xserver: Changes to 'refs/tags/xorg-server-1.16.2.901'
Julien Cristau
jcristau at kemper.freedesktop.org
Tue Dec 9 12:12:37 PST 2014
Tag 'xorg-server-1.16.2.901' created by Julien Cristau <jcristau at debian.org> at 2014-12-09 20:09 -0800
xorg-server-1.16.2.901
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIbBAABCAAGBQJUh1cJAAoJEDEBgAUJBeQMpNIP902aO2hwoEzS/hkeK5cCy7H5
+l+IEyfMib8pWHVAqbd+1kCNDIdfcJkRbX6Rbjkz422RoYP+lM3UZxU/jcxZjz+W
E7sUF5CnAjjr6HpRpmVAb4bYWz54Xx251TSixaVV2BWyB+Sq9U0PZtG5TGke7k0U
Ryy7GH59H8zyEA3d1HDXPSb89+nNDYNI4TEd/aOx3aG78diudZkXWo3w6QT2aChU
Ru60fdT0j67IAjcet/wBX68QRNgACQbh4q214KXf2hSSNlU2oeOINZDN6WSYK6TF
bzjeGkoHfv62aHnosHKiVjgYidh9BT8MMkZeVWB6K2Hi3etjlwnppfTICzrlLUT+
lEZwoSWNwC0sihfVg/GDop6cKVTa2qir7fS4L5srzxQMbTQiiEXnwo8oV0RRbNNg
AzRoeil0TZdtIXPHzZsfWF5QE3JYuvR8tS7cOoMnwXZMbrUQXkJ1p4tzKr03z8t3
+d96sHoMGsaRNmkTUMbDQFATtbmBsxSWA7XIOMMnNeEA4P9vrrxpAN6GCcZBafg9
8+AzT79Bv+S3wnKCGsoBuUcbcF6+1F46iIZ1cydMv8N+JkNrJay3qvuXG8gBekz/
WL74dDeGMB7gKzvGh95SPvFmUvN40BLk9pYy5BtpgRYgVwsKnL45T2nc2RZ/6DTl
5tXXz3POuoaHUpaDH1M=
=jyNG
-----END PGP SIGNATURE-----
Changes since xorg-server-1.16.2:
Adam Jackson (12):
glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]
glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6]
glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8]
glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8]
glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8]
glx: Length-checking for non-generated vendor private requests [CVE-2014-8098 6/8]
glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]
glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]
Alan Coopersmith (19):
Add -iglx & +iglx to Xserver.man
unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
dri2: integer overflow in ProcDRI2GetBuffers() [CVE-2014-8094]
dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]
Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
dri3: unvalidated lengths in DRI3 extension swapped procs [CVE-2014-8103 1/2]
present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]
Add request length checking test cases for some Xinput 1.x requests
Add request length checking test cases for some Xinput 2.x requests
Add REQUEST_FIXED_SIZE testcases to test/misc.c
Alex Orange (1):
fb: Fix Bresenham algorithms for commonly used small segments.
Julien Cristau (3):
render: check request size before reading it [CVE-2014-8100 1/2]
glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]
Bump to 1.16.2.901
Keith Packard (6):
present: Support PresentOptionCopy
glx: check return from __glXGetAnswerBuffer
dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9]
Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
Mario Kleiner (2):
present: Avoid crashes in DebugPresent(), a bit more info.
present: Fix use of vsynced pageflips and honor PresentOptionAsync. (v4)
Robert Morell (1):
glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]
---
Xext/xcmisc.c | 1
Xext/xvdisp.c | 20 +++
Xi/chgdctl.c | 8 +
Xi/chgfctl.c | 2
Xi/sendexev.c | 3
Xi/xiallowev.c | 2
Xi/xichangecursor.c | 2
Xi/xichangehierarchy.c | 35 +++++
Xi/xigetclientpointer.c | 1
Xi/xigrabdev.c | 9 +
Xi/xipassivegrab.c | 12 +-
Xi/xiproperty.c | 14 +-
Xi/xiquerydevice.c | 1
Xi/xiquerypointer.c | 2
Xi/xiselectev.c | 8 +
Xi/xisetclientpointer.c | 3
Xi/xisetdevfocus.c | 4
Xi/xiwarppointer.c | 2
configure.ac | 5
dbe/dbe.c | 17 ++
dix/dispatch.c | 3
dix/region.c | 20 ++-
dri3/dri3_request.c | 6 +
fb/fbseg.c | 20 +--
glx/clientinfo.c | 20 ++-
glx/glxcmds.c | 85 ++++++++------
glx/glxcmdsswap.c | 4
glx/glxserver.h | 43 +++++++
glx/indirect_dispatch.c | 25 ++++
glx/indirect_dispatch_swap.c | 26 ++++
glx/indirect_program.c | 2
glx/indirect_reqsize.c | 142 +++++++++++-------------
glx/indirect_reqsize.h | 181 +++++++++++++++++++------------
glx/indirect_texture_compression.c | 4
glx/indirect_util.c | 9 +
glx/rensize.c | 114 +++++++++++--------
glx/single2.c | 23 +++
glx/single2swap.c | 19 ++-
glx/singlepix.c | 60 ++++++----
glx/singlepixswap.c | 50 ++++++--
glx/swap_interval.c | 2
glx/unpack.h | 3
hw/xfree86/dri2/dri2ext.c | 3
include/dix.h | 7 +
include/regionstr.h | 10 +
man/Xserver.man | 10 +
os/access.c | 6 +
os/rpcauth.c | 4
present/present.c | 18 ++-
present/present_request.c | 6 +
randr/rrsdispatch.c | 4
render/render.c | 20 ++-
test/Makefile.am | 2
test/misc.c | 37 ++++++
test/xi1/Makefile.am | 34 +++++
test/xi1/protocol-xchangedevicecontrol.c | 122 ++++++++++++++++++++
test/xi2/protocol-xigetclientpointer.c | 5
test/xi2/protocol-xipassivegrabdevice.c | 8 +
test/xi2/protocol-xiquerypointer.c | 4
test/xi2/protocol-xiwarppointer.c | 3
xfixes/select.c | 1
61 files changed, 984 insertions(+), 332 deletions(-)
---
More information about the xorg-commit
mailing list