xorg-server: remove now-upstreamed patch
I'm sorry I completely forgot to test the previous commit. Also remove some long unused patch.
This commit is contained in:
Vladimír Čunát
parent
834af9c905
commit
feb778507f
@ -188,7 +188,6 @@ in
|
|||||||
patches =
|
patches =
|
||||||
[ ./xorgserver-dri-path.patch
|
[ ./xorgserver-dri-path.patch
|
||||||
./xorgserver-xkbcomp-path.patch
|
./xorgserver-xkbcomp-path.patch
|
||||||
./xorgserver-cve-2013-4396.patch
|
|
||||||
];
|
];
|
||||||
buildInputs = attrs.buildInputs ++ [ xtrans ];
|
buildInputs = attrs.buildInputs ++ [ xtrans ];
|
||||||
propagatedBuildInputs =
|
propagatedBuildInputs =
|
||||||
|
|||||||
@ -1,75 +0,0 @@
|
|||||||
From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
||||||
Date: Mon, 16 Sep 2013 21:47:16 -0700
|
|
||||||
Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
|
|
||||||
[CVE-2013-4396]
|
|
||||||
|
|
||||||
Save a pointer to the passed in closure structure before copying it
|
|
||||||
and overwriting the *c pointer to point to our copy instead of the
|
|
||||||
original. If we hit an error, once we free(c), reset c to point to
|
|
||||||
the original structure before jumping to the cleanup code that
|
|
||||||
references *c.
|
|
||||||
|
|
||||||
Since one of the errors being checked for is whether the server was
|
|
||||||
able to malloc(c->nChars * itemSize), the client can potentially pass
|
|
||||||
a number of characters chosen to cause the malloc to fail and the
|
|
||||||
error path to be taken, resulting in the read from freed memory.
|
|
||||||
|
|
||||||
Since the memory is accessed almost immediately afterwards, and the
|
|
||||||
X server is mostly single threaded, the odds of the free memory having
|
|
||||||
invalid contents are low with most malloc implementations when not using
|
|
||||||
memory debugging features, but some allocators will definitely overwrite
|
|
||||||
the memory there, leading to a likely crash.
|
|
||||||
|
|
||||||
Reported-by: Pedro Ribeiro <pedrib@gmail.com>
|
|
||||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
||||||
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
||||||
---
|
|
||||||
dix/dixfonts.c | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
|
|
||||||
index feb765d..2e34d37 100644
|
|
||||||
--- a/dix/dixfonts.c
|
|
||||||
+++ b/dix/dixfonts.c
|
|
||||||
@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
|
|
||||||
GC *pGC;
|
|
||||||
unsigned char *data;
|
|
||||||
ITclosurePtr new_closure;
|
|
||||||
+ ITclosurePtr old_closure;
|
|
||||||
|
|
||||||
/* We're putting the client to sleep. We need to
|
|
||||||
save some state. Similar problem to that handled
|
|
||||||
@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
|
|
||||||
err = BadAlloc;
|
|
||||||
goto bail;
|
|
||||||
}
|
|
||||||
+ old_closure = c;
|
|
||||||
*new_closure = *c;
|
|
||||||
c = new_closure;
|
|
||||||
|
|
||||||
data = malloc(c->nChars * itemSize);
|
|
||||||
if (!data) {
|
|
||||||
free(c);
|
|
||||||
+ c = old_closure;
|
|
||||||
err = BadAlloc;
|
|
||||||
goto bail;
|
|
||||||
}
|
|
||||||
@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
|
|
||||||
if (!pGC) {
|
|
||||||
free(c->data);
|
|
||||||
free(c);
|
|
||||||
+ c = old_closure;
|
|
||||||
err = BadAlloc;
|
|
||||||
goto bail;
|
|
||||||
}
|
|
||||||
@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
|
|
||||||
FreeScratchGC(pGC);
|
|
||||||
free(c->data);
|
|
||||||
free(c);
|
|
||||||
+ c = old_closure;
|
|
||||||
err = BadAlloc;
|
|
||||||
goto bail;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
1.7.9.2
|
|
||||||
@ -1,34 +0,0 @@
|
|||||||
From 6ca03b9161d33b1d2b55a3a1a913cf88deb2343f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dave Airlie <airlied@gmail.com>
|
|
||||||
Date: Wed, 10 Apr 2013 06:09:01 +0000
|
|
||||||
Subject: xf86: fix flush input to work with Linux evdev devices.
|
|
||||||
|
|
||||||
So when we VT switch back and attempt to flush the input devices,
|
|
||||||
we don't succeed because evdev won't return part of an event,
|
|
||||||
since we were only asking for 4 bytes, we'd only get -EINVAL back.
|
|
||||||
|
|
||||||
This could later cause events to be flushed that we shouldn't have
|
|
||||||
gotten.
|
|
||||||
|
|
||||||
This is a fix for CVE-2013-1940.
|
|
||||||
|
|
||||||
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
||||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
---
|
|
||||||
diff --git a/hw/xfree86/os-support/shared/posix_tty.c b/hw/xfree86/os-support/shared/posix_tty.c
|
|
||||||
index ab3757a..4d08c1e 100644
|
|
||||||
--- a/hw/xfree86/os-support/shared/posix_tty.c
|
|
||||||
+++ b/hw/xfree86/os-support/shared/posix_tty.c
|
|
||||||
@@ -421,7 +421,8 @@ xf86FlushInput(int fd)
|
|
||||||
{
|
|
||||||
fd_set fds;
|
|
||||||
struct timeval timeout;
|
|
||||||
- char c[4];
|
|
||||||
+ /* this needs to be big enough to flush an evdev event. */
|
|
||||||
+ char c[256];
|
|
||||||
|
|
||||||
DebugF("FlushingSerial\n");
|
|
||||||
if (tcflush(fd, TCIFLUSH) == 0)
|
|
||||||
--
|
|
||||||
cgit v0.9.0.2-2-gbebe
|
|
||||||
Loading…
Reference in New Issue
Block a user