ports/107733: update for x11-servers/xorg-server: multiple vulnerabilities

Eygene Ryabinkin rea-fbsd at codelabs.ru
Wed Jan 10 10:00:31 UTC 2007


>Number:         107733
>Category:       ports
>Synopsis:       update for x11-servers/xorg-server: multiple vulnerabilities
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 10 10:00:30 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 6.2-PRERELEASE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD XXX 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #10: Fri Dec 8 14:49:46 MSK 2006 root at XXX:/usr/obj/usr/src/sys/XXX i386
>Description:
Two patches were issued by X.org that fix
- CVE-2006-6101, CVE-2006-6102 and CVE-2006-6103,
- CVE-2006-3739 and CVE-2006-3740.
The current xorg-server-6.9.0_5 lacks them.
>How-To-Repeat:
Go to http://xorg.freedesktop.org/releases/X11R6.9.0/patches/index.html
and read entries about aforementioned vulnerabilities.
>Fix:
The attached patch incorporates the original vendor patches and bumps the
port revision. The original patch x11r6.9.0-dbe-render.diff was modified
only to correct the patch file locations, by prefixing 'programs/Xserver/'
to the paths. The code itself was untouched.

--- CVE-2006-3739-3740-6102-6103-6104.diff begins here ---
diff -urN xorg-server.orig/Makefile xorg-server/Makefile
--- xorg-server.orig/Makefile	Wed Jan 10 11:47:36 2007
+++ xorg-server/Makefile	Wed Jan 10 11:49:43 2007
@@ -7,7 +7,7 @@
 
 PORTNAME=	xorg-server
 PORTVERSION=	6.9.0
-PORTREVISION=	5
+PORTREVISION=	6
 CATEGORIES=	x11-servers
 MASTER_SITES=	${MASTER_SITE_XORG}
 MASTER_SITE_SUBDIR=	X11R${PORTVERSION}/src
diff -urN xorg-server.orig/files/patch-CVE-2006-3739-3740 xorg-server/files/patch-CVE-2006-3739-3740
--- xorg-server.orig/files/patch-CVE-2006-3739-3740	Thu Jan  1 03:00:00 1970
+++ xorg-server/files/patch-CVE-2006-3739-3740	Wed Jan 10 11:57:09 2007
@@ -0,0 +1,96 @@
+Index: lib/font/Type1/afm.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/afm.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 afm.c
+--- lib/font/Type1/afm.c	9 Jul 2005 23:30:06 -0000	1.5
++++ lib/font/Type1/afm.c	12 Sep 2006 07:49:46 -0000
+@@ -29,6 +29,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <limits.h>
+ #else
+ #include "Xmd.h"        /* For INT32 declaration */
+ #include "Xdefs.h"      /* For Bool */
+@@ -118,6 +119,11 @@
+             
+             fi->nChars = atoi(p);
+ 
++	    if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
++		xfree(afmbuf);
++		xfree(fi);
++		return(1);
++	    }
+             fi->metrics = (Metrics *)xalloc(fi->nChars * 
+                 sizeof(Metrics));
+             if (fi->metrics == NULL) {
+Index: lib/font/Type1/scanfont.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/scanfont.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 scanfont.c
+--- lib/font/Type1/scanfont.c	9 Jul 2005 23:30:06 -0000	1.5
++++ lib/font/Type1/scanfont.c	12 Sep 2006 07:49:46 -0000
+@@ -57,6 +57,7 @@
+ 
+ #ifndef FONTMODULE
+ #include <string.h>
++#include <limits.h>
+ #else
+ #include "Xdefs.h"	/* Bool declaration */
+ #include "Xmd.h"	/* INT32 declaration */
+@@ -654,6 +655,7 @@
+   arrayP->data.valueP = tokenStartP;
+ 
+   /* allocate FDArray */
++  /* No integer overflow since arrayP->len is unsigned short */
+   FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
+   if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
+ 
+@@ -850,7 +852,8 @@
+      }
+      return(SCAN_OK);
+    }
+- 
++   if (N > INT_MAX / sizeof(psobj)) 
++       return (SCAN_ERROR);
+    arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
+    if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
+    FontP->Subrs.len = N;
+@@ -911,7 +914,7 @@
+      }
+      else return(rc);  /* if next token was not an Int */
+    }
+-   if (N<=0) return(SCAN_ERROR);
++   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
+    /* save number of entries in the dictionary */
+  
+    dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
+@@ -1719,6 +1722,10 @@
+     if (tokenType == TOKEN_INTEGER)
+       rangecnt = tokenValue.integer;
+ 
++    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
++	rc = SCAN_ERROR;
++	break;
++    }
+     /* ==> tokenLength, tokenTooLong, tokenType, and */
+     /* tokenValue are now set                        */
+ 
+Index: lib/font/Type1/util.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/util.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 util.c
+--- lib/font/Type1/util.c	9 Jul 2005 23:30:07 -0000	1.5
++++ lib/font/Type1/util.c	12 Sep 2006 07:49:46 -0000
+@@ -104,7 +104,7 @@
+   bytes = (bytes + 7) & ~7;
+  
+   /* Allocate the space, if it is available */
+-  if (bytes <= vm_free) {
++  if (bytes > 0 && bytes <= vm_free) {
+     answer = vm_next;
+     vm_free -= bytes;
+     vm_next += bytes;
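Review bot: The new dictionary bound `if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);` guards a product of N elements, but the allocation two lines below is `vm_alloc((N+1)*sizeof(psdict))`, so N == INT_MAX / sizeof(psdict) passes the check and the requested size exceeds INT_MAX by one element. The check should match the allocation it guards: `if (N<=0 || N > INT_MAX / sizeof(psdict) - 1) return(SCAN_ERROR);`. The util.c change to `if (bytes > 0 && bytes <= vm_free)` presumably rejects the resulting size if vm_alloc's parameter is a signed int, so this reads as a gap in defence in depth rather than a live hole, but the two guards should not rely on each other. The enclosing functions in afm.c and scanfont.c begin and end outside the quoted hunks.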
diff -urN xorg-server.orig/files/patch-CVE-2006-6101-6102-6103 xorg-server/files/patch-CVE-2006-6101-6102-6103
--- xorg-server.orig/files/patch-CVE-2006-6101-6102-6103	Thu Jan  1 03:00:00 1970
+++ xorg-server/files/patch-CVE-2006-6101-6102-6103	Wed Jan 10 11:57:31 2007
@@ -0,0 +1,186 @@
+Index: dbe/dbe.c
+===================================================================
+RCS file: /cvs/xorg/xc/programs/Xserver/dbe/dbe.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 dbe.c
+--- programs/Xserver/dbe/dbe.c	3 Jul 2005 07:01:17 -0000	1.5
++++ programs/Xserver/dbe/dbe.c	9 Jan 2007 12:45:54 -0000
+@@ -55,6 +55,10 @@
+ #include "xf86_ansic.h"
+ #endif
+ 
++#if !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /* GLOBALS */
+ 
+ /* Per-screen initialization functions [init'ed by DbeRegisterFunction()] */
+@@ -733,11 +737,14 @@
+         return(Success);
+     }
+ 
++    if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
++	    return BadAlloc;
++
+     /* Get to the swap info appended to the end of the request. */
+     dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
+ 
+     /* Allocate array to record swap information. */ 
+-    swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
++    swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
+     if (swapInfo == NULL)
+     {
+         return(BadAlloc);
+@@ -752,14 +759,14 @@
+         if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
+ 					  SecurityWriteAccess)))
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+ 	    return(BadWindow);
+         }
+ 
+         /* Each window must be double-buffered - BadMatch. */
+         if (DBE_WINDOW_PRIV(pWin) == NULL)
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+             return(BadMatch);
+         }
+ 
+@@ -768,7 +775,7 @@
+         {
+             if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
+             {
+-                DEALLOCATE_LOCAL(swapInfo);
++                Xfree(swapInfo);
+                 return(BadMatch);
+ 	    }
+         }
+@@ -779,7 +786,7 @@
+             (dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
+             (dbeSwapInfo[i].swapAction != XdbeCopied    ))
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+             return(BadValue);
+         }
+ 
+@@ -809,12 +816,12 @@
+         error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
+         if (error != Success)
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+             return(error);
+         }
+     }
+     
+-    DEALLOCATE_LOCAL(swapInfo);
++    Xfree(swapInfo);
+     return(Success);
+ 
+ } /* ProcDbeSwapBuffers() */
+@@ -898,10 +905,12 @@
+ 
+     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ 
++    if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
++	    return BadAlloc;
+     /* Make sure any specified drawables are valid. */
+     if (stuff->n != 0)
+     {
+-        if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
++        if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
+                                                  sizeof(DrawablePtr))))
+         {
+             return(BadAlloc);
+@@ -914,7 +923,7 @@
+             if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
+ 				drawables[i], client, SecurityReadAccess)))
+             {
+-                DEALLOCATE_LOCAL(pDrawables);
++                Xfree(pDrawables);
+                 return(BadDrawable);
+             }
+         }
+@@ -926,7 +935,7 @@
+     {
+         if (pDrawables)
+         {
+-            DEALLOCATE_LOCAL(pDrawables);
++            Xfree(pDrawables);
+         }
+ 
+         return(BadAlloc);
+@@ -953,7 +962,7 @@
+             /* Free pDrawables if we needed to allocate it above. */
+             if (pDrawables)
+             {
+-                DEALLOCATE_LOCAL(pDrawables);
++                Xfree(pDrawables);
+             }
+ 
+             return(BadAlloc);
+@@ -1034,7 +1043,7 @@
+ 
+     if (pDrawables)
+     {
+-        DEALLOCATE_LOCAL(pDrawables);
++        Xfree(pDrawables);
+     }
+ 
+     return(client->noClientException);
+Index: render/render.c
+===================================================================
+RCS file: /cvs/xorg/xc/programs/Xserver/render/render.c,v
+retrieving revision 1.12
+diff -u -u -r1.12 render.c
+--- programs/Xserver/render/render.c	28 Aug 2005 19:47:39 -0000	1.12
++++ programs/Xserver/render/render.c	9 Jan 2007 12:45:55 -0000
+@@ -52,6 +52,10 @@
+ #include "xf86_ansic.h"
+ #endif
+ 
++#if !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ static int ProcRenderQueryVersion (ClientPtr pClient);
+ static int ProcRenderQueryPictFormats (ClientPtr pClient);
+ static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
+@@ -1108,11 +1112,14 @@
+     }
+ 
+     nglyphs = stuff->nglyphs;
++    if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
++	    return BadAlloc;
++
+     if (nglyphs <= NLOCALGLYPH)
+ 	glyphsBase = glyphsLocal;
+     else
+     {
+-	glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
++	glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
+ 	if (!glyphsBase)
+ 	    return BadAlloc;
+     }
+@@ -1169,7 +1176,7 @@
+     }
+ 
+     if (glyphsBase != glyphsLocal)
+-	DEALLOCATE_LOCAL (glyphsBase);
++	Xfree (glyphsBase);
+     return client->noClientException;
+ bail:
+     while (glyphs != glyphsBase)
+@@ -1178,7 +1185,7 @@
+ 	xfree (glyphs->glyph);
+     }
+     if (glyphsBase != glyphsLocal)
+-	DEALLOCATE_LOCAL (glyphsBase);
++	Xfree (glyphsBase);
+     return err;
+ }
+ 
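Review bot: The `#if !defined(UINT32_MAX)` / `#define UINT32_MAX 0xffffffffU` / `#endif` fallback is pasted verbatim into both dbe.c and render.c; defining it once in a shared header keeps the two copies from drifting. The added guards also mix a tab-indented `return BadAlloc;` (under `if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))`, and likewise in ProcDbeGetVisualInfo and ProcRenderAddGlyphs) with the space-indented code around them. The `UINT32_MAX / sizeof(...)` bound only keeps the size multiplication from wrapping; whether nStuff, stuff->n and nglyphs are also validated against the actual request length is outside these hunks, so I cannot confirm from here that the now heap-allocated arrays match the bytes the client sent. The enclosing request handlers begin and end outside the quoted hunks.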
--- CVE-2006-3739-3740-6102-6103-6104.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:


