From 8ff4f2f51a6cf07fc33742ce3bee81328896e49b Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Fri, 25 May 2018 23:29:36 +0000 Subject: Fri May 25 23:29:36 UTC 2018 patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.1.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific. --- ...-length-checks-for-SetClientInfoARB-CVE-2.patch | 75 ++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 patches/source/xorg-server/patch/xorg-server/0026-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch (limited to 'patches/source/xorg-server/patch/xorg-server/0026-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch') diff --git a/patches/source/xorg-server/patch/xorg-server/0026-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch b/patches/source/xorg-server/patch/xorg-server/0026-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch new file mode 100644 index 000000000..29c189614 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/0026-glx-Request-length-checks-for-SetClientInfoARB-CVE-2.patch @@ -0,0 +1,75 @@ +From 84f275b466fa69d14d91b2ad1353d05f642d3808 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 10 Nov 2014 12:13:45 -0500 +Subject: [PATCH 26/31] glx: Request length checks for SetClientInfoARB + [CVE-2014-8098 5/8] + +Reviewed-by: Keith Packard +Reviewed-by: Julien Cristau +Reviewed-by: Michal Srb +Reviewed-by: Andy Ritger +Signed-off-by: Adam Jackson +Signed-off-by: Alan Coopersmith +Signed-off-by: Fedora X Ninjas +--- + glx/clientinfo.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/glx/clientinfo.c b/glx/clientinfo.c +index 4aaa4c9..c5fef30 100644 +--- a/glx/clientinfo.c ++++ b/glx/clientinfo.c +@@ -33,18 +33,21 @@ static int + set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req, + unsigned bytes_per_version) + { ++ ClientPtr client = cl->client; + char *gl_extensions; + char *glx_extensions; + ++ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq); ++ + /* Verify that the size of the packet matches the size inferred from the + * sizes specified for the various fields. + */ +- const unsigned expected_size = sz_xGLXSetClientInfoARBReq +- + (req->numVersions * bytes_per_version) +- + __GLX_PAD(req->numGLExtensionBytes) +- + __GLX_PAD(req->numGLXExtensionBytes); ++ int size = sz_xGLXSetClientInfoARBReq; ++ size = safe_add(size, safe_mul(req->numVersions, bytes_per_version)); ++ size = safe_add(size, safe_pad(req->numGLExtensionBytes)); ++ size = safe_add(size, safe_pad(req->numGLXExtensionBytes)); + +- if (req->length != (expected_size / 4)) ++ if (size < 0 || req->length != (size / 4)) + return BadLength; + + /* Verify that the actual length of the GL extension string matches what's +@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc) + int + __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc; + ++ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq); ++ + req->length = bswap_16(req->length); + req->numVersions = bswap_32(req->numVersions); + req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes); +@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc) + int + __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc; + ++ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq); ++ + req->length = bswap_16(req->length); + req->numVersions = bswap_32(req->numVersions); + req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes); +-- +1.9.3 + -- cgit v1.2.3