* Fix multiple security issues

+ CVE-2007-6427: XInput Extension Memory Corruption + CVE-2007-6428: TOG-CUP Extension Memory Corruption + CVE-2007-6429: EVI Extension Integer Overflow, MIT-SHM Extension Integer Overflow + CVE-2007-5760: XFree86-Misc Extension Invalid Array Index + CVE-2007-5958: file existence disclosure + CVE-2008-0006: PCF font parser buffer overflow
author: Julien Cristau <jcristau@debian.org> 2008-01-12 01:04:06 +0100
committer: Julien Cristau <jcristau@debian.org> 2008-01-17 00:21:26 +0100
commit: 7fe0a909cedc4ad55d3f7708fc98dd6986323d08 (patch)
tree: 37a50a95190650c2480ccef66f8ea07796e1f781
parent: 9c6275e7d4d25c62ad6d80433e7f1c1e98630d41 (diff)
9 files changed, 516 insertions, 10 deletions
diff --git a/debian/changelog b/debian/changelog
index f57f7f600..66a152d31 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,16 @@ xorg-server (2:1.4.1~git20080105-2) UNRELEASED; urgency=low
   * Grab upstream commit db9ae863536fff80b5463d99e71dc47ae587980d
     to set DEFAULT_DPI to 96 instead of 75.
 
+  [ Julien Cristau ]
+  * Fix multiple security issues
+    + CVE-2007-6427: XInput Extension Memory Corruption
+    + CVE-2007-6428: TOG-CUP Extension Memory Corruption
+    + CVE-2007-6429: EVI Extension Integer Overflow,
+                     MIT-SHM Extension Integer Overflow
+    + CVE-2007-5760: XFree86-Misc Extension Invalid Array Index
+    + CVE-2007-5958: file existence disclosure
+    + CVE-2008-0006: PCF font parser buffer overflow
+
  -- Brice Goglin <bgoglin@debian.org>  Sun, 13 Jan 2008 16:20:12 +0100
 
 xorg-server (2:1.4.1~git20080105-1) unstable; urgency=low
diff --git a/debian/patches/14_default_screen_section.diff b/debian/patches/14_default_screen_section.diff
index a3b6061df..709261b11 100644
--- a/debian/patches/14_default_screen_section.diff
+++ b/debian/patches/14_default_screen_section.diff
@@ -1,8 +1,6 @@
-Index: xorg-server/hw/xfree86/common/xf86Config.c
-===================================================================
---- xorg-server.orig/hw/xfree86/common/xf86Config.c	2007-12-12 19:43:59.000000000 -0500
-+++ xorg-server/hw/xfree86/common/xf86Config.c	2007-12-12 19:44:10.000000000 -0500
-@@ -1801,11 +1801,6 @@
+--- xorg-server.orig/hw/xfree86/common/xf86Config.c
++++ xorg-server/hw/xfree86/common/xf86Config.c
+@@ -1800,11 +1800,6 @@
      if (!servlayoutp)
  	return FALSE;
  
@@ -14,7 +12,7 @@ Index: xorg-server/hw/xfree86/common/xf86Config.c
      /*
       * which screen section is the active one?
