Keith: kindly pull the following into the xserver master branch. As you know, these are the fixes for today's security advisory which have been reviewed on the xorg-security mailing list.
Julien: once Keith is done, please backport as appropriate into the xorg-server-1.16 branch. Known issues for backporting include:

 - the RegionSizeof patch is currently written to be applied after commit 995ecfb51d4ab8197e from the 1.17 development timeframe
 - the "Additional paranoia in __glXGetAnswerBuffer" patch causes __glXGetAnswerBuffer to return NULL in more cases, which depends on commit 61a292adf45405641d from the 1.17 development timeframe to make sure callers check for possible NULL results.

----------------------------------------------------------------
The following changes since commit 3e7218a6c23354d66f508b18164cac98a346b3ee:

  Merge remote-tracking branch 'jturney/indirect-glx-fixes' (2014-12-08 18:07:55 -0800)

are available in the git repository at:

  git://people.freedesktop.org/~alanc/xserver master

for you to fetch changes up to 7e7630bbb775573eea2a2335adb9d190c3e1e971:

  glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6] (2014-12-08 18:09:50 -0800)

----------------------------------------------------------------
Adam Jackson (12):
      glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
      glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]
      glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
      glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
      glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
      glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6]
      glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8]
      glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8]
      glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8]
      glx: Length-checking for non-generated vendor private requests [CVE-2014-8098 6/8]
      glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]
      glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]

Alan Coopersmith (18):
      unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
      dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
      dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
      dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
      dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
      dri2: integer overflow in ProcDRI2GetBuffers() [CVE-2014-8094]
      dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
      Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
      xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]
      Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
      dri3: unvalidated lengths in DRI3 extension swapped procs [CVE-2014-8103 1/2]
      present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
      randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
      render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
      xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]
      Add request length checking test cases for some Xinput 1.x requests
      Add request length checking test cases for some Xinput 2.x requests
      Add REQUEST_FIXED_SIZE testcases to test/misc.c

Julien Cristau (2):
      render: check request size before reading it [CVE-2014-8100 1/2]
      glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]

Robert Morell (1):
      glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]

 Xext/xcmisc.c                            |   1 +
 Xext/xvdisp.c                            |  20 ++++
 Xi/chgdctl.c                             |   8 +-
 Xi/chgfctl.c                             |   2 +
 Xi/sendexev.c                            |   3 +
 Xi/xiallowev.c                           |   2 +
 Xi/xichangecursor.c                      |   2 +-
 Xi/xichangehierarchy.c                   |  35 +++++-
 Xi/xigetclientpointer.c                  |   1 +
 Xi/xigrabdev.c                           |   9 +-
 Xi/xipassivegrab.c                       |  12 +-
 Xi/xiproperty.c                          |  14 +--
 Xi/xiquerydevice.c                       |   1 +
 Xi/xiquerypointer.c                      |   2 +
 Xi/xiselectev.c                          |   8 ++
 Xi/xisetclientpointer.c                  |   3 +-
 Xi/xisetdevfocus.c                       |   4 +
 Xi/xiwarppointer.c                       |   2 +
 configure.ac                             |   1 +
 dbe/dbe.c                                |  11 +-
 dix/dispatch.c                           |   3 +
 dix/region.c                             |  20 ++--
 dri3/dri3_request.c                      |   6 +
 glx/clientinfo.c                         |  19 +++-
 glx/glxcmds.c                            |  85 ++++++++------
 glx/glxcmdsswap.c                        |   4 +
 glx/glxserver.h                          |  43 ++++++-
 glx/indirect_program.c                   |   2 +
 glx/indirect_reqsize.c                   | 142 ++++++++++++-----------
 glx/indirect_reqsize.h                   | 181 ++++++++++++++++++------------
 glx/indirect_texture_compression.c       |   4 +
 glx/indirect_util.c                      |   9 +-
 glx/rensize.c                            | 114 +++++++++++--------
 glx/single2.c                            |  23 +++-
 glx/single2swap.c                        |  19 +++-
 glx/singlepix.c                          |  60 ++++++----
 glx/singlepixswap.c                      |  50 ++++++---
 glx/swap_interval.c                      |   2 +
 glx/unpack.h                             |   3 +-
 hw/xfree86/dri2/dri2ext.c                |   3 +
 include/dix.h                            |   7 +-
 include/regionstr.h                      |  10 +-
 os/access.c                              |   6 +
 os/rpcauth.c                             |   4 +
 present/present_request.c                |   6 +
 randr/rrsdispatch.c                      |   4 +
 render/render.c                          |  20 +++-
 test/Makefile.am                         |   2 +-
 test/misc.c                              |  37 ++++++
 test/xi1/Makefile.am                     |  34 ++++++
 test/xi1/protocol-xchangedevicecontrol.c | 122 ++++++++++++++++++++
 test/xi2/protocol-xigetclientpointer.c   |   5 +
 test/xi2/protocol-xipassivegrabdevice.c  |   8 ++
 test/xi2/protocol-xiquerypointer.c       |   4 +
 test/xi2/protocol-xiwarppointer.c        |   3 +
 xfixes/select.c                          |   1 +
 56 files changed, 893 insertions(+), 313 deletions(-)
 create mode 100644 test/xi1/Makefile.am
 create mode 100644 test/xi1/protocol-xchangedevicecontrol.c

-- 
        -Alan Coopersmith-              alan.coopersm...@oracle.com
         X.Org Security Response Team - xorg-secur...@lists.x.org
_______________________________________________
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel