From 8ff4f2f51a6cf07fc33742ce3bee81328896e49b Mon Sep 17 00:00:00 2001
From: Patrick J Volkerding
Date: Fri, 25 May 2018 23:29:36 +0000
Subject: Fri May 25 23:29:36 UTC 2018 patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.1.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific.
---
...nal-paranoia-in-__glXGetAnswerBuffer-__GL.patch | 60 ++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 patches/source/xorg-server/patch/xorg-server/0020-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
(limited to 'patches/source/xorg-server/patch/xorg-server/0020-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch')
diff --git a/patches/source/xorg-server/patch/xorg-server/0020-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch b/patches/source/xorg-server/patch/xorg-server/0020-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
new file mode 100644
index 000000000..d7ca0f388
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/0020-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
@@ -0,0 +1,60 @@
+From 9cf40ac3793ab273d9c6c94fca93daf17ebb8881 Mon Sep 17 00:00:00 2001
+From: Adam Jackson
+Date: Mon, 10 Nov 2014 12:13:38 -0500
+Subject: [PATCH 20/31] glx: Additional paranoia in __glXGetAnswerBuffer /
+ __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
+
+If the computed reply size is negative, something went wrong, treat it
+as an error.
+
+v2: Be more careful about size_t being unsigned (Matthieu Herrb)
+v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
+
+Reviewed-by: Julien Cristau
+Reviewed-by: Michal Srb
+Reviewed-by: Andy Ritger
+Signed-off-by: Adam Jackson
+Signed-off-by: Alan Coopersmith
+Signed-off-by: Fedora X Ninjas
+---
+ glx/indirect_util.c | 7 ++++++-
+ glx/unpack.h | 3 ++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/glx/indirect_util.c b/glx/indirect_util.c
+index a30b1f8..7431d43 100644
+--- a/glx/indirect_util.c
++++ b/glx/indirect_util.c
+@@ -81,9 +81,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
+ const unsigned mask = alignment - 1;
+
+ if (local_size < required_size) {
+- const size_t worst_case_size = required_size + alignment;
++ size_t worst_case_size;
+ intptr_t temp_buf;
+
++ if (required_size < SIZE_MAX - alignment)
++ worst_case_size = required_size + alignment;
++ else
++ return NULL;
++
+ if (cl->returnBufSize < worst_case_size) {
+ void *temp = realloc(cl->returnBuf, worst_case_size);
+
+diff --git a/glx/unpack.h b/glx/unpack.h
+index 52fba74..2b1ebcf 100644
+--- a/glx/unpack.h
++++ b/glx/unpack.h
+@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
+ ** pointer.
+ */
+ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
+- if ((size) > sizeof(answerBuffer)) { \
++ if (size < 0) return BadLength; \
++ else if ((size) > sizeof(answerBuffer)) { \
+ int bump; \
+ if ((cl)->returnBufSize < (size)+(align)) { \
+ (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
+--
+1.9.3
+
-- cgit v1.2.3
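Review bot: In the carried glx/unpack.h change, the new guard in `__GLX_GET_ANSWER_BUFFER` tests the macro argument unparenthesized, and the `(size)+(align)` sum two lines below it still has no overflow bound, whereas the glx/indirect_util.c change does check `required_size` against `SIZE_MAX - alignment` before adding. The guard should read `if ((size) < 0) return BadLength; \` so that an expression argument such as a conditional cannot be misparsed. The `size < 0` test is also always false if a call site passes an unsigned expression; call sites are not visible here, so it is worth confirming each one computes the size in a signed type. Since the macro expands to a bare `if … else if` chain, a comment on it noting that it returns `BadLength` from the enclosing function and must not be used as the body of an unbraced `if` would help future callers. The macro body and `__glXGetAnswerBuffer` both continue outside the quoted context, so the realloc failure handling cannot be judged from this patch.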