[PULL v2 xserver] Fixes for X.Org Security Advisory: Dec. 9, 2014

Keith Packard keithp at keithp.com
Tue Dec 9 11:50:38 PST 2014


Alan Coopersmith <alan.coopersmith at oracle.com> writes:

> Adam Jackson (12):
>        glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
>        glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]
>        glx: Additional paranoia in __glXGetAnswerBuffer / 
> __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
>        glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
>        glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
>        glx: Integer overflow protection for non-generated render requests (v3) 
> [CVE-2014-8093 5/6]
>        glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8]
>        glx: Top-level length checking for swapped VendorPrivate requests 
> [CVE-2014-8098 4/8]
>        glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8]
>        glx: Length-checking for non-generated vendor private requests 
> [CVE-2014-8098 6/8]
>        glx: Length checking for non-generated single requests (v2) 
> [CVE-2014-8098 7/8]
>        glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]
>
> Alan Coopersmith (18):
>        unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]
>        dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
>        dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
>        dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
>        dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
>        dri2: integer overflow in ProcDRI2GetBuffers() [CVE-2014-8094]
>        dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
>        Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
>        xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]
>        Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
>        dri3: unvalidated lengths in DRI3 extension swapped procs [CVE-2014-8103 1/2]
>        present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
>        randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
>        render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
>        xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]
>        Add request length checking test cases for some Xinput 1.x requests
>        Add request length checking test cases for some Xinput 2.x requests
>        Add REQUEST_FIXED_SIZE testcases to test/misc.c
>
> Julien Cristau (2):
>        render: check request size before reading it [CVE-2014-8100 1/2]
>        glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]
>
> Keith Packard (4):
>        dbe: Call to DDX SwapBuffers requires address of int, not unsigned int 
> [CVE-2014-8097 pt. 2]
>        glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9]
>        Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
>        dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
>
> Robert Morell (1):
>        glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]

Merged.
   8aa23f2..6704bb0  master -> master

-- 
keith.packard at intel.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 810 bytes
Desc: not available
URL: <http://lists.x.org/archives/xorg-devel/attachments/20141209/d72684a6/attachment.sig>


More information about the xorg-devel mailing list