       *
-@@ -1893,6 +1888,12 @@
+@@ -1892,6 +1887,12 @@
      XF86ConfAdaptorLinkPtr conf_adaptor;
      Bool defaultMonitor = FALSE;
  
@@ -27,10 +25,8 @@ Index: xorg-server/hw/xfree86/common/xf86Config.c
      xf86Msg(from, "|-->Screen \"%s\" (%d)\n", conf_screen->scrn_identifier,
  	    scrnum);
      /*
-Index: xorg-server/hw/xfree86/parser/Screen.c
-===================================================================
---- xorg-server.orig/hw/xfree86/parser/Screen.c	2007-12-12 19:43:02.000000000 -0500
-+++ xorg-server/hw/xfree86/parser/Screen.c	2007-12-12 19:44:10.000000000 -0500
+--- xorg-server.orig/hw/xfree86/parser/Screen.c
++++ xorg-server/hw/xfree86/parser/Screen.c
 @@ -498,12 +498,6 @@
  	XF86ConfDevicePtr device;
  	XF86ConfAdaptorLinkPtr adaptor;
diff --git a/debian/patches/15_CVE-2007-6427.diff b/debian/patches/15_CVE-2007-6427.diff
new file mode 100644
index 000000000..da62c5ec6
--- /dev/null
+++ b/debian/patches/15_CVE-2007-6427.diff
@@ -0,0 +1,241 @@
+#
+# Updated but not checked in:
+#   (will commit)
+#
+#	modified: Xi/chgfctl.c
+#	modified: Xi/chgkmap.c
+#	modified: Xi/chgprop.c
+#	modified: Xi/grabdev.c
+#	modified: Xi/grabdevb.c
+#	modified: Xi/grabdevk.c
+#	modified: Xi/selectev.c
+#	modified: Xi/sendexev.c
+#
+--- xorg-server.orig/Xi/chgfctl.c
++++ xorg-server/Xi/chgfctl.c
+@@ -327,18 +327,13 @@
+ 		     xStringFeedbackCtl * f)
+ {
+     char n;
+-    long *p;
+     int i, j;
+     KeySym *syms, *sup_syms;
+ 
+     syms = (KeySym *) (f + 1);
+     if (client->swapped) {
+ 	swaps(&f->length, n);	/* swapped num_keysyms in calling proc */
+-	p = (long *)(syms);
+-	for (i = 0; i < f->num_keysyms; i++) {
+-	    swapl(p, n);
+-	    p++;
+-	}
++	SwapLongs((CARD32 *) syms, f->num_keysyms);
+     }
+ 
+     if (f->num_keysyms > s->ctrl.max_symbols) {
+--- xorg-server.orig/Xi/chgkmap.c
++++ xorg-server/Xi/chgkmap.c
+@@ -79,18 +79,14 @@
+ SProcXChangeDeviceKeyMapping(ClientPtr client)
+ {
+     char n;
+-    long *p;
+-    int i, count;
++    unsigned int count;
+ 
+     REQUEST(xChangeDeviceKeyMappingReq);
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+-    p = (long *)&stuff[1];
+     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+-    for (i = 0; i < count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), count);
+     return (ProcXChangeDeviceKeyMapping(client));
+ }
+ 
+@@ -106,10 +102,14 @@
+     int ret;
+     unsigned len;
+     DeviceIntPtr dev;
++    unsigned int count;
+ 
+     REQUEST(xChangeDeviceKeyMappingReq);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+ 
++    count = stuff->keyCodes * stuff->keySymsPerKeyCode;
++    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++    
+     dev = LookupDeviceIntRec(stuff->deviceid);
+     if (dev == NULL) {
+ 	SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
+--- xorg-server.orig/Xi/chgprop.c
++++ xorg-server/Xi/chgprop.c
+@@ -81,19 +81,15 @@
+ SProcXChangeDeviceDontPropagateList(ClientPtr client)
+ {
+     char n;
+-    long *p;
+-    int i;
+ 
+     REQUEST(xChangeDeviceDontPropagateListReq);
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
+     swapl(&stuff->window, n);
+     swaps(&stuff->count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
++		       stuff->count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+     return (ProcXChangeDeviceDontPropagateList(client));
+ }
+ 
+--- xorg-server.orig/Xi/grabdev.c
++++ xorg-server/Xi/grabdev.c
+@@ -82,8 +82,6 @@
+ SProcXGrabDevice(ClientPtr client)
+ {
+     char n;
+-    long *p;
+-    int i;
+ 
+     REQUEST(xGrabDeviceReq);
+     swaps(&stuff->length, n);
+@@ -91,11 +89,11 @@
+     swapl(&stuff->grabWindow, n);
+     swapl(&stuff->time, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++
++    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
++	return BadLength;
++    
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+ 
+     return (ProcXGrabDevice(client));
