From 8ff4f2f51a6cf07fc33742ce3bee81328896e49b Mon Sep 17 00:00:00 2001
From: Patrick J Volkerding
Date: Fri, 25 May 2018 23:29:36 +0000
Subject: Fri May 25 23:29:36 UTC 2018 patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.1.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific.
---
...checking-for-GLXRender-requests-v2-CVE-20.patch | 76 ++++++++++++++++++++++
1 file changed, 76 insertions(+)
create mode 100644 patches/source/xorg-server/patch/xorg-server/0023-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
(limited to 'patches/source/xorg-server/patch/xorg-server/0023-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch')
diff --git a/patches/source/xorg-server/patch/xorg-server/0023-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch b/patches/source/xorg-server/patch/xorg-server/0023-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
new file mode 100644
index 000000000..96de637aa
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/0023-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
@@ -0,0 +1,76 @@
+From bce43e2e287096be4c737105fa12459ff2e052b2 Mon Sep 17 00:00:00 2001
+From: Julien Cristau
+Date: Mon, 10 Nov 2014 12:13:41 -0500
+Subject: [PATCH 23/31] glx: Length checking for GLXRender requests (v2)
+ [CVE-2014-8098 2/8]
+
+v2:
+Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
+
+Reviewed-by: Adam Jackson
+Reviewed-by: Michal Srb
+Reviewed-by: Andy Ritger
+Signed-off-by: Julien Cristau
+Signed-off-by: Alan Coopersmith
+Signed-off-by: Fedora X Ninjas
+---
+ glx/glxcmds.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index 5b50785..969bf01 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -1971,7 +1971,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ left = (req->length << 2) - sz_xGLXRenderReq;
+ while (left > 0) {
+ __GLXrenderSizeData entry;
+- int extra;
++ int extra = 0;
+ __GLXdispatchRenderProcPtr proc;
+ int err;
+
+@@ -1990,6 +1990,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ cmdlen = hdr->length;
+ opcode = hdr->opcode;
+
++ if (left < cmdlen)
++ return BadLength;
++
+ /*
+ ** Check for core opcodes and grab entry data.
+ */
+@@ -2003,6 +2006,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ return __glXError(GLXBadRenderRequest);
+ }
+
++ if (cmdlen < entry.bytes) {
++ return BadLength;
++ }
++
+ if (entry.varsize) {
+ /* variable size command */
+ extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
+@@ -2010,17 +2017,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ if (extra < 0) {
+ return BadLength;
+ }
+- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
+- return BadLength;
+- }
+ }
+- else {
+- /* constant size command */
+- if (cmdlen != __GLX_PAD(entry.bytes)) {
+- return BadLength;
+- }
+- }
+- if (left < cmdlen) {
++
++ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
+ return BadLength;
+ }
+
+--
+1.9.3
+
-- cgit v1.2.3
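Review bot: The final check `cmdlen != safe_pad(safe_add(entry.bytes, extra))` calls two helpers that nothing in this patch defines. They presumably come from an earlier patch in the same 31-part series, so the order in which the build applies the series matters. The check also rejects an overflowed sum only if the helpers report overflow with a value `cmdlen` can never equal (presumably a negative one). A comment at the call would make that explicit, e.g. `/* safe_add/safe_pad report overflow with a negative value, which can never match cmdlen */`, once confirmed against the helper definitions. The two added guards, `left < cmdlen` and `cmdlen < entry.bytes`, have to run before the `entry.varsize` callback reads from `pc`, and a short comment saying so would stop a later cleanup from moving them back below it. __glXDisp_Render starts and ends outside the hunks, so the code between `hdr` being set and these checks is not visible here.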