summaryrefslogtreecommitdiffstats
path: root/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff')
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff27
1 files changed, 27 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff
new file mode 100644
index 000000000..8341a3372
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff
@@ -0,0 +1,27 @@
+From b95f25af141d33a65f6f821ea9c003f66a01e1f1 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Fri, 28 Jul 2017 16:27:10 +0200
+Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721)
+
+Otherwise it can belong to a non-existing client and abort X server with
+FatalError "client not in use", or overwrite existing segment of another
+existing client.
+
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/Xext/shm.c b/Xext/shm.c
+index 91ea90b..2f9a788 100644
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client)
+ };
+
+ REQUEST_SIZE_MATCH(xShmCreateSegmentReq);
++ LEGAL_NEW_RESOURCE(stuff->shmseg, client);
+ if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) {
+ client->errorValue = stuff->readOnly;
+ return BadValue;
+--
+cgit v0.10.2
+
+