+ }
+--- xorg-server.orig/Xi/grabdevb.c
++++ xorg-server/Xi/grabdevb.c
+@@ -80,8 +80,6 @@
+ SProcXGrabDeviceButton(ClientPtr client)
+ {
+     char n;
+-    long *p;
+-    int i;
+ 
+     REQUEST(xGrabDeviceButtonReq);
+     swaps(&stuff->length, n);
+@@ -89,11 +87,9 @@
+     swapl(&stuff->grabWindow, n);
+     swaps(&stuff->modifiers, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
++		       stuff->event_count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+ 
+     return (ProcXGrabDeviceButton(client));
+ }
+--- xorg-server.orig/Xi/grabdevk.c
++++ xorg-server/Xi/grabdevk.c
+@@ -80,8 +80,6 @@
+ SProcXGrabDeviceKey(ClientPtr client)
+ {
+     char n;
+-    long *p;
+-    int i;
+ 
+     REQUEST(xGrabDeviceKeyReq);
+     swaps(&stuff->length, n);
+@@ -89,11 +87,8 @@
+     swapl(&stuff->grabWindow, n);
+     swaps(&stuff->modifiers, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+     return (ProcXGrabDeviceKey(client));
+ }
+ 
+--- xorg-server.orig/Xi/selectev.c
++++ xorg-server/Xi/selectev.c
+@@ -131,19 +131,16 @@
+ SProcXSelectExtensionEvent(ClientPtr client)
+ {
+     char n;
+-    long *p;
+-    int i;
+ 
+     REQUEST(xSelectExtensionEventReq);
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
+     swapl(&stuff->window, n);
+     swaps(&stuff->count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
++		       stuff->count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
++
+     return (ProcXSelectExtensionEvent(client));
+ }
+ 
+--- xorg-server.orig/Xi/sendexev.c
++++ xorg-server/Xi/sendexev.c
+@@ -83,7 +83,7 @@
+ SProcXSendExtensionEvent(ClientPtr client)
+ {
+     char n;
+-    long *p;
++    CARD32 *p;
+     int i;
+     xEvent eventT;
+     xEvent *eventP;
+@@ -94,6 +94,11 @@
+     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
+     swapl(&stuff->destination, n);
+     swaps(&stuff->count, n);
++
++    if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
++	(stuff->num_events * (sizeof(xEvent) >> 2)))
++	return BadLength;
++    
+     eventP = (xEvent *) & stuff[1];
+     for (i = 0; i < stuff->num_events; i++, eventP++) {
+ 	proc = EventSwapVector[eventP->u.u.type & 0177];
+@@ -103,11 +108,8 @@
+ 	*eventP = eventT;
+     }
+ 
+-    p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
++    SwapLongs(p, stuff->count);
+     return (ProcXSendExtensionEvent(client));
+ }
+ 
diff --git a/debian/patches/16_CVE-2007-6428.diff b/debian/patches/16_CVE-2007-6428.diff
new file mode 100644
index 000000000..4068315ef
--- /dev/null
+++ b/debian/patches/16_CVE-2007-6428.diff
@@ -0,0 +1,12 @@
+--- xorg-server.orig/Xext/cup.c
++++ xorg-server/Xext/cup.c
+@@ -196,6 +196,9 @@
+ 
+     REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
+ 
++    if (stuff->screen >= screenInfo.numScreens)
++	return BadValue;
++
+ #ifndef HAVE_SPECIAL_DESKTOP_COLORS
+     citems[CUP_BLACK_PIXEL].pixel = 
+ 	screenInfo.screens[stuff->screen]->blackPixel;
diff --git a/debian/patches/17_CVE-2007-6429.diff b/debian/patches/17_CVE-2007-6429.diff
new file mode 100644
index 000000000..5c6d54895
--- /dev/null
+++ b/debian/patches/17_CVE-2007-6429.diff
@@ -0,0 +1,190 @@
+--- xorg-server.orig/Xext/EVI.c
++++ xorg-server/Xext/EVI.c
+@@ -34,6 +34,7 @@
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "modinit.h"
++#include "scrnintstr.h"
+ 
+ #if 0
+ static unsigned char XEVIReqCode = 0;
+@@ -87,10 +88,22 @@
+ {
+     REQUEST(xEVIGetVisualInfoReq);
+     xEVIGetVisualInfoReply rep;
+-    int n, n_conflict, n_info, sz_info, sz_conflict;
++    int i, n, n_conflict, n_info, sz_info, sz_conflict;
+     VisualID32 *conflict;
++    unsigned int total_visuals = 0;
+     xExtendedVisualInfo *eviInfo;
+     int status;
++
++    /*
++     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
++     * here that you don't have more than 2^32 visuals over all your screens;
++     * this seems like a safe assumption.
