[arch-commits] Commit in xorg-server/trunk (2 files)
Laurent Carlier
lcarlier at nymeria.archlinux.org
Tue Oct 8 20:54:42 UTC 2013
Date: Tuesday, October 8, 2013 @ 22:54:41
Author: lcarlier
Revision: 196225
upgpkg: xorg-server 1.14.3-2
Fix CVE-2013-4396
Added:
xorg-server/trunk/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
Modified:
xorg-server/trunk/PKGBUILD
-----------------------------------------------------------------+
0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch | 76 ++++++++++
PKGBUILD | 21 ++
2 files changed, 95 insertions(+), 2 deletions(-)
Added: 0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
===================================================================
--- 0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch (rev 0)
+++ 0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch 2013-10-08 20:54:41 UTC (rev 196225)
@@ -0,0 +1,76 @@
+From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Mon, 16 Sep 2013 21:47:16 -0700
+Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
+ [CVE-2013-4396]
+
+Save a pointer to the passed in closure structure before copying it
+and overwriting the *c pointer to point to our copy instead of the
+original. If we hit an error, once we free(c), reset c to point to
+the original structure before jumping to the cleanup code that
+references *c.
+
+Since one of the errors being checked for is whether the server was
+able to malloc(c->nChars * itemSize), the client can potentially pass
+a number of characters chosen to cause the malloc to fail and the
+error path to be taken, resulting in the read from freed memory.
+
+Since the memory is accessed almost immediately afterwards, and the
+X server is mostly single threaded, the odds of the free memory having
+invalid contents are low with most malloc implementations when not using
+memory debugging features, but some allocators will definitely overwrite
+the memory there, leading to a likely crash.
+
+Reported-by: Pedro Ribeiro <pedrib at gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+---
+ dix/dixfonts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index feb765d..2e34d37 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+ data = malloc(c->nChars * itemSize);
+ if (!data) {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ if (!pGC) {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+--
+1.7.9.2
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2013-10-08 20:28:33 UTC (rev 196224)
+++ PKGBUILD 2013-10-08 20:54:41 UTC (rev 196225)
@@ -5,7 +5,7 @@
pkgbase=xorg-server
pkgname=('xorg-server' 'xorg-server-xephyr' 'xorg-server-xdmx' 'xorg-server-xvfb' 'xorg-server-xnest' 'xorg-server-common' 'xorg-server-devel')
pkgver=1.14.3
-pkgrel=1
+pkgrel=2
arch=('i686' 'x86_64')
license=('custom')
url="http://xorg.freedesktop.org"
@@ -23,7 +23,8 @@
xvfb-run
xvfb-run.1
10-quirks.conf
- fb-rename-wfbDestroyGlyphCache.patch)
+ fb-rename-wfbDestroyGlyphCache.patch
+ 0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch)
sha256sums=('02125ae13a443dcbb55f964d5c37f1da2f58ad54c2102356037bec23c1b84f5e'
'66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162'
'd027776fac1f7675b0a9ee817502290b1c45f9c09b0f0a6bb058c35f92361e84'
@@ -54,7 +55,12 @@
# http://cgit.freedesktop.org/xorg/xserver/commit/fb/wfbrename.h?id=5047810a4c20fab444b8c6eb146c55dcdb0d4219
patch -Np1 -i ../fb-rename-wfbDestroyGlyphCache.patch
+
+ # CVE-2013-4396: Use after free in Xserver handling of ImageText requests
+ # (to be included in xorg-server 1.15.0 and 1.14.4)
+ patch -Np1 -i ../0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
}
+
build() {
cd "${pkgbase}-${pkgver}"
autoreconf -fi
@@ -218,3 +224,14 @@
install -m755 -d "${pkgdir}/usr/share/licenses/xorg-server-devel"
ln -sf ../xorg-server-common/COPYING "${pkgdir}/usr/share/licenses/xorg-server-devel/COPYING"
}
+sha256sums=('02125ae13a443dcbb55f964d5c37f1da2f58ad54c2102356037bec23c1b84f5e'
+ '66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162'
+ 'd027776fac1f7675b0a9ee817502290b1c45f9c09b0f0a6bb058c35f92361e84'
+ 'e033f9bcc21980f7f0428e6ed6c362a3d55ad293b05fd6e6c6c1933b86f9e63a'
+ '26ee6ff255a60d7c1e136c612925eb63c86e85a4a3a55d531852ad9275526588'
+ 'bb63658d250c21bbfaf94c5417f2920ce5963ee1f7db6cac2b163a54f2e9b619'
+ 'ff0156309470fc1d378fd2e104338020a884295e285972cc88e250e031cc35b9'
+ '2460adccd3362fefd4cdc5f1c70f332d7b578091fb9167bf88b5f91265bbd776'
+ '94612f5c0d34a3b7152915c2e285c7b462e9d8e38d3539bd551a339498eac166'
+ 'd0832cc16b5e6c1dee2959055a4b327f5c87e2a67b5f427d654663057207b2c1'
+ '2b90ce92a900b6d4edda9ef33acdd3d2c2708fec2344175c2d8dfd4265f56d32')
More information about the arch-commits
mailing list