diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2016-06-30 20:26:57 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2018-05-31 23:31:18 +0200 |
commit | d31c50870d0bee042ce660e445c9294a59a3a65b (patch) | |
tree | 6bfc0de3c95267b401b620c2c67859557dc60f97 /source/x/x11/patch/xorg-server | |
parent | 76fc4757ac91ac7947a01fb7b53dddf9a78a01d1 (diff) | |
download | current-d31c50870d0bee042ce660e445c9294a59a3a65b.tar.gz |
Slackware 14.2slackware-14.2
Thu Jun 30 20:26:57 UTC 2016
Slackware 14.2 x86_64 stable is released!
The long development cycle (the Linux community has lately been living in
"interesting times", as they say) is finally behind us, and we're proud to
announce the release of Slackware 14.2. The new release brings many updates
and modern tools, has switched from udev to eudev (no systemd), and adds
well over a hundred new packages to the system. Thanks to the team, the
upstream developers, the dedicated Slackware community, and everyone else
who pitched in to help make this release a reality.
The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a dual-sided
32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware
project by picking up a copy from store.slackware.com. We're taking
pre-orders now, and offer a discount if you sign up for a subscription.
Have fun! :-)
Diffstat (limited to 'source/x/x11/patch/xorg-server')
-rw-r--r-- | source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff | 73 | ||||
-rw-r--r-- | source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch | 49 |
2 files changed, 49 insertions, 73 deletions
diff --git a/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff b/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff deleted file mode 100644 index 14c31782..00000000 --- a/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff +++ /dev/null @@ -1,73 +0,0 @@ -From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith at oracle.com> -Date: Mon, 16 Sep 2013 21:47:16 -0700 -Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText() - [CVE-2013-4396] - -Save a pointer to the passed in closure structure before copying it -and overwriting the *c pointer to point to our copy instead of the -original. If we hit an error, once we free(c), reset c to point to -the original structure before jumping to the cleanup code that -references *c. - -Since one of the errors being checked for is whether the server was -able to malloc(c->nChars * itemSize), the client can potentially pass -a number of characters chosen to cause the malloc to fail and the -error path to be taken, resulting in the read from freed memory. - -Since the memory is accessed almost immediately afterwards, and the -X server is mostly single threaded, the odds of the free memory having -invalid contents are low with most malloc implementations when not using -memory debugging features, but some allocators will definitely overwrite -the memory there, leading to a likely crash. - -Reported-by: Pedro Ribeiro <pedrib at gmail.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com> -Reviewed-by: Julien Cristau <jcristau at debian.org> ---- - dix/dixfonts.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/dix/dixfonts.c b/dix/dixfonts.c -index feb765d..2e34d37 100644 ---- a/dix/dixfonts.c -+++ b/dix/dixfonts.c -@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c) - GC *pGC; - unsigned char *data; - ITclosurePtr new_closure; -+ ITclosurePtr old_closure; - - /* We're putting the client to sleep. We need to - save some state. Similar problem to that handled -@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c) - err = BadAlloc; - goto bail; - } -+ old_closure = c; - *new_closure = *c; - c = new_closure; - - data = malloc(c->nChars * itemSize); - if (!data) { - free(c); -+ c = old_closure; - err = BadAlloc; - goto bail; - } -@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c) - if (!pGC) { - free(c->data); - free(c); -+ c = old_closure; - err = BadAlloc; - goto bail; - } -@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c) - FreeScratchGC(pGC); - free(c->data); - free(c); -+ c = old_closure; - err = BadAlloc; - goto bail; - } diff --git a/source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch b/source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch new file mode 100644 index 00000000..83f67303 --- /dev/null +++ b/source/x/x11/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch @@ -0,0 +1,49 @@ +--- b/Xi/exevents.c 2013-12-27 19:38:52.000000000 +0200 ++++ a/Xi/exevents.c 2014-03-04 19:44:15.228721619 +0200 +@@ -665,7 +665,8 @@ + DeepCopyFeedbackClasses(from, to); + + if ((dce->flags & DEVCHANGE_KEYBOARD_EVENT)) +- DeepCopyKeyboardClasses(from, to); ++ /* We need to copy to MASTER_KEYBOARD. Didn't worked with 'to'. */ ++ DeepCopyKeyboardClasses(from, GetMaster(from, MASTER_KEYBOARD)); + if ((dce->flags & DEVCHANGE_POINTER_EVENT)) + DeepCopyPointerClasses(from, to); + } +--- b/dix/getevents.c 2013-12-27 19:38:52.000000000 +0200 ++++ a/dix/getevents.c 2014-03-04 19:46:50.126336327 +0200 +@@ -706,12 +706,19 @@ + { + DeviceIntPtr master; + +- master = +- GetMaster(dev, +- (type & DEVCHANGE_POINTER_EVENT) ? MASTER_POINTER : +- MASTER_KEYBOARD); ++ /* Don't guess the master upon the event type. Use MASTER_ATTACHED, ++ * otherwise we'll never get a DeviceChangedEvent(reason:SlaveSwith). */ ++ master = GetMaster(dev, MASTER_ATTACHED); ++ /* Need to track the slave event type. Other we'le never get a ++ * DeviceChangedEvent(reason:SlaveSwith) for the 'keyboard' if the ++ * 'pointer' has been touched before. */ ++ int slave_type = (type & DEVCHANGE_KEYBOARD_EVENT) | ++ (type & DEVCHANGE_POINTER_EVENT); + +- if (master && master->last.slave != dev) { ++ if (master && ++ ((master->last.slave != dev) || ++ (master->last.slave == dev && master->last.slave_type != slave_type))) { ++ master->last.slave_type = slave_type; + CreateClassesChangedEvent(events, master, dev, + type | DEVCHANGE_SLAVE_SWITCH); + if (IsPointerDevice(master)) { +--- b/include/inputstr.h 2013-12-27 19:38:52.000000000 +0200 ++++ a/include/inputstr.h 2014-03-04 19:47:28.074051116 +0200 +@@ -577,6 +577,7 @@ + double valuators[MAX_VALUATORS]; + int numValuators; + DeviceIntPtr slave; ++ int slave_type; + ValuatorMask *scroll; + int num_touches; /* size of the touches array */ + DDXTouchPointInfoPtr touches; |