Hello community,
here is the log from the commit of package xorg-x11-server
checked in at Sat Jan 26 18:22:55 CET 2008.
--------
--- xorg-x11-server/xorg-x11-server.changes 2007-12-12 23:32:34.000000000 +0100
+++ /mounts/work_src_done/STABLE/xorg-x11-server/xorg-x11-server.changes 2008-01-24 11:42:17.000000000 +0100
@@ -1,0 +2,48 @@
+Thu Jan 24 11:41:44 CET 2008 - schwab@suse.de
+
+- Move manpage to the sub package that provides the binary.
+
+-------------------------------------------------------------------
+Wed Jan 23 12:29:17 CET 2008 - sndirsch@suse.de
+
+- update to Mesa bugfix release 7.0.3 RC1 sources
+ * Added missing glw.pc.in file to release tarball
+ * Fix GLUT/Fortran issues
+ * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't
+ defined
+ * Fix crash upon GLSL variable array indexes (not yet supported)
+ * Two-sided stencil test didn't work in software rendering
+ * Fix two-sided lighting bugs/crashes (bug 13368)
+ * GLSL gl_FrontFacing didn't work properly
+ * glGetActiveUniform returned incorrect sizes (bug 13751)
+ * Fix several bugs relating to uniforms and attributes in GLSL
+ API (Bruce Merry, bug 13753)
+ * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field
+
+-------------------------------------------------------------------
+Mon Jan 21 17:30:48 CET 2008 - sndirsch@suse.de
+
+- updated patch for CVE-2007-6429 once more (X.Org Bug #13520)
+ * Always test for size+offset wrapping.
+
+-------------------------------------------------------------------
+Sun Jan 20 02:54:11 CET 2008 - sndirsch@suse.de
+
+- updated patch for CVE-2007-6429 (Bug #345131)
+ * Don't spuriously reject <8bpp shm pixmaps.
+ Move size validation after depth validation, and only validate
+ size if the bpp of the pixmap format is > 8. If bpp < 8 then
+ we're already protected from overflow by the width and height
+ checks.
+
+-------------------------------------------------------------------
+Fri Jan 18 00:53:20 CET 2008 - sndirsch@suse.de
+
+- X.Org security update
+ * CVE-2007-5760 - XFree86 Misc extension out of bounds array index
+ * CVE-2007-6427 - Xinput extension memory corruption.
+ * CVE-2007-6428 - TOG-cup extension memory corruption.
+ * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
+ * CVE-2008-0006 - PCF Font parser buffer overflow.
+
+-------------------------------------------------------------------
Old:
----
MesaLib-7.0.2.tar.bz2
New:
----
CVE-2007-5760-xf86misc.diff
CVE-2007-6427-xinput.diff
CVE-2007-6428-TOG-cup.diff
CVE-2007-6429-shm_evi.diff
CVE-2008-0006-pcf_font.diff
MesaLib-7.0.3-rc1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xorg-x11-server.spec ++++++
++++ 791 lines (skipped)
++++ between xorg-x11-server/xorg-x11-server.spec
++++ and /mounts/work_src_done/STABLE/xorg-x11-server/xorg-x11-server.spec
++++++ CVE-2007-5760-xf86misc.diff ++++++
diff --git a/hw/xfree86/common/xf86MiscExt.c b/hw/xfree86/common/xf86MiscExt.c
index c1b9c60..40c196a 100644
--- a/hw/xfree86/common/xf86MiscExt.c
+++ b/hw/xfree86/common/xf86MiscExt.c
@@ -548,6 +548,10 @@ MiscExtPassMessage(int scrnIndex, const char *msgtype, const char *msgval,
{
ScrnInfoPtr pScr = xf86Screens[scrnIndex];
+ /* should check this in the protocol, but xf86NumScreens isn't exported */
+ if (scrnIndex >= xf86NumScreens)
+ return BadValue;
+
if (*pScr->HandleMessage == NULL)
return BadImplementation;
return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);
++++++ CVE-2007-6427-xinput.diff ++++++
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 8fc24d5..696b74a 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -302,18 +302,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
xStringFeedbackCtl * f)
{
char n;
- long *p;
int i, j;
KeySym *syms, *sup_syms;
syms = (KeySym *) (f + 1);
if (client->swapped) {
swaps(&f->length, n); /* swapped num_keysyms in calling proc */
- p = (long *)(syms);
- for (i = 0; i < f->num_keysyms; i++) {
- swapl(p, n);
- p++;
- }
+ SwapLongs((CARD32 *) syms, f->num_keysyms);
}
if (f->num_keysyms > s->ctrl.max_symbols)
diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
index 3361e98..df334c1 100644
--- a/Xi/chgkmap.c
+++ b/Xi/chgkmap.c
@@ -75,18 +75,14 @@ int
