Diffstat (limited to 'source/x/x11/patch/xorg-server')
-rw-r--r-- | source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff | 73 | ||||
-rw-r--r-- | source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch | 49 |
2 files changed, 49 insertions, 73 deletions
diff --git a/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff b/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff
deleted file mode 100644
index 14c31782f..000000000
--- a/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff
+++ /dev/null
@@ -1,73 +0,0 @@
-From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Mon, 16 Sep 2013 21:47:16 -0700
-Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
- [CVE-2013-4396]
-
-Save a pointer to the passed in closure structure before copying it
-and overwriting the *c pointer to point to our copy instead of the
-original. If we hit an error, once we free(c), reset c to point to
-the original structure before jumping to the cleanup code that
-references *c.
-
-Since one of the errors being checked for is whether the server was
-able to malloc(c->nChars * itemSize), the client can potentially pass
-a number of characters chosen to cause the malloc to fail and the
-error path to be taken, resulting in the read from freed memory.
-
-Since the memory is accessed almost immediately afterwards, and the
-X server is mostly single threaded, the odds of the free memory having
-invalid contents are low with most malloc implementations when not using
-memory debugging features, but some allocators will definitely overwrite
-the memory there, leading to a likely crash.
-
-Reported-by: Pedro Ribeiro <pedrib at gmail.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Julien Cristau <jcristau at debian.org>
----
- dix/dixfonts.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/dix/dixfonts.c b/dix/dixfonts.c
-index feb765d..2e34d37 100644
---- a/dix/dixfonts.c
-+++ b/dix/dixfonts.c
-@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- GC *pGC;
- unsigned char *data;
- ITclosurePtr new_closure;
-+ ITclosurePtr old_closure;
-
- /* We're putting the client to sleep. We need to
- save some state. Similar problem to that handled
-@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
- err = BadAlloc;
- goto bail;
- }
-+ old_closure = c;
- *new_closure = *c;
- c = new_closure;
-
- data = malloc(c->nChars * itemSize);
- if (!data) {
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- if (!pGC) {
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- FreeScratchGC(pGC);
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
diff --git a/source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch b/source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch
new file mode 100644
index 000000000..83f673030
--- /dev/null
+++ b/source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch
@@ -0,0 +1,49 @@
+--- b/Xi/exevents.c 2013-12-27 19:38:52.000000000 +0200
++++ a/Xi/exevents.c 2014-03-04 19:44:15.228721619 +0200
+@@ -665,7 +665,8 @@
+ DeepCopyFeedbackClasses(from, to);
+
+ if ((dce->flags & DEVCHANGE_KEYBOARD_EVENT))
+- DeepCopyKeyboardClasses(from, to);
++ /* We need to copy to MASTER_KEYBOARD. Didn't worked with 'to'. */
++ DeepCopyKeyboardClasses(from, GetMaster(from, MASTER_KEYBOARD));
+ if ((dce->flags & DEVCHANGE_POINTER_EVENT))
+ DeepCopyPointerClasses(from, to);
+ }
+--- b/dix/getevents.c 2013-12-27 19:38:52.000000000 +0200
++++ a/dix/getevents.c 2014-03-04 19:46:50.126336327 +0200
+@@ -706,12 +706,19 @@
+ {
+ DeviceIntPtr master;
+
+- master =
+- GetMaster(dev,
+- (type & DEVCHANGE_POINTER_EVENT) ? MASTER_POINTER :
+- MASTER_KEYBOARD);
++ /* Don't guess the master upon the event type. Use MASTER_ATTACHED,
++ * otherwise we'll never get a DeviceChangedEvent(reason:SlaveSwith). */
++ master = GetMaster(dev, MASTER_ATTACHED);
++ /* Need to track the slave event type. Other we'le never get a
++ * DeviceChangedEvent(reason:SlaveSwith) for the 'keyboard' if the
++ * 'pointer' has been touched before. */
++ int slave_type = (type & DEVCHANGE_KEYBOARD_EVENT) |
++ (type & DEVCHANGE_POINTER_EVENT);
+
+- if (master && master->last.slave != dev) {
++ if (master &&
++ ((master->last.slave != dev) ||
++ (master->last.slave == dev && master->last.slave_type != slave_type))) {
++ master->last.slave_type = slave_type;
+ CreateClassesChangedEvent(events, master, dev,
+ type | DEVCHANGE_SLAVE_SWITCH);
+ if (IsPointerDevice(master)) {
+--- b/include/inputstr.h 2013-12-27 19:38:52.000000000 +0200
++++ a/include/inputstr.h 2014-03-04 19:47:28.074051116 +0200
+@@ -577,6 +577,7 @@
+ double valuators[MAX_VALUATORS];
+ int numValuators;
+ DeviceIntPtr slave;
++ int slave_type;
+ ValuatorMask *scroll;
+ int num_touches; /* size of the touches array */
+ DDXTouchPointInfoPtr touches; |
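Review bot: In the Xi/exevents.c part of the added patch, the result of `GetMaster(from, MASTER_KEYBOARD)` is passed straight to DeepCopyKeyboardClasses() with no NULL check, whereas the dix/getevents.c part of the same patch tests `master &&` before using a GetMaster() result. If GetMaster() can return NULL at this call site (its body is not on this page), the copy would dereference a null pointer in the X server's input path, so I would write `DeviceIntPtr kbd = GetMaster(from, MASTER_KEYBOARD);` followed by `if (kbd) DeepCopyKeyboardClasses(from, kbd);`. The new `last.slave_type` field is also compared before anything visible in the patch initialises it, so it is worth confirming that the containing struct is zero-allocated. The enclosing functions start and end outside the quoted context.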