forked from mirrors/nixpkgs
xorg-server: remove now-upstreamed patch
I'm sorry I completely forgot to test the previous commit. Also remove some long unused patch.
This commit is contained in:
parent
834af9c905
commit
feb778507f
|
@ -188,7 +188,6 @@ in
|
|||
patches =
|
||||
[ ./xorgserver-dri-path.patch
|
||||
./xorgserver-xkbcomp-path.patch
|
||||
./xorgserver-cve-2013-4396.patch
|
||||
];
|
||||
buildInputs = attrs.buildInputs ++ [ xtrans ];
|
||||
propagatedBuildInputs =
|
||||
|
|
|
@ -1,75 +0,0 @@
|
|||
From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Mon, 16 Sep 2013 21:47:16 -0700
|
||||
Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
|
||||
[CVE-2013-4396]
|
||||
|
||||
Save a pointer to the passed in closure structure before copying it
|
||||
and overwriting the *c pointer to point to our copy instead of the
|
||||
original. If we hit an error, once we free(c), reset c to point to
|
||||
the original structure before jumping to the cleanup code that
|
||||
references *c.
|
||||
|
||||
Since one of the errors being checked for is whether the server was
|
||||
able to malloc(c->nChars * itemSize), the client can potentially pass
|
||||
a number of characters chosen to cause the malloc to fail and the
|
||||
error path to be taken, resulting in the read from freed memory.
|
||||
|
||||
Since the memory is accessed almost immediately afterwards, and the
|
||||
X server is mostly single threaded, the odds of the free memory having
|
||||
invalid contents are low with most malloc implementations when not using
|
||||
memory debugging features, but some allocators will definitely overwrite
|
||||
the memory there, leading to a likely crash.
|
||||
|
||||
Reported-by: Pedro Ribeiro <pedrib@gmail.com>
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
||||
---
|
||||
dix/dixfonts.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
|
||||
index feb765d..2e34d37 100644
|
||||
--- a/dix/dixfonts.c
|
||||
+++ b/dix/dixfonts.c
|
||||
@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
|
||||
GC *pGC;
|
||||
unsigned char *data;
|
||||
ITclosurePtr new_closure;
|
||||
+ ITclosurePtr old_closure;
|
||||
|
||||
/* We're putting the client to sleep. We need to
|
||||
save some state. Similar problem to that handled
|
||||
@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
|
||||
err = BadAlloc;
|
||||
goto bail;
|
||||
}
|
||||
+ old_closure = c;
|
||||
*new_closure = *c;
|
||||
c = new_closure;
|
||||
|
||||
data = malloc(c->nChars * itemSize);
|
||||
if (!data) {
|
||||
free(c);
|
||||
+ c = old_closure;
|
||||
err = BadAlloc;
|
||||
goto bail;
|
||||
}
|
||||
@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
|
||||
if (!pGC) {
|
||||
free(c->data);
|
||||
free(c);
|
||||
+ c = old_closure;
|
||||
err = BadAlloc;
|
||||
goto bail;
|
||||
}
|
||||
@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
|
||||
FreeScratchGC(pGC);
|
||||
free(c->data);
|
||||
free(c);
|
||||
+ c = old_closure;
|
||||
err = BadAlloc;
|
||||
goto bail;
|
||||
}
|
||||
--
|
||||
1.7.9.2
|
|
@ -1,34 +0,0 @@
|
|||
From 6ca03b9161d33b1d2b55a3a1a913cf88deb2343f Mon Sep 17 00:00:00 2001
|
||||
From: Dave Airlie <airlied@gmail.com>
|
||||
Date: Wed, 10 Apr 2013 06:09:01 +0000
|
||||
Subject: xf86: fix flush input to work with Linux evdev devices.
|
||||
|
||||
So when we VT switch back and attempt to flush the input devices,
|
||||
we don't succeed because evdev won't return part of an event,
|
||||
since we were only asking for 4 bytes, we'd only get -EINVAL back.
|
||||
|
||||
This could later cause events to be flushed that we shouldn't have
|
||||
gotten.
|
||||
|
||||
This is a fix for CVE-2013-1940.
|
||||
|
||||
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
diff --git a/hw/xfree86/os-support/shared/posix_tty.c b/hw/xfree86/os-support/shared/posix_tty.c
|
||||
index ab3757a..4d08c1e 100644
|
||||
--- a/hw/xfree86/os-support/shared/posix_tty.c
|
||||
+++ b/hw/xfree86/os-support/shared/posix_tty.c
|
||||
@@ -421,7 +421,8 @@ xf86FlushInput(int fd)
|
||||
{
|
||||
fd_set fds;
|
||||
struct timeval timeout;
|
||||
- char c[4];
|
||||
+ /* this needs to be big enough to flush an evdev event. */
|
||||
+ char c[256];
|
||||
|
||||
DebugF("FlushingSerial\n");
|
||||
if (tcflush(fd, TCIFLUSH) == 0)
|
||||
--
|
||||
cgit v0.9.0.2-2-gbebe
|
Loading…
Reference in a new issue