diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2018-05-25 23:29:36 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2018-05-31 15:10:50 -0700 |
commit | 329684b59b8d55dd403c2c59f76d37210ba2f517 (patch) | |
tree | 10421c6ee3bf179d50915cc00d4c15c1b83cb77a /patches/source/xorg-server/patch/xorg-server | |
parent | b76270bf9e6dd375e495fec92140a79a79415d27 (diff) | |
download | current-329684b59b8d55dd403c2c59f76d37210ba2f517.tar.gz current-329684b59b8d55dd403c2c59f76d37210ba2f517.tar.xz |
Fri May 25 23:29:36 UTC 201813.1
patches/packages/glibc-zoneinfo-2018e-noarch-2_slack13.1.txz: Rebuilt.
Handle removal of US/Pacific-New timezone. If we see that the machine is
using this, it will be automatically switched to US/Pacific.
Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server')
6 files changed, 253 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff new file mode 100644 index 000000000..bfa9c305d --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff @@ -0,0 +1,13 @@ +--- ./dix/window.c.orig 2007-01-22 23:39:15.000000000 -0600 ++++ ./dix/window.c 2007-02-14 03:21:03.000000000 -0600 +@@ -140,8 +140,8 @@ + * + ******/ + +-static unsigned char _back_lsb[4] = {0x88, 0x22, 0x44, 0x11}; +-static unsigned char _back_msb[4] = {0x11, 0x44, 0x22, 0x88}; ++static unsigned char _back_lsb[4] = {0x00, 0x00, 0x00, 0x00}; ++static unsigned char _back_msb[4] = {0x00, 0x00, 0x00, 0x00}; + + _X_EXPORT int screenIsSaved = SCREEN_SAVER_OFF; + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2010-2240.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2010-2240.diff new file mode 100644 index 000000000..0001df45d --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2010-2240.diff @@ -0,0 +1,130 @@ +--- ./os/osinit.c.orig 2010-04-20 21:00:27.000000000 -0500 ++++ ./os/osinit.c 2010-08-20 12:25:00.116604519 -0500 +@@ -96,6 +96,14 @@ + #ifdef RLIMIT_NOFILE + int limitNoFile = -1; + #endif ++#ifdef RLIMIT_AS ++#ifdef _XSERVER64 ++#define XORG_AS_LIMIT 10737418240LL ++#else ++#define XORG_AS_LIMIT 1610612736 ++#endif ++long limitAddressSpace = XORG_AS_LIMIT; ++#endif + + static OsSigWrapperPtr OsSigWrapper = NULL; + +@@ -302,6 +310,22 @@ + } + } + #endif ++#ifdef RLIMIT_AS ++ if (limitAddressSpace >= 0) ++ { ++ struct rlimit rlim; ++ ++ if (!getrlimit(RLIMIT_AS, &rlim)) ++ { ++ if ((limitAddressSpace > 0) ++ && (limitAddressSpace < rlim.rlim_max)) ++ rlim.rlim_cur = limitAddressSpace; ++ else ++ rlim.rlim_cur = rlim.rlim_max; ++ (void)setrlimit(RLIMIT_AS, &rlim); ++ } ++ } ++#endif + LockServer(); + been_here = TRUE; + } +--- ./os/utils.c.orig 2010-05-03 19:48:00.000000000 -0500 ++++ ./os/utils.c 2010-08-20 12:26:06.448480889 -0500 +@@ -63,6 +63,36 @@ + __stdcall unsigned long GetTickCount(void); + #endif + ++/* ++ * issetugid() ++ * ++ * Copyright (C) - 2007 Robert Connolly ++ * ++ * Permission to reproduce, copy, delete, distribute, transmit, use, modify, ++ * build upon or otherwise exploit this software, in any form, for any ++ * purpose, in any way, and by anyone, including by methods that have not ++ * yet been invented or conceived, is hereby granted. ++ */ ++#include <unistd.h> ++extern int __libc_enable_secure; ++int issetugid(void) ++{ ++ if (__libc_enable_secure) ++ { ++ return 1; ++ } ++ if (getuid() != geteuid()) ++ { ++ return 1; ++ } ++ if (getgid() != getegid()) ++ { ++ return 1; ++ } ++ /* Else */ ++ return 0; ++} ++ + #if defined(WIN32) && !defined(__CYGWIN__) + #include <X11/Xwinsock.h> + #endif +@@ -758,6 +788,22 @@ + UseMsg(); + } + #endif ++#ifdef RLIMIT_AS ++ else if ( strcmp( argv[i], "-la") == 0) ++ { ++ if (getuid() != 0 && issetugid()) { ++ FatalError("The '-la' option can only be used by root.