From 9858cf87912aadf8d2123398e690ca6bf8715f78 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Wed, 18 Mar 2015 08:18:22 +0000
Subject: main/xorg-server: fix CVE-2015-0255 and upgrade to 1.14.7

fixes #3998
---
 main/xorg-server/APKBUILD | 18 ++-
 main/xorg-server/CVE-2015-0255.patch | 240 +++++++++++++++++++++++++++++++++++
 2 files changed, 251 insertions(+), 7 deletions(-)
 create mode 100644 main/xorg-server/CVE-2015-0255.patch

diff --git a/main/xorg-server/APKBUILD b/main/xorg-server/APKBUILD
index 1a2fede4ef..1ddbbddf1c 100644
--- a/main/xorg-server/APKBUILD
+++ b/main/xorg-server/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Natanael Copa
 pkgname=xorg-server
-pkgver=1.14.4
+pkgver=1.14.7
 pkgrel=0
 pkgdesc="X.Org X servers"
 url="http://xorg.freedesktop.org"
@@ -67,6 +67,7 @@ makedepends="
 source="http://xorg.freedesktop.org/releases/individual/xserver/$pkgname-$pkgver.tar.bz2
 autoconfig-nvidia.patch
 autoconfig-sis.patch
+ CVE-2015-0255.patch
 "
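Review bot: The tarball this new patch line is applied to is downloaded over plain `http://xorg.freedesktop.org/...` (the `source=` context line), so the integrity of every build rests solely on the checksum lists updated in the next hunk; changing it to `https://xorg.freedesktop.org/releases/individual/xserver/$pkgname-$pkgver.tar.bz2` adds transport authentication on top of the pin. Retaining `md5sums` and `sha256sums` beside `sha512sums` triples the values that must stay consistent on each bump without adding assurance, so if the build tooling honours `sha512sums` on its own (not visible here) the two weaker lists can be dropped. The `source=` assignment is complete within the hunk, but the surrounding APKBUILD is not.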
@@ -161,12 +162,15 @@ xnest() {
 mv "$pkgdir"/usr/bin/Xnest "$subpkgdir"/usr/bin/
 }
 
-md5sums="9d68a30258c67faa3c036a4a85e8bf97 xorg-server-1.14.4.tar.bz2
+md5sums="0c285a813a6c3291c88d5a2b710aecb1 xorg-server-1.14.7.tar.bz2
 ea4852dedbb89550f6bc113ca66348a2 autoconfig-nvidia.patch
-825ca99ea9348c66abdf2c479e0af485 autoconfig-sis.patch"
-sha256sums="608ccfaafb845f6e559884a30f946d365209172416710d687b190e9e1ff65dc3 xorg-server-1.14.4.tar.bz2
+825ca99ea9348c66abdf2c479e0af485 autoconfig-sis.patch
+865a3b9808751dd5578e645ea4b4f884 CVE-2015-0255.patch"
+sha256sums="fcf66fa6ad86227613d2d3e8ae13ded297e2a1e947e9060a083eaf80d323451f xorg-server-1.14.7.tar.bz2
 66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162 autoconfig-nvidia.patch
-7d5d36dd152eb0fab277a4aeba0a08ad77049e591a0dea92f565a4b62f0d0a50 autoconfig-sis.patch"
-sha512sums="c288a9d38b08d675b90e860539c4cbd423be90fa27dd1a5fa443076475801bfa74b1f5a0dd6282cc1c9c8ff30bdff77c1eb587186479ebfcaf57185c2affba8a xorg-server-1.14.4.tar.bz2
+7d5d36dd152eb0fab277a4aeba0a08ad77049e591a0dea92f565a4b62f0d0a50 autoconfig-sis.patch
+823657d39266e5903efb6a309052ec15421baa3e93cc884050130112a697b7ff CVE-2015-0255.patch"
+sha512sums="89424c51f752cbbf6a531363f8c119d2f66c361bc67722290ebc561ee4da56dd3aa18ceaf3dafd4bb3cec97915f73353a5167e00362bf04bdb94ace1e5de7750 xorg-server-1.14.7.tar.bz2
 4dcaa60fbfc61636e7220a24a72bba19984a6dc752061cb40b1bd566c0e614d08927b6c223ffaaaa05636765fddacdc3113fde55d25fd09cd0c786ff44f51447 autoconfig-nvidia.patch
-30a78f4278edd535c45ee3f80933427cb029a13abaa4b041f816515fdd8f64f00b9c6aef50d4eba2aaf0d4f333e730399864fd97fa18891273601c77a6637200 autoconfig-sis.patch"
+30a78f4278edd535c45ee3f80933427cb029a13abaa4b041f816515fdd8f64f00b9c6aef50d4eba2aaf0d4f333e730399864fd97fa18891273601c77a6637200 autoconfig-sis.patch
+a6846a618251ca86eead3c898198c8cd2a5a66a68fa85608ac4ba36f1e9c54fb7b396ba1544101b768b94662adfb795d5ac151c4e0b9d0cf7f255a137770717f CVE-2015-0255.patch"
diff --git a/main/xorg-server/CVE-2015-0255.patch b/main/xorg-server/CVE-2015-0255.patch
new file mode 100644
index 0000000000..32e5681216
--- /dev/null
+++ b/main/xorg-server/CVE-2015-0255.patch
@@ -0,0 +1,240 @@ +From 81c90dc8f0aae3b65730409b1b615b5fa7280ebd Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 16 Jan 2015 20:08:59 +0100 +Subject: xkb: Don't swap XkbSetGeometry data in the input buffer + +The XkbSetGeometry request embeds data which needs to be swapped when the +server and the client have different endianess. + +_XkbSetGeometry() invokes functions that swap these data directly in the +input buffer. + +However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once +(if there is more than one keyboard), thus causing on swapped clients the +same data to be swapped twice in memory, further causing a server crash +because the strings lengths on the second time are way off bounds. + +To allow _XkbSetGeometry() to run reliably more than once with swapped +clients, do not swap the data in the buffer, use variables instead. + +Signed-off-by: Olivier Fourdan +Signed-off-by: Peter Hutterer + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 15c7f34..b9a3ac4 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -4961,14 +4961,13 @@ static char * + _GetCountedString(char **wire_inout, Bool swap) + { + char *wire, *str; +- CARD16 len, *plen; ++ CARD16 len; + + wire = *wire_inout; +- plen = (CARD16 *) wire; ++ len = *(CARD16 *) wire; + if (swap) { +- swaps(plen); ++ swaps(&len); + } +- len = *plen; + str = malloc(len + 1); + if (str) { + memcpy(str, &wire[2], len); +@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout, + { + char *wire; + xkbDoodadWireDesc *dWire; ++ xkbAnyDoodadWireDesc any; ++ xkbTextDoodadWireDesc text; + XkbDoodadPtr doodad; + + dWire = (xkbDoodadWireDesc *) (*wire_inout); ++ any = dWire->any; + wire = (char *) &dWire[1]; + if (client->swapped) { +- swapl(&dWire->any.name); +- swaps(&dWire->any.top); +- swaps(&dWire->any.left); +- swaps(&dWire->any.angle); ++ swapl(&any.name); ++ swaps(&any.top); ++ swaps(&any.left); ++ swaps(&any.angle); + } + CHK_ATOM_ONLY(dWire->any.name); +- doodad = XkbAddGeomDoodad(geom, section, 
dWire->any.name); ++ doodad = XkbAddGeomDoodad(geom, section, any.name); + if (!doodad) + return BadAlloc; + doodad->any.type = dWire->any.type; + doodad->any.priority = dWire->any.priority; +- doodad->any.top = dWire->any.top; +- doodad->any.left = dWire->any.left; +- doodad->any.angle = dWire->any.angle; ++ doodad->any.top = any.top; ++ doodad->any.left = any.left; ++ doodad->any.angle = any.angle; + switch (doodad->any.type) { + case XkbOutlineDoodad: + case XkbSolidDoodad: +@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout, + dWire->text.colorNdx); + return BadMatch; + } ++ text = dWire->text; + if (client->swapped) { +- swaps(&dWire->text.width); +- swaps(&dWire->text.height); ++ swaps(&text.width); ++ swaps(&text.height); + } +- doodad->text.width = dWire->text.width; +- doodad->text.height = dWire->text.height; ++ doodad->text.width = text.width; ++ doodad->text.height = text.height; + doodad->text.color_ndx = dWire->text.colorNdx; + doodad->text.text = _GetCountedString(&wire, client->swapped); + doodad->text.font = _GetCountedString(&wire, client->swapped); +-- +cgit v0.10.2 + +From 20079c36cf7d377938ca5478447d8b9045cb7d43 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 16 Jan 2015 08:44:45 +0100 +Subject: xkb: Check strings length against request size + +Ensure that the given strings length in an XkbSetGeometry request remain +within the limits of the size of the request. 
+ 
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+Signed-off-by: Peter Hutterer
+ 
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index b9a3ac4..f3988f9 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client)
+ 
+ /***====================================================================***/
+ 
+-static char *
+-_GetCountedString(char **wire_inout, Bool swap)
++static Status
++_GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ {
+- char *wire, *str;
++ char *wire, *next;
+ CARD16 len;
+ 
+ wire = *wire_inout;
+ len = *(CARD16 *) wire;
+- if (swap) {
++ if (client->swapped) {
+ swaps(&len);
+ }
+- str = malloc(len + 1);
+- if (str) {
+- memcpy(str, &wire[2], len);
+- str[len] = '\0';
+- }
+- wire += XkbPaddedSize(len + 2);
+- *wire_inout = wire;
+- return str;
++ next = wire + XkbPaddedSize(len + 2);
++ /* Check we're still within the size of the request */
++ if (client->req_len <
++ bytes_to_int32(next - (char *) client->requestBuffer))
++ return BadValue;
++ *str = malloc(len + 1);
++ if (!*str)
++ return BadAlloc;
++ memcpy(*str, &wire[2], len);
++ *(*str + len) = '\0';
++ *wire_inout = next;
++ return Success;
+ }
+ 
+ static Status
+@@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout,
+ xkbAnyDoodadWireDesc any;
+ xkbTextDoodadWireDesc text;
+ XkbDoodadPtr doodad;
++ Status status;
+ 
+ dWire = (xkbDoodadWireDesc *) (*wire_inout);
+ any = dWire->any;
+@@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout,
+ doodad->text.width = text.width;
+ doodad->text.height = text.height;
+ doodad->text.color_ndx = dWire->text.colorNdx;
+- doodad->text.text = _GetCountedString(&wire, client->swapped);
+- doodad->text.font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->text.text);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &doodad->text.font);
++ if (status != Success) {
++ free (doodad->text.text);
++ return status;
++ }
+ break;
+ case XkbIndicatorDoodad:
+ if (dWire->indicator.onColorNdx >= geom->num_colors) {
+@@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout,
+ }
+ doodad->logo.color_ndx = dWire->logo.colorNdx;
+ doodad->logo.shape_ndx = dWire->logo.shapeNdx;
+- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
++ if (status != Success)
++ return status;
+ break;
+ default:
+ client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
+@@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ char *wire;
+ 
+ wire = (char *) &req[1];
+- geom->label_font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &geom->label_font);
++ if (status != Success)
++ return status;
+ 
+ for (i = 0; i < req->nProperties; i++) {
+ char *name, *val;
+ 
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
+- val = _GetCountedString(&wire, client->swapped);
+- if (!val) {
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &val);
++ if (status != Success) {
+ free(name);
+- return BadAlloc;
++ return status;
+ }
+ if (XkbAddGeomProperty(geom, name, val) == NULL) {
+ free(name);
+@@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ for (i = 0; i < req->nColors; i++) {
+ char *name;
+ 
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
+ if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
+ free(name);
+ return BadAlloc;
+-- 
+cgit v0.10.2
+ 
-- 
cgit v1.2.3
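Review bot: In the `XkbTextDoodad` branch of `_CheckSetDoodad`, the new error path `free (doodad->text.text); return status;` leaves a dangling pointer inside a doodad that the earlier `doodad = XkbAddGeomDoodad(geom, section, any.name)` has already linked into the geometry, so if the caller discards the half-built geometry with `XkbFreeGeometry` on failure (which releases `text.text`/`text.font` for text doodads; that caller is not in this hunk) the string is freed twice — either drop that `free` and let the geometry own the string, or add `doodad->text.text = NULL;` directly after it. Separately, `_GetCountedString` still reads the two-byte length `len = *(CARD16 *) wire;` before the new `client->req_len` check runs, so a request whose data ends exactly at `wire` has two bytes past its end read before it is rejected; a guard placed above that read, `if (client->req_len < bytes_to_int32((wire + 2) - (char *) client->requestBuffer)) return BadValue;`, closes the gap (whether those two bytes fall inside the server's read buffer depends on its allocation, not visible here). `_CheckSetDoodad` and `_CheckSetGeom` both begin and end outside the hunk.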