Date: Wed, 10 Jan 2007 12:51:08 +0300 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: FreeBSD-gnats-submit@freebsd.org Cc: x11@FreeBSD.org Subject: update for x11-servers/xorg-server: multiple vulnerabilities Message-ID: <E1H4a6u-0003bs-VV@pobox.codelabs.ru>
>Submitter-Id: current-users >Originator: Eygene Ryabinkin >Organization: Code Labs >Confidential: no >Synopsis: update for x11-servers/xorg-server: multiple vulnerabilities >Severity: critical >Priority: high >Category: ports >Class: update >Release: FreeBSD 6.2-PRERELEASE i386 >Environment: System: FreeBSD XXX 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #10: Fri Dec 8 14:49:46 MSK 2006 root@XXX:/usr/obj/usr/src/sys/XXX i386 >Description: Two patches was issued by X.org that are fixing - CVE-2006-6101 CVE-2006-6102 CVE-2006-6103, - CVE-2006-2006-3739 and CVE 2006-3740. Current xorg-server-6.9.0_5 misses them. >How-To-Repeat: Go to http://xorg.freedesktop.org/releases/X11R6.9.0/patches/index.html and read entries about aforementioned vulnerabilities. >Fix: The patch that incorporates original vendor patches and bumps the portrevision is attached. Original patch x11r6.9.0-dbe-render.diff was modified: made proper patchfile locations by adding 'programs/Xserver/' to patch file locations. The code was untouched. --- CVE-2006-3739-3740-6102-6103-6104.diff begins here --- diff -urN xorg-server.orig/Makefile xorg-server/Makefile --- xorg-server.orig/Makefile Wed Jan 10 11:47:36 2007 +++ xorg-server/Makefile Wed Jan 10 11:49:43 2007 @@ -7,7 +7,7 @@ PORTNAME= xorg-server PORTVERSION= 6.9.0 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= x11-servers MASTER_SITES= ${MASTER_SITE_XORG} MASTER_SITE_SUBDIR= X11R${PORTVERSION}/src diff -urN xorg-server.orig/files/patch-CVE-2006-3739-3740 xorg-server/files/patch-CVE-2006-3739-3740 --- xorg-server.orig/files/patch-CVE-2006-3739-3740 Thu Jan 1 03:00:00 1970 +++ xorg-server/files/patch-CVE-2006-3739-3740 Wed Jan 10 11:57:09 2007 
@@ -0,0 +1,96 @@ +Index: lib/font/Type1/afm.c +=================================================================== +RCS file: /cvs/xorg/xc/lib/font/Type1/afm.c,v +retrieving revision 1.5 +diff -u -u -r1.5 afm.c +--- lib/font/Type1/afm.c 9 Jul 2005 23:30:06 -0000 1.5 ++++ lib/font/Type1/afm.c 12 Sep 2006 07:49:46 -0000 +@@ -29,6 +29,7 @@ + #include <stdio.h> + #include <string.h> + #include <stdlib.h> ++#include <limits.h> + #else + #include "Xmd.h" /* For INT32 declaration */ + #include "Xdefs.h" /* For Bool */ +@@ -118,6 +119,11 @@ + + fi->nChars = atoi(p); + ++ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) { ++ xfree(afmbuf); ++ xfree(fi); ++ return(1); ++ } + fi->metrics = (Metrics *)xalloc(fi->nChars * + sizeof(Metrics)); + if (fi->metrics == NULL) { +Index: lib/font/Type1/scanfont.c +=================================================================== +RCS file: /cvs/xorg/xc/lib/font/Type1/scanfont.c,v +retrieving revision 1.5 +diff -u -u -r1.5 scanfont.c +--- lib/font/Type1/scanfont.c 9 Jul 2005 23:30:06 -0000 1.5 ++++ lib/font/Type1/scanfont.c 12 Sep 2006 07:49:46 -0000 +@@ -57,6 +57,7 @@ + + #ifndef FONTMODULE + #include <string.h> ++#include <limits.h> + #else + #include "Xdefs.h" /* Bool declaration */ + #include "Xmd.h" /* INT32 declaration */ +@@ -654,6 +655,7 @@ + arrayP->data.valueP = tokenStartP; + + /* allocate FDArray */ ++ /* No integer overflow since arrayP->len is unsigned short */ + FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont))); + if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY); + +@@ -850,7 +852,8 @@ + } + return(SCAN_OK); + } +- ++ if (N > INT_MAX / sizeof(psobj)) ++ return (SCAN_ERROR); + arrayP = (psobj *)vm_alloc(N*sizeof(psobj)); + if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY); + FontP->Subrs.len = N; +@@ -911,7 +914,7 @@ + } + else return(rc); /* if next token was not an Int */ + } +- if (N<=0) return(SCAN_ERROR); ++ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR); + /* save number of entries in the 
dictionary */ + + dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict)); +@@ -1719,6 +1722,10 @@ + if (tokenType == TOKEN_INTEGER) + rangecnt = tokenValue.integer; + ++ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) { ++ rc = SCAN_ERROR; ++ break; ++ } + /* ==> tokenLength, tokenTooLong, tokenType, and */ + /* tokenValue are now set */ + +Index: lib/font/Type1/util.c +=================================================================== +RCS file: /cvs/xorg/xc/lib/font/Type1/util.c,v +retrieving revision 1.5 +diff -u -u -r1.5 util.c +--- lib/font/Type1/util.c 9 Jul 2005 23:30:07 -0000 1.5 ++++ lib/font/Type1/util.c 12 Sep 2006 07:49:46 -0000 +@@ -104,7 +104,7 @@ + bytes = (bytes + 7) & ~7; + + /* Allocate the space, if it is available */ +- if (bytes <= vm_free) { ++ if (bytes > 0 && bytes <= vm_free) { + answer = vm_next; + vm_free -= bytes; + vm_next += bytes; diff -urN xorg-server.orig/files/patch-CVE-2006-6101-6102-6103 xorg-server/files/patch-CVE-2006-6101-6102-6103 --- xorg-server.orig/files/patch-CVE-2006-6101-6102-6103 Thu Jan 1 03:00:00 1970 +++ xorg-server/files/patch-CVE-2006-6101-6102-6103 Wed Jan 10 11:57:31 2007 
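Review bot: The dictionary bound added in scanfont.c, `if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);`, guards N*sizeof(psdict), but the allocation that follows is `vm_alloc((N+1)*sizeof(psdict))`, so N == INT_MAX / sizeof(psdict) still passes and the byte count handed to vm_alloc can exceed INT_MAX by up to sizeof(psdict). That case is only caught because this same patch adds `bytes > 0` to vm_alloc in util.c, i.e. by the truncated count going negative rather than by the parser check itself; tightening the bound to `N > INT_MAX / sizeof(psdict) - 1` rejects it where the other new checks do. Note also that `bytes = (bytes + 7) & ~7;` in vm_alloc is executed before the new `bytes > 0` test, and if bytes is an int (as that test suggests) it is signed arithmetic that overflows for values within 7 of INT_MAX, which none of the new caller-side bounds exclude. The enclosing functions of these inner hunks start and end outside the hunk.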
@@ -0,0 +1,186 @@ +Index: dbe/dbe.c +=================================================================== +RCS file: /cvs/xorg/xc/programs/Xserver/dbe/dbe.c,v +retrieving revision 1.5 +diff -u -u -r1.5 dbe.c +--- programs/Xserver/dbe/dbe.c 3 Jul 2005 07:01:17 -0000 1.5 ++++ programs/Xserver/dbe/dbe.c 9 Jan 2007 12:45:54 -0000 +@@ -55,6 +55,10 @@ + #include "xf86_ansic.h" + #endif + ++#if !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif ++ + /* GLOBALS */ + + /* Per-screen initialization functions [init'ed by DbeRegisterFunction()] */ +@@ -733,11 +737,14 @@ + return(Success); + } + ++ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) ++ return BadAlloc; ++ + /* Get to the swap info appended to the end of the request. */ + dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; + + /* Allocate array to record swap information. */ +- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec)); ++ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec)); + if (swapInfo == NULL) + { + return(BadAlloc); +@@ -752,14 +759,14 @@ + if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client, + SecurityWriteAccess))) + { +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(BadWindow); + } + + /* Each window must be double-buffered - BadMatch. 
*/ + if (DBE_WINDOW_PRIV(pWin) == NULL) + { +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(BadMatch); + } + +@@ -768,7 +775,7 @@ + { + if (dbeSwapInfo[i].window == dbeSwapInfo[j].window) + { +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(BadMatch); + } + } +@@ -779,7 +786,7 @@ + (dbeSwapInfo[i].swapAction != XdbeUntouched ) && + (dbeSwapInfo[i].swapAction != XdbeCopied )) + { +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(BadValue); + } + +@@ -809,12 +816,12 @@ + error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo); + if (error != Success) + { +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(error); + } + } + +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(Success); + + } /* ProcDbeSwapBuffers() */ +@@ -898,10 +905,12 @@ + + REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); + ++ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) ++ return BadAlloc; + /* Make sure any specified drawables are valid. */ + if (stuff->n != 0) + { +- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n * ++ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n * + sizeof(DrawablePtr)))) + { + return(BadAlloc); +@@ -914,7 +923,7 @@ + if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable( + drawables[i], client, SecurityReadAccess))) + { +- DEALLOCATE_LOCAL(pDrawables); ++ Xfree(pDrawables); + return(BadDrawable); + } + } +@@ -926,7 +935,7 @@ + { + if (pDrawables) + { +- DEALLOCATE_LOCAL(pDrawables); ++ Xfree(pDrawables); + } + + return(BadAlloc); +@@ -953,7 +962,7 @@ + /* Free pDrawables if we needed to allocate it above. 
*/ + if (pDrawables) + { +- DEALLOCATE_LOCAL(pDrawables); ++ Xfree(pDrawables); + } + + return(BadAlloc); +@@ -1034,7 +1043,7 @@ + + if (pDrawables) + { +- DEALLOCATE_LOCAL(pDrawables); ++ Xfree(pDrawables); + } + + return(client->noClientException); +Index: render/render.c +=================================================================== +RCS file: /cvs/xorg/xc/programs/Xserver/render/render.c,v +retrieving revision 1.12 +diff -u -u -r1.12 render.c +--- programs/Xserver/render/render.c 28 Aug 2005 19:47:39 -0000 1.12 ++++ programs/Xserver/render/render.c 9 Jan 2007 12:45:55 -0000 +@@ -52,6 +52,10 @@ + #include "xf86_ansic.h" + #endif + ++#if !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif ++ + static int ProcRenderQueryVersion (ClientPtr pClient); + static int ProcRenderQueryPictFormats (ClientPtr pClient); + static int ProcRenderQueryPictIndexValues (ClientPtr pClient); +@@ -1108,11 +1112,14 @@ + } + + nglyphs = stuff->nglyphs; ++ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec)) ++ return BadAlloc; ++ + if (nglyphs <= NLOCALGLYPH) + glyphsBase = glyphsLocal; + else + { +- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec)); ++ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec)); + if (!glyphsBase) + return BadAlloc; + } +@@ -1169,7 +1176,7 @@ + } + + if (glyphsBase != glyphsLocal) +- DEALLOCATE_LOCAL (glyphsBase); ++ Xfree (glyphsBase); + return client->noClientException; + bail: + while (glyphs != glyphsBase) +@@ -1178,7 +1185,7 @@ + xfree (glyphs->glyph); + } + if (glyphsBase != glyphsLocal) +- DEALLOCATE_LOCAL (glyphsBase); ++ Xfree (glyphsBase); + return err; + } + --- CVE-2006-3739-3740-6102-6103-6104.diff ends here ---
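Review bot: In ProcDbeGetVisualInfo the only request-length check visible is `REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);`, yet the loop below reads `drawables[i]` for each of stuff->n entries, so the new `stuff->n > UINT32_MAX / sizeof(DrawablePtr)` guard prevents the multiplication from wrapping but does not tie stuff->n to what the client actually sent; if nothing above the hunk does that, a large n still reads past the end of the request buffer. A length check such as `REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));` (or an equivalent comparison against client->req_len) placed before the loop would bound n by the request itself and make the UINT32_MAX test redundant. ProcDbeSwapBuffers has the same shape, with nStuff records read from `&stuff[1]`, and the hunk likewise does not show nStuff being checked against the request length. The enclosing functions of these inner hunks begin and end outside the hunk.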