summaryrefslogtreecommitdiff
path: root/source/x/x11/patch/xorg-server
diff options
context:
space:
mode:
authorPatrick J Volkerding <volkerdi@slackware.com>2016-06-30 20:26:57 +0000
committerEric Hameleers <alien@slackware.com>2018-05-31 23:31:18 +0200
commitd31c50870d0bee042ce660e445c9294a59a3a65b (patch)
tree6bfc0de3c95267b401b620c2c67859557dc60f97 /source/x/x11/patch/xorg-server
parent76fc4757ac91ac7947a01fb7b53dddf9a78a01d1 (diff)
downloadcurrent-d31c50870d0bee042ce660e445c9294a59a3a65b.tar.gz
Slackware 14.2slackware-14.2
Thu Jun 30 20:26:57 UTC 2016 Slackware 14.2 x86_64 stable is released! The long development cycle (the Linux community has lately been living in "interesting times", as they say) is finally behind us, and we're proud to announce the release of Slackware 14.2. The new release brings many updates and modern tools, has switched from udev to eudev (no systemd), and adds well over a hundred new packages to the system. Thanks to the team, the upstream developers, the dedicated Slackware community, and everyone else who pitched in to help make this release a reality. The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware project by picking up a copy from store.slackware.com. We're taking pre-orders now, and offer a discount if you sign up for a subscription. Have fun! :-)
Diffstat (limited to 'source/x/x11/patch/xorg-server')
-rw-r--r--source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff73
-rw-r--r--source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch49
2 files changed, 49 insertions, 73 deletions
diff --git a/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff b/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff
deleted file mode 100644
index 14c31782..00000000
--- a/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff
+++ /dev/null
@@ -1,73 +0,0 @@
-From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Mon, 16 Sep 2013 21:47:16 -0700
-Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
- [CVE-2013-4396]
-
-Save a pointer to the passed in closure structure before copying it
-and overwriting the *c pointer to point to our copy instead of the
-original. If we hit an error, once we free(c), reset c to point to
-the original structure before jumping to the cleanup code that
-references *c.
-
-Since one of the errors being checked for is whether the server was
-able to malloc(c->nChars * itemSize), the client can potentially pass
-a number of characters chosen to cause the malloc to fail and the
-error path to be taken, resulting in the read from freed memory.
-
-Since the memory is accessed almost immediately afterwards, and the
-X server is mostly single threaded, the odds of the free memory having
-invalid contents are low with most malloc implementations when not using
-memory debugging features, but some allocators will definitely overwrite
-the memory there, leading to a likely crash.
-
-Reported-by: Pedro Ribeiro <pedrib at gmail.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Julien Cristau <jcristau at debian.org>
----
- dix/dixfonts.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/dix/dixfonts.c b/dix/dixfonts.c
-index feb765d..2e34d37 100644
---- a/dix/dixfonts.c
-+++ b/dix/dixfonts.c
-@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- GC *pGC;
- unsigned char *data;
- ITclosurePtr new_closure;
-+ ITclosurePtr old_closure;
-
- /* We're putting the client to sleep. We need to
- save some state. Similar problem to that handled
-@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
- err = BadAlloc;
- goto bail;
- }
-+ old_closure = c;
- *new_closure = *c;
- c = new_closure;
-
- data = malloc(c->nChars * itemSize);
- if (!data) {
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- if (!pGC) {
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- FreeScratchGC(pGC);
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
diff --git a/source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch b/source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch
new file mode 100644
index 00000000..83f67303
--- /dev/null
+++ b/source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch
@@ -0,0 +1,49 @@
+--- b/Xi/exevents.c 2013-12-27 19:38:52.000000000 +0200
++++ a/Xi/exevents.c 2014-03-04 19:44:15.228721619 +0200
+@@ -665,7 +665,8 @@
+ DeepCopyFeedbackClasses(from, to);
+
+ if ((dce->flags & DEVCHANGE_KEYBOARD_EVENT))
+- DeepCopyKeyboardClasses(from, to);
++ /* We need to copy to MASTER_KEYBOARD. Didn't worked with 'to'. */
++ DeepCopyKeyboardClasses(from, GetMaster(from, MASTER_KEYBOARD));
+ if ((dce->flags & DEVCHANGE_POINTER_EVENT))
+ DeepCopyPointerClasses(from, to);
+ }
+--- b/dix/getevents.c 2013-12-27 19:38:52.000000000 +0200
++++ a/dix/getevents.c 2014-03-04 19:46:50.126336327 +0200
+@@ -706,12 +706,19 @@
+ {
+ DeviceIntPtr master;
+
+- master =
+- GetMaster(dev,
+- (type & DEVCHANGE_POINTER_EVENT) ? MASTER_POINTER :
+- MASTER_KEYBOARD);
++ /* Don't guess the master upon the event type. Use MASTER_ATTACHED,
++ * otherwise we'll never get a DeviceChangedEvent(reason:SlaveSwith). */
++ master = GetMaster(dev, MASTER_ATTACHED);
++ /* Need to track the slave event type. Other we'le never get a
++ * DeviceChangedEvent(reason:SlaveSwith) for the 'keyboard' if the
++ * 'pointer' has been touched before. */
++ int slave_type = (type & DEVCHANGE_KEYBOARD_EVENT) |
++ (type & DEVCHANGE_POINTER_EVENT);
+
+- if (master && master->last.slave != dev) {
++ if (master &&
++ ((master->last.slave != dev) ||
++ (master->last.slave == dev && master->last.slave_type != slave_type))) {
++ master->last.slave_type = slave_type;
+ CreateClassesChangedEvent(events, master, dev,
+ type | DEVCHANGE_SLAVE_SWITCH);
+ if (IsPointerDevice(master)) {
+--- b/include/inputstr.h 2013-12-27 19:38:52.000000000 +0200
++++ a/include/inputstr.h 2014-03-04 19:47:28.074051116 +0200
+@@ -577,6 +577,7 @@
+ double valuators[MAX_VALUATORS];
+ int numValuators;
+ DeviceIntPtr slave;
++ int slave_type;
+ ValuatorMask *scroll;
+ int num_touches; /* size of the touches array */
+ DDXTouchPointInfoPtr touches;