summaryrefslogtreecommitdiffstats
path: root/patches/source/xorg-server/patch/xorg-server
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server')
-rw-r--r--patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff13
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-1940.diff12
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff42
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff40
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff36
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.fb.fbpict.c.mod.diff11
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.try_nouveau.diff11
7 files changed, 165 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff
new file mode 100644
index 000000000..bfa9c305d
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff
@@ -0,0 +1,13 @@
+--- ./dix/window.c.orig 2007-01-22 23:39:15.000000000 -0600
++++ ./dix/window.c 2007-02-14 03:21:03.000000000 -0600
+@@ -140,8 +140,8 @@
+ *
+ ******/
+
+-static unsigned char _back_lsb[4] = {0x88, 0x22, 0x44, 0x11};
+-static unsigned char _back_msb[4] = {0x11, 0x44, 0x22, 0x88};
++static unsigned char _back_lsb[4] = {0x00, 0x00, 0x00, 0x00};
++static unsigned char _back_msb[4] = {0x00, 0x00, 0x00, 0x00};
+
+ _X_EXPORT int screenIsSaved = SCREEN_SAVER_OFF;
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-1940.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-1940.diff
new file mode 100644
index 000000000..cd26673f0
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-1940.diff
@@ -0,0 +1,12 @@
+--- xorg-server-1.9.5/hw/xfree86/os-support/shared/posix_tty.c.orig 2013-04-18 17:58:55.000000000 -0500
++++ xorg-server-1.9.5/hw/xfree86/os-support/shared/posix_tty.c 2013-04-18 18:00:20.000000000 -0500
+@@ -460,7 +460,8 @@
+ {
+ fd_set fds;
+ struct timeval timeout;
+- char c[4];
++ /* this needs to be big enough to flush an evdev event. */
++ char c[256];
+
+ DebugF("FlushingSerial\n");
+ if (tcflush(fd, TCIFLUSH) == 0)
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff
new file mode 100644
index 000000000..af517411c
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff
@@ -0,0 +1,42 @@
+--- ./dix/dixfonts.c.orig 2010-10-30 21:47:09.000000000 -0500
++++ ./dix/dixfonts.c 2013-10-09 21:38:47.607788240 -0500
+@@ -1500,6 +1500,7 @@
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1512,6 +1513,7 @@
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+@@ -1519,6 +1521,7 @@
+ if (!data)
+ {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1530,6 +1533,7 @@
+ {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1543,6 +1547,7 @@
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff
new file mode 100644
index 000000000..00ed28ac3
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff
@@ -0,0 +1,40 @@
+From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:42 +0300
+Subject: Xi: Do not try to swap GenericEvent.
+
+The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
+it is assuming that the event has fixed size and gives the swapping function
+xEvent-sized buffer.
+
+A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 5e63bfc..5c2e0fc 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
+
+ eventP = (xEvent *) &stuff[1];
+ for (i = 0; i < stuff->num_events; i++, eventP++) {
++ if (eventP->u.u.type == GenericEvent) {
++ client->errorValue = eventP->u.u.type;
++ return BadValue;
++ }
++
+ proc = EventSwapVector[eventP->u.u.type & 0177];
+- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
++ /* no swapping proc; invalid event type? */
++ if (proc == NotImplemented) {
++ client->errorValue = eventP->u.u.type;
+ return BadValue;
++ }
+ (*proc) (eventP, &eventT);
+ *eventP = eventT;
+ }
+--
+cgit v0.10.2
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff
new file mode 100644
index 000000000..edddc8d66
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff
@@ -0,0 +1,36 @@
+From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:39 +0300
+Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
+
+Make sure that the xEvent eventT is initialized with zeros, the same way as
+in SProcSendEvent.
+
+Some event swapping functions do not overwrite all 32 bytes of xEvent
+structure, for example XSecurityAuthorizationRevoked. Two cooperating
+clients, one swapped and the other not, can send
+XSecurityAuthorizationRevoked event to each other to retrieve old stack data
+from X server. This can be potentialy misused to go around ASLR or
+stack-protector.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 11d8202..1cf118a 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ {
+ CARD32 *p;
+ int i;
+- xEvent eventT;
++ xEvent eventT = { .u.u.type = 0 };
+ xEvent *eventP;
+ EventSwapPtr proc;
+
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.fb.fbpict.c.mod.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.fb.fbpict.c.mod.diff
new file mode 100644
index 000000000..f8abdccb2
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.fb.fbpict.c.mod.diff
@@ -0,0 +1,11 @@
+--- ./fb/fbpict.c.orig 2010-03-11 22:38:21.000000000 -0600
++++ ./fb/fbpict.c 2010-04-29 14:14:52.000000000 -0500
+@@ -37,7 +37,7 @@
+ #include "mipict.h"
+ #include "fbpict.h"
+
+-#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
++#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
+
+ void
+ fbWalkCompositeRegion (CARD8 op,
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.try_nouveau.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.try_nouveau.diff
new file mode 100644
index 000000000..74f799a11
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.try_nouveau.diff
@@ -0,0 +1,11 @@
+--- ./hw/xfree86/common/xf86pciBus.c.orig 2010-07-01 12:17:35.000000000 -0500
++++ ./hw/xfree86/common/xf86pciBus.c 2010-11-18 16:56:57.633003654 -0600
+@@ -1118,7 +1118,7 @@
+ break;
+ case 0x102b: driverList[0] = "mga"; break;
+ case 0x10c8: driverList[0] = "neomagic"; break;
+- case 0x10de: case 0x12d2: driverList[0] = "nv"; break;
++ case 0x10de: case 0x12d2: driverList[0] = "nouveau" ; driverList[1] = "nv"; break;
+ case 0x1106: driverList[0] = "openchrome"; break;
+ case 0x1b36: driverList[0] = "qxl"; break;
+ case 0x1163: driverList[0] = "rendition"; break;
generated by cgit v1.2.3 (git 2.26.2) at 2024-05-02 19:47:35 +0000