From 39366733c3fe943363566756e2e152c45a1b3cb2 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Fri, 25 May 2018 23:29:36 +0000 Subject: Fri May 25 23:29:36 UTC 2018 patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.2.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific. --- .../xorg-server/x11.startwithblackscreen.diff | 14 + .../xorg-server/xorg-server.CVE-2017-10971.diff | 40 ++ .../xorg-server/xorg-server.CVE-2017-10972.diff | 36 ++ .../xorg-server/xorg-server.CVE-2017-12176.diff | 31 ++ .../xorg-server/xorg-server.CVE-2017-12177.diff | 41 ++ .../xorg-server/xorg-server.CVE-2017-12178.diff | 29 + .../xorg-server/xorg-server.CVE-2017-12179_p1.diff | 42 ++ .../xorg-server/xorg-server.CVE-2017-12179_p2.diff | 46 ++ .../xorg-server.CVE-2017-12180_12181_12182.diff | 601 +++++++++++++++++++++ .../xorg-server/xorg-server.CVE-2017-12183.diff | 95 ++++ ...rg-server.CVE-2017-12184_12185_12186_12187.diff | 139 +++++ .../xorg-server/xorg-server.CVE-2017-13721.diff | 27 + .../xorg-server/xorg-server.CVE-2017-13723.diff | 116 ++++ .../xorg-server.combo.mouse.keyboard.layout.patch | 49 ++ 14 files changed, 1306 insertions(+) create mode 100644 patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12177.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12178.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12180_12181_12182.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff create mode 100644 patches/source/xorg-server/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch (limited to 'patches/source/xorg-server/patch/xorg-server') diff --git a/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff new file mode 100644 index 000000000..8c0e3b546 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff @@ -0,0 +1,14 @@ +diff -Nur xorg-server-1.12.1.orig/dix/window.c xorg-server-1.12.1/dix/window.c +--- xorg-server-1.12.1.orig/dix/window.c 2012-03-29 21:57:25.000000000 -0500 ++++ xorg-server-1.12.1/dix/window.c 2012-04-13 22:01:24.456073603 -0500 +@@ -145,8 +145,8 @@ + + Bool bgNoneRoot = FALSE; + +-static unsigned char _back_lsb[4] = { 0x88, 0x22, 0x44, 0x11 }; +-static unsigned char _back_msb[4] = { 0x11, 0x44, 0x22, 0x88 }; ++static unsigned char _back_lsb[4] = { 0x00, 0x00, 0x00, 0x00 }; ++static unsigned char _back_msb[4] = { 0x00, 0x00, 0x00, 0x00 }; + + static Bool WindowParentHasDeviceCursor(WindowPtr pWin, + DeviceIntPtr pDev, CursorPtr pCurs); diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff new file mode 100644 index 000000000..00ed28ac3 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff @@ -0,0 +1,40 @@ +From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Wed, 24 May 2017 15:54:42 +0300 +Subject: Xi: Do not try to swap GenericEvent. + +The SProcXSendExtensionEvent must not attempt to swap GenericEvent because +it is assuming that the event has fixed size and gives the swapping function +xEvent-sized buffer. + +A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway. + +Signed-off-by: Michal Srb +Reviewed-by: Peter Hutterer +Signed-off-by: Peter Hutterer + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 5e63bfc..5c2e0fc 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client) + + eventP = (xEvent *) &stuff[1]; + for (i = 0; i < stuff->num_events; i++, eventP++) { ++ if (eventP->u.u.type == GenericEvent) { ++ client->errorValue = eventP->u.u.type; ++ return BadValue; ++ } ++ + proc = EventSwapVector[eventP->u.u.type & 0177]; +- if (proc == NotImplemented) /* no swapping proc; invalid event type? */ ++ /* no swapping proc; invalid event type? */ ++ if (proc == NotImplemented) { ++ client->errorValue = eventP->u.u.type; + return BadValue; ++ } + (*proc) (eventP, &eventT); + *eventP = eventT; + } +-- +cgit v0.10.2 diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff new file mode 100644 index 000000000..edddc8d66 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff @@ -0,0 +1,36 @@ +From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Wed, 24 May 2017 15:54:39 +0300 +Subject: Xi: Zero target buffer in SProcXSendExtensionEvent. + +Make sure that the xEvent eventT is initialized with zeros, the same way as +in SProcSendEvent. + +Some event swapping functions do not overwrite all 32 bytes of xEvent +structure, for example