diff options
| author |   Patrick J Volkerding <volkerdi@slackware.com> | 2018-05-25 23:29:36 +0000 |
|---|---|---|
| committer |   Eric Hameleers <alien@slackware.com> | 2018-05-31 15:18:32 -0700 |
| commit | 8ff4f2f51a6cf07fc33742ce3bee81328896e49b (patch) | |
| tree | 4a166b8389404be98a6c098babaa444e2dec8f48 /patches/source/xorg-server/patch/xorg-server/0018-glx-Be-more-paranoid-about-variable-length-requests-.patch | |
| parent | 76fc4757ac91ac7947a01fb7b53dddf9a78a01d1 (diff) | |
| download | current-14.1.tar.gz current-14.1.tar.xz | |
Fri May 25 23:29:36 UTC 201814.1
patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.1.txz: Rebuilt.
Handle removal of US/Pacific-New timezone. If we see that the machine is
using this, it will be automatically switched to US/Pacific.
Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server/0018-glx-Be-more-paranoid-about-variable-length-requests-.patch')
| -rw-r--r-- | patches/source/xorg-server/patch/xorg-server/0018-glx-Be-more-paranoid-about-variable-length-requests-.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/0018-glx-Be-more-paranoid-about-variable-length-requests-.patch b/patches/source/xorg-server/patch/xorg-server/0018-glx-Be-more-paranoid-about-variable-length-requests-.patch new file mode 100644 index 000000000..a39ebd1bb --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/0018-glx-Be-more-paranoid-about-variable-length-requests-.patch @@ -0,0 +1,48 @@ +From 352687dcfcfc35fe3817c9baf1bc891401165605 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Mon, 10 Nov 2014 12:13:36 -0500 +Subject: [PATCH 18/31] glx: Be more paranoid about variable-length requests + [CVE-2014-8093 1/6] + +If the size computation routine returns -1 we should just reject the +request outright. Clamping it to zero could give an attacker the +opportunity to also mangle cmdlen in such a way that the subsequent +length check passes, and the request would get executed, thus passing +data we wanted to reject to the renderer. + +Reviewed-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Michal Srb <msrb@suse.com> +Reviewed-by: Andy Ritger <aritger@nvidia.com> +Signed-off-by: Adam Jackson <ajax@redhat.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> +--- + glx/glxcmds.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/glx/glxcmds.c b/glx/glxcmds.c +index c1f4e22..5b50785 100644 +--- a/glx/glxcmds.c ++++ b/glx/glxcmds.c +@@ -2008,7 +2008,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) + extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, + client->swapped); + if (extra < 0) { +- extra = 0; ++ return BadLength; + } + if (cmdlen != __GLX_PAD(entry.bytes + extra)) { + return BadLength; +@@ -2125,7 +2125,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) + extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, + client->swapped); + if (extra < 0) { +- extra = 0; ++ return BadLength; + } + /* large command's header is 4 bytes longer, so add 4 */ + if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) { +-- +1.9.3 + |