From 8ff4f2f51a6cf07fc33742ce3bee81328896e49b Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Fri, 25 May 2018 23:29:36 +0000 Subject: Fri May 25 23:29:36 UTC 2018 patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.1.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific. --- ...-overflow-in-ProcPutImage-CVE-2014-8092-1.patch | 38 ++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 patches/source/xorg-server/patch/xorg-server/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch (limited to 'patches/source/xorg-server/patch/xorg-server/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch') diff --git a/patches/source/xorg-server/patch/xorg-server/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch b/patches/source/xorg-server/patch/xorg-server/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch new file mode 100644 index 000000000..151a59aa5 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch 
@@ -0,0 +1,38 @@ +From 37dd6285cdfc2129a49f26d09addb27cb017ae61 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Wed, 22 Jan 2014 21:11:16 -0800 +Subject: [PATCH 02/31] dix: integer overflow in ProcPutImage() [CVE-2014-8092 + 1/4] + +ProcPutImage() calculates a length field from a width, left pad and depth +specified by the client (if the specified format is XYPixmap). + +The calculations for the total amount of memory the server needs for the +pixmap can overflow a 32-bit number, causing out-of-bounds memory writes +on 32-bit systems (since the length is stored in a long int variable). + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +Signed-off-by: Fedora X Ninjas +--- + dix/dispatch.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 979ba48..8cb23d1 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -1955,6 +1955,9 @@ ProcPutImage(ClientPtr client) + tmpImage = (char *) &stuff[1]; + lengthProto = length; + ++ if (lengthProto >= (INT32_MAX / stuff->height)) ++ return BadLength; ++ + if ((bytes_to_int32(lengthProto * stuff->height) + + bytes_to_int32(sizeof(xPutImageReq))) != client->req_len) + return BadLength; +-- +1.9.3 + -- cgit v1.2.3
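Review bot: In the ProcPutImage() hunk of dix/dispatch.c, the added test `lengthProto >= (INT32_MAX / stuff->height)` divides by the request's height field, and nothing in the visible context rules out a zero value, so a request with height 0 would fault on the division before BadLength can be returned. Guard the divisor, for example `if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))`, and add a one-line comment stating that the test bounds the `lengthProto * stuff->height` product evaluated in the following statement.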