SProcXChangeDeviceKeyMapping(ClientPtr client)
{
char n;
- long *p;
- int i, count;
+ unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
- p = (long *)&stuff[1];
count = stuff->keyCodes * stuff->keySymsPerKeyCode;
- for (i = 0; i < count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), count);
return (ProcXChangeDeviceKeyMapping(client));
}
@@ -102,10 +98,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
int ret;
unsigned len;
DeviceIntPtr dev;
+ unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+
dev = LookupDeviceIntRec(stuff->deviceid);
if (dev == Success)
SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
diff --git a/Xi/chgprop.c b/Xi/chgprop.c
index 58db886..3fb33e1 100644
--- a/Xi/chgprop.c
+++ b/Xi/chgprop.c
@@ -77,19 +77,15 @@ int
SProcXChangeDeviceDontPropagateList(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xChangeDeviceDontPropagateListReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
return (ProcXChangeDeviceDontPropagateList(client));
}
diff --git a/Xi/grabdev.c b/Xi/grabdev.c
index 110fc6b..0671e0e 100644
--- a/Xi/grabdev.c
+++ b/Xi/grabdev.c
@@ -78,8 +78,6 @@ int
SProcXGrabDevice(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xGrabDeviceReq);
swaps(&stuff->length, n);
@@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client)
swapl(&stuff->grabWindow, n);
swapl(&stuff->time, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+
+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+ return BadLength;
+
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDevice(client));
}
diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
index c2661e8..ce0dcc5 100644
--- a/Xi/grabdevb.c
+++ b/Xi/grabdevb.c
@@ -77,8 +77,6 @@ int
SProcXGrabDeviceButton(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xGrabDeviceButtonReq);
swaps(&stuff->length, n);
@@ -86,11 +84,9 @@ SProcXGrabDeviceButton(ClientPtr client)
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
+ stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDeviceButton(client));
}
diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
index 43b1928..d4b7fe8 100644
--- a/Xi/grabdevk.c
+++ b/Xi/grabdevk.c
@@ -77,8 +77,6 @@ int
SProcXGrabDeviceKey(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xGrabDeviceKeyReq);
swaps(&stuff->length, n);
@@ -86,11 +84,8 @@ SProcXGrabDeviceKey(ClientPtr client)
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDeviceKey(client));
}
diff --git a/Xi/selectev.c b/Xi/selectev.c
index b93618a..d3670ab 100644
--- a/Xi/selectev.c
+++ b/Xi/selectev.c
@@ -127,19 +127,16 @@ int
SProcXSelectExtensionEvent(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xSelectExtensionEventReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+
return (ProcXSelectExtensionEvent(client));
}
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index e4e38d7..588c910 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -80,7 +80,7 @@ int
SProcXSendExtensionEvent(ClientPtr client)
{
char n;
- long *p;
+ CARD32 *p;
int i;
xEvent eventT;
xEvent *eventP;
@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
swapl(&stuff->destination, n);
swaps(&stuff->count, n);
+
+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+ (stuff->num_events * (sizeof(xEvent) >> 2)))
+ return BadLength;
+
eventP = (xEvent *) & stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) {
proc = EventSwapVector[eventP->u.u.type & 0177];
@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
*eventP = eventT;
}
- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
+ SwapLongs(p, stuff->count);
return (ProcXSendExtensionEvent(client));
}
++++++ CVE-2007-6428-TOG-cup.diff ++++++
diff --git a/Xext/cup.c b/Xext/cup.c
index d0e820c..fd1409e 100644
--- a/Xext/cup.c
+++ b/Xext/cup.c
@@ -176,6 +176,9 @@ int ProcGetReservedColormapEntries(
REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
#ifndef HAVE_SPECIAL_DESKTOP_COLORS
citems[CUP_BLACK_PIXEL].pixel =
screenInfo.screens[stuff->screen]->blackPixel;
++++++ CVE-2007-6429-shm_evi.diff ++++++
diff --git a/Xext/EVI.c b/Xext/EVI.c
index 4bd050c..a637bae 100644
--- a/Xext/EVI.c
+++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include