diff options
| author | Peter Simons <simons@cryp.to> | 2013-10-18 18:57:24 +0200 |
|---|---|---|
| committer | Peter Simons <simons@cryp.to> | 2013-10-18 18:57:24 +0200 |
| commit | 6be8ad3392d87e277804ddec364377b5341430b7 (patch) | |
| tree | ce8a334fb3611b27336e9602bd248682931016b8 /pkgs/servers/x11 | |
| parent | ea6f711e8ec7208626a084edb81a78ee455a0b67 (diff) | |
| parent | 06d6c3ed5d061e95d1db92f7eff08d5c1a2181d8 (diff) | |
| download | nixlib-6be8ad3392d87e277804ddec364377b5341430b7.tar nixlib-6be8ad3392d87e277804ddec364377b5341430b7.tar.gz nixlib-6be8ad3392d87e277804ddec364377b5341430b7.tar.bz2 nixlib-6be8ad3392d87e277804ddec364377b5341430b7.tar.lz nixlib-6be8ad3392d87e277804ddec364377b5341430b7.tar.xz nixlib-6be8ad3392d87e277804ddec364377b5341430b7.tar.zst nixlib-6be8ad3392d87e277804ddec364377b5341430b7.zip | |
Merge branch 'origin/master' into stdenv-updates.
There was a minor conflict in 'stumpwm'. The package needs texinfo version 4.x. At least is used to, I'm not sure whether it still does.
Diffstat (limited to 'pkgs/servers/x11')
| -rw-r--r-- | pkgs/servers/x11/xorg/overrides.nix | 6 | ||||
| -rw-r--r-- | pkgs/servers/x11/xorg/xorgserver-cve-2013-4396.patch | 75 |
2 files changed, 80 insertions, 1 deletions
diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix index 099283afedd6..c8e20f1f0b99 100644 --- a/pkgs/servers/x11/xorg/overrides.nix +++ b/pkgs/servers/x11/xorg/overrides.nix @@ -198,7 +198,11 @@ in "--with-default-font-path= " # there were only paths containing "${prefix}", # and there are no fonts in this package anyway ]; - patches = [./xorgserver-dri-path.patch ./xorgserver-xkbcomp-path.patch]; + patches = + [ ./xorgserver-dri-path.patch + ./xorgserver-xkbcomp-path.patch + ./xorgserver-cve-2013-4396.patch + ]; buildInputs = attrs.buildInputs ++ [ xtrans ]; propagatedBuildInputs = [ args.zlib args.udev args.mesa args.dbus.libs diff --git a/pkgs/servers/x11/xorg/xorgserver-cve-2013-4396.patch b/pkgs/servers/x11/xorg/xorgserver-cve-2013-4396.patch new file mode 100644 index 000000000000..4b6727e61c05 --- /dev/null +++ b/pkgs/servers/x11/xorg/xorgserver-cve-2013-4396.patch @@ -0,0 +1,75 @@ +From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Mon, 16 Sep 2013 21:47:16 -0700 +Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText() + [CVE-2013-4396] + +Save a pointer to the passed in closure structure before copying it +and overwriting the *c pointer to point to our copy instead of the +original. If we hit an error, once we free(c), reset c to point to +the original structure before jumping to the cleanup code that +references *c. + +Since one of the errors being checked for is whether the server was +able to malloc(c->nChars * itemSize), the client can potentially pass +a number of characters chosen to cause the malloc to fail and the +error path to be taken, resulting in the read from freed memory. + +Since the memory is accessed almost immediately afterwards, and the +X server is mostly single threaded, the odds of the free memory having +invalid contents are low with most malloc implementations when not using +memory debugging features, but some allocators will definitely overwrite +the memory there, leading to a likely crash. + +Reported-by: Pedro Ribeiro <pedrib@gmail.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +--- + dix/dixfonts.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/dix/dixfonts.c b/dix/dixfonts.c +index feb765d..2e34d37 100644 +--- a/dix/dixfonts.c ++++ b/dix/dixfonts.c +@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c) + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c) + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + + data = malloc(c->nChars * itemSize); + if (!data) { + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c) + if (!pGC) { + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c) + FreeScratchGC(pGC); + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +-- +1.7.9.2 |