svn commit: r378903 - in branches/2015Q1/x11-servers/xorg-server: . files
Koop Mast
kwm at FreeBSD.org
Thu Feb 12 23:37:30 UTC 2015
Author: kwm
Date: Thu Feb 12 23:37:29 2015
New Revision: 378903
URL: https://svnweb.freebsd.org/changeset/ports/378903
QAT: https://qat.redports.org/buildarchive/r378903/
Log:
MFH: r378889
Fix CVE-2015-0255.
Information leak in the XkbSetGeometry request of X servers.
Submitted by: http://lists.freedesktop.org/archives/xorg/2015-February/057158.html
Obtained from: upstream
Approved by: ports-secteam (delphij@)
Added:
branches/2015Q1/x11-servers/xorg-server/files/patch-CVE-2015-0255
- copied unchanged from r378889, head/x11-servers/xorg-server/files/patch-CVE-2015-0255
Modified:
branches/2015Q1/x11-servers/xorg-server/Makefile
Directory Properties:
branches/2015Q1/ (props changed)
Modified: branches/2015Q1/x11-servers/xorg-server/Makefile
==============================================================================
--- branches/2015Q1/x11-servers/xorg-server/Makefile Thu Feb 12 22:44:14 2015 (r378902)
+++ branches/2015Q1/x11-servers/xorg-server/Makefile Thu Feb 12 23:37:29 2015 (r378903)
@@ -3,7 +3,7 @@
PORTNAME?= xorg-server
PORTVERSION= 1.14.7
-PORTREVISION?= 1
+PORTREVISION?= 2
PORTEPOCH?= 1
CATEGORIES= x11-servers
MASTER_SITES= XORG
Copied: branches/2015Q1/x11-servers/xorg-server/files/patch-CVE-2015-0255 (from r378889, head/x11-servers/xorg-server/files/patch-CVE-2015-0255)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2015Q1/x11-servers/xorg-server/files/patch-CVE-2015-0255 Thu Feb 12 23:37:29 2015 (r378903, copy of r378889, head/x11-servers/xorg-server/files/patch-CVE-2015-0255)
@@ -0,0 +1,175 @@
+This patch has two commits. One is needed to address the CVE the other
+is allow the patch to apply.
+
+http://lists.freedesktop.org/archives/xorg/2015-February/057158.html
+
+http://cgit.freedesktop.org/xorg/xserver/patch/?id=20079c36cf7d377938ca5478447d8b9045cb7d43
+http://cgit.freedesktop.org/xorg/xserver/patch/?id=81c90dc8f0aae3b65730409b1b615b5fa7280ebd
+
+--- xkb/xkb.c.orig 2015-02-12 20:30:54.131767000 +0100
++++ xkb/xkb.c 2015-02-12 20:31:01.849633000 +0100
+@@ -4958,26 +4958,29 @@ ProcXkbGetGeometry(ClientPtr client)
+
+ /***====================================================================***/
+
+-static char *
+-_GetCountedString(char **wire_inout, Bool swap)
++static Status
++_GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ {
+- char *wire, *str;
+- CARD16 len, *plen;
++ char *wire, *next;
++ CARD16 len;
+
+ wire = *wire_inout;
+- plen = (CARD16 *) wire;
+- if (swap) {
+- swaps(plen);
+- }
+- len = *plen;
+- str = malloc(len + 1);
+- if (str) {
+- memcpy(str, &wire[2], len);
+- str[len] = '\0';
++ len = *(CARD16 *) wire;
++ if (client->swapped) {
++ swaps(&len);
+ }
+- wire += XkbPaddedSize(len + 2);
+- *wire_inout = wire;
+- return str;
++ next = wire + XkbPaddedSize(len + 2);
++ /* Check we're still within the size of the request */
++ if (client->req_len <
++ bytes_to_int32(next - (char *) client->requestBuffer))
++ return BadValue;
++ *str = malloc(len + 1);
++ if (!*str)
++ return BadAlloc;
++ memcpy(*str, &wire[2], len);
++ *(*str + len) = '\0';
++ *wire_inout = next;
++ return Success;
+ }
+
+ static Status
+@@ -4986,25 +4989,29 @@ _CheckSetDoodad(char **wire_inout,
+ {
+ char *wire;
+ xkbDoodadWireDesc *dWire;
++ xkbAnyDoodadWireDesc any;
++ xkbTextDoodadWireDesc text;
+ XkbDoodadPtr doodad;
++ Status status;
+
+ dWire = (xkbDoodadWireDesc *) (*wire_inout);
++ any = dWire->any;
+ wire = (char *) &dWire[1];
+ if (client->swapped) {
+- swapl(&dWire->any.name);
+- swaps(&dWire->any.top);
+- swaps(&dWire->any.left);
+- swaps(&dWire->any.angle);
++ swapl(&any.name);
++ swaps(&any.top);
++ swaps(&any.left);
++ swaps(&any.angle);
+ }
+ CHK_ATOM_ONLY(dWire->any.name);
+- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
++ doodad = XkbAddGeomDoodad(geom, section, any.name);
+ if (!doodad)
+ return BadAlloc;
+ doodad->any.type = dWire->any.type;
+ doodad->any.priority = dWire->any.priority;
+- doodad->any.top = dWire->any.top;
+- doodad->any.left = dWire->any.left;
+- doodad->any.angle = dWire->any.angle;
++ doodad->any.top = any.top;
++ doodad->any.left = any.left;
++ doodad->any.angle = any.angle;
+ switch (doodad->any.type) {
+ case XkbOutlineDoodad:
+ case XkbSolidDoodad:
+@@ -5027,15 +5034,22 @@ _CheckSetDoodad(char **wire_inout,
+ dWire->text.colorNdx);
+ return BadMatch;
+ }
++ text = dWire->text;
+ if (client->swapped) {
+- swaps(&dWire->text.width);
+- swaps(&dWire->text.height);
++ swaps(&text.width);
++ swaps(&text.height);
+ }
+- doodad->text.width = dWire->text.width;
+- doodad->text.height = dWire->text.height;
++ doodad->text.width = text.width;
++ doodad->text.height = text.height;
+ doodad->text.color_ndx = dWire->text.colorNdx;
+- doodad->text.text = _GetCountedString(&wire, client->swapped);
+- doodad->text.font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->text.text);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &doodad->text.font);
++ if (status != Success) {
++ free (doodad->text.text);
++ return status;
++ }
+ break;
+ case XkbIndicatorDoodad:
+ if (dWire->indicator.onColorNdx >= geom->num_colors) {
+@@ -5070,7 +5084,9 @@ _CheckSetDoodad(char **wire_inout,
+ }
+ doodad->logo.color_ndx = dWire->logo.colorNdx;
+ doodad->logo.shape_ndx = dWire->logo.shapeNdx;
+- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
++ if (status != Success)
++ return status;
+ break;
+ default:
+ client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
+@@ -5302,18 +5318,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
+ char *wire;
+
+ wire = (char *) &req[1];
+- geom->label_font = _GetCountedString(&wire, client->swapped);
++ status = _GetCountedString(&wire, client, &geom->label_font);
++ if (status != Success)
++ return status;
+
+ for (i = 0; i < req->nProperties; i++) {
+ char *name, *val;
+
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
+- val = _GetCountedString(&wire, client->swapped);
+- if (!val) {
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
++ status = _GetCountedString(&wire, client, &val);
++ if (status != Success) {
+ free(name);
+- return BadAlloc;
++ return status;
+ }
+ if (XkbAddGeomProperty(geom, name, val) == NULL) {
+ free(name);
+@@ -5347,9 +5365,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
+ for (i = 0; i < req->nColors; i++) {
+ char *name;
+
+- name = _GetCountedString(&wire, client->swapped);
+- if (!name)
+- return BadAlloc;
++ status = _GetCountedString(&wire, client, &name);
++ if (status != Success)
++ return status;
+ if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
+ free(name);
+ return BadAlloc;
More information about the svn-ports-branches
mailing list