+From 81c90dc8f0aae3b65730409b1b615b5fa7280ebd Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 16 Jan 2015 20:08:59 +0100
+Subject: xkb: Don't swap XkbSetGeometry data in the input buffer
+
+The XkbSetGeometry request embeds data which needs to be swapped when the
+server and the client have different endianess.
+
+_XkbSetGeometry() invokes functions that swap these data directly in the
+input buffer.
+
+However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
+(if there is more than one keyboard), thus causing on swapped clients the
+same data to be swapped twice in memory, further causing a server crash
+because the strings lengths on the second time are way off bounds.
+
+To allow _XkbSetGeometry() to run reliably more than once with swapped
+clients, do not swap the data in the buffer, use variables instead.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 15c7f34..b9a3ac4 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -4961,14 +4961,13 @@ static char *
+ _GetCountedString(char **wire_inout, Bool swap)
+ {
+ char *wire, *str;
+- CARD16 len, *plen;
++ CARD16 len;
+
+ wire = *wire_inout;
+- plen = (CARD16 *) wire;
++ len = *(CARD16 *) wire;
+ if (swap) {
+- swaps(plen);
++ swaps(&len);
+ }
+- len = *plen;
+ str = malloc(len + 1);
+ if (str) {
+ memcpy(str, &wire[2], len);
+@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout,
+ {
+ char *wire;
+ xkbDoodadWireDesc *dWire;
++ xkbAnyDoodadWireDesc any;
++ xkbTextDoodadWireDesc text;
+ XkbDoodadPtr doodad;
+
+ dWire = (xkbDoodadWireDesc *) (*wire_inout);
++ any = dWire->any;
+ wire = (char *) &dWire[1];
+ if (client->swapped) {
+- swapl(&dWire->any.name);
+- swaps(&dWire->any.top);
+- swaps(&dWire->any.left);
+- swaps(&dWire->any.angle);
++ swapl(&any.name);
++ swaps(&any.top);
++ swaps(&any.left);
++ swaps(&any.angle);
+ }
+ CHK_ATOM_ONLY(dWire->any.name);
+- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
++ doodad = XkbAddGeomDoodad(geom, section, any.name);
+ if (!doodad)
+ return BadAlloc;
+ doodad->any.type = dWire->any.type;
+ doodad->any.priority = dWire->any.priority;
+- doodad->any.top = dWire->any.top;
+- doodad->any.left = dWire->any.left;
+- doodad->any.angle = dWire->any.angle;
++ doodad->any.top = any.top;
++ doodad->any.left = any.left;
++ doodad->any.angle = any.angle;
+ switch (doodad->any.type) {
+ case XkbOutlineDoodad:
+ case XkbSolidDoodad:
+@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout,
+ dWire->text.colorNdx);
+ return BadMatch;
+ }
++ text = dWire->text;
+ if (client->swapped) {
+- swaps(&dWire->text.width);
+- swaps(&dWire->text.height);
++ swaps(&text.width);
++ swaps(&text.height);
+ }
+- doodad->text.width = dWire->text.width;
+- doodad->text.height = dWire->text.height;
++ doodad->text.width = text.width;
++ doodad->text.height = text.height;
+ doodad->text.color_ndx = dWire->text.colorNdx;
+ doodad->text.text = _GetCountedString(&wire, client->swapped);
+ doodad->text.font = _GetCountedString(&wire, client->swapped);
+--
+cgit v0.10.2
+
+From 20079c36cf7d377938ca5478447d8b9045cb7d43 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 16 Jan 2015 08:44:45 +0100
+Subject: xkb: Check strings length against request size
+
+Ensure that the given strings length in an XkbSetGeometry request remain
+within the limits of the size of the request.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index b9a3ac4..f3988f9 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client)
+
+ /***====================================================================***/
+
+-static char *
+-_GetCountedString(char **wire_inout, Bool swap)
++static Status
++_GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ {
+- char *wire, *str;
++ char *wire, *next;
+ CARD16 len;
+
+ wire = *wire_inout;
+ len = *(CARD16 *) wire;
+- if (swap) {
++ if (client->swapped) {
+ swaps(&len);
+ }
+- str = malloc(len + 1);
+- if (str) {
+- memcpy(str, &wire[2], len);
+- str[len] = '\0';
+- }
+- wire += XkbPaddedSize(len + 2);
+- *wire_inout = wire;
+- return str;
++ next = wire + XkbPaddedSize(len + 2);
++ /* Check we're still within the size of the request */
++ if (client->req_len <
++ bytes_to_int32(next - (char *) client->requestBuffer))
++ return BadValue;
++ *str = malloc(len + 1);
++ if (!*str)
++ return BadAlloc;
++ memcpy(*str, &wire[2], len);
++ *(*str + len) = '\0';
++ *wire_inout = next;
++ return Success;
+ }
+
+ static Status
+@@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout,
+ xkbAnyDoodadWireDesc any;
+ xkbTextDoodadWireDesc text;
+ XkbDoodadPtr doodad;
++ Status status;
+
+ dWire = (xkbDoodadWireDesc *) (*wire_inout);
+ any = dWire->any;
+@@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout,
+ doodad->text.width = text.width;
+ doodad->text.height = text.height;
+ doodad->text.color_ndx = dWire->text.colorNdx;
+- doodad->text.text = _GetCountedString(&wire, client->swapped);
+- doodad->text.font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->text.text);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &doodad->text.font);
++ if (status != Success) {
++ free (doodad->text.text);
++ return status;
++ }
+ break;
+ case XkbIndicatorDoodad:
+ if (dWire->indicator.onColorNdx >= geom->num_colors) {
+@@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout,
+ }
+ doodad->logo.color_ndx = dWire->logo.colorNdx;
+ doodad->logo.shape_ndx = dWire->logo.shapeNdx;
+- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
++ if (status != Success)
++ return status;
+ break;
+ default:
+ client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
+@@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ char *wire;
+
+ wire = (char *) &req[1];
+- geom->label_font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &geom->label_font);
++ if (status != Success)
++ return status;
+
+ for (i = 0; i < req->nProperties; i++) {
+ char *name, *val;
+
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
+- val = _GetCountedString(&wire, client->swapped);
+- if (!val) {
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &val);
++ if (status != Success) {
+ free(name);
+- return BadAlloc;
++ return status;
+ }
+ if (XkbAddGeomProperty(geom, name, val) == NULL) {
+ free(name);
+@@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ for (i = 0; i < req->nColors; i++) {
+ char *name;
+
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
+ if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
+ free(name);
+ return BadAlloc;
+--
+cgit v0.10.2
+