ports/107733: update for x11-servers/xorg-server: multiple vulnerabilities
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Wed Jan 10 10:00:31 UTC 2007
>Number: 107733
>Category: ports
>Synopsis: update for x11-servers/xorg-server: multiple vulnerabilities
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Jan 10 10:00:30 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 6.2-PRERELEASE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD XXX 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #10: Fri Dec 8 14:49:46 MSK 2006 root at XXX:/usr/obj/usr/src/sys/XXX i386
>Description:
Two patches was issued by X.org that are fixing
- CVE-2006-6101 CVE-2006-6102 CVE-2006-6103,
- CVE-2006-2006-3739 and CVE 2006-3740.
Current xorg-server-6.9.0_5 misses them.
>How-To-Repeat:
Go to http://xorg.freedesktop.org/releases/X11R6.9.0/patches/index.html
and read entries about aforementioned vulnerabilities.
>Fix:
The patch that incorporates original vendor patches and bumps the
portrevision is attached. Original patch x11r6.9.0-dbe-render.diff was
modified: made proper patchfile locations by adding 'programs/Xserver/'
to patch file locations. The code was untouched.
--- CVE-2006-3739-3740-6102-6103-6104.diff begins here ---
diff -urN xorg-server.orig/Makefile xorg-server/Makefile
--- xorg-server.orig/Makefile Wed Jan 10 11:47:36 2007
+++ xorg-server/Makefile Wed Jan 10 11:49:43 2007
@@ -7,7 +7,7 @@
PORTNAME= xorg-server
PORTVERSION= 6.9.0
-PORTREVISION= 5
+PORTREVISION= 6
CATEGORIES= x11-servers
MASTER_SITES= ${MASTER_SITE_XORG}
MASTER_SITE_SUBDIR= X11R${PORTVERSION}/src
diff -urN xorg-server.orig/files/patch-CVE-2006-3739-3740 xorg-server/files/patch-CVE-2006-3739-3740
--- xorg-server.orig/files/patch-CVE-2006-3739-3740 Thu Jan 1 03:00:00 1970
+++ xorg-server/files/patch-CVE-2006-3739-3740 Wed Jan 10 11:57:09 2007
@@ -0,0 +1,96 @@
+Index: lib/font/Type1/afm.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/afm.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 afm.c
+--- lib/font/Type1/afm.c 9 Jul 2005 23:30:06 -0000 1.5
++++ lib/font/Type1/afm.c 12 Sep 2006 07:49:46 -0000
+@@ -29,6 +29,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <limits.h>
+ #else
+ #include "Xmd.h" /* For INT32 declaration */
+ #include "Xdefs.h" /* For Bool */
+@@ -118,6 +119,11 @@
+
+ fi->nChars = atoi(p);
+
++ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
++ xfree(afmbuf);
++ xfree(fi);
++ return(1);
++ }
+ fi->metrics = (Metrics *)xalloc(fi->nChars *
+ sizeof(Metrics));
+ if (fi->metrics == NULL) {
+Index: lib/font/Type1/scanfont.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/scanfont.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 scanfont.c
+--- lib/font/Type1/scanfont.c 9 Jul 2005 23:30:06 -0000 1.5
++++ lib/font/Type1/scanfont.c 12 Sep 2006 07:49:46 -0000
+@@ -57,6 +57,7 @@
+
+ #ifndef FONTMODULE
+ #include <string.h>
++#include <limits.h>
+ #else
+ #include "Xdefs.h" /* Bool declaration */
+ #include "Xmd.h" /* INT32 declaration */
+@@ -654,6 +655,7 @@
+ arrayP->data.valueP = tokenStartP;
+
+ /* allocate FDArray */
++ /* No integer overflow since arrayP->len is unsigned short */
+ FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
+ if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
+
+@@ -850,7 +852,8 @@
+ }
+ return(SCAN_OK);
+ }
+-
++ if (N > INT_MAX / sizeof(psobj))
++ return (SCAN_ERROR);
+ arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
+ if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
+ FontP->Subrs.len = N;
+@@ -911,7 +914,7 @@
+ }
+ else return(rc); /* if next token was not an Int */
+ }
+- if (N<=0) return(SCAN_ERROR);
++ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
+ /* save number of entries in the dictionary */
+
+ dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
+@@ -1719,6 +1722,10 @@
+ if (tokenType == TOKEN_INTEGER)
+ rangecnt = tokenValue.integer;
+
++ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
++ rc = SCAN_ERROR;
++ break;
++ }
+ /* ==> tokenLength, tokenTooLong, tokenType, and */
+ /* tokenValue are now set */
+
+Index: lib/font/Type1/util.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/util.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 util.c
+--- lib/font/Type1/util.c 9 Jul 2005 23:30:07 -0000 1.5
++++ lib/font/Type1/util.c 12 Sep 2006 07:49:46 -0000
+@@ -104,7 +104,7 @@
+ bytes = (bytes + 7) & ~7;
+
+ /* Allocate the space, if it is available */
+- if (bytes <= vm_free) {
++ if (bytes > 0 && bytes <= vm_free) {
+ answer = vm_next;
+ vm_free -= bytes;
+ vm_next += bytes;
diff -urN xorg-server.orig/files/patch-CVE-2006-6101-6102-6103 xorg-server/files/patch-CVE-2006-6101-6102-6103