\n"); ++ } ++ if(++i < argc) ++ { ++ limitAddressSpace = atol(argv[i]); ++ if (limitAddressSpace > 0) ++ limitAddressSpace *= 1024; ++ } ++ else ++ UseMsg(); ++ } ++#endif + #ifdef SERVER_LOCK + else if ( strcmp ( argv[i], "-nolock") == 0) + { +--- ./doc/Xserver.man.pre.orig 2010-05-03 19:47:58.000000000 -0500 ++++ ./doc/Xserver.man.pre 2010-08-20 12:25:00.116604519 -0500 +@@ -293,6 +293,13 @@ + A value of zero makes the stack size as large as possible. The default value + of \-1 leaves the stack space limit unchanged. + .TP 8 ++.B \-la \fIkilobytes\fP ++sets the address space limit of the server to the specified number of ++kilobytes. ++A value of zero makes address space as large as possible. ++The default value is 1572864 (1.5GB) on 32 bit architectures and ++10485760 (10GB) on 64 bit architectures. ++.TP 8 + .B \-logo + turns on the X Window System logo display in the screen-saver. + There is currently no way to change this from a client. +--- ./include/opaque.h.orig 2010-04-20 21:00:27.000000000 -0500 ++++ ./include/opaque.h 2010-08-20 12:25:00.116604519 -0500 +@@ -67,6 +67,9 @@ + #ifdef RLIMIT_NOFILE + extern _X_EXPORT int limitNoFile; + #endif ++#ifdef RLIMIT_AS ++extern _X_EXPORT int limitAddressSpace; ++#endif + extern _X_EXPORT Bool defeatAccessControl; + extern _X_EXPORT long maxBigRequestSize; + extern _X_EXPORT Bool party_like_its_1989; diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff new file mode 100644 index 000000000..dc4d0a255 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff @@ -0,0 +1,42 @@ +--- ./dix/dixfonts.c.orig 2010-05-03 19:47:57.000000000 -0500 ++++ ./dix/dixfonts.c 2013-10-09 21:45:40.215770648 -0500 +@@ -1508,6 +1508,7 @@ + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1520,6 +1521,7 @@ + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + +@@ -1527,6 +1529,7 @@ + if (!data) + { + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1538,6 +1541,7 @@ + { + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1551,6 +1555,7 @@ + FreeScratchGC(pGC); + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff new file mode 100644 index 000000000..25f09ee1a --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff @@ -0,0 +1,21 @@ +--- ./Xi/sendexev.c.orig 2010-04-30 04:26:35.000000000 -0500 ++++ ./Xi/sendexev.c 2017-08-15 14:58:25.709950954 -0500 +@@ -95,9 +95,17 @@ + + eventP = (xEvent *) & stuff[1]; + for (i = 0; i < stuff->num_events; i++, eventP++) { ++ if (eventP->u.u.type == GenericEvent) { ++ client->errorValue = eventP->u.u.type; ++ return BadValue; ++ } ++ + proc = EventSwapVector[eventP->u.u.type & 0177]; +- if (proc == NotImplemented) /* no swapping proc; invalid event type? */ ++ /* no swapping proc; invalid event type? */ ++ if (proc == NotImplemented) { ++ client->errorValue = eventP->u.u.type; + return (BadValue); ++ } + (*proc) (eventP, &eventT); + *eventP = eventT; + } diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff new file mode 100644 index 000000000..edddc8d66 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff @@ -0,0 +1,36 @@ +From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb@suse.com> +Date: Wed, 24 May 2017 15:54:39 +0300 +Subject: Xi: Zero target buffer in SProcXSendExtensionEvent. + +Make sure that the xEvent eventT is initialized with zeros, the same way as +in SProcSendEvent. + +Some event swapping functions do not overwrite all 32 bytes of xEvent +structure, for example XSecurityAuthorizationRevoked. Two cooperating +clients, one swapped and the other not, can send +XSecurityAuthorizationRevoked event to each other to retrieve old stack data +from X server. This can be potentialy misused to go around ASLR or +stack-protector. + +Signed-off-by: Michal Srb <msrb@suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 11d8202..1cf118a 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client) + { + CARD32 *p; + int i; +- xEvent eventT; ++ xEvent eventT = { .u.u.type = 0 }; + xEvent *eventP; + EventSwapPtr proc; + +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.fb.fbpict.c.mod.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.fb.fbpict.c.mod.diff new file mode 100644 index 000000000..f8abdccb2 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.fb.fbpict.c.mod.diff @@ -0,0 +1,11 @@ +--- ./fb/fbpict.c.orig 2010-03-11 22:38:21.000000000 -0600 ++++ ./fb/fbpict.c 2010-04-29 14:14:52.000000000 -0500 +@@ -37,7 +37,7 @@ + #include "mipict.h" + #include "fbpict.h" + +-#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-a) % (b)) ++#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b)) + + void + fbWalkCompositeRegion (CARD8 op, |