debian/changelog | 6 ++ debian/local/xvfb-run | 5 +- debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch | 44 +++++++++++++++++++++ debian/patches/series | 1 fb/fbbits.h | 2 render/render.c | 8 +++ 6 files changed, 63 insertions(+), 3 deletions(-)
New commits:
commit 5e56865b7b1cc2cb6c69ed706f99d106ec3bed95
Author: Julien Cristau <jcris...@debian.org>
Date: Sun Sep 19 17:44:03 2010 +0200
xvfb-run: don't pass the magic cookie to xauth on the command line Use xauth source to pass the cookie via stdin. This addresses CVE-2009-1573. Thanks, Loïc Minier! (cherry picked from commit ecf09e571198ee16256a5efd1c23fd286a4f2249) Conflicts: debian/changelog
diff --git a/debian/changelog b/debian/changelog
index 7db9a4a..9c573c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ xorg-server (2:1.4.2-10.lenny3) UNRELEASED; urgency=low
 mi.
 * render: bounds check for nglyphs in ProcRenderAddGlyphs.
 * fb: make isClipped always reject negative coordinates (closes: #320627)
+ * xvfb-run: don't pass the magic cookie to xauth on the command line
+ (CVE-2009-1573). Thanks, Loïc Minier!
 -- Julien Cristau <jcris...@debian.org> Sat, 21 Nov 2009 13:09:36 +0100
diff --git a/debian/local/xvfb-run b/debian/local/xvfb-run
index c85f86a..b11130a 100644
--- a/debian/local/xvfb-run
+++ b/debian/local/xvfb-run
@@ -157,8 +157,9 @@ fi
 # Start Xvfb.
 MCOOKIE=$(mcookie)
-XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
- >>"$ERRORFILE" 2>&1
+XAUTHORITY=$AUTHFILE xauth source - << EOF >>"$ERRORFILE" 2>&1
+add :$SERVERNUM $XAUTHPROTO $MCOOKIE
+EOF
 XAUTHORITY=$AUTHFILE Xvfb ":$SERVERNUM" $XVFBARGS $LISTENTCP >>"$ERRORFILE" \
 2>&1 &
 XVFBPID=$!
commit 1fe0ca9d4f82effe4cd85f71b3d4202bf3454ddd
Author: Julien Cristau <jcris...@debian.org>
Date: Sun Sep 12 14:12:14 2010 +0200
Update changelog
diff --git a/debian/changelog b/debian/changelog
index 12ca313..7db9a4a 100644
--- a/debian/changelog
+++ b/debian/changelog
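Review bot: The heredoc on the new `xauth source -` call is unquoted, so `$SERVERNUM` and `$XAUTHPROTO` are now expanded into a command stream that xauth tokenises itself, where the removed line passed each one as a single quoted argument. If either value can come from the script's options (not visible in this hunk), whitespace or a newline in it would alter the `add` entry or append further xauth commands against the authority file. Validating both before `MCOOKIE=$(mcookie)` keeps the stdin approach and restores the one-value-per-field guarantee; the error reporting below is a stand-in for whatever the script already uses. The exit status of xauth is also still ignored, so a failed `add` only shows up in `$ERRORFILE`.

```shell
# Reject values that would change the xauth command stream fed via stdin.
case "$SERVERNUM" in
    ''|*[!0-9]*) echo "invalid server number" >&2; exit 1 ;;
esac
case "$XAUTHPROTO" in
    ''|*[!A-Za-z0-9._-]*) echo "invalid xauth protocol name" >&2; exit 1 ;;
esac
MCOOKIE=$(mcookie)
# … unchanged: xauth source heredoc and Xvfb start …
```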
@@ -5,6 +5,8 @@ xorg-server (2:1.4.2-10.lenny3) UNRELEASED; urgency=low
 #555308).
 * Add patch by Olivier Fourdan (Red Hat) to fix the mod() macro in fb and
 mi.
+ * render: bounds check for nglyphs in ProcRenderAddGlyphs.
+ * fb: make isClipped always reject negative coordinates (closes: #320627)
 -- Julien Cristau <jcris...@debian.org> Sat, 21 Nov 2009 13:09:36 +0100
commit fa8e429c2e091e97c6ba617f9e622b0a23dbf7ff
Author: Keith Packard <kei...@keithp.com>
Date: Fri Aug 20 10:01:48 2010 -0700
fb: make isClipped always reject negative coordinates (bug 11503) A window with either dimension > 32767 can be positioned such that coordinates > 32767 are visible on the screen. Attempts to draw to those pixels will generate coordinates wrapped around to negative values. The optimized clipping macro, 'isClipped', in fbbits.h, computes clipping in window space rather than screen space using int16 values, and so it too has coordinates wrapped around to negative values and hence ends up accepting the wrapped drawing coordinates. Two possible fixes for this problem 1) Detect wrapped region coordinates and clip those to 32767. 2) Detect negative incoming coordinates and reject those This patch takes the second approach as it is much shorter, simply detecting when either X or Y incoming coordinate is negative, which can never be 'within' any drawable. Signed-off-by: Keith Packard <kei...@keithp.com> Reviewed-by: Adam Jackson <a...@redhat.com> (cherry picked from commit 3e56efcfb63677cd8574e1e435e61d96f79ea536) (cherry picked from commit 7c544986656713b5bbdb936bb7c3cb5a83d9f833)
diff --git a/fb/fbbits.h b/fb/fbbits.h
index 44991f1..b8af785 100644
--- a/fb/fbbits.h
+++ b/fb/fbbits.h
@@ -25,7 +25,7 @@
 * underlying datatypes instead of masks
 */
-#define isClipped(c,ul,lr) ((((c) - (ul)) | ((lr) - (c))) & 0x80008000)
+#define isClipped(c,ul,lr) (((c) | ((c) - (ul)) | ((lr) - (c))) & 0x80008000)
 #ifdef HAVE_DIX_CONFIG_H
 #include <dix-config.h>
commit ba65e70a460e4312f777fbf27936e55fdcf950df
Author: Adam Jackson <a...@redhat.com>
Date: Mon Jun 28 18:08:50 2010 -0400
render: Bounds check for nglyphs in ProcRenderAddGlyphs (#28801) Signed-off-by: Adam Jackson <a...@redhat.com> Reviewed-by: Julien Cristau <jcris...@debian.org> Signed-off-by: Keith Packard <kei...@keithp.com> (cherry picked from commit 5725849a1b427cd4a72b84e57f211edb35838718)
diff --git a/render/render.c b/render/render.c
index b53e878..a5ce0d9 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1131,6 +1131,14 @@ ProcRenderAddGlyphs (ClientPtr client)
 gi = (xGlyphInfo *) (gids + nglyphs);
 bits = (CARD8 *) (gi + nglyphs);
 remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
+
+ /* protect against bad nglyphs */
+ if (gi < stuff || gi > ((CARD32 *)stuff + client->req_len) ||
+ bits < stuff || bits > ((CARD32 *)stuff + client->req_len)) {
+ err = BadLength;
+ goto bail;
+ }
+
 while (remain >= 0 && nglyphs)
 {
 glyph = AllocateGlyph (gi, glyphSet->fdepth);
commit f2387edf0ead0861f0c545341c3b0e4e6852b6ba
Author: Julien Cristau <jcris...@debian.org>
Date: Mon Mar 29 23:40:20 2010 +0200
Add patch by Olivier Fourdan (Red Hat) to fix the mod() macro in fb and mi.
diff --git a/debian/changelog b/debian/changelog
index 1e33d5c..12ca313 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ xorg-server (2:1.4.2-10.lenny3) UNRELEASED; urgency=low
 * Cherry-pick patch from upstream to set umask to a sane value in Xorg before opening the log, so we don't create it world-writable (closes:
 #555308).
+ * Add patch by Olivier Fourdan (Red Hat) to fix the mod() macro in fb and
+ mi.
 -- Julien Cristau <jcris...@debian.org> Sat, 21 Nov 2009 13:09:36 +0100
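Review bot: The rewritten `isClipped` carries no comment explaining the packed-coordinate trick, and it now expands `c` three times, so an argument with side effects would be evaluated repeatedly. Going by the commit message and the `0x80008000` mask, each argument appears to hold two 16-bit coordinates in one 32-bit word with bits 15 and 31 acting as the per-half sign bits; this should be confirmed against the callers, which are outside the hunk. I would add above the macro: `/* c, ul, lr: packed 16-bit x/y pairs. A sign bit set in c, c - ul or lr - c means the point is negative or outside [ul, lr]. Arguments are evaluated more than once. */`.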
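Review bot: The new bounds check runs only after `gi` and `bits` have been derived from the unvalidated `nglyphs` and after `remain` has been reduced by a product that can wrap, so it relies on out-of-range pointer arithmetic still yielding a comparable value. `gi < stuff` and `bits < stuff` also compare pointers of different types (`gi` is `xGlyphInfo *`, `bits` is `CARD8 *`), which compilers warn about; casting `stuff` once to a byte pointer would make the intent explicit. A count check placed ahead of the pointer derivation is sturdier, for example `if (remain < 0 || nglyphs > remain / (sizeof (CARD32) + sizeof (xGlyphInfo))) { err = BadLength; goto bail; }`, with casts chosen to match the declarations of `remain` and `nglyphs`, which are outside this hunk. The rest of ProcRenderAddGlyphs, including the `bail` label, is not visible here.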
diff --git a/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch b/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch
new file mode 100644
index 0000000..6bebae2
--- /dev/null
+++ b/debian/patches/55_Fix-mod-macro-in-fb-and-mi.patch
@@ -0,0 +1,44 @@
+From 8f536b80f153337f74f01be1a48f5067cefc47bc Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcris...@debian.org>
+Date: Mon, 29 Mar 2010 23:32:19 +0200
+Subject: [PATCH] Fix mod() macro in fb and mi
+
+Patch by Olivier Fourdan (Red Hat) via Ubuntu.
+
+References:
+https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/551193
+https://bugzilla.redhat.com/show_bug.cgi?id=570089
+---
+ fb/fbpict.c | 2 +-
+ mi/miarc.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fb/fbpict.c b/fb/fbpict.c
+index 85b5171..ff29ff2 100644
+--- a/fb/fbpict.c
++++ b/fb/fbpict.c
+@@ -37,7 +37,7 @@
+ #include "mipict.h"
+ #include "fbpict.h"
+
+-#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
++#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
+
+ void
+ fbWalkCompositeRegion (CARD8 op,
+diff --git a/mi/miarc.c b/mi/miarc.c
+index 3b77ce7..34f4bb8 100644
+--- a/mi/miarc.c
++++ b/mi/miarc.c
+@@ -1528,7 +1528,7 @@ miRoundCap(
+
+ # define Dsin(d) ((d) == 0.0 ? 0.0 : ((d) == 90.0 ? 1.0 : sin(d*M_PI/180.0)))
+ # define Dcos(d) ((d) == 0.0 ? 1.0 : ((d) == 90.0 ? 0.0 : cos(d*M_PI/180.0)))
+-# define mod(a,b) ((a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
++# define mod(a,b) ((a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
+
+ static double
+ miDcos (double a)
+--
+1.7.0.3
+
diff --git a/debian/patches/series b/debian/patches/series
index 25604c9..a6b826e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
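Review bot: The corrected `mod(a,b)` still yields `b`, not 0, when `a` is a negative multiple of `b`, because `(-(a)) % (b)` is 0 there and the result becomes `(b) - 0`; this holds for both the fb/fbpict.c and the mi/miarc.c definition. If any caller uses the result as an offset into a range of `b` elements (the callers are outside this hunk), that value is one past the end. `-(a)` also overflows when `a` is the most negative value of its type. A form that avoids both is `(a) >= 0 ? (a) % (b) : ((b) - 1) - (-((a) + 1)) % (b)`, keeping the `(b) == 1 ? 0 :` prefix in fbpict.c.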
@@ -28,6 +28,7 @@
 52_xevie-swap-replies.diff
 53_Properly-initialize-io.pi_sel.pc_domain-on-kfreebsd.patch
 54_more-sanity-checks.diff
+55_Fix-mod-macro-in-fb-and-mi.patch
 91_ttf2pt1
 91_ttf2pt1_updates
 92_xprint-security-holes-fix.patch
-- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1oxm4r-0005kc...@alioth.debian.org