[arch-commits] CVS update of extra/x11/xorg-server (2 files)

Jan de Groot jgc at archlinux.org
Sun Jan 20 20:09:14 UTC 2008 

    Date: Sunday, January 20, 2008 @ 15:09:14
  Author: jgc
    Path: /home/cvs-extra/extra/x11/xorg-server

   Added: xorg-server-1.4-CVE-2007-6429.patch (1.1)
Modified: PKGBUILD (1.48 -> 1.49)

upgpkg: xorg-server 1.4.0.90-5
Add fix for regression due to last security update


-------------------------------------+
 PKGBUILD                            |   15 +++---
 xorg-server-1.4-CVE-2007-6429.patch |   82 ++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+), 6 deletions(-)


Index: extra/x11/xorg-server/PKGBUILD
diff -u extra/x11/xorg-server/PKGBUILD:1.48 extra/x11/xorg-server/PKGBUILD:1.49
--- extra/x11/xorg-server/PKGBUILD:1.48	Fri Jan 18 06:25:23 2008
+++ extra/x11/xorg-server/PKGBUILD	Sun Jan 20 15:09:14 2008
@@ -1,9 +1,9 @@
-# $Id: PKGBUILD,v 1.48 2008/01/18 11:25:23 alexander Exp $
+# $Id: PKGBUILD,v 1.49 2008/01/20 20:09:14 jgc Exp $
 # Maintainer: Alexander Baldeck <kth5 at archlinux.org>
 # Contributor: Jan de Groot <jgc at archlinux.org>
 pkgname=xorg-server
 pkgver=1.4.0.90
-pkgrel=4
+pkgrel=5
 _mesaver=7.0.1
 pkgdesc="X.Org X servers"
 arch=('i686' 'x86_64')
@@ -15,8 +15,8 @@
 makedepends=('pkgconfig' 'xf86driproto' 'xcmiscproto' 'xtrans' 'bigreqsproto'
              'xf86bigfontproto' 'resourceproto' 'evieext' 'damageproto>=1.1.0'
 	     'compositeproto>=0.4' 'scrnsaverproto' 'libxres' 'xorg-util-macros'
-	     'randrproto' 'glproto>=1.4.9' 'renderproto>=0.9.3' 'autoconf' 'automake'
-	     'libtool' 'bison' 'flex' 'gcc')
+	     'randrproto' 'glproto>=1.4.9' 'renderproto>=0.9.3' 'autoconf'
+	     'automake' 'libtool' 'bison' 'flex' 'gcc')
 options=('!libtool')
 provides=('x-server')
 groups=('xorg')
@@ -57,12 +57,14 @@
 	121_only_switch_vt_when_active.diff
 	102_ubuntu_sharevts_load_cpu.patch
 	104_fedora_init_origins_fix.patch
-	133_psb_auto.patch)
+	133_psb_auto.patch
+	xorg-server-1.4-CVE-2007-6429.patch)
 
 build() {
   cd ${startdir}/src/${pkgname}-${pkgver}
   # X.org security fixes
   patch -Np1 -i ${startdir}/src/xorg-xserver-1.4-multiple-overflows.diff || return 1
+  patch -Np1 -i ${startdir}/src/xorg-server-1.4-CVE-2007-6429.patch || return 1
 
   # patches from Debian
   patch -Np1 -i ${startdir}/src/01-kernel-headers-fix.patch || return 1
@@ -188,4 +190,5 @@
          'd7a5dd4cadf1ed70adc7e12fdf3133d2'
          '128f9245b2787479fcbf082f9e148aa8'
          '1dc001817b7a3951a63876415ad1eb91'
-         'c6c0c98dd96cdb79584953ca8a235ffc')
+         'c6c0c98dd96cdb79584953ca8a235ffc'
+	 '94acd7f97ea6ebcd735c529fbf257dc8')
Index: extra/x11/xorg-server/xorg-server-1.4-CVE-2007-6429.patch
diff -u /dev/null extra/x11/xorg-server/xorg-server-1.4-CVE-2007-6429.patch:1.1
--- /dev/null	Sun Jan 20 15:09:14 2008
+++ extra/x11/xorg-server/xorg-server-1.4-CVE-2007-6429.patch	Sun Jan 20 15:09:14 2008
@@ -0,0 +1,82 @@
+From: Adam Jackson <ajax at redhat.com>
+Date: Fri, 18 Jan 2008 19:41:20 +0000 (-0500)
+Subject: CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps.
+X-Git-Tag: xf-3_9_16Z / xf-3_9_16d / xf-3_9_16e / xf-3_9_16f
+X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commitdiff;h=b6d4cdf64f43ae805beada6122c8be2ed138742c
+
+CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps.
+
+Move size validation after depth validation, and only validate size if
+the bpp of the pixmap format is > 8.  If bpp < 8 then we're already
+protected from overflow by the width and height checks.
+(cherry picked from commit e9fa7c1c88a8130a48f772c92b186b8b777986b5)
+---
+
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -737,14 +737,6 @@ ProcPanoramiXShmCreatePixmap(
+     }
+     if (width > 32767 || height > 32767)
+         return BadAlloc;
+-    size = PixmapBytePad(width, depth) * height;
+-    if (sizeof(size) == 4) {
+-        if (size < width * height)
+-            return BadAlloc;
+-        /* thankfully, offset is unsigned */
+-        if (stuff->offset + size < size)
+-            return BadAlloc;
+-    }
+ 
+     if (stuff->depth != 1)
+     {
+@@ -755,7 +747,17 @@ ProcPanoramiXShmCreatePixmap(
+ 	client->errorValue = stuff->depth;
+         return BadValue;
+     }
++
+ CreatePmap:
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
++        if (size < width * height)
++            return BadAlloc;
++        /* thankfully, offset is unsigned */
++        if (stuff->offset + size < size)
++            return BadAlloc;
++    }
++
+     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+ 
+     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
+@@ -1080,14 +1082,6 @@ ProcShmCreatePixmap(client)
+     }
+     if (width > 32767 || height > 32767)
+ 	return BadAlloc;
+-    size = PixmapBytePad(width, depth) * height;
+-    if (sizeof(size) == 4) {
+-	if (size < width * height)
+-	    return BadAlloc;
+-	/* thankfully, offset is unsigned */
+-	if (stuff->offset + size < size)
+-	    return BadAlloc;
+-    }
+ 
+     if (stuff->depth != 1)
+     {
+@@ -1098,7 +1092,17 @@ ProcShmCreatePixmap(client)
+ 	client->errorValue = stuff->depth;
+         return BadValue;
+     }
++
+ CreatePmap:
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
++	if (size < width * height)
++	    return BadAlloc;
++	/* thankfully, offset is unsigned */
++	if (stuff->offset + size < size)
++	    return BadAlloc;
++    }
++
+     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
+ 			    pDraw->pScreen, stuff->width,

More information about the arch-commits mailing list