[PULL: xserver] Fixes for X.Org Security Advisory: Dec. 9, 2014
Alan Coopersmith
alan.coopersmith at oracle.com
Tue Dec 9 08:05:46 PST 2014

Keith: kindly pull the following into the xserver master branch.
As you know, these are the fixes for today's security advisory which
have been reviewed on the xorg-security mailing list.

Julien: once Keith is done, please backport as appropriate into the
xorg-server-1.16 branch. Known issues for backporting include:

 - the RegionSizeof patch is currently written to be applied after
   commit 995ecfb51d4ab8197e from the 1.17 development timeframe

 - the "Additional paranoia in __glXGetAnswerBuffer" patch causes
   __glXGetAnswerBuffer to return NULL in more cases, which depends on
   commit 61a292adf45405641d from the 1.17 development timeframe
   to make sure callers check for possible NULL results.
----------------------------------------------------------------
The following changes since commit 3e7218a6c23354d66f508b18164cac98a346b3ee:

  Merge remote-tracking branch 'jturney/indirect-glx-fixes' (2014-12-08 18:07:55 -0800)

are available in the git repository at:

  git://people.freedesktop.org/~alanc/xserver master

for you to fetch changes up to 7e7630bbb775573eea2a2335adb9d190c3e1e971:

  glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6] (2014-12-08 18:09:50 -0800)
----------------------------------------------------------------
Adam Jackson (12):
      glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
      glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]
      glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
      glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
      glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
      glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6]
      glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8]
      glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8]
      glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8]
      glx: Length-checking for non-generated vendor private requests [CVE-2014-8098 6/8]
      glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]
      glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]

Alan Coopersmith (18):
      unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
      dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
      dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
      dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
      dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
      dri2: integer overflow in ProcDRI2GetBuffers() [CVE-2014-8094]
      dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
      Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
      xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]
      Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
      dri3: unvalidated lengths in DRI3 extension swapped procs [CVE-2014-8103 1/2]
      present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
      randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
      render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
      xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]
      Add request length checking test cases for some Xinput 1.x requests
      Add request length checking test cases for some Xinput 2.x requests
      Add REQUEST_FIXED_SIZE testcases to test/misc.c

Julien Cristau (2):
      render: check request size before reading it [CVE-2014-8100 1/2]
      glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]

Robert Morell (1):
      glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]

Xext/xcmisc.c | 1 +
Xext/xvdisp.c | 20 ++++
Xi/chgdctl.c | 8 +-
Xi/chgfctl.c | 2 +
Xi/sendexev.c | 3 +
Xi/xiallowev.c | 2 +
Xi/xichangecursor.c | 2 +-
Xi/xichangehierarchy.c | 35 +++++-
Xi/xigetclientpointer.c | 1 +
Xi/xigrabdev.c | 9 +-
Xi/xipassivegrab.c | 12 +-
Xi/xiproperty.c | 14 +--
Xi/xiquerydevice.c | 1 +
Xi/xiquerypointer.c | 2 +
Xi/xiselectev.c | 8 ++
Xi/xisetclientpointer.c | 3 +-
Xi/xisetdevfocus.c | 4 +
Xi/xiwarppointer.c | 2 +
configure.ac | 1 +
dbe/dbe.c | 11 +-
dix/dispatch.c | 3 +
dix/region.c | 20 ++--
dri3/dri3_request.c | 6 +
glx/clientinfo.c | 19 +++-
glx/glxcmds.c | 85 ++++++++------
glx/glxcmdsswap.c | 4 +
glx/glxserver.h | 43 ++++++-
glx/indirect_program.c | 2 +
glx/indirect_reqsize.c | 142 ++++++++++++-----------
glx/indirect_reqsize.h | 181 ++++++++++++++++++------------
glx/indirect_texture_compression.c | 4 +
glx/indirect_util.c | 9 +-
glx/rensize.c | 114 +++++++++++--------
glx/single2.c | 23 +++-
glx/single2swap.c | 19 +++-
glx/singlepix.c | 60 ++++++----
glx/singlepixswap.c | 50 ++++++---
glx/swap_interval.c | 2 +
glx/unpack.h | 3 +-
hw/xfree86/dri2/dri2ext.c | 3 +
include/dix.h | 7 +-
include/regionstr.h | 10 +-
os/access.c | 6 +
os/rpcauth.c | 4 +
present/present_request.c | 6 +
randr/rrsdispatch.c | 4 +
render/render.c | 20 +++-
test/Makefile.am | 2 +-
test/misc.c | 37 ++++++
test/xi1/Makefile.am | 34 ++++++
test/xi1/protocol-xchangedevicecontrol.c | 122 ++++++++++++++++++++
test/xi2/protocol-xigetclientpointer.c | 5 +
test/xi2/protocol-xipassivegrabdevice.c | 8 ++
test/xi2/protocol-xiquerypointer.c | 4 +
test/xi2/protocol-xiwarppointer.c | 3 +
xfixes/select.c | 1 +
56 files changed, 893 insertions(+), 313 deletions(-)
create mode 100644 test/xi1/Makefile.am
create mode 100644 test/xi1/protocol-xchangedevicecontrol.c
--
-Alan Coopersmith- alan.coopersmith at oracle.com
X.Org Security Response Team - xorg-security at lists.x.org