summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk2
-rw-r--r--gnu/packages/patches/xorg-server-CVE-2017-10971.patch153
-rw-r--r--gnu/packages/patches/xorg-server-CVE-2017-10972.patch35
-rw-r--r--gnu/packages/xorg.scm10
4 files changed, 4 insertions, 196 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index ad8b02a082..6db176b767 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1124,8 +1124,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/xinetd-fix-fd-leak.patch			\
   %D%/packages/patches/xinetd-CVE-2013-4342.patch		\
   %D%/packages/patches/xmodmap-asprintf.patch 			\
-  %D%/packages/patches/xorg-server-CVE-2017-10971.patch		\
-  %D%/packages/patches/xorg-server-CVE-2017-10972.patch 	\
   %D%/packages/patches/libyaml-CVE-2014-9130.patch 		\
   %D%/packages/patches/zathura-plugindir-environment-variable.patch	\
   %D%/packages/patches/zziplib-CVE-2017-5974.patch		\
diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10971.patch b/gnu/packages/patches/xorg-server-CVE-2017-10971.patch
deleted file mode 100644
index 2696033e58..0000000000
--- a/gnu/packages/patches/xorg-server-CVE-2017-10971.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:40 +0300
-Subject: dix: Disallow GenericEvent in SendEvent request.
-
-The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
-no less. Both ProcSendEvent and SProcSendEvent verify that the received data
-exactly match the request size. However nothing stops the client from passing
-in event with xEvent::type = GenericEvent and any value of
-xGenericEvent::length.
-
-In the case of ProcSendEvent, the event will be eventually passed to
-WriteEventsToClient which will see that it is Generic event and copy the
-arbitrary length from the receive buffer (and possibly past it) and send it to
-the other client. This allows clients to copy unitialized heap memory out of X
-server or to crash it.
-
-In case of SProcSendEvent, it will attempt to swap the incoming event by
-calling a swapping function from the EventSwapVector array. The swapped event
-is written to target buffer, which in this case is local xEvent variable. The
-xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
-expect that the target buffer has size matching the size of the source
-GenericEvent. This allows clients to cause stack buffer overflows.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/dix/events.c b/dix/events.c
-index 3e3a01e..d3a33ea 100644
---- a/dix/events.c
-+++ b/dix/events.c
-@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
-         client->errorValue = stuff->event.u.u.type;
-         return BadValue;
-     }
-+    /* Generic events can have variable size, but SendEvent request holds
-+       exactly 32B of event data. */
-+    if (stuff->event.u.u.type == GenericEvent) {
-+        client->errorValue = stuff->event.u.u.type;
-+        return BadValue;
-+    }
-     if (stuff->event.u.u.type == ClientMessage &&
-         stuff->event.u.u.detail != 8 &&
-         stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
-diff --git a/dix/swapreq.c b/dix/swapreq.c
-index 719e9b8..6785059 100644
---- a/dix/swapreq.c
-+++ b/dix/swapreq.c
-@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
-     swapl(&stuff->destination);
-     swapl(&stuff->eventMask);
- 
-+    /* Generic events can have variable size, but SendEvent request holds
-+       exactly 32B of event data. */
-+    if (stuff->event.u.u.type == GenericEvent) {
-+        client->errorValue = stuff->event.u.u.type;
-+        return BadValue;
-+    }
-+
-     /* Swap event */
-     proc = EventSwapVector[stuff->event.u.u.type & 0177];
-     if (!proc || proc == NotImplemented)        /* no swapping proc; invalid event type? */
--- 
-cgit v0.10.2
-
-From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:41 +0300
-Subject: Xi: Verify all events in ProcXSendExtensionEvent.
