Date: Monday, January 6, 2014 @ 23:20:54 Author: lcarlier Revision: 203261
fix CVE-2013-6424 (FS#38401) Added: xorg-server/repos/extra-i686/CVE-2013-6424.diff xorg-server/repos/extra-x86_64/CVE-2013-6424.diff Modified: xorg-server/repos/extra-i686/PKGBUILD xorg-server/repos/extra-x86_64/PKGBUILD ---------------------------------+ extra-i686/CVE-2013-6424.diff | 49 ++++++++++++++++++++++++++++++++++++++ extra-i686/PKGBUILD | 11 ++++++-- extra-x86_64/CVE-2013-6424.diff | 49 ++++++++++++++++++++++++++++++++++++++ extra-x86_64/PKGBUILD | 11 ++++++-- 4 files changed, 114 insertions(+), 6 deletions(-) Added: extra-i686/CVE-2013-6424.diff =================================================================== --- extra-i686/CVE-2013-6424.diff (rev 0) +++ extra-i686/CVE-2013-6424.diff 2014-01-06 22:20:54 UTC (rev 203261) @@ -0,0 +1,49 @@ +From patchwork Wed Oct 2 13:47:54 2013 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: exa: only draw valid trapezoids +From: Maarten Lankhorst <maarten.lankho...@canonical.com> +X-Patchwork-Id: 14769 +Message-Id: <524c240a.9010...@canonical.com> +To: "X.Org Devel List" <xorg-de...@lists.freedesktop.org> +Date: Wed, 02 Oct 2013 15:47:54 +0200 + +Fixes freedesktop.org bug https://bugs.freedesktop.org/show_bug.cgi?id=67484 + +If t->bottom is close to MIN_INT, removing top can wraparound, so do the check properly. +A similar fix should also be applied to pixman. + +Signed-off-by: Maarten Lankhorst <maarten.lankho...@canonical.com> + +--- + + +diff --git a/exa/exa_render.c b/exa/exa_render.c +index 172e2b5..807eeba 100644 +--- a/exa/exa_render.c ++++ b/exa/exa_render.c +@@ -1141,7 +1141,8 @@ exaTrapezoids(CARD8 op, PicturePtr pSrc, PicturePtr pDst, + + exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST); + for (; ntrap; ntrap--, traps++) +- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); ++ if (xTrapezoidValid(traps)) ++ (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); + exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST); + + xRel = bounds.x1 + xSrc - xDst; +diff --git a/render/picture.h b/render/picture.h +index c85353a..fcd6401 100644 +--- a/render/picture.h ++++ b/render/picture.h +@@ -211,7 +211,7 @@ typedef pixman_fixed_t xFixed; + /* whether 't' is a well defined not obviously empty trapezoid */ + #define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \ + (t)->right.p1.y != (t)->right.p2.y && \ +- (int) ((t)->bottom - (t)->top) > 0) ++ ((t)->bottom > (t)->top)) + + /* + * Standard NTSC luminance conversions: + Modified: extra-i686/PKGBUILD =================================================================== --- extra-i686/PKGBUILD 2014-01-06 22:12:15 UTC (rev 203260) +++ extra-i686/PKGBUILD 2014-01-06 22:20:54 UTC (rev 203261) @@ -5,7 +5,7 @@ pkgbase=xorg-server pkgname=('xorg-server' 'xorg-server-xephyr' 'xorg-server-xdmx' 'xorg-server-xvfb' 'xorg-server-xnest' 'xorg-server-common' 'xorg-server-devel') pkgver=1.14.5 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') license=('custom') url="http://xorg.freedesktop.org" @@ -22,7 +22,8 @@ xvfb-run xvfb-run.1 10-quirks.conf - fb-rename-wfbDestroyGlyphCache.patch) + fb-rename-wfbDestroyGlyphCache.patch + CVE-2013-6424.diff) sha256sums=('8d0f06bf1416487a5170318477088826a8d737d4a201e996b2dc1ecff47461d1' '66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162' 'd027776fac1f7675b0a9ee817502290b1c45f9c09b0f0a6bb058c35f92361e84' @@ -32,7 +33,8 @@ 'ff0156309470fc1d378fd2e104338020a884295e285972cc88e250e031cc35b9' '2460adccd3362fefd4cdc5f1c70f332d7b578091fb9167bf88b5f91265bbd776' '94612f5c0d34a3b7152915c2e285c7b462e9d8e38d3539bd551a339498eac166' - 'd0832cc16b5e6c1dee2959055a4b327f5c87e2a67b5f427d654663057207b2c1') + 'd0832cc16b5e6c1dee2959055a4b327f5c87e2a67b5f427d654663057207b2c1' + '89948993afd4d9aec6a0bdbaf62f494e9956bb77a0386307d497f340a818ff61') prepare() { cd "${pkgbase}-${pkgver}" @@ -53,6 +55,9 @@ # http://cgit.freedesktop.org/xorg/xserver/commit/fb/wfbrename.h?id=5047810a4c20fab444b8c6eb146c55dcdb0d4219 patch -Np1 -i ../fb-rename-wfbDestroyGlyphCache.patch + + # Fix CVE-2013-6424 (FS#38401) + patch -Np1 -i ../CVE-2013-6424.diff } build() { Added: extra-x86_64/CVE-2013-6424.diff =================================================================== --- extra-x86_64/CVE-2013-6424.diff (rev 0) +++ extra-x86_64/CVE-2013-6424.diff 2014-01-06 22:20:54 UTC (rev 203261) @@ -0,0 +1,49 @@ +From patchwork Wed Oct 2 13:47:54 2013 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: exa: only draw valid trapezoids +From: Maarten Lankhorst <maarten.lankho...@canonical.com> +X-Patchwork-Id: 14769 +Message-Id: <524c240a.9010...@canonical.com> +To: "X.Org Devel List" <xorg-de...@lists.freedesktop.org> +Date: Wed, 02 Oct 2013 15:47:54 +0200 + +Fixes freedesktop.org bug https://bugs.freedesktop.org/show_bug.cgi?id=67484 + +If t->bottom is close to MIN_INT, removing top can wraparound, so do the check properly. +A similar fix should also be applied to pixman. + +Signed-off-by: Maarten Lankhorst <maarten.lankho...@canonical.com> + +--- + + +diff --git a/exa/exa_render.c b/exa/exa_render.c +index 172e2b5..807eeba 100644 +--- a/exa/exa_render.c ++++ b/exa/exa_render.c +@@ -1141,7 +1141,8 @@ exaTrapezoids(CARD8 op, PicturePtr pSrc, PicturePtr pDst, + + exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST); + for (; ntrap; ntrap--, traps++) +- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); ++ if (xTrapezoidValid(traps)) ++ (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); + exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST); + + xRel = bounds.x1 + xSrc - xDst; +diff --git a/render/picture.h b/render/picture.h +index c85353a..fcd6401 100644 +--- a/render/picture.h ++++ b/render/picture.h +@@ -211,7 +211,7 @@ typedef pixman_fixed_t xFixed; + /* whether 't' is a well defined not obviously empty trapezoid */ + #define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \ + (t)->right.p1.y != (t)->right.p2.y && \ +- (int) ((t)->bottom - (t)->top) > 0) ++ ((t)->bottom > (t)->top)) + + /* + * Standard NTSC luminance conversions: + Modified: extra-x86_64/PKGBUILD =================================================================== --- extra-x86_64/PKGBUILD 2014-01-06 22:12:15 UTC (rev 203260) +++ extra-x86_64/PKGBUILD 2014-01-06 22:20:54 UTC (rev 203261) @@ -5,7 +5,7 @@ pkgbase=xorg-server pkgname=('xorg-server' 'xorg-server-xephyr' 'xorg-server-xdmx' 'xorg-server-xvfb' 'xorg-server-xnest' 'xorg-server-common' 'xorg-server-devel') pkgver=1.14.5 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') license=('custom') url="http://xorg.freedesktop.org" @@ -22,7 +22,8 @@ xvfb-run xvfb-run.1 10-quirks.conf - fb-rename-wfbDestroyGlyphCache.patch) + fb-rename-wfbDestroyGlyphCache.patch + CVE-2013-6424.diff) sha256sums=('8d0f06bf1416487a5170318477088826a8d737d4a201e996b2dc1ecff47461d1' '66e25f76a7496c429e0aff4b0670f168719bb0ceaeb88c6f2272f2bf3ed21162' 'd027776fac1f7675b0a9ee817502290b1c45f9c09b0f0a6bb058c35f92361e84' @@ -32,7 +33,8 @@ 'ff0156309470fc1d378fd2e104338020a884295e285972cc88e250e031cc35b9' '2460adccd3362fefd4cdc5f1c70f332d7b578091fb9167bf88b5f91265bbd776' '94612f5c0d34a3b7152915c2e285c7b462e9d8e38d3539bd551a339498eac166' - 'd0832cc16b5e6c1dee2959055a4b327f5c87e2a67b5f427d654663057207b2c1') + 'd0832cc16b5e6c1dee2959055a4b327f5c87e2a67b5f427d654663057207b2c1' + '89948993afd4d9aec6a0bdbaf62f494e9956bb77a0386307d497f340a818ff61') prepare() { cd "${pkgbase}-${pkgver}" @@ -53,6 +55,9 @@ # http://cgit.freedesktop.org/xorg/xserver/commit/fb/wfbrename.h?id=5047810a4c20fab444b8c6eb146c55dcdb0d4219 patch -Np1 -i ../fb-rename-wfbDestroyGlyphCache.patch + + # Fix CVE-2013-6424 (FS#38401) + patch -Np1 -i ../CVE-2013-6424.diff } build() {