[PATCH 0/5] integer overflows in Xdmx & Xephyr

Alan Coopersmith alan.coopersmith at oracle.com
Thu May 23 09:27:25 PDT 2013

As part of the report of the security bugs announced this morning, the same
researcher also reported similar issues in the client-side GLX & DRI code in
the Xdmx & Xephyr X servers.   Since these are not normally installed setuid
or otherwise with higher privileges than the underlying X servers that they
connect to, the X.Org security team agreed to treat these as simple bug fixes,
not security issues.

These are candidates for stable releases as they do fix server crashes, but
only in rare cases when malformed protocol is sent by the X server they 
display onto.

Alan Coopersmith (5):
  Xdmx: integer overflow in GetGLXVisualConfigs()
  Xdmx: integer overflow in GetGLXFBConfigs()
  Xephyr: integer overflow in ephyrHostGLXGetStringFromServer()
  Xephyr: integer overflow in XF86DRIOpenConnection()
  Xephyr: integer overflow in XF86DRIGetClientDriverName()

 hw/dmx/dmx_glxvisuals.c        |   25 +++++++++++++++++--------
 hw/kdrive/ephyr/XF86dri.c      |   14 ++++++++++----
 hw/kdrive/ephyr/ephyrhostglx.c |   40 +++++++++++++++++++++++-----------------
 3 files changed, 50 insertions(+), 29 deletions(-)


More information about the xorg-devel mailing list