Hello community,
here is the log from the commit of package NX
checked in at Fri Feb 1 23:01:49 CET 2008.
--------
--- NX/NX.changes 2007-12-04 02:35:00.000000000 +0100
+++ NX/NX.changes 2008-01-28 12:00:20.942132000 +0100
@@ -1,0 +2,9 @@
+Sun Jan 27 20:59:19 CET 2008 - sndirsch@suse.de
+
+- X.Org security update (Bug #355629)
+ * CVE-2007-6427 - Xinput extension memory corruption.
+ * CVE-2007-6428 - TOG-cup extension memory corruption.
+ * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
+ * CVE-2008-0006 - PCF Font parser buffer overflow.
+
+-------------------------------------------------------------------
New:
----
CVE-2007-6427-xinput.diff
CVE-2007-6428-TOG-cup.diff
CVE-2007-6429-shm_evi.diff
CVE-2008-0006-pcf_font.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ NX.spec ++++++
--- /var/tmp/diff_new_pack.B19998/_old 2008-02-01 23:00:33.000000000 +0100
+++ /var/tmp/diff_new_pack.B19998/_new 2008-02-01 23:00:33.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package NX (Version 2.1.0)
#
-# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@@ -25,7 +25,7 @@
Url: http://www.nomachine.com/sources.php
Group: System/X11/Servers/XF86_4
Version: 2.1.0
-Release: 46
+Release: 57
Summary: Proxy System for X11
#Compression Libraries and Proxy Sources
Source: nxproxy-%{version}-3.tar.gz
@@ -58,6 +58,10 @@
Patch11: bugzilla-154928-integer-overflows.patch
Patch12: bugzilla-190902-handle-malformed-pcf-files.patch
Patch13: nxcomp-gcc43.patch
+Patch15: CVE-2007-6427-xinput.diff
+Patch16: CVE-2007-6428-TOG-cup.diff
+Patch17: CVE-2007-6429-shm_evi.diff
+Patch18: CVE-2008-0006-pcf_font.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define my_provides /tmp/my-provides
%define my_requires /tmp/my-requires
@@ -104,6 +108,12 @@
pushd nxcomp
%patch13
popd
+pushd nx-X11/programs/Xserver
+%patch15 -p4
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+popd
ln -s rdesktop.1 nxdesktop/doc/nxdesktop.1
cat >> nx-X11/config/cf/host.def << EOF
#ifdef i386Architecture
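Review bot: The four `%patch` lines applied inside `nx-X11/programs/Xserver` carry no comment explaining why `%patch15` needs `-p4` while the others use `-p1`. A one-line note such as `# patch15 paths start at XFree86-4.3.0/xc/programs/Xserver/, the others at a/` would save the next packager from re-deriving it. More importantly, these patches only touch the shared Xserver sources under that directory. If the NX agent builds its own copies or variants of any of the patched extension files (not visible on this page), those copies would still carry the original flaws, so it is worth confirming which objects the shipped binaries actually link.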
@@ -278,109 +288,115 @@
/usr/share/NX/keymaps-windows/
%changelog
-* Tue Dec 04 2007 - ro@suse.de
+* Sun Jan 27 2008 sndirsch@suse.de
+- X.Org security update (Bug #355629)
+ * CVE-2007-6427 - Xinput extension memory corruption.
+ * CVE-2007-6428 - TOG-cup extension memory corruption.
+ * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
+ * CVE-2008-0006 - PCF Font parser buffer overflow.
+* Tue Dec 04 2007 ro@suse.de
- fix build with gcc-4.3
-* Mon Oct 15 2007 - sndirsch@suse.de
+* Mon Oct 15 2007 sndirsch@suse.de
- Bug #332445:
* handle malformed pcf files (Bug #190902)
* fix several integer overflows. (Bug #154928)
-* Thu Jul 05 2007 - sndirsch@suse.de
+* Thu Jul 05 2007 sndirsch@suse.de
- added build of nxssh (again); required by qtnx
-* Mon Jun 18 2007 - sndirsch@suse.de
+* Mon Jun 18 2007 sndirsch@suse.de
- avoid string compare with char literal
-* Thu May 31 2007 - sndirsch@suse.de
+* Thu May 31 2007 sndirsch@suse.de
- make rpmlint happy (spurious-executable-perm)
-* Tue May 29 2007 - sndirsch@suse.de
+* Tue May 29 2007 sndirsch@suse.de
- added "%%post -p /sbin/ldconfig" to specfile to make rpmlint happy
-* Wed May 02 2007 - sndirsch@suse.de
+* Wed May 02 2007 sndirsch@suse.de
- fixed run-nxagent-client in samples script (-nolimit option for
nxagent no longer available)
-* Wed May 02 2007 - sndirsch@suse.de
+* Wed May 02 2007 sndirsch@suse.de
- updated NX to 2.1.0 (Bug #203197)
-* Wed Apr 11 2007 - sndirsch@suse.de
+* Wed Apr 11 2007 sndirsch@suse.de
- no longer mark nx-X11 tarball as NoSource (Bug #263352)
-* Thu Jan 25 2007 - sndirsch@suse.de
+* Thu Jan 25 2007 sndirsch@suse.de
- fixed "comparison with string literal" warning
-* Mon Dec 18 2006 - sndirsch@suse.de
+* Mon Dec 18 2006 sndirsch@suse.de
- xorg7.diff:
* finally fixed xkb path (Bug #228516)
-* Wed Dec 13 2006 - sndirsch@suse.de
+* Wed Dec 13 2006 sndirsch@suse.de
- finally added ExcludeArch for ia64, ppc64, s390x and x86_64
-* Tue Nov 07 2006 - ro@suse.de
+* Tue Nov 07 2006 ro@suse.de
- fix perms in docfile keymap-names.txt
-* Wed Oct 18 2006 - sndirsch@suse.de
+* Wed Oct 18 2006 sndirsch@suse.de
- removed bogus libX11/libXext/libXrender provides (Bug #212276)
-* Fri Sep 08 2006 - sndirsch@suse.de
+* Fri Sep 08 2006 sndirsch@suse.de
- fixed libX11 locale support
-* Mon Sep 04 2006 - sndirsch@suse.de
+* Mon Sep 04 2006 sndirsch@suse.de
- tried to fix locale support for X.Org 7; disabled for now due
to linking issues (see host.def in specfile)
- fixed default font path for X.Org 7
- sample scripts:
* fixed nxproxy host:port options in run-nxagent-server
-* Mon Sep 04 2006 - sndirsch@suse.de
+* Mon Sep 04 2006 sndirsch@suse.de
- host.def: fixed rgb and SecurityPolicy path for nxagent
- sample scripts:
* removed no longer available "-D" (desktop) nxagent option
* removed no longer available log option for $NX_HOST
-* Fri Sep 01 2006 - sndirsch@suse.de
+* Fri Sep 01 2006 sndirsch@suse.de
- hopefully fixed build cycle by replacing xorg-x11-devel with
xorg-x11-proto-devel/xorg-x11-util-devel
-* Thu Aug 17 2006 - sndirsch@suse.de
+* Thu Aug 17 2006 sndirsch@suse.de
- fixed build for X11R6
-* Fri Aug 11 2006 - sndirsch@suse.de
+* Sat Aug 12 2006 sndirsch@suse.de
- xorg7.diff: adjusted paths to X.Org 7
-* Mon Jul 31 2006 - sndirsch@suse.de
+* Mon Jul 31 2006 sndirsch@suse.de
- fixed build
-* Sun Jul 23 2006 - sndirsch@suse.de
+* Sun Jul 23 2006 sndirsch@suse.de
- fixed build for X.Org 7
-* Fri Jun 16 2006 - sndirsch@suse.de
+* Fri Jun 16 2006 sndirsch@suse.de
- fixed build for SLES9
-* Wed Apr 19 2006 - sndirsch@suse.de
+* Wed Apr 19 2006 sndirsch@suse.de
- removed XLC_LOCALE files with critical license (Bug #153744)
-* Tue Mar 28 2006 - sndirsch@suse.de
+* Tue Mar 28 2006 sndirsch@suse.de
- nxcompext:
* use shared system libz for linking
* also set CFLAGS/CCFLAGS ("-fPIC") to fix build on s390
-* Fri Mar 24 2006 - sndirsch@suse.de
+* Fri Mar 24 2006 sndirsch@suse.de
- enabled nxdesktop build on ppc/ppc64 and s390/s390x
-* Fri Mar 17 2006 - sndirsch@suse.de
+* Fri Mar 17 2006 sndirsch@suse.de
- next try to fix permissions of sample scripts (Bug #156308)
-* Thu Mar 09 2006 - sndirsch@suse.de
+* Thu Mar 09 2006 sndirsch@suse.de
- fixed permissions of sample scripts (Bug #156308)
-* Wed Jan 25 2006 - mls@suse.de
+* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
-* Wed Dec 14 2005 - sndirsch@suse.de
+* Wed Dec 14 2005 sndirsch@suse.de
- updated to third maintenance release of 1.5.0
* nxagent: 1.5.0-93 --> 1.5.0-112
* nxcompext: 1.5.0-18 --> 1.5.0-20
* nxdesktop: 1.5.0-75 --> 1.5.0-78
* nxviewer: 1.5.0-14 --> 1.5.0-15
-* Fri Dec 09 2005 - sndirsch@suse.de
+* Fri Dec 09 2005 sndirsch@suse.de
- updated to the latest stable 1.5.0 release of nx-X11/nxcomp
* nx-X11: 1.5.0-15 --> 1.5.0-21
* nxcomp: 1.5.0-65 --> 1.5.0-80
* nxcompext: 1.5.0-16 --> 1.5.0-18
-* Thu Oct 13 2005 - sndirsch@suse.de
+* Fri Oct 14 2005 sndirsch@suse.de
- xorg-CAN-2005-2495.patch:
* This patch fixes an integer overflow in the pixmap handling.
(CAN-2005-2495) An attacker may be able to exploit this bug to
execute code remotely. (#113227)
-* Sat Oct 08 2005 - sndirsch@suse.de
+* Sat Oct 08 2005 sndirsch@suse.de
- updated nxagent/nxdesktop
-* Fri Sep 30 2005 - sndirsch@suse.de
+* Fri Sep 30 2005 sndirsch@suse.de
- README.SuSE:
* NX needs to be the same version on client and server (#119296)
-* Wed Sep 21 2005 - sndirsch@suse.de
+* Wed Sep 21 2005 sndirsch@suse.de
- nxagent: set LD_LIBRARY_PATH correctly
-* Wed Aug 17 2005 - sndirsch@suse.de
+* Wed Aug 17 2005 sndirsch@suse.de
- updated to the latest stable 1.5.0 release of nxagent/nxdesktop
* nxagent: 1.5.0-87 --> 1.5.0-90
* nxdesktop: 1.5.0-59 --> 1.5.0-61
-* Mon Aug 15 2005 - sndirsch@suse.de
+* Mon Aug 15 2005 sndirsch@suse.de
- NX-data-range.patch:
* fixes serious compiler warnings (Bug #104610)
-* Fri Aug 12 2005 - sndirsch@suse.de
+* Fri Aug 12 2005 sndirsch@suse.de
- updated to first maintenance release of NX 1.5.0
(nxcomp 1.5.0-63 --> nxcomp 1.5.0-65)
* nxcomp-1.5.0-65
@@ -404,22 +420,22 @@
- Skipped errors encontered setting the TCP_NODELAY flag on
Mac. Solves TR08C00940.
- Few cosmetic changes.
-* Tue Jul 26 2005 - sndirsch@suse.de
+* Tue Jul 26 2005 sndirsch@suse.de
- update nxproxy to stable 1.5.0 version
-* Sat Jul 23 2005 - sndirsch@suse.de
+* Sat Jul 23 2005 sndirsch@suse.de
- removed obsolete 1.4.0 patches
- updated to stable 1.5.0 release
-* Fri Jul 22 2005 - sndirsch@suse.de
+* Fri Jul 22 2005 sndirsch@suse.de
- removed patch for non-fatal build warnings, which were never
reviewed by anyone and nobody is interested in upstream
-* Wed Jul 13 2005 - sndirsch@suse.de
+* Wed Jul 13 2005 sndirsch@suse.de
- updated to fourth development snapshot of NX 1.5.0
-* Tue Jun 28 2005 - sndirsch@suse.de
+* Tue Jun 28 2005 sndirsch@suse.de
- ppc-no-signed-char.diff:
* removed "-fsigned-char" (Bug #93869)
-* Fri Jun 24 2005 - sndirsch@suse.de
+* Fri Jun 24 2005 sndirsch@suse.de
- updated to third development snapshot of NX 1.5.0
-* Mon Jun 06 2005 - sndirsch@suse.de
+* Mon Jun 06 2005 sndirsch@suse.de
- updated to second development snapshot of NX 1.5.0
* support for the GLX extension
* support for the RANDR extension, to allow users to fully manage
@@ -431,21 +447,21 @@
- obsoletes nx-X11-1.5.0-4-nx-X11-1.5.0-4-GFP1.ksh /
nxagent-1.5.0-23-nxagent-1.5.0-23-GFP1.ksh
- adjusted NX-1.5.diff
-* Fri Jun 03 2005 - sndirsch@suse.de
+* Fri Jun 03 2005 sndirsch@suse.de
- nx-X11-1.5.0-4-nx-X11-1.5.0-4-GFP1.ksh/
nxagent-1.5.0-23-nxagent-1.5.0-23-GFP1.ksh
* adds support for GLX (unaccelerated)
-* Tue May 24 2005 - sndirsch@suse.de
+* Tue May 24 2005 sndirsch@suse.de
- gcc4-friends.patch
* fixes new gcc build error:
"ISO C++ forbids declaration of 'xxx' with no type"
-* Sat May 14 2005 - sndirsch@suse.de
+* Sat May 14 2005 sndirsch@suse.de
- fixed fatal "uninitialized" warnings
-* Thu May 12 2005 - sndirsch@suse.de
+* Fri May 13 2005 sndirsch@suse.de
- use norootforbuild
-* Thu May 05 2005 - sndirsch@suse.de
+* Thu May 05 2005 sndirsch@suse.de
- #neededforbuild: audiofile, audiofile-devel not required
-* Thu Apr 28 2005 - sndirsch@suse.de
+* Thu Apr 28 2005 sndirsch@suse.de
- update to snapshot 1.5.0 release
nx-X11-1.4.0-10.tar.gz --> nx-X11-1.5.0-4.tar.gz
nxagent-1.4.0-65.tar.gz --> nxagent-1.5.0-23.tar.gz
@@ -458,30 +474,30 @@
- obsoletes NX-no-strict-aliasing.diff
- adjusted NX.diff
- NX-1.5.diff: fixed build
-* Mon Apr 25 2005 - sndirsch@suse.de
+* Mon Apr 25 2005 sndirsch@suse.de
- NX-bufferoverflow.diff:
* fixes buffer overflow
-* Thu Apr 14 2005 - sbrabec@suse.cz
+* Thu Apr 14 2005 sbrabec@suse.cz
- Added audiofile-devel to neededforbuild.
-* Mon Apr 04 2005 - schwab@suse.de
+* Mon Apr 04 2005 schwab@suse.de
- Build with -fno-strict-aliasing.
-* Fri Feb 11 2005 - sndirsch@suse.de
+* Fri Feb 11 2005 sndirsch@suse.de
- update to latest 1.4.0 sources:
* nx-X11-1.4.0-7.tar.gz --> nx-X11-1.4.0-10.tar.gz
-* Tue Feb 08 2005 - sndirsch@suse.de
+* Wed Feb 09 2005 sndirsch@suse.de
- update to latest 1.4.0 sources:
* nxagent-1.4.0-64.tar.gz --> nxagent-1.4.0-65.tar.gz
* nxcomp-1.4.0-30.tar.gz --> nxcomp-1.4.0-31.tar.gz
-* Sun Jan 02 2005 - sndirsch@suse.de
+* Sun Jan 02 2005 sndirsch@suse.de
- update to latest 1.4.0 sources:
* nx-X11-1.4.0-6.tar.gz --> nx-X11-1.4.0-7.tar.gz
* nxagent-1.4.0-63.tar.gz --> nxagent-1.4.0-64.tar.gz
* nxcomp-1.4.0-29.tar.gz --> nxcomp-1.4.0-30.tar.gz
* nxdesktop-1.4.0-57.tar.gz --> nxdesktop-1.4.0-61.tar.gz
-* Fri Nov 05 2004 - sndirsch@suse.de
+* Fri Nov 05 2004 sndirsch@suse.de
- updated to 1.4.0 final release (nx-X11, nxagent, nxcomp,
nxdesktop, nxviewer)
-* Sat Sep 25 2004 - sndirsch@suse.de
+* Sat Sep 25 2004 sndirsch@suse.de
- updated to 1.4.0 snapshot release 6 (nx-X11, nxagent, nxcomp,
nxdesktop):
* the protocol errors
@@ -489,73 +505,73 @@
Error: Please report this problem to support personnel
don't occur as long as you don't use different NX (snapshot)
releases on client and server
-* Tue Sep 14 2004 - sndirsch@suse.de
+* Tue Sep 14 2004 sndirsch@suse.de
- downgraded to 1.4.0 snaphot release 4 again (nxagent, nxcomp)
as I could reproduce the protocol errors, which prevent nxproxy
from working:
Error: Failure decoding data in context [N].
Error: Please report this problem to support personnel.
-* Sat Sep 11 2004 - sndirsch@suse.de
+* Sat Sep 11 2004 sndirsch@suse.de
- updated to 1.4.0 snaphot release 5 (nxagent, nxcomp)
-* Sat Sep 11 2004 - sndirsch@suse.de
+* Sat Sep 11 2004 sndirsch@suse.de
- removed no longer required sources/patches (nxauth, nxcompsh,
nxssh, NX-conf.diff)
- adjusted NX.diff
- removed dummy config tool NXDialog
-* Tue Sep 07 2004 - sndirsch@suse.de
+* Tue Sep 07 2004 sndirsch@suse.de
- removed stuff, which isn't used by FreeNX/knx (nxdarwin, nxesd,
nxkbd, nxkdrive, nxrun, nxuexec, nxwin)
-* Tue Sep 07 2004 - sndirsch@suse.de
+* Tue Sep 07 2004 sndirsch@suse.de
- removed dummy config tool nxclient (provided by FreeNX now)
-* Mon Sep 06 2004 - sndirsch@suse.de
+* Mon Sep 06 2004 sndirsch@suse.de
- downgraded to 1.4.0 snaphot release 4 (backward compatibility
problems in snapshot release 5)
-* Sat Sep 04 2004 - sndirsch@suse.de
+* Sat Sep 04 2004 sndirsch@suse.de
- update to latest 1.4.0 snapshot release
-* Thu Sep 02 2004 - sndirsch@suse.de
+* Thu Sep 02 2004 sndirsch@suse.de
- README.SuSE:
* added link to NX interview with Fabian Franz/Kurt Pfeifle
(english version on OSnews)
* nxsamples --> nxscripts
-* Thu Aug 19 2004 - sndirsch@suse.de
+* Thu Aug 19 2004 sndirsch@suse.de
- README.SuSE:
* added link to NX interview with Fabian Franz/Kurt Pfeifle
-* Wed Aug 18 2004 - sndirsch@suse.de
+* Wed Aug 18 2004 sndirsch@suse.de
- enabled build of nxkbd, nxuexec
-* Wed Aug 18 2004 - sndirsch@suse.de
+* Wed Aug 18 2004 sndirsch@suse.de
- updated to 1.4.0 snapshot release
* disabled build of nxdesktop for ppc/ppc64, s390/s390x
* added sources for nxkbd, nxkdrive, nxuexec
- enabled build of nxesd (requires audiofile in #neededforbuild)
-* Mon Jul 26 2004 - sndirsch@suse.de
+* Mon Jul 26 2004 sndirsch@suse.de
- docs.tar.bz2
* run-nxapp: DISPLAY needs to be set to ":$NX_PORT"
* run-nxagent-client/run-nxagent-server: use of cookies
* README: nxproxy/nxagent connection works now with Xserver
access control restrictions
-* Tue Jul 20 2004 - schwab@suse.de
+* Tue Jul 20 2004 schwab@suse.de
- Use autoreconf.
-* Wed Jun 30 2004 - sndirsch@suse.de
+* Wed Jun 30 2004 sndirsch@suse.de
- improved documentation and sample scripts for nxproxy/nxproxy and
nxproxy/nxagent connections
-* Mon Jun 28 2004 - sndirsch@suse.de
+* Mon Jun 28 2004 sndirsch@suse.de
- added dummy config tools nxclient/NXdialog
- added more documentation and some sample scripts
-* Mon May 31 2004 - sndirsch@suse.de
+* Mon May 31 2004 sndirsch@suse.de
- NX.diff/p_XFree86-4.3-ppc64.diff:
* fixed build on ppc64
-* Mon May 24 2004 - sndirsch@suse.de
+* Mon May 24 2004 sndirsch@suse.de
- fixed nxviewer build
-* Fri May 21 2004 - sndirsch@suse.de
+* Fri May 21 2004 sndirsch@suse.de
- added presentation about NX by Kurt Pfeifle
- install X11 libs correctly (symlinks should remain symlinks)
-* Wed May 19 2004 - sndirsch@suse.de
+* Wed May 19 2004 sndirsch@suse.de
- added README, which includes some NX related links
-* Wed May 19 2004 - sndirsch@suse.de
+* Wed May 19 2004 sndirsch@suse.de
- removed some duplicate or useless documentation
-* Tue May 18 2004 - sndirsch@suse.de
+* Tue May 18 2004 sndirsch@suse.de
- added documentation
-* Tue May 18 2004 - sndirsch@suse.de
+* Tue May 18 2004 sndirsch@suse.de
- using wrapper scripts for nxagent, nxdesktop, nxproxy, nxviewer;
binaries moved to /usr/lib/NX
- using /usr/share/NX/keymaps-windows/ for keyboard tables now
@@ -564,7 +580,7 @@
- moved nxauth, nxpasswd to /usr/bin
- moved nxauth manual page to /usr/share/man/man1
- removed shared libXcompsh (nxrun is statically linked)
-* Mon May 17 2004 - sndirsch@suse.de
+* Mon May 17 2004 sndirsch@suse.de
- fix build on non-i386 archs
-* Fri May 14 2004 - sndirsch@suse.de
+* Fri May 14 2004 sndirsch@suse.de
- created package
++++++ CVE-2007-6427-xinput.diff ++++++
--- XFree86-4.3.0/xc/programs/Xserver/Xi/chgprop.c.da 2007-12-14 10:33:13.000000000 +1000
+++ XFree86-4.3.0/xc/programs/Xserver/Xi/chgprop.c 2007-12-14 10:33:54.000000000 +1000
@@ -81,20 +81,15 @@
register ClientPtr client;
{
register char n;
- register long *p;
- register int i;
REQUEST(xChangeDeviceDontPropagateListReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
- p = (long *) &stuff[1];
- for (i=0; i<stuff->count; i++)
- {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
return(ProcXChangeDeviceDontPropagateList(client));
}
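Review bot: The ordering introduced here is what makes the fix work, and it is undocumented: `REQUEST_FIXED_SIZE(...)` must run after `swaps(&stuff->count, n)` and before `SwapLongs`, because `count` comes from the client and otherwise decides how far past the request the swap writes. I would add a comment above the macro, e.g. `/* count is client-supplied: check it against the request length before swapping count words */`. The same comment applies to the matching hunks in chgkmap.c, grabdevb.c, selectev.c and grabdevk.c. Only chgkmap.c also adds the check to the native-order `Proc` handler in this patch; for the other files the `Proc` handlers are outside the hunks, so confirm that they already validate the count against the request length.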
--- XFree86-4.3.0/xc/programs/Xserver/Xi/sendexev.c.da 2007-12-14 10:40:35.000000000 +1000
+++ XFree86-4.3.0/xc/programs/Xserver/Xi/sendexev.c 2007-12-14 10:42:54.000000000 +1000
@@ -83,7 +83,7 @@
register ClientPtr client;
{
register char n;
- register long *p;
+ register CARD32 *p;
register int i;
xEvent eventT;
xEvent *eventP;
@@ -94,6 +94,11 @@
REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
swapl(&stuff->destination, n);
swaps(&stuff->count, n);
+
+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+ (stuff->num_events * (sizeof(xEvent) >> 2)))
+ return BadLength;
+
eventP = (xEvent *) &stuff[1];
for (i=0; i<stuff->num_events; i++,eventP++)
{
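Review bot: The added check `if (stuff->length != ...) return BadLength;` is open-coded against the header field, whereas the sibling handlers in this patch use `REQUEST_FIXED_SIZE`; the grabdev.c hunk has the same open-coded form. Using one form throughout makes the set easier to audit, for instance `REQUEST_FIXED_SIZE(xSendExtensionEventReq, stuff->count * sizeof(CARD32) + stuff->num_events * sizeof(xEvent));`, assuming the macro checks the same request length the rest of the file relies on. If the explicit comparison is kept, a short comment stating that the sum cannot wrap because `count` and `num_events` are narrow protocol fields would help; their declarations are not in the hunk, so confirm the widths. The function body starts and ends outside this hunk.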
@@ -104,12 +109,8 @@
*eventP = eventT;
}
- p = (long *) (((xEvent *) &stuff[1]) + stuff->num_events);
- for (i=0; i<stuff->count; i++)
- {
- swapl(p, n);
- p++;
- }
+ p = (CARD32 *) (((xEvent *) &stuff[1]) + stuff->num_events);
+ SwapLongs(p, stuff->count);
return(ProcXSendExtensionEvent(client));
}
--- XFree86-4.3.0/xc/programs/Xserver/Xi/chgkmap.c.da 2007-12-14 10:30:31.000000000 +1000
+++ XFree86-4.3.0/xc/programs/Xserver/Xi/chgkmap.c 2007-12-14 10:33:06.000000000 +1000
@@ -79,19 +79,14 @@
register ClientPtr client;
{
register char n;
- register long *p;
- register int i, count;
+ register unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
- p = (long *) &stuff[1];
count = stuff->keyCodes * stuff->keySymsPerKeyCode;
- for (i = 0; i < count; i++)
- {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), count);
return(ProcXChangeDeviceKeyMapping(client));
}
@@ -108,10 +103,14 @@
int ret;
unsigned len;
DeviceIntPtr dev;
+ unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+
dev = LookupDeviceIntRec (stuff->deviceid);
if (dev == NULL)
{
--- XFree86-4.3.0/xc/programs/Xserver/Xi/grabdevb.c.da 2007-12-14 10:36:17.000000000 +1000
+++ XFree86-4.3.0/xc/programs/Xserver/Xi/grabdevb.c 2007-12-14 10:36:54.000000000 +1000
@@ -80,8 +80,6 @@
register ClientPtr client;
{
register char n;
- register long *p;
- register int i;
REQUEST(xGrabDeviceButtonReq);
swaps(&stuff->length, n);
@@ -89,13 +87,9 @@
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
- p = (long *) &stuff[1];
- for (i=0; i<stuff->event_count; i++)
- {
- swapl(p, n);
- p++;
- }
-
+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
+ stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return(ProcXGrabDeviceButton(client));
}
--- XFree86-4.3.0/xc/programs/Xserver/Xi/selectev.c.da 2007-12-14 10:39:21.000000000 +1000
+++ XFree86-4.3.0/xc/programs/Xserver/Xi/selectev.c 2007-12-14 10:40:29.000000000 +1000
@@ -84,20 +84,15 @@
register ClientPtr client;
{
register char n;
- register long *p;
- register int i;
REQUEST(xSelectExtensionEventReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
- p = (long *) &stuff[1];
- for (i=0; i<stuff->count; i++)
- {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
return(ProcXSelectExtensionEvent(client));
}
--- XFree86-4.3.0/xc/programs/Xserver/Xi/grabdevk.c.da 2007-12-14 10:37:46.000000000 +1000
+++ XFree86-4.3.0/xc/programs/Xserver/Xi/grabdevk.c 2007-12-14 10:38:15.000000000 +1000
@@ -80,8 +80,6 @@
register ClientPtr client;
{
register char n;
- register long *p;
- register int i;
REQUEST(xGrabDeviceKeyReq);
swaps(&stuff->length, n);
@@ -89,12 +87,8 @@
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
- p = (long *) &stuff[1];
- for (i=0; i<stuff->event_count; i++)
- {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return(ProcXGrabDeviceKey(client));
}
--- XFree86-4.3.0/xc/programs/Xserver/Xi/grabdev.c.da 2007-12-14 10:34:05.000000000 +1000
+++ XFree86-4.3.0/xc/programs/Xserver/Xi/grabdev.c 2007-12-14 10:36:08.000000000 +1000
@@ -83,8 +83,6 @@
register ClientPtr client;
{
register char n;
- register long *p;
- register int i;
REQUEST(xGrabDeviceReq);
swaps(&stuff->length, n);
@@ -92,13 +90,11 @@
swapl(&stuff->grabWindow, n);
swapl(&stuff->time, n);
swaps(&stuff->event_count, n);
- p = (long *) &stuff[1];
- for (i=0; i<stuff->event_count; i++)
- {
- swapl(p, n);
- p++;
- }
+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+ return BadLength;
+
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return(ProcXGrabDevice(client));
}
--- XFree86-4.3.0/xc/programs/Xserver/Xi/chgfctl.c.da 2007-12-14 10:29:58.000000000 +1000
+++ XFree86-4.3.0/xc/programs/Xserver/Xi/chgfctl.c 2007-12-14 10:30:19.000000000 +1000
@@ -502,7 +502,6 @@
xStringFeedbackCtl *f;
{
register char n;
- register long *p;
int i, j;
KeySym *syms, *sup_syms;
@@ -510,12 +509,7 @@
if (client->swapped)
{
swaps(&f->length,n); /* swapped num_keysyms in calling proc */
- p = (long *) (syms);
- for (i=0; i<f->num_keysyms; i++)
- {
- swapl(p, n);
- p++;
- }
+ SwapLongs((CARD32 *) syms, f->num_keysyms);
}
if (f->num_keysyms > s->ctrl.max_symbols)
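Review bot: Nothing visible in this hunk bounds `f->num_keysyms` against the request length before `SwapLongs((CARD32 *) syms, f->num_keysyms)` walks that many words. The `max_symbols` test comes only afterwards and limits against the device, not against the size of the request. The existing comment says the calling procedure swapped `num_keysyms`, so the length validation presumably lives there too, but the caller is outside the hunk; confirm it before relying on this. I would record the precondition next to the swap, e.g. `/* caller has verified that num_keysyms keysyms fit in the request */`.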
++++++ CVE-2007-6428-TOG-cup.diff ++++++
diff --git a/Xext/cup.c b/Xext/cup.c
index d0e820c..fd1409e 100644
--- a/Xext/cup.c
+++ b/Xext/cup.c
@@ -176,6 +176,9 @@ int ProcGetReservedColormapEntries(
REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
#ifndef HAVE_SPECIAL_DESKTOP_COLORS
citems[CUP_BLACK_PIXEL].pixel =
screenInfo.screens[stuff->screen]->blackPixel;
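Review bot: The new `return BadValue;` leaves `client->errorValue` unset, so the error sent to the client will not identify the rejected screen number; server convention is `client->errorValue = stuff->screen;` before the return. The same applies to the `BadValue` return added in Xext/EVI.c. The guard also depends on `stuff->screen` being an unsigned field, since a signed field would let a negative index through `>= screenInfo.numScreens`. Its declaration is not in the hunk, so confirm that. The function continues outside the hunk.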
++++++ CVE-2007-6429-shm_evi.diff ++++++
diff --git a/Xext/EVI.c b/Xext/EVI.c
index 4bd050c..a637bae 100644
--- a/Xext/EVI.c
+++ b/Xext/EVI.c
@@ -31,6 +31,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#define _XEVI_SERVER_
#include "XEVIstr.h"
#include "EVIstruct.h"
+#include "scrnintstr.h"
static unsigned char XEVIReqCode = 0;
static EviPrivPtr eviPriv;
static int
@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
{
REQUEST(xEVIGetVisualInfoReq);
xEVIGetVisualInfoReply rep;
- int n, n_conflict, n_info, sz_info, sz_conflict;
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
VisualID32 *conflict;
+ unsigned int total_visuals = 0;
xExtendedVisualInfo *eviInfo;
int status;
+
+ /*
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
+ * here that you don't have more than 2^32 visuals over all your screens;
+ * this seems like a safe assumption.
+ */
+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
+
REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
&eviInfo, &n_info, &conflict, &n_conflict);
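Review bot: The comment above the new loop states a looser bound than the code needs. For `stuff->n_visual * sz_VisualID32` not to wrap (assuming a 32-bit unsigned product), `total_visuals` has to stay below 2^32 divided by `sz_VisualID32`, not below 2^32. Real servers are nowhere near that, so the check is effective, but the comment should state the actual invariant, e.g. `total_visuals * sz_VisualID32 must fit in 32 bits, which holds for any realistic number of visuals`. The check also runs before `REQUEST_FIXED_SIZE`, so an oversized `n_visual` now yields `BadValue` rather than `BadLength`, which a brief comment could mention so the ordering is not "fixed" later.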
diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
index 7508aa7..b871bfd 100644
--- a/Xext/sampleEVI.c
+++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include