--- xorg-server.orig/files/patch-CVE-2006-6101-6102-6103 Thu Jan 1 03:00:00 1970
+++ xorg-server/files/patch-CVE-2006-6101-6102-6103 Wed Jan 10 11:57:31 2007
@@ -0,0 +1,186 @@
+Index: dbe/dbe.c
+===================================================================
+RCS file: /cvs/xorg/xc/programs/Xserver/dbe/dbe.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 dbe.c
+--- programs/Xserver/dbe/dbe.c 3 Jul 2005 07:01:17 -0000 1.5
++++ programs/Xserver/dbe/dbe.c 9 Jan 2007 12:45:54 -0000
+@@ -55,6 +55,10 @@
+ #include "xf86_ansic.h"
+ #endif
+
++#if !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /* GLOBALS */
+
+ /* Per-screen initialization functions [init'ed by DbeRegisterFunction()] */
+@@ -733,11 +737,14 @@
+ return(Success);
+ }
+
++ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
++ return BadAlloc;
++
+ /* Get to the swap info appended to the end of the request. */
+ dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
+
+ /* Allocate array to record swap information. */
+- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
++ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
+ if (swapInfo == NULL)
+ {
+ return(BadAlloc);
+@@ -752,14 +759,14 @@
+ if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
+ SecurityWriteAccess)))
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadWindow);
+ }
+
+ /* Each window must be double-buffered - BadMatch. */
+ if (DBE_WINDOW_PRIV(pWin) == NULL)
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadMatch);
+ }
+
+@@ -768,7 +775,7 @@
+ {
+ if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadMatch);
+ }
+ }
+@@ -779,7 +786,7 @@
+ (dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
+ (dbeSwapInfo[i].swapAction != XdbeCopied ))
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadValue);
+ }
+
+@@ -809,12 +816,12 @@
+ error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
+ if (error != Success)
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(error);
+ }
+ }
+
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(Success);
+
+ } /* ProcDbeSwapBuffers() */
+@@ -898,10 +905,12 @@
+
+ REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+
++ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
++ return BadAlloc;
+ /* Make sure any specified drawables are valid. */
+ if (stuff->n != 0)
+ {
+- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
++ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
+ sizeof(DrawablePtr))))
+ {
+ return(BadAlloc);
+@@ -914,7 +923,7 @@
+ if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
+ drawables[i], client, SecurityReadAccess)))
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ return(BadDrawable);
+ }
+ }
+@@ -926,7 +935,7 @@
+ {
+ if (pDrawables)
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ }
+
+ return(BadAlloc);
+@@ -953,7 +962,7 @@
+ /* Free pDrawables if we needed to allocate it above. */
+ if (pDrawables)
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ }
+
+ return(BadAlloc);
+@@ -1034,7 +1043,7 @@
+
+ if (pDrawables)
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ }
+
+ return(client->noClientException);
+Index: render/render.c
+===================================================================
+RCS file: /cvs/xorg/xc/programs/Xserver/render/render.c,v
+retrieving revision 1.12
+diff -u -u -r1.12 render.c
+--- programs/Xserver/render/render.c 28 Aug 2005 19:47:39 -0000 1.12
++++ programs/Xserver/render/render.c 9 Jan 2007 12:45:55 -0000
+@@ -52,6 +52,10 @@
+ #include "xf86_ansic.h"
+ #endif
+
++#if !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ static int ProcRenderQueryVersion (ClientPtr pClient);
+ static int ProcRenderQueryPictFormats (ClientPtr pClient);
+ static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
+@@ -1108,11 +1112,14 @@
+ }
+
+ nglyphs = stuff->nglyphs;
++ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
++ return BadAlloc;
++
+ if (nglyphs <= NLOCALGLYPH)
+ glyphsBase = glyphsLocal;
+ else
+ {
+- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
++ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
+ if (!glyphsBase)
+ return BadAlloc;
+ }
+@@ -1169,7 +1176,7 @@
+ }
+
+ if (glyphsBase != glyphsLocal)
+- DEALLOCATE_LOCAL (glyphsBase);
++ Xfree (glyphsBase);
+ return client->noClientException;
+ bail:
+ while (glyphs != glyphsBase)
+@@ -1178,7 +1185,7 @@
+ xfree (glyphs->glyph);
+ }
+ if (glyphsBase != glyphsLocal)
+- DEALLOCATE_LOCAL (glyphsBase);
++ Xfree (glyphsBase);
+ return err;
+ }
+
--- CVE-2006-3739-3740-6102-6103-6104.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list