Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2010-2240.diff')
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2010-2240.diff130
1 files changed, 130 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2010-2240.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2010-2240.diff
new file mode 100644
index 000000000..0001df45d
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2010-2240.diff
@@ -0,0 +1,130 @@
+--- ./os/osinit.c.orig 2010-04-20 21:00:27.000000000 -0500
++++ ./os/osinit.c 2010-08-20 12:25:00.116604519 -0500
+@@ -96,6 +96,14 @@
+ #ifdef RLIMIT_NOFILE
+ int limitNoFile = -1;
+ #endif
++#ifdef RLIMIT_AS
++#ifdef _XSERVER64
++#define XORG_AS_LIMIT 10737418240LL
++#else
++#define XORG_AS_LIMIT 1610612736
++#endif
++long limitAddressSpace = XORG_AS_LIMIT;
++#endif
+
+ static OsSigWrapperPtr OsSigWrapper = NULL;
+
+@@ -302,6 +310,22 @@
+ }
+ }
+ #endif
++#ifdef RLIMIT_AS
++ if (limitAddressSpace >= 0)
++ {
++ struct rlimit rlim;
++
++ if (!getrlimit(RLIMIT_AS, &rlim))
++ {
++ if ((limitAddressSpace > 0)
++ && (limitAddressSpace < rlim.rlim_max))
++ rlim.rlim_cur = limitAddressSpace;
++ else
++ rlim.rlim_cur = rlim.rlim_max;
++ (void)setrlimit(RLIMIT_AS, &rlim);
++ }
++ }
++#endif
+ LockServer();
+ been_here = TRUE;
+ }
+--- ./os/utils.c.orig 2010-05-03 19:48:00.000000000 -0500
++++ ./os/utils.c 2010-08-20 12:26:06.448480889 -0500
+@@ -63,6 +63,36 @@
+ __stdcall unsigned long GetTickCount(void);
+ #endif
+
++/*
++ * issetugid()
++ *
++ * Copyright (C) - 2007 Robert Connolly
++ *
++ * Permission to reproduce, copy, delete, distribute, transmit, use, modify,
++ * build upon or otherwise exploit this software, in any form, for any
++ * purpose, in any way, and by anyone, including by methods that have not
++ * yet been invented or conceived, is hereby granted.
++ */
++#include <unistd.h>
++extern int __libc_enable_secure;
++int issetugid(void)
++{
++ if (__libc_enable_secure)
++ {
++ return 1;
++ }
++ if (getuid() != geteuid())
++ {
++ return 1;
++ }
++ if (getgid() != getegid())
++ {
++ return 1;
++ }
++ /* Else */
++ return 0;
++}
++
+ #if defined(WIN32) && !defined(__CYGWIN__)
+ #include <X11/Xwinsock.h>
+ #endif
+@@ -758,6 +788,22 @@
+ UseMsg();
+ }
+ #endif
++#ifdef RLIMIT_AS
++ else if ( strcmp( argv[i], "-la") == 0)
++ {
++ if (getuid() != 0 && issetugid()) {
++ FatalError("The '-la' option can only be used by root.\n");
++ }
++ if(++i < argc)
++ {
++ limitAddressSpace = atol(argv[i]);
++ if (limitAddressSpace > 0)
++ limitAddressSpace *= 1024;
++ }
++ else
++ UseMsg();
++ }
++#endif
+ #ifdef SERVER_LOCK
+ else if ( strcmp ( argv[i], "-nolock") == 0)
+ {
+--- ./doc/Xserver.man.pre.orig 2010-05-03 19:47:58.000000000 -0500
++++ ./doc/Xserver.man.pre 2010-08-20 12:25:00.116604519 -0500
+@@ -293,6 +293,13 @@
+ A value of zero makes the stack size as large as possible. The default value
+ of \-1 leaves the stack space limit unchanged.
+ .TP 8
++.B \-la \fIkilobytes\fP
++sets the address space limit of the server to the specified number of
++kilobytes.
++A value of zero makes address space as large as possible.
++The default value is 1572864 (1.5GB) on 32 bit architectures and
++10485760 (10GB) on 64 bit architectures.
++.TP 8
+ .B \-logo
+ turns on the X Window System logo display in the screen-saver.
+ There is currently no way to change this from a client.
+--- ./include/opaque.h.orig 2010-04-20 21:00:27.000000000 -0500
++++ ./include/opaque.h 2010-08-20 12:25:00.116604519 -0500
+@@ -67,6 +67,9 @@
+ #ifdef RLIMIT_NOFILE
+ extern _X_EXPORT int limitNoFile;
+ #endif
++#ifdef RLIMIT_AS
++extern _X_EXPORT int limitAddressSpace;
++#endif
+ extern _X_EXPORT Bool defeatAccessControl;
+ extern _X_EXPORT long maxBigRequestSize;
+ extern _X_EXPORT Bool party_like_its_1989;
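Review bot: The declaration added to include/opaque.h, `extern _X_EXPORT int limitAddressSpace;`, disagrees with the definition added to os/osinit.c, `long limitAddressSpace = XORG_AS_LIMIT;`; the header line should read `extern _X_EXPORT long limitAddressSpace;`. If osinit.c sees opaque.h this is presumably a conflicting-types compile error, and otherwise any unit reading the variable through the header gets a wrong value on 64-bit builds, where the default 10737418240LL does not fit in an int. In the `-la` handler in os/utils.c, `atol(argv[i])` followed by `limitAddressSpace *= 1024` has no range check, so a large argument can overflow the signed long (most easily on 32-bit); if the result ends up negative, the `limitAddressSpace >= 0` test in osinit.c skips the limit entirely, so parsing with `strtol` and rejecting values above `LONG_MAX / 1024` would be safer. The result of `setrlimit(RLIMIT_AS, &rlim)` is also cast to void, so a failure to apply this hardening limit is silent and deserves at least a log message. The functions containing the osinit.c and utils.c changes begin and end outside the context shown here.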