[PULL v2 xserver] Fixes for X.Org Security Advisory: Dec. 9, 2014
Alan Coopersmith
alan.coopersmith at oracle.com
Tue Dec 9 11:38:40 PST 2014
Changes since v1: added 4 more patches from Keith to the end to fix issues
found by compiler warnings - these were not squashed into the prior patches
so that distros who applied the earlier patches can just add these on top.

The following changes since commit 3e7218a6c23354d66f508b18164cac98a346b3ee:

  Merge remote-tracking branch 'jturney/indirect-glx-fixes' (2014-12-08 18:07:55 -0800)

are available in the git repository at:

  git://people.freedesktop.org/~alanc/xserver master

for you to fetch changes up to 1559a94395258fd73e369f1a2c98a44bfe21a486:

  dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6] (2014-12-09 11:30:52 -0800)

----------------------------------------------------------------
Adam Jackson (12):
      glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
      glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]
      glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
      glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
      glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
      glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6]
      glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8]
      glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8]
      glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8]
      glx: Length-checking for non-generated vendor private requests [CVE-2014-8098 6/8]
      glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]
      glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]

Alan Coopersmith (18):
      unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
      dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
      dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
      dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
      dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
      dri2: integer overflow in ProcDRI2GetBuffers() [CVE-2014-8094]
      dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
      Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
      xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]
      Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
      dri3: unvalidated lengths in DRI3 extension swapped procs [CVE-2014-8103 1/2]
      present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
      randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
      render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
      xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]
      Add request length checking test cases for some Xinput 1.x requests
      Add request length checking test cases for some Xinput 2.x requests
      Add REQUEST_FIXED_SIZE testcases to test/misc.c

Julien Cristau (2):
      render: check request size before reading it [CVE-2014-8100 1/2]
      glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]

Keith Packard (4):
      dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
      glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9]
      Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
      dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]

Robert Morell (1):
      glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]

Xext/xcmisc.c | 1 +
Xext/xvdisp.c | 20 ++++
Xi/chgdctl.c | 8 +-
Xi/chgfctl.c | 2 +
Xi/sendexev.c | 3 +
Xi/xiallowev.c | 2 +
Xi/xichangecursor.c | 2 +-
Xi/xichangehierarchy.c | 35 +++++-
Xi/xigetclientpointer.c | 1 +
Xi/xigrabdev.c | 9 +-
Xi/xipassivegrab.c | 12 +-
Xi/xiproperty.c | 14 +--
Xi/xiquerydevice.c | 1 +
Xi/xiquerypointer.c | 2 +
Xi/xiselectev.c | 8 ++
Xi/xisetclientpointer.c | 3 +-
Xi/xisetdevfocus.c | 4 +
Xi/xiwarppointer.c | 2 +
configure.ac | 1 +
dbe/dbe.c | 17 ++-
dix/dispatch.c | 3 +
dix/region.c | 20 ++--
dri3/dri3_request.c | 6 +
glx/clientinfo.c | 20 +++-
glx/glxcmds.c | 85 ++++++++------
glx/glxcmdsswap.c | 4 +
glx/glxserver.h | 43 ++++++-
glx/indirect_program.c | 2 +
glx/indirect_reqsize.c | 142 ++++++++++++-----------
glx/indirect_reqsize.h | 181 ++++++++++++++++++------------
glx/indirect_texture_compression.c | 4 +
glx/indirect_util.c | 9 +-
glx/rensize.c | 114 +++++++++++--------
glx/single2.c | 23 +++-
glx/single2swap.c | 19 +++-
glx/singlepix.c | 60 ++++++----
glx/singlepixswap.c | 50 ++++++---
glx/swap_interval.c | 2 +
glx/unpack.h | 3 +-
hw/xfree86/dri2/dri2ext.c | 3 +
include/dix.h | 7 +-
include/regionstr.h | 10 +-
os/access.c | 6 +
os/rpcauth.c | 4 +
present/present_request.c | 6 +
randr/rrsdispatch.c | 4 +
render/render.c | 20 +++-
test/Makefile.am | 2 +-
test/misc.c | 37 ++++++
test/xi1/Makefile.am | 34 ++++++
test/xi1/protocol-xchangedevicecontrol.c | 122 ++++++++++++++++++++
test/xi2/protocol-xigetclientpointer.c | 5 +
test/xi2/protocol-xipassivegrabdevice.c | 8 ++
test/xi2/protocol-xiquerypointer.c | 4 +
test/xi2/protocol-xiwarppointer.c | 3 +
xfixes/select.c | 1 +
56 files changed, 898 insertions(+), 315 deletions(-)
create mode 100644 test/xi1/Makefile.am
create mode 100644 test/xi1/protocol-xchangedevicecontrol.c
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc