[arch-commits] Commit in xorg-server/trunk (2 files)
Andreas Radke
andyrtr at nymeria.archlinux.org
Fri Nov 1 16:15:20 UTC 2013
Date: Friday, November 1, 2013 @ 17:15:19
Author: andyrtr
Revision: 198666
upgpkg: xorg-server 1.14.4-1
upstream update 1.14.4
Modified:
xorg-server/trunk/PKGBUILD
Deleted:
xorg-server/trunk/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
-----------------------------------------------------------------+
0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch | 76 ----------
PKGBUILD | 24 ---
2 files changed, 4 insertions(+), 96 deletions(-)
Deleted: 0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
===================================================================
--- 0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch 2013-11-01 16:09:51 UTC (rev 198665)
+++ 0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch 2013-11-01 16:15:19 UTC (rev 198666)
@@ -1,76 +0,0 @@
-From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Mon, 16 Sep 2013 21:47:16 -0700
-Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
- [CVE-2013-4396]
-
-Save a pointer to the passed in closure structure before copying it
-and overwriting the *c pointer to point to our copy instead of the
-original. If we hit an error, once we free(c), reset c to point to
-the original structure before jumping to the cleanup code that
-references *c.
-
-Since one of the errors being checked for is whether the server was
-able to malloc(c->nChars * itemSize), the client can potentially pass
-a number of characters chosen to cause the malloc to fail and the
-error path to be taken, resulting in the read from freed memory.
-
-Since the memory is accessed almost immediately afterwards, and the
-X server is mostly single threaded, the odds of the free memory having
-invalid contents are low with most malloc implementations when not using
-memory debugging features, but some allocators will definitely overwrite
-the memory there, leading to a likely crash.
-
-Reported-by: Pedro Ribeiro <pedrib at gmail.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Julien Cristau <jcristau at debian.org>
----
- dix/dixfonts.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/dix/dixfonts.c b/dix/dixfonts.c
-index feb765d..2e34d37 100644
---- a/dix/dixfonts.c
-+++ b/dix/dixfonts.c
-@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- GC *pGC;
- unsigned char *data;
- ITclosurePtr new_closure;
-+ ITclosurePtr old_closure;
-
- /* We're putting the client to sleep. We need to
- save some state. Similar problem to that handled
-@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
- err = BadAlloc;
- goto bail;
- }
-+ old_closure = c;
- *new_closure = *c;
- c = new_closure;
-
- data = malloc(c->nChars * itemSize);
- if (!data) {
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- if (!pGC) {
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- FreeScratchGC(pGC);
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
---
-1.7.9.2
-
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2013-11-01 16:09:51 UTC (rev 198665)
+++ PKGBUILD 2013-11-01 16:15:19 UTC (rev 198666)
@@ -4,8 +4,8 @@
pkgbase=xorg-server
pkgname=('xorg-server' 'xorg-server-xephyr' 'xorg-server-xdmx' 'xorg-server-xvfb' 'xorg-server-xnest' 'xorg-server-common' 'xorg-server-devel')
-pkgver=1.14.3
-pkgrel=2
+pkgver=1.14.4
+pkgrel=1
arch=('i686' 'x86_64')
license=('custom')
url="http://xorg.freedesktop.org"
@@ -22,9 +22,8 @@
xvfb-run
xvfb-run.1
10-quirks.conf
- fb-rename-wfbDestroyGlyphCache.patch
- 0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch)
-sha256sums=('02125ae13a443dcbb55f964d5c37f1da2f58ad54c2102356037bec23c1b84f5e'
+ fb-rename-wfbDestroyGlyphCache.patch)
+sha256sums=('608ccfaafb845f6e559884a30f946d365209172416710d687b190e9e1ff65dc3'
'66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162'
'd027776fac1f7675b0a9ee817502290b1c45f9c09b0f0a6bb058c35f92361e84'
'e033f9bcc21980f7f0428e6ed6c362a3d55ad293b05fd6e6c6c1933b86f9e63a'
@@ -54,10 +53,6 @@
# http://cgit.freedesktop.org/xorg/xserver/commit/fb/wfbrename.h?id=5047810a4c20fab444b8c6eb146c55dcdb0d4219
patch -Np1 -i ../fb-rename-wfbDestroyGlyphCache.patch
-
- # CVE-2013-4396: Use after free in Xserver handling of ImageText requests
- # (to be included in xorg-server 1.15.0 and 1.14.4)
- patch -Np1 -i ../0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
}
build() {
@@ -223,14 +218,3 @@
install -m755 -d "${pkgdir}/usr/share/licenses/xorg-server-devel"
ln -sf ../xorg-server-common/COPYING "${pkgdir}/usr/share/licenses/xorg-server-devel/COPYING"
}
-sha256sums=('02125ae13a443dcbb55f964d5c37f1da2f58ad54c2102356037bec23c1b84f5e'
- '66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162'
- 'd027776fac1f7675b0a9ee817502290b1c45f9c09b0f0a6bb058c35f92361e84'
- 'e033f9bcc21980f7f0428e6ed6c362a3d55ad293b05fd6e6c6c1933b86f9e63a'
- '26ee6ff255a60d7c1e136c612925eb63c86e85a4a3a55d531852ad9275526588'
- 'bb63658d250c21bbfaf94c5417f2920ce5963ee1f7db6cac2b163a54f2e9b619'
- 'ff0156309470fc1d378fd2e104338020a884295e285972cc88e250e031cc35b9'
- '2460adccd3362fefd4cdc5f1c70f332d7b578091fb9167bf88b5f91265bbd776'
- '94612f5c0d34a3b7152915c2e285c7b462e9d8e38d3539bd551a339498eac166'
- 'd0832cc16b5e6c1dee2959055a4b327f5c87e2a67b5f427d654663057207b2c1'
- '2b90ce92a900b6d4edda9ef33acdd3d2c2708fec2344175c2d8dfd4265f56d32')
More information about the arch-commits
mailing list