diff options
Diffstat (limited to '')
-rw-r--r-- | patches/source/xorg-server/patch/xorg-server/0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch b/patches/source/xorg-server/patch/xorg-server/0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch new file mode 100644 index 000000000..483bd74f9 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch @@ -0,0 +1,41 @@ +From 2ecba31ddb5f4b953a0a811fec7fb7470b668f13 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 17 Jan 2014 18:54:03 -0800 +Subject: [PATCH 01/31] unchecked malloc may allow unauthed client to crash + Xserver [CVE-2014-8091] + +authdes_ezdecode() calls malloc() using a length provided by the +connection handshake sent by a newly connected client in order +to authenticate to the server, so should be treated as untrusted. + +It didn't check if malloc() failed before writing to the newly +allocated buffer, so could lead to a server crash if the server +fails to allocate memory (up to UINT16_MAX bytes, since the len +field is a CARD16 in the X protocol). + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> +--- + os/rpcauth.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/os/rpcauth.c b/os/rpcauth.c +index bd219ac..c5bf787 100644 +--- a/os/rpcauth.c ++++ b/os/rpcauth.c +@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len) + SVCXPRT xprt; + + temp_inmsg = malloc(len); ++ if (temp_inmsg == NULL) { ++ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ ++ return NULL; ++ } + memmove(temp_inmsg, inmsg, len); + + memset((char *) &msg, 0, sizeof(msg)); +-- +1.9.3 + |