diff options
Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server')
7 files changed, 165 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff new file mode 100644 index 000000000..bfa9c305d --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff @@ -0,0 +1,13 @@ +--- ./dix/window.c.orig 2007-01-22 23:39:15.000000000 -0600 ++++ ./dix/window.c 2007-02-14 03:21:03.000000000 -0600 +@@ -140,8 +140,8 @@ + * + ******/ + +-static unsigned char _back_lsb[4] = {0x88, 0x22, 0x44, 0x11}; +-static unsigned char _back_msb[4] = {0x11, 0x44, 0x22, 0x88}; ++static unsigned char _back_lsb[4] = {0x00, 0x00, 0x00, 0x00}; ++static unsigned char _back_msb[4] = {0x00, 0x00, 0x00, 0x00}; + + _X_EXPORT int screenIsSaved = SCREEN_SAVER_OFF; + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-1940.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-1940.diff new file mode 100644 index 000000000..cd26673f0 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-1940.diff @@ -0,0 +1,12 @@ +--- xorg-server-1.9.5/hw/xfree86/os-support/shared/posix_tty.c.orig 2013-04-18 17:58:55.000000000 -0500 ++++ xorg-server-1.9.5/hw/xfree86/os-support/shared/posix_tty.c 2013-04-18 18:00:20.000000000 -0500 +@@ -460,7 +460,8 @@ + { + fd_set fds; + struct timeval timeout; +- char c[4]; ++ /* this needs to be big enough to flush an evdev event. */ ++ char c[256]; + + DebugF("FlushingSerial\n"); + if (tcflush(fd, TCIFLUSH) == 0) diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff new file mode 100644 index 000000000..af517411c --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2013-4396.diff @@ -0,0 +1,42 @@ +--- ./dix/dixfonts.c.orig 2010-10-30 21:47:09.000000000 -0500 ++++ ./dix/dixfonts.c 2013-10-09 21:38:47.607788240 -0500 +@@ -1500,6 +1500,7 @@ + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1512,6 +1513,7 @@ + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + +@@ -1519,6 +1521,7 @@ + if (!data) + { + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1530,6 +1533,7 @@ + { + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1543,6 +1547,7 @@ + FreeScratchGC(pGC); + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff new file mode 100644 index 000000000..00ed28ac3 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff @@ -0,0 +1,40 @@ +From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb@suse.com> +Date: Wed, 24 May 2017 15:54:42 +0300 +Subject: Xi: Do not try to swap GenericEvent. + +The SProcXSendExtensionEvent must not attempt to swap GenericEvent because +it is assuming that the event has fixed size and gives the swapping function +xEvent-sized buffer. + +A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway. + +Signed-off-by: Michal Srb <msrb@suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 5e63bfc..5c2e0fc 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client) + + eventP = (xEvent *) &stuff[1]; + for (i = 0; i < stuff->num_events; i++, eventP++) { ++ if (eventP->u.u.type == GenericEvent) { ++ client->errorValue = eventP->u.u.type; ++ return BadValue; ++ } ++ + proc = EventSwapVector[eventP->u.u.type & 0177]; +- if (proc == NotImplemented) /* no swapping proc; invalid event type? */ ++ /* no swapping proc; invalid event type? */ ++ if (proc == NotImplemented) { ++ client->errorValue = eventP->u.u.type; + return BadValue; ++ } + (*proc) (eventP, &eventT); + *eventP = eventT; + } +-- +cgit v0.10.2 diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff new file mode 100644 index 000000000..edddc8d66 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff @@ -0,0 +1,36 @@ +From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb@suse.com> +Date: Wed, 24 May 2017 15:54:39 +0300 +Subject: Xi: Zero target buffer in SProcXSendExtensionEvent. + +Make sure that the xEvent eventT is initialized with zeros, the same way as +in SProcSendEvent. + +Some event swapping functions do not overwrite all 32 bytes of xEvent +structure, for example XSecurityAuthorizationRevoked. Two cooperating +clients, one swapped and the other not, can send +XSecurityAuthorizationRevoked event to each other to retrieve old stack data +from X server. This can be potentialy misused to go around ASLR or +stack-protector. + +Signed-off-by: Michal Srb <msrb@suse.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 11d8202..1cf118a 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client) + { + CARD32 *p; + int i; +- xEvent eventT; ++ xEvent eventT = { .u.u.type = 0 }; + xEvent *eventP; + EventSwapPtr proc; + +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.fb.fbpict.c.mod.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.fb.fbpict.c.mod.diff new file mode 100644 index 000000000..f8abdccb2 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.fb.fbpict.c.mod.diff @@ -0,0 +1,11 @@ +--- ./fb/fbpict.c.orig 2010-03-11 22:38:21.000000000 -0600 ++++ ./fb/fbpict.c 2010-04-29 14:14:52.000000000 -0500 +@@ -37,7 +37,7 @@ + #include "mipict.h" + #include "fbpict.h" + +-#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-a) % (b)) ++#define mod(a,b) ((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b)) + + void + fbWalkCompositeRegion (CARD8 op, diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.try_nouveau.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.try_nouveau.diff new file mode 100644 index 000000000..74f799a11 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.try_nouveau.diff @@ -0,0 +1,11 @@ +--- ./hw/xfree86/common/xf86pciBus.c.orig 2010-07-01 12:17:35.000000000 -0500 ++++ ./hw/xfree86/common/xf86pciBus.c 2010-11-18 16:56:57.633003654 -0600 +@@ -1118,7 +1118,7 @@ + break; + case 0x102b: driverList[0] = "mga"; break; + case 0x10c8: driverList[0] = "neomagic"; break; +- case 0x10de: case 0x12d2: driverList[0] = "nv"; break; ++ case 0x10de: case 0x12d2: driverList[0] = "nouveau" ; driverList[1] = "nv"; break; + case 0x1106: driverList[0] = "openchrome"; break; + case 0x1b36: driverList[0] = "qxl"; break; + case 0x1163: driverList[0] = "rendition"; break; |