[PULL: xserver] Fixes for X.Org Security Advisory: Dec. 9, 2014

Alan Coopersmith alan.coopersmith at oracle.com
Tue Dec 9 08:05:46 PST 2014


Keith: kindly pull the following into the xserver master branch.
As you know, these are the fixes for today's security advisory which
have been reviewed on the xorg-security mailing list.

Julien: once Keith is done, please backport as appropriate into the
xorg-server-1.16 branch.  Known issues for backporting include:
 - the RegionSizeof patch is currently written to be applied after
   commit 995ecfb51d4ab8197e from the 1.17 development timeframe
 - the "Additional paranoia in __glXGetAnswerBuffer" patch causes
   __glXGetAnswerBuffer to return NULL in more cases, which depends on
   commit 61a292adf45405641d from the 1.17 development timeframe
   to make sure callers check for possible NULL results.

----------------------------------------------------------------

The following changes since commit 3e7218a6c23354d66f508b18164cac98a346b3ee:

  Merge remote-tracking branch 'jturney/indirect-glx-fixes' (2014-12-08 18:07:55 -0800)

are available in the git repository at:


  git://people.freedesktop.org/~alanc/xserver master

for you to fetch changes up to 7e7630bbb775573eea2a2335adb9d190c3e1e971:

  glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6] (2014-12-08 18:09:50 -0800)

----------------------------------------------------------------
Adam Jackson (12):
      glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
      glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]
      glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
      glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
      glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
      glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6]
      glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8]
      glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8]
      glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8]
      glx: Length-checking for non-generated vendor private requests [CVE-2014-8098 6/8]
      glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]
      glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]

Alan Coopersmith (18):
      unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
      dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
      dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
      dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
      dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
      dri2: integer overflow in ProcDRI2GetBuffers() [CVE-2014-8094]
      dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
      Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
      xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]
      Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
      dri3: unvalidated lengths in DRI3 extension swapped procs [CVE-2014-8103 1/2]
      present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
      randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
      render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
      xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]
      Add request length checking test cases for some Xinput 1.x requests
      Add request length checking test cases for some Xinput 2.x requests
      Add REQUEST_FIXED_SIZE testcases to test/misc.c

Julien Cristau (2):
      render: check request size before reading it [CVE-2014-8100 1/2]
      glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]

Robert Morell (1):
      glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]

 Xext/xcmisc.c                            |    1 +
 Xext/xvdisp.c                            |   20 ++++
 Xi/chgdctl.c                             |    8 +-
 Xi/chgfctl.c                             |    2 +
 Xi/sendexev.c                            |    3 +
 Xi/xiallowev.c                           |    2 +
 Xi/xichangecursor.c                      |    2 +-
 Xi/xichangehierarchy.c                   |   35 +++++-
 Xi/xigetclientpointer.c                  |    1 +
 Xi/xigrabdev.c                           |    9 +-
 Xi/xipassivegrab.c                       |   12 +-
 Xi/xiproperty.c                          |   14 +--
 Xi/xiquerydevice.c                       |    1 +
 Xi/xiquerypointer.c                      |    2 +
 Xi/xiselectev.c                          |    8 ++
 Xi/xisetclientpointer.c                  |    3 +-
 Xi/xisetdevfocus.c                       |    4 +
 Xi/xiwarppointer.c                       |    2 +
 configure.ac                             |    1 +
 dbe/dbe.c                                |   11 +-
 dix/dispatch.c                           |    3 +
 dix/region.c                             |   20 ++--
 dri3/dri3_request.c                      |    6 +
 glx/clientinfo.c                         |   19 +++-
 glx/glxcmds.c                            |   85 ++++++++------
 glx/glxcmdsswap.c                        |    4 +
 glx/glxserver.h                          |   43 ++++++-
 glx/indirect_program.c                   |    2 +
 glx/indirect_reqsize.c                   |  142 ++++++++++++-----------
 glx/indirect_reqsize.h                   |  181 ++++++++++++++++++------------
 glx/indirect_texture_compression.c       |    4 +
 glx/indirect_util.c                      |    9 +-
 glx/rensize.c                            |  114 +++++++++++--------
 glx/single2.c                            |   23 +++-
 glx/single2swap.c                        |   19 +++-
 glx/singlepix.c                          |   60 ++++++----
 glx/singlepixswap.c                      |   50 ++++++---
 glx/swap_interval.c                      |    2 +
 glx/unpack.h                             |    3 +-
 hw/xfree86/dri2/dri2ext.c                |    3 +
 include/dix.h                            |    7 +-
 include/regionstr.h                      |   10 +-
 os/access.c                              |    6 +
 os/rpcauth.c                             |    4 +
 present/present_request.c                |    6 +
 randr/rrsdispatch.c                      |    4 +
 render/render.c                          |   20 +++-
 test/Makefile.am                         |    2 +-
 test/misc.c                              |   37 ++++++
 test/xi1/Makefile.am                     |   34 ++++++
 test/xi1/protocol-xchangedevicecontrol.c |  122 ++++++++++++++++++++
 test/xi2/protocol-xigetclientpointer.c   |    5 +
 test/xi2/protocol-xipassivegrabdevice.c  |    8 ++
 test/xi2/protocol-xiquerypointer.c       |    4 +
 test/xi2/protocol-xiwarppointer.c        |    3 +
 xfixes/select.c                          |    1 +
 56 files changed, 893 insertions(+), 313 deletions(-)
 create mode 100644 test/xi1/Makefile.am
 create mode 100644 test/xi1/protocol-xchangedevicecontrol.c

-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	  X.Org Security Response Team - xorg-security at lists.x.org