From 8ff4f2f51a6cf07fc33742ce3bee81328896e49b Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Fri, 25 May 2018 23:29:36 +0000 Subject: Fri May 25 23:29:36 UTC 2018 patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.1.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific. --- ...s-bounds-check-using-wrong-pointer-value-.patch | 35 ++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 patches/source/xorg-server/patch/xorg-server/0002-dix-GetHosts-bounds-check-using-wrong-pointer-value-.patch (limited to 'patches/source/xorg-server/patch/xorg-server/0002-dix-GetHosts-bounds-check-using-wrong-pointer-value-.patch') diff --git a/patches/source/xorg-server/patch/xorg-server/0002-dix-GetHosts-bounds-check-using-wrong-pointer-value-.patch b/patches/source/xorg-server/patch/xorg-server/0002-dix-GetHosts-bounds-check-using-wrong-pointer-value-.patch new file mode 100644 index 000000000..c75c0a8f4 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/0002-dix-GetHosts-bounds-check-using-wrong-pointer-value-.patch @@ -0,0 +1,35 @@ +From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001 +From: Keith Packard +Date: Tue, 9 Dec 2014 09:31:00 -0800 +Subject: [PATCH 2/2] dix: GetHosts bounds check using wrong pointer value + [CVE-2014-8092 pt. 6] + +GetHosts saves the pointer to allocated memory in *data, and then +wants to bounds-check writes to that region, but was mistakenly using +a bare 'data' instead of '*data'. Also, data is declared as void **, +so we need a cast to turn it into a byte pointer so we can actually do +pointer comparisons. + +Signed-off-by: Keith Packard +Reviewed-by: Alan Coopersmith +Signed-off-by: Alan Coopersmith +--- + os/access.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/os/access.c b/os/access.c +index f393c8d..28f2d32 100644 +--- a/os/access.c ++++ b/os/access.c +@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) + } + for (host = validhosts; host; host = host->next) { + len = host->len; +- if ((ptr + sizeof(xHostEntry) + len) > (data + n)) ++ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) + break; + ((xHostEntry *) ptr)->family = host->family; + ((xHostEntry *) ptr)->length = len; +-- +2.1.0 + -- cgit v1.2.3