Date: Thu, 24 Oct 2013 13:05:10 +0000 (UTC) From: Koop Mast <kwm@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r331484 - in head: security/vuxml x11-servers/xorg-server x11-servers/xorg-server/files Message-ID: <201310241305.r9OD5AbM073178@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kwm Date: Thu Oct 24 13:05:10 2013 New Revision: 331484 URL: http://svnweb.freebsd.org/changeset/ports/331484 Log: Document xorg-server use after free CVE. Reviewed by: zeising@ Added: head/x11-servers/xorg-server/files/extra-new-dix_dixfonts.c (contents, props changed) head/x11-servers/xorg-server/files/extra-old-dix_dixfonts.c (contents, props changed) Modified: head/security/vuxml/vuln.xml head/x11-servers/xorg-server/Makefile Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Oct 24 13:02:54 2013 (r331483) +++ head/security/vuxml/vuln.xml Thu Oct 24 13:05:10 2013 (r331484) @@ -51,6 +51,36 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="9a57c607-3cab-11e3-b4d9-bcaec565249c"> + <topic>xorg-server -- use after free</topic> + <affects> + <package> + <name>xorg-server</name> + <range><ge>1.7.0</ge><lt>1.7.7_11</lt></range> + <range><ge>1.12.0</ge><lt>1.12.4_4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Alan Coopersmith reports:</p> + <blockquote cite="http://lists.x.org/archives/xorg-announce/2013-October/002332.html">; + <p>Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org + security team in which an authenticated X client can cause an X + server to use memory after it was freed, potentially leading to + crash and/or memory corruption.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2013-4396</cvename> + <url>http://lists.x.org/archives/xorg-announce/2013-October/002332.html</url>; + </references> + <dates> + <discovery>2013-10-08</discovery> + <entry>2013-10-24</entry> + </dates> + </vuln> + <vuln vid="c0f122e2-3897-11e3-a084-3c970e169bc2"> <topic>pycrypto -- PRNG reseed race condition</topic> <affects> Modified: head/x11-servers/xorg-server/Makefile ============================================================================== --- head/x11-servers/xorg-server/Makefile Thu Oct 24 13:02:54 2013 (r331483) +++ head/x11-servers/xorg-server/Makefile Thu Oct 24 13:05:10 2013 (r331484) @@ -35,20 +35,22 @@ OPTIONS_EXCLUDE_sparc64= HAL .if defined(WITH_NEW_XORG) XORG_VERSION= 1.12.4 -XORG_REVISION= 3 +XORG_REVISION= 4 PLIST_SUB+= OLD="@comment " NEW="" EXTRA_PATCHES+= ${FILESDIR}/extra-clang \ - ${FILESDIR}/extra-configure + ${FILESDIR}/extra-configure \ + ${FILESDIR}/extra-new-dix_dixfonts.c .else XORG_VERSION= 1.7.7 -XORG_REVISION= 10 +XORG_REVISION= 11 PLIST_SUB+= OLD="" NEW="@comment " EXTRA_PATCHES+= ${FILESDIR}/extra-Xext-xace.c \ ${FILESDIR}/extra-Xserver-os-xprintf.c \ ${FILESDIR}/extra-include_eventstr.h \ ${FILESDIR}/extra-os-utils.c \ ${FILESDIR}/extra-dix_events.c \ - ${FILESDIR}/extra-Xserver-hw-xfree86-common-xf86Config.c + ${FILESDIR}/extra-Xserver-hw-xfree86-common-xf86Config.c \ + ${FILESDPR}/extra-old-dix_dixfonts.c .endif USE_BZIP2= yes Added: head/x11-servers/xorg-server/files/extra-new-dix_dixfonts.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11-servers/xorg-server/files/extra-new-dix_dixfonts.c Thu Oct 24 13:05:10 2013 (r331484) @@ -0,0 +1,41 @@ +--- dix/dixfonts.c.orig 2012-05-17 19:09:01.000000000 +0200 ++++ dix/dixfonts.c 2013-10-09 10:49:38.158284440 +0200 +@@ -1414,6 +1414,7 @@ + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1425,12 +1426,14 @@ + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + + data = malloc(c->nChars * itemSize); + if (!data) { + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1441,6 +1444,7 @@ + if (!pGC) { + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1453,6 +1457,7 @@ + FreeScratchGC(pGC); + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } Added: head/x11-servers/xorg-server/files/extra-old-dix_dixfonts.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11-servers/xorg-server/files/extra-old-dix_dixfonts.c Thu Oct 24 13:05:10 2013 (r331484) @@ -0,0 +1,42 @@ +--- dix/dixfonts.c.orig 2010-05-04 02:47:57.000000000 +0200 ++++ dix/dixfonts.c 2013-10-09 10:54:40.488267646 +0200 +@@ -1508,6 +1508,7 @@ + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1520,6 +1521,7 @@ + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + +@@ -1527,6 +1529,7 @@ + if (!data) + { + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1538,6 +1541,7 @@ + { + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1551,6 +1555,7 @@ + FreeScratchGC(pGC); + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201310241305.r9OD5AbM073178>