XSecurityAuthorizationRevoked. Two cooperating +clients, one swapped and the other not, can send +XSecurityAuthorizationRevoked event to each other to retrieve old stack data +from X server. This can be potentialy misused to go around ASLR or +stack-protector. + +Signed-off-by: Michal Srb +Reviewed-by: Peter Hutterer +Signed-off-by: Peter Hutterer + +diff --git a/Xi/sendexev.c b/Xi/sendexev.c +index 11d8202..1cf118a 100644 +--- a/Xi/sendexev.c ++++ b/Xi/sendexev.c +@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client) + { + CARD32 *p; + int i; +- xEvent eventT; ++ xEvent eventT = { .u.u.type = 0 }; + xEvent *eventP; + EventSwapPtr proc; + +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff new file mode 100644 index 000000000..9caf31247 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff @@ -0,0 +1,31 @@ +From b747da5e25be944337a9cd1415506fc06b70aa81 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Fri, 9 Jan 2015 10:15:46 -0500 +Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176) + +Reviewed-by: Julien Cristau +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 8b371b6..176c7a0 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3702,7 +3702,12 @@ ProcEstablishConnection(ClientPtr client) + prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq); + auth_proto = (char *) prefix + sz_xConnClientPrefix; + auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto); +- if ((prefix->majorVersion != X_PROTOCOL) || ++ ++ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix + ++ pad_to_int32(prefix->nbytesAuthProto) + ++ pad_to_int32(prefix->nbytesAuthString)) ++ reason = "Bad length"; ++ else if ((prefix->majorVersion != X_PROTOCOL) || + (prefix->minorVersion != X_PROTOCOL_REVISION)) + reason = "Protocol version mismatch"; + else +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12177.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12177.diff new file mode 100644 index 000000000..4a3eaa9e9 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12177.diff @@ -0,0 +1,41 @@ +From 4ca68b878e851e2136c234f40a25008297d8d831 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Fri, 9 Jan 2015 10:09:14 -0500 +Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo + (CVE-2017-12177) + +v2: Protect against integer overflow (Alan Coopersmith) + +Reviewed-by: Alan Coopersmith +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/dbe/dbe.c b/dbe/dbe.c +index 9a0c7a7..292a223 100644 +--- a/dbe/dbe.c ++++ b/dbe/dbe.c +@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client) + XdbeScreenVisualInfo *pScrVisInfo; + + REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); ++ if (stuff->n > UINT32_MAX / sizeof(CARD32)) ++ return BadLength; ++ REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32)); + + if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) + return BadAlloc; +@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client) + + swapl(&stuff->n); + if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) +- return BadAlloc; ++ return BadLength; + REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); + + if (stuff->n != 0) { +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12178.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12178.diff new file mode 100644 index 000000000..8177c119d --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12178.diff @@ -0,0 +1,29 @@ +From 859b08d523307eebde7724fd1a0789c44813e821 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Wed, 24 Dec 2014 16:22:18 -0500 +Subject: Xi: fix wrong extra length check in ProcXIChangeHierarchy + (CVE-2017-12178) + +Reviewed-by: Alan Coopersmith +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index 87f191f..cbdd912 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client) + if (!stuff->num_changes) + return rc; + +- len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo); ++ len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq); + + any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; + while (stuff->num_changes--) { +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff new file mode 100644 index 000000000..0b3734642 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff @@ -0,0 +1,42 @@ +From 211e05ac85a294ef361b9f80d689047fa52b9076 Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Fri, 7 Jul 2017 17:21:46 +0200 +Subject: Xi: Test exact size of XIBarrierReleasePointer + +Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer. + +Signed-off-by: Peter Hutterer + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index af1562e..d82ecb6 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client) + REQUEST(xXIBarrierReleasePointerReq); + int i; + +- info = (xXIBarrierReleasePointerInfo*) &stuff[1]; +- + swaps(&stuff->length); ++ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); ++ + swapl(&stuff->num_barriers); ++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); ++ ++ info = (xXIBarrierReleasePointerInfo*) &stuff[1]; + for (i = 0; i < stuff->num_barriers; i++, info++) { + swaps(&info->deviceid); + swapl(&info->barrier); +@@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client) + xXIBarrierReleasePointerInfo *info; + + REQUEST(xXIBarrierReleasePointerReq); +- REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); ++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); + + info = (xXIBarrierReleasePointerInfo*) &stuff[1]; + for (i = 0; i < stuff->num_barriers; i++, info++) { +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff new file mode 100644 index 000000000..346756033 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff @@ -0,0 +1,46 @@ +From d088e3c1286b548a58e62afdc70bb40981cdb9e8 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Fri, 9 Jan 2015 10:04:41 -0500 +Subject: Xi: integer overflow and unvalidated length in + (S)ProcXIBarrierReleasePointer + +[jcristau: originally this patch fixed the same issue as commit + 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the + addition of these checks] + +This addresses CVE-2017-12179 + +Reviewed-by: Alan Coopersmith +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Jeremy Huddleston Sequoia +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index d82ecb6..d0be701 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client) + REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); + + swapl(&stuff->num_barriers); ++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) ++ return BadLength; + REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); + + info = (xXIBarrierReleasePointerInfo*) &stuff[1]; +@@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client) + xXIBarrierReleasePointerInfo *info; + + REQUEST(xXIBarrierReleasePointerReq); ++ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); ++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) ++ return BadLength; + REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); + + info = (xXIBarrierReleasePointerInfo*) &stuff[1]; +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12180_12181_12182.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12180_12181_12182.diff new file mode 100644 index 000000000..70ebee8c2 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12180_12181_12182.diff @@ -0,0 +1,601 @@ +From 1b1d4c04695dced2463404174b50b3581dbd857b Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Sun, 21 Dec 2014 01:10:03 -0500 +Subject: hw/xfree86: unvalidated lengths + +This addresses: +CVE-2017-12180 in XFree86-VidModeExtension +CVE-2017-12181 in XFree86-DGA +CVE-2017-12182 in XFree86-DRI + +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/Xext/vidmode.c b/Xext/vidmode.c +index 8ba919a..6e4a7c7 100644 +--- a/Xext/vidmode.c ++++ b/Xext/vidmode.c +@@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client) + DEBUG_P("XF86VidModeAddModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client) + stuff->after_vsyncend, stuff->after_vtotal, + (unsigned long) stuff->after_flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq)); +- } + if (len != stuff->privsize) + return BadLength; + +@@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr client) + DEBUG_P("XF86VidModeDeleteModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, + (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq)); +- } + if (len != stuff->privsize) { + DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, " + "len = %d, length = %d\n", +@@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client) + DEBUG_P("XF86VidModeModModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeModModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, + stuff->vtotal, (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeModModeLineReq)); +- } + if (len != stuff->privsize) + return BadLength; + +@@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr client) + DEBUG_P("XF86VidModeValidateModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq); ++ len = client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, + (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq); +- len = client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq)); +- } + if (len != stuff->privsize) + return BadLength; + +@@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client) + DEBUG_P("XF86VidModeSwitchToMode"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, + (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq)); +- } + if (len != stuff->privsize) + return BadLength; + +@@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client) + VidModePtr pVidMode; + + REQUEST(xXF86VidModeSetGammaRampReq); ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq); + + if (stuff->screen >= screenInfo.numScreens) + return BadValue; +diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c +index 95434e8..505b019 100644 +--- a/hw/xfree86/common/xf86DGA.c ++++ b/hw/xfree86/common/xf86DGA.c +@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client) + char *deviceName; + int nameSize; + ++ REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (!DGAAvailable(stuff->screen)) + return DGAErrorBase + XF86DGANoDirectVideoMode; + +- REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr client) + { + REQUEST(xXDGACloseFramebufferReq); + ++ REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (!DGAAvailable(stuff->screen)) + return DGAErrorBase + XF86DGANoDirectVideoMode; + +- REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq); +- + DGACloseFramebuffer(stuff->screen); + + return Success; +@@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client) + xXDGAModeInfo info; + XDGAModePtr mode; + ++ REQUEST_SIZE_MATCH(xXDGAQueryModesReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXDGAQueryModesReq); + rep.type = X_Reply; + rep.length = 0; + rep.number = 0; +@@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client) + ClientPtr owner; + int size; + ++ REQUEST_SIZE_MATCH(xXDGASetModeReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + owner = DGA_GETCLIENT(stuff->screen); + +- REQUEST_SIZE_MATCH(xXDGASetModeReq); + rep.type = X_Reply; + rep.length = 0; + rep.offset = 0; +@@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client) + { + REQUEST(xXDGASetViewportReq); + ++ REQUEST_SIZE_MATCH(xXDGASetViewportReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGASetViewportReq); +- + DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags); + + return Success; +@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client) + + REQUEST(xXDGAInstallColormapReq); + ++ REQUEST_SIZE_MATCH(xXDGAInstallColormapReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGAInstallColormapReq); +- + rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP, + client, DixInstallAccess); + if (rc != Success) +@@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client) + { + REQUEST(xXDGASelectInputReq); + ++ REQUEST_SIZE_MATCH(xXDGASelectInputReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGASelectInputReq); +- + if (DGA_GETCLIENT(stuff->screen) == client) + DGASelectInput(stuff->screen, client, stuff->mask); + +@@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client) + { + REQUEST(xXDGAFillRectangleReq); + ++ REQUEST_SIZE_MATCH(xXDGAFillRectangleReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGAFillRectangleReq); +- + if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y, + stuff->width, stuff->height, stuff->color)) + return BadMatch; +@@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client) + { + REQUEST(xXDGACopyAreaReq); + ++ REQUEST_SIZE_MATCH(xXDGACopyAreaReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGACopyAreaReq); +- + if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy, + stuff->width, stuff->height, stuff->dstx, + stuff->dsty)) +@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr client) + { + REQUEST(xXDGACopyTransparentAreaReq); + ++ REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq); +- + if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy, + stuff->width, stuff->height, stuff->dstx, + stuff->dsty, stuff->key)) +@@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr client) + REQUEST(xXDGAGetViewportStatusReq); + xXDGAGetViewportStatusReply rep; + ++ REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client) + REQUEST(xXDGASyncReq); + xXDGASyncReply rep; + ++ REQUEST_SIZE_MATCH(xXDGASyncReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGASyncReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr client) + xXDGAChangePixmapModeReply rep; + int x, y; + ++ REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client) + REQUEST(xXDGACreateColormapReq); + int result; + ++ REQUEST_SIZE_MATCH(xXDGACreateColormapReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGACreateColormapReq); +- + if (!stuff->mode) + return BadValue; + +@@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client) + int num, offset, flags; + char *name; + ++ REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client) + + REQUEST(xXF86DGADirectVideoReq); + ++ REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; +- REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq); + + if (!DGAAvailable(stuff->screen)) + return DGAErrorBase + XF86DGANoDirectVideoMode; +@@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr client) + REQUEST(xXF86DGAGetViewPortSizeReq); + xXF86DGAGetViewPortSizeReply rep; + ++ REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client) + { + REQUEST(xXF86DGASetViewPortReq); + ++ REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq); +- + if (!DGAAvailable(stuff->screen)) + return DGAErrorBase + XF86DGANoDirectVideoMode; + +@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client) + REQUEST(xXF86DGAGetVidPageReq); + xXF86DGAGetVidPageReply rep; + ++ REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client) + { + REQUEST(xXF86DGASetVidPageReq); + ++ REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq); +- + /* silently fail */ + + return Success; +@@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr client) + + REQUEST(xXF86DGAInstallColormapReq); + ++ REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq); +- + if (!DGAActive(stuff->screen)) + return DGAErrorBase + XF86DGADirectNotActivated; + +@@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr client) + REQUEST(xXF86DGAQueryDirectVideoReq); + xXF86DGAQueryDirectVideoReply rep; + ++ REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr client) + REQUEST(xXF86DGAViewPortChangedReq); + xXF86DGAViewPortChangedReply rep; + ++ REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq); +- + if (!DGAActive(stuff->screen)) + return DGAErrorBase + XF86DGADirectNotActivated; + +diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c +index 8f3c2d6..d356db9 100644 +--- a/hw/xfree86/dri/xf86dri.c ++++ b/hw/xfree86/dri/xf86dri.c +@@ -570,6 +570,7 @@ static int _X_COLD + SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client) + { + REQUEST(xXF86DRIQueryDirectRenderingCapableReq); ++ REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq); + swaps(&stuff->length); + swapl(&stuff->screen); + return ProcXF86DRIQueryDirectRenderingCapable(client); +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff new file mode 100644 index 000000000..b88ba950e --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff @@ -0,0 +1,95 @@ +From 55caa8b08c84af2b50fbc936cf334a5a93dd7db5 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Fri, 9 Jan 2015 11:43:05 -0500 +Subject: xfixes: unvalidated lengths (CVE-2017-12183) + +v2: Use before swap (Jeremy Huddleston Sequoia) + +v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith) + +Reviewed-by: Alan Coopersmith +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Jeremy Huddleston Sequoia +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/xfixes/cursor.c b/xfixes/cursor.c +index c1ab3be..dc447ed 100644 +--- a/xfixes/cursor.c ++++ b/xfixes/cursor.c +@@ -281,6 +281,7 @@ int _X_COLD + SProcXFixesSelectCursorInput(ClientPtr client) + { + REQUEST(xXFixesSelectCursorInputReq); ++ REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq); + + swaps(&stuff->length); + swapl(&stuff->window); +@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client) + REQUEST(xXFixesSetCursorNameReq); + Atom atom; + +- REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq); ++ REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes); + VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess); + tchar = (char *) &stuff[1]; + atom = MakeAtom(tchar, stuff->nbytes, TRUE); +@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) + int i; + CARD16 *in_devices = (CARD16 *) &stuff[1]; + ++ REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq); ++ + swaps(&stuff->length); + swaps(&stuff->num_devices); + REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); +diff --git a/xfixes/region.c b/xfixes/region.c +index e773701..7c0a7d2 100644 +--- a/xfixes/region.c ++++ b/xfixes/region.c +@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client) + RegionPtr pSource, pDestination; + + REQUEST(xXFixesCopyRegionReq); ++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); + + VERIFY_REGION(pSource, stuff->source, client, DixReadAccess); + VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess); +@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client) + REQUEST(xXFixesCopyRegionReq); + + swaps(&stuff->length); +- REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq); ++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); + swapl(&stuff->source); + swapl(&stuff->destination); + return (*ProcXFixesVector[stuff->xfixesReqType]) (client); +diff --git a/xfixes/saveset.c b/xfixes/saveset.c +index 2043153..fd9c7a1 100644 +--- a/xfixes/saveset.c ++++ b/xfixes/saveset.c +@@ -62,6 +62,7 @@ int _X_COLD + SProcXFixesChangeSaveSet(ClientPtr client) + { + REQUEST(xXFixesChangeSaveSetReq); ++ REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq); + + swaps(&stuff->length); + swapl(&stuff->window); +diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c +index 77efd64..248bf02 100644 +--- a/xfixes/xfixes.c ++++ b/xfixes/xfixes.c +@@ -160,6 +160,7 @@ static _X_COLD int + SProcXFixesQueryVersion(ClientPtr client) + { + REQUEST(xXFixesQueryVersionReq); ++ REQUEST_SIZE_MATCH(xXFixesQueryVersionReq); + + swaps(&stuff->length); + swapl(&stuff->majorVersion); +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff new file mode 100644 index 000000000..d29956864 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff @@ -0,0 +1,139 @@ +From cad5a1050b7184d828aef9c1dd151c3ab649d37e Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Fri, 9 Jan 2015 09:57:23 -0500 +Subject: Unvalidated lengths + +v2: Add overflow check and remove unnecessary check (Julien Cristau) + +This addresses: +CVE-2017-12184 in XINERAMA +CVE-2017-12185 in MIT-SCREEN-SAVER +CVE-2017-12186 in X-Resource +CVE-2017-12187 in RENDER + +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c +index 209df29..844ea49 100644 +--- a/Xext/panoramiX.c ++++ b/Xext/panoramiX.c +@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client) + xPanoramiXGetScreenSizeReply rep; + int rc; + ++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); ++ + if (stuff->screen >= PanoramiXNumScreens) + return BadMatch; + +- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); + rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess); + if (rc != Success) + return rc; +diff --git a/Xext/saver.c b/Xext/saver.c +index 0949761..f6090d8 100644 +--- a/Xext/saver.c ++++ b/Xext/saver.c +@@ -1186,6 +1186,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client) + PanoramiXRes *draw; + int rc, i; + ++ REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq); ++ + rc = dixLookupResourceByClass((void **) &draw, stuff->drawable, + XRC_DRAWABLE, client, DixWriteAccess); + if (rc != Success) +diff --git a/Xext/xres.c b/Xext/xres.c +index 21239f5..0242158 100644 +--- a/Xext/xres.c ++++ b/Xext/xres.c +@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client) + ConstructResourceBytesCtx ctx; + + REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq); ++ if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0])) ++ return BadLength; + REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq, + stuff->numSpecs * sizeof(ctx.specs[0])); + +@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client) + int c; + xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff)); + +- swapl(&stuff->numSpecs); + REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq); ++ swapl(&stuff->numSpecs); + REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq, + stuff->numSpecs * sizeof(specs[0])); + +diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c +index d99d3d4..5232b37 100644 +--- a/Xext/xvdisp.c ++++ b/Xext/xvdisp.c +@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client) + { + REQUEST(xvShmPutImageReq); + PanoramiXRes *draw, *gc, *port; +- Bool send_event = stuff->send_event; ++ Bool send_event; + Bool isRoot; + int result, i, x, y; + + REQUEST_SIZE_MATCH(xvShmPutImageReq); + ++ send_event = stuff->send_event; ++ + result = dixLookupResourceByClass((void **) &draw, stuff->drawable, + XRC_DRAWABLE, client, DixWriteAccess); + if (result != Success) +diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c +index 1f1022e..63caec9 100644 +--- a/hw/dmx/dmxpict.c ++++ b/hw/dmx/dmxpict.c +@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client) + filter = (char *) (stuff + 1); + params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3)); + nparams = ((XFixed *) stuff + client->req_len) - params; ++ if (nparams < 0) ++ return BadLength; + + XRenderSetPictureFilter(dmxScreen->beDisplay, + pPictPriv->pict, filter, params, nparams); +diff --git a/pseudoramiX/pseudoramiX.c b/pseudoramiX/pseudoramiX.c +index d8b2593..95f6e10 100644 +--- a/pseudoramiX/pseudoramiX.c ++++ b/pseudoramiX/pseudoramiX.c +@@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client) + + TRACE; + ++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); ++ + if (stuff->screen >= pseudoramiXNumScreens) + return BadMatch; + +- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); + rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess); + if (rc != Success) + return rc; +diff --git a/render/render.c b/render/render.c +index ccae49a..7d94bd5 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client) + name = (char *) (stuff + 1); + params = (xFixed *) (name + pad_to_int32(stuff->nbytes)); + nparams = ((xFixed *) stuff + client->req_len) - params; ++ if (nparams < 0) ++ return BadLength; ++ + result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams); + return result; + } +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff new file mode 100644 index 000000000..8341a3372 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff @@ -0,0 +1,27 @@ +From b95f25af141d33a65f6f821ea9c003f66a01e1f1 Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Fri, 28 Jul 2017 16:27:10 +0200 +Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721) + +Otherwise it can belong to a non-existing client and abort X server with +FatalError "client not in use", or overwrite existing segment of another +existing client. + +Signed-off-by: Julien Cristau + +diff --git a/Xext/shm.c b/Xext/shm.c +index 91ea90b..2f9a788 100644 +--- a/Xext/shm.c ++++ b/Xext/shm.c +@@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client) + }; + + REQUEST_SIZE_MATCH(xShmCreateSegmentReq); ++ LEGAL_NEW_RESOURCE(stuff->shmseg, client); + if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) { + client->errorValue = stuff->readOnly; + return BadValue; +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff new file mode 100644 index 000000000..6e37be485 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff @@ -0,0 +1,116 @@ +From 94f11ca5cf011ef123bd222cabeaef6f424d76ac Mon Sep 17 00:00:00 2001 +From: Keith Packard +Date: Thu, 27 Jul 2017 10:08:32 -0700 +Subject: xkb: Handle xkb formated string output safely (CVE-2017-13723) + +Generating strings for XKB data used a single shared static buffer, +which offered several opportunities for errors. Use a ring of +resizable buffers instead, to avoid problems when strings end up +longer than anticipated. + +Reviewed-by: Michal Srb +Signed-off-by: Keith Packard +Signed-off-by: Julien Cristau + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index ead2b1a..d2a2567 100644 +--- a/xkb/xkbtext.c ++++ b/xkb/xkbtext.c +@@ -47,23 +47,27 @@ + + /***====================================================================***/ + +-#define BUFFER_SIZE 512 +- +-static char textBuffer[BUFFER_SIZE]; +-static int tbNext = 0; ++#define NUM_BUFFER 8 ++static