-
-The requirement is that events have type in range
-EXTENSION_EVENT_BASE..lastEvent, but it was tested
-only for first event of all.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 1cf118a..5e63bfc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- int
- ProcXSendExtensionEvent(ClientPtr client)
- {
--    int ret;
-+    int ret, i;
-     DeviceIntPtr dev;
-     xEvent *first;
-     XEventClass *list;
-@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
-     /* The client's event type must be one defined by an extension. */
- 
-     first = ((xEvent *) &stuff[1]);
--    if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
--          (first->u.u.type < lastEvent))) {
--        client->errorValue = first->u.u.type;
--        return BadValue;
-+    for (i = 0; i < stuff->num_events; i++) {
-+        if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
-+            (first[i].u.u.type < lastEvent))) {
-+            client->errorValue = first[i].u.u.type;
-+            return BadValue;
-+        }
-     }
- 
-     list = (XEventClass *) (first + stuff->num_events);
--- 
-cgit v0.10.2
-
-From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:42 +0300
-Subject: Xi: Do not try to swap GenericEvent.
-
-The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
-it is assuming that the event has fixed size and gives the swapping function
-xEvent-sized buffer.
-
-A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 5e63bfc..5c2e0fc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
- 
-     eventP = (xEvent *) &stuff[1];
-     for (i = 0; i < stuff->num_events; i++, eventP++) {
-+        if (eventP->u.u.type == GenericEvent) {
-+            client->errorValue = eventP->u.u.type;
-+            return BadValue;
-+        }
-+
-         proc = EventSwapVector[eventP->u.u.type & 0177];
--        if (proc == NotImplemented)     /* no swapping proc; invalid event type? */
-+        /* no swapping proc; invalid event type? */
-+        if (proc == NotImplemented) {
-+            client->errorValue = eventP->u.u.type;
-             return BadValue;
-+        }
-         (*proc) (eventP, &eventT);
-         *eventP = eventT;
-     }
--- 
-cgit v0.10.2
-
diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10972.patch b/gnu/packages/patches/xorg-server-CVE-2017-10972.patch
deleted file mode 100644
index f24e9c0ae6..0000000000
--- a/gnu/packages/patches/xorg-server-CVE-2017-10972.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:39 +0300
-Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
-
-Make sure that the xEvent eventT is initialized with zeros, the same way as
-in SProcSendEvent.
-
-Some event swapping functions do not overwrite all 32 bytes of xEvent
-structure, for example XSecurityAuthorizationRevoked. Two cooperating
-clients, one swapped and the other not, can send
-XSecurityAuthorizationRevoked event to each other to retrieve old stack data
-from X server. This can be potentialy misused to go around ASLR or
-stack-protector.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 11d8202..1cf118a 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- {
-     CARD32 *p;
-     int i;
--    xEvent eventT;
-+    xEvent eventT = { .u.u.type = 0 };
-     xEvent *eventP;
-     EventSwapPtr proc;
- 
--- 
-cgit v0.10.2
-
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index d66cf417f6..f3d415c096 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5067,7 +5067,7 @@ over Xlib, including:
 (define-public xorg-server
   (package
     (name "xorg-server")
-    (version "1.19.3")
+    (version "1.19.4")
     (source
       (origin
         (method url-fetch)
@@ -5076,9 +5076,9 @@ over Xlib, including:
               name "-" version ".tar.bz2"))
         (sha256
          (base32
-          "162s1v901djr57gxmmk4airk8hiwcz79dqyz72972x1lw1k82yk7"))
+          "1a690fzv5l5ks45g9zhlzdskdq8q73mcbpb9a3wz3shxm778lxda"))
         (patches
-         (cons
+         (list
           ;; See:
           ;;   https://lists.fedoraproject.org/archives/list/devel@lists.
           ;;      fedoraproject.org/message/JU655YB7AM4OOEQ4MOMCRHJTYJ76VFOK/
@@ -5090,9 +5090,7 @@ over Xlib, including:
             (sha256
              (base32
               "0mm70y058r8s9y9jiv7q2myv0ycnaw3iqzm7d274410s0ik38w7q"))
-            (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))
-          (search-patches "xorg-server-CVE-2017-10971.patch"
-                          "xorg-server-CVE-2017-10972.patch")))))
+            (file-name "xorg-server-use-intel-only-on-pre-gen4.diff"))))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("dri2proto" ,dri2proto)