Date:      Thu, 12 Feb 2015 23:37:29 +0000 (UTC)
From:      Koop Mast <kwm@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r378903 - in branches/2015Q1/x11-servers/xorg-server: . files
Message-ID:  <201502122337.t1CNbTsV076606@svn.freebsd.org>

Author: kwm
Date: Thu Feb 12 23:37:29 2015
New Revision: 378903
URL: https://svnweb.freebsd.org/changeset/ports/378903
QAT: https://qat.redports.org/buildarchive/r378903/

Log:
  MFH: r378889
  
  Fix CVE-2015-0255.
  
  Information leak in the XkbSetGeometry request of X servers.
  
  Submitted by:	http://lists.freedesktop.org/archives/xorg/2015-February/057158.html
  Obtained from:	upstream
  Approved by:	ports-secteam (delphij@)

Added:
  branches/2015Q1/x11-servers/xorg-server/files/patch-CVE-2015-0255
     - copied unchanged from r378889, head/x11-servers/xorg-server/files/patch-CVE-2015-0255
Modified:
  branches/2015Q1/x11-servers/xorg-server/Makefile
Directory Properties:
  branches/2015Q1/   (props changed)

Modified: branches/2015Q1/x11-servers/xorg-server/Makefile
==============================================================================
--- branches/2015Q1/x11-servers/xorg-server/Makefile	Thu Feb 12 22:44:14 2015	(r378902)
+++ branches/2015Q1/x11-servers/xorg-server/Makefile	Thu Feb 12 23:37:29 2015	(r378903)
@@ -3,7 +3,7 @@
 
 PORTNAME?=	xorg-server
 PORTVERSION=	1.14.7
-PORTREVISION?=	1
+PORTREVISION?=	2
 PORTEPOCH?=	1
 CATEGORIES=	x11-servers
 MASTER_SITES=	XORG

Copied: branches/2015Q1/x11-servers/xorg-server/files/patch-CVE-2015-0255 (from r378889, head/x11-servers/xorg-server/files/patch-CVE-2015-0255)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2015Q1/x11-servers/xorg-server/files/patch-CVE-2015-0255	Thu Feb 12 23:37:29 2015	(r378903, copy of r378889, head/x11-servers/xorg-server/files/patch-CVE-2015-0255)
@@ -0,0 +1,175 @@
+This patch has two commits. One is needed to address the CVE the other
+is allow the patch to apply.
+
+http://lists.freedesktop.org/archives/xorg/2015-February/057158.html
+
+http://cgit.freedesktop.org/xorg/xserver/patch/?id=20079c36cf7d377938ca5478447d8b9045cb7d43
+http://cgit.freedesktop.org/xorg/xserver/patch/?id=81c90dc8f0aae3b65730409b1b615b5fa7280ebd
+
+--- xkb/xkb.c.orig	2015-02-12 20:30:54.131767000 +0100
++++ xkb/xkb.c	2015-02-12 20:31:01.849633000 +0100
+@@ -4958,26 +4958,29 @@ ProcXkbGetGeometry(ClientPtr client)
+ 
+ /***====================================================================***/
+ 
+-static char *
+-_GetCountedString(char **wire_inout, Bool swap)
++static Status
++_GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ {
+-    char *wire, *str;
+-    CARD16 len, *plen;
++    char *wire, *next;
++    CARD16 len;
+ 
+     wire = *wire_inout;
+-    plen = (CARD16 *) wire;
+-    if (swap) {
+-        swaps(plen);
+-    }
+-    len = *plen;
+-    str = malloc(len + 1);
+-    if (str) {
+-        memcpy(str, &wire[2], len);
+-        str[len] = '\0';
++    len = *(CARD16 *) wire;
++    if (client->swapped) {
++        swaps(&len);
+     }
+-    wire += XkbPaddedSize(len + 2);
+-    *wire_inout = wire;
+-    return str;
++    next = wire + XkbPaddedSize(len + 2);
++    /* Check we're still within the size of the request */
++    if (client->req_len <
++        bytes_to_int32(next - (char *) client->requestBuffer))
++        return BadValue;
++    *str = malloc(len + 1);
++    if (!*str)
++        return BadAlloc;
++    memcpy(*str, &wire[2], len);
++    *(*str + len) = '\0';
++    *wire_inout = next;
++    return Success;
+ }
+ 
+ static Status
+@@ -4986,25 +4989,29 @@ _CheckSetDoodad(char **wire_inout,
+ {
+     char *wire;
+     xkbDoodadWireDesc *dWire;
++    xkbAnyDoodadWireDesc any;
++    xkbTextDoodadWireDesc text;
+     XkbDoodadPtr doodad;
++    Status status;
+ 
+     dWire = (xkbDoodadWireDesc *) (*wire_inout);
++    any = dWire->any;
+     wire = (char *) &dWire[1];
+     if (client->swapped) {
+-        swapl(&dWire->any.name);
+-        swaps(&dWire->any.top);
+-        swaps(&dWire->any.left);
+-        swaps(&dWire->any.angle);
++        swapl(&any.name);
++        swaps(&any.top);
++        swaps(&any.left);
++        swaps(&any.angle);
+     }
+     CHK_ATOM_ONLY(dWire->any.name);
+-    doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
++    doodad = XkbAddGeomDoodad(geom, section, any.name);
+     if (!doodad)
+         return BadAlloc;
+     doodad->any.type = dWire->any.type;
+     doodad->any.priority = dWire->any.priority;
+-    doodad->any.top = dWire->any.top;
+-    doodad->any.left = dWire->any.left;
+-    doodad->any.angle = dWire->any.angle;
++    doodad->any.top = any.top;
++    doodad->any.left = any.left;
++    doodad->any.angle = any.angle;
+     switch (doodad->any.type) {
+     case XkbOutlineDoodad:
+     case XkbSolidDoodad:
+@@ -5027,15 +5034,22 @@ _CheckSetDoodad(char **wire_inout,
+                                               dWire->text.colorNdx);
+             return BadMatch;
+         }
++        text = dWire->text;
+         if (client->swapped) {
+-            swaps(&dWire->text.width);
+-            swaps(&dWire->text.height);
++            swaps(&text.width);
++            swaps(&text.height);
+         }
+-        doodad->text.width = dWire->text.width;
+-        doodad->text.height = dWire->text.height;
++        doodad->text.width = text.width;
++        doodad->text.height = text.height;
+         doodad->text.color_ndx = dWire->text.colorNdx;
+-        doodad->text.text = _GetCountedString(&wire, client->swapped);
+-        doodad->text.font = _GetCountedString(&wire, client->swapped);
++        status = _GetCountedString(&wire, client, &doodad->text.text);
++        if (status != Success)
++            return status;
++        status = _GetCountedString(&wire, client, &doodad->text.font);
++        if (status != Success) {
++            free (doodad->text.text);
++            return status;
++        }
+         break;
+     case XkbIndicatorDoodad:
+         if (dWire->indicator.onColorNdx >= geom->num_colors) {
+@@ -5070,7 +5084,9 @@ _CheckSetDoodad(char **wire_inout,
+         }
+         doodad->logo.color_ndx = dWire->logo.colorNdx;
+         doodad->logo.shape_ndx = dWire->logo.shapeNdx;
+-        doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
++        status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
++        if (status != Success)
++            return status;
+         break;
+     default:
+         client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
+@@ -5302,18 +5318,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
+     char *wire;
+ 
+     wire = (char *) &req[1];
+-    geom->label_font = _GetCountedString(&wire, client->swapped);
++    status = _GetCountedString(&wire, client, &geom->label_font);
++    if (status != Success)
++        return status;
+ 
+     for (i = 0; i < req->nProperties; i++) {
+         char *name, *val;
+ 
+-        name = _GetCountedString(&wire, client->swapped);
+-        if (!name)
+-            return BadAlloc;
+-        val = _GetCountedString(&wire, client->swapped);
+-        if (!val) {
++        status = _GetCountedString(&wire, client, &name);
++        if (status != Success)
++            return status;
++        status = _GetCountedString(&wire, client, &val);
++        if (status != Success) {
+             free(name);
+-            return BadAlloc;
++            return status;
+         }
+         if (XkbAddGeomProperty(geom, name, val) == NULL) {
+             free(name);
+@@ -5347,9 +5365,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
+     for (i = 0; i < req->nColors; i++) {
+         char *name;
+ 
+-        name = _GetCountedString(&wire, client->swapped);
+-        if (!name)
+-            return BadAlloc;
++        status = _GetCountedString(&wire, client, &name);
++        if (status != Success)
++            return status;
+         if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
+             free(name);
+             return BadAlloc;
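Review bot: In `_CheckSetDoodad` the atom check still runs on the unswapped wire value, `CHK_ATOM_ONLY(dWire->any.name);`, while the byte-swapped copy `any.name` is what gets passed to `XkbAddGeomDoodad`, so for a swapped client the name that is validated is not the name that is stored; it should read `CHK_ATOM_ONLY(any.name);`. In `_GetCountedString` the 16-bit length is loaded from `wire` before any bounds check, so a string header that starts at the very end of the request is read from beyond it; a guard ahead of the load, `if (client->req_len < bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) return BadValue;`, would cover that case. In the text-doodad error path, `free (doodad->text.text);` leaves the pointer set on a doodad that has already been added to `geom`, which looks like a double-free risk if the caller releases the geometry on error, so assigning `NULL` after the free would be safer. `_CheckSetDoodad` and `_CheckSetGeom` both continue outside the lines shown here.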