struct textBuffer { ++ int size; ++ char *buffer; ++} textBuffer[NUM_BUFFER]; ++static int textBufferIndex; + + static char * + tbGetBuffer(unsigned size) + { +- char *rtrn; ++ struct textBuffer *tb; + +- if (size >= BUFFER_SIZE) +- return NULL; +- if ((BUFFER_SIZE - tbNext) <= size) +- tbNext = 0; +- rtrn = &textBuffer[tbNext]; +- tbNext += size; +- return rtrn; ++ tb = &textBuffer[textBufferIndex]; ++ textBufferIndex = (textBufferIndex + 1) % NUM_BUFFER; ++ ++ if (size > tb->size) { ++ free(tb->buffer); ++ tb->buffer = xnfalloc(size); ++ tb->size = size; ++ } ++ return tb->buffer; + } + + /***====================================================================***/ +@@ -79,8 +83,6 @@ XkbAtomText(Atom atm, unsigned format) + int len; + + len = strlen(atmstr) + 1; +- if (len > BUFFER_SIZE) +- len = BUFFER_SIZE - 2; + rtrn = tbGetBuffer(len); + strlcpy(rtrn, atmstr, len); + } +@@ -128,8 +130,6 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format) + len = strlen(tmp) + 1; + if (format == XkbCFile) + len += 4; +- if (len >= BUFFER_SIZE) +- len = BUFFER_SIZE - 1; + rtrn = tbGetBuffer(len); + if (format == XkbCFile) { + strcpy(rtrn, "vmod_"); +@@ -140,6 +140,8 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format) + return rtrn; + } + ++#define VMOD_BUFFER_SIZE 512 ++ + char * + XkbVModMaskText(XkbDescPtr xkb, + unsigned modMask, unsigned mask, unsigned format) +@@ -147,7 +149,7 @@ XkbVModMaskText(XkbDescPtr xkb, + register int i, bit; + int len; + char *mm, *rtrn; +- char *str, buf[BUFFER_SIZE]; ++ char *str, buf[VMOD_BUFFER_SIZE]; + + if ((modMask == 0) && (mask == 0)) { + rtrn = tbGetBuffer(5); +@@ -173,7 +175,7 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= BUFFER_SIZE) { ++ if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { + if (str != buf) { + if (format == XkbCFile) + *str++ = '|'; +@@ -199,8 +201,6 @@ XkbVModMaskText(XkbDescPtr xkb, + len = 0; + if (str) + len += strlen(str) + (mm == NULL ? 0 : 1); +- if (len >= BUFFER_SIZE) +- len = BUFFER_SIZE - 1; + rtrn = tbGetBuffer(len + 1); + rtrn[0] = '\0'; + +-- +cgit v0.10.2 + + diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch b/patches/source/xorg-server/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch new file mode 100644 index 000000000..83f673030 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch @@ -0,0 +1,49 @@ +--- b/Xi/exevents.c 2013-12-27 19:38:52.000000000 +0200 ++++ a/Xi/exevents.c 2014-03-04 19:44:15.228721619 +0200 +@@ -665,7 +665,8 @@ + DeepCopyFeedbackClasses(from, to); + + if ((dce->flags & DEVCHANGE_KEYBOARD_EVENT)) +- DeepCopyKeyboardClasses(from, to); ++ /* We need to copy to MASTER_KEYBOARD. Didn't worked with 'to'. */ ++ DeepCopyKeyboardClasses(from, GetMaster(from, MASTER_KEYBOARD)); + if ((dce->flags & DEVCHANGE_POINTER_EVENT)) + DeepCopyPointerClasses(from, to); + } +--- b/dix/getevents.c 2013-12-27 19:38:52.000000000 +0200 ++++ a/dix/getevents.c 2014-03-04 19:46:50.126336327 +0200 +@@ -706,12 +706,19 @@ + { + DeviceIntPtr master; + +- master = +- GetMaster(dev, +- (type & DEVCHANGE_POINTER_EVENT) ? MASTER_POINTER : +- MASTER_KEYBOARD); ++ /* Don't guess the master upon the event type. Use MASTER_ATTACHED, ++ * otherwise we'll never get a DeviceChangedEvent(reason:SlaveSwith). */ ++ master = GetMaster(dev, MASTER_ATTACHED); ++ /* Need to track the slave event type. Other we'le never get a ++ * DeviceChangedEvent(reason:SlaveSwith) for the 'keyboard' if the ++ * 'pointer' has been touched before. */ ++ int slave_type = (type & DEVCHANGE_KEYBOARD_EVENT) | ++ (type & DEVCHANGE_POINTER_EVENT); + +- if (master && master->last.slave != dev) { ++ if (master && ++ ((master->last.slave != dev) || ++ (master->last.slave == dev && master->last.slave_type != slave_type))) { ++ master->last.slave_type = slave_type; + CreateClassesChangedEvent(events, master, dev, + type | DEVCHANGE_SLAVE_SWITCH); + if (IsPointerDevice(master)) { +--- b/include/inputstr.h 2013-12-27 19:38:52.000000000 +0200 ++++ a/include/inputstr.h 2014-03-04 19:47:28.074051116 +0200 +@@ -577,6 +577,7 @@ + double valuators[MAX_VALUATORS]; + int numValuators; + DeviceIntPtr slave; ++ int slave_type; + ValuatorMask *scroll; + int num_touches; /* size of the touches array */ + DDXTouchPointInfoPtr touches; -- cgit v1.2.3