++     */
++    for (i = 0; i < screenInfo.numScreens; i++)
++	total_visuals += screenInfo.screens[i]->numVisuals;
++    if (stuff->n_visual > total_visuals)
++	return BadValue;
++
+     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
+     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
+ 		&eviInfo, &n_info, &conflict, &n_conflict);
+--- xorg-server.orig/Xext/sampleEVI.c
++++ xorg-server/Xext/sampleEVI.c
+@@ -34,6 +34,13 @@
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "scrnintstr.h"
++
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(INT_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ static int sampleGetVisualInfo(
+     VisualID32 *visual,
+     int n_visual,
+@@ -42,24 +49,36 @@
+     VisualID32 **conflict_rn,
+     int *n_conflict_rn)
+ {
+-    int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
++    unsigned int max_sz_evi;
+     VisualID32 *temp_conflict;
+     xExtendedVisualInfo *evi;
+-    int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
++    unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+     register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
+-    *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+-    if (!*evi_rn)
+-         return BadAlloc;
++
++    if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
++	return BadAlloc;
++    max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
++    
+     for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
+         if (screenInfo.screens[scrI]->numVisuals > max_visuals)
+             max_visuals = screenInfo.screens[scrI]->numVisuals;
+     }
++
++    if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens 
++			       * max_visuals)) 
++	return BadAlloc;
+     max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
++
++    *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
++    if (!*evi_rn)
++         return BadAlloc;
++
+     temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
+     if (!temp_conflict) {
+         xfree(*evi_rn);
+         return BadAlloc;
+     }
++
+     for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
+         for (visualI = 0; visualI < n_visual; visualI++) {
+ 	    evi[sz_evi].core_visual_id = visual[visualI];
+--- xorg-server.orig/Xext/shm.c
++++ xorg-server/Xext/shm.c
+@@ -711,6 +711,8 @@
+     int i, j, result, rc;
+     ShmDescPtr shmdesc;
+     REQUEST(xShmCreatePixmapReq);
++    unsigned int width, height, depth;
++    unsigned long size;
+     PanoramiXRes *newPix;
+ 
+     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+@@ -724,11 +726,26 @@
+ 	return rc;
+ 
+     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+-    if (!stuff->width || !stuff->height)
++
++    width = stuff->width;
++    height = stuff->height;
++    depth = stuff->depth;
++    if (!width || !height || !depth)
+     {
+ 	client->errorValue = 0;
+         return BadValue;
+     }
++    if (width > 32767 || height > 32767)
++        return BadAlloc;
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(size) == 4) {
++        if (size < width * height)
++            return BadAlloc;
++        /* thankfully, offset is unsigned */
++        if (stuff->offset + size < size)
++            return BadAlloc;
++    }
++
+     if (stuff->depth != 1)
+     {
+         pDepth = pDraw->pScreen->allowedDepths;
+@@ -739,9 +756,7 @@
+         return BadValue;
+     }
+ CreatePmap:
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
+-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+-		   client);
++    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+ 
+     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
+ 	return BadAlloc;
+@@ -1040,6 +1055,8 @@
+     register int i, rc;
+     ShmDescPtr shmdesc;
+     REQUEST(xShmCreatePixmapReq);
++    unsigned int width, height, depth;
++    unsigned long size;
+ 
+     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+     client->errorValue = stuff->pid;
+@@ -1052,11 +1069,26 @@
+ 	return rc;
+ 
+     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+-    if (!stuff->width || !stuff->height)
++    
++    width = stuff->width;
++    height = stuff->height;
++    depth = stuff->depth;
++    if (!width || !height || !depth)
+     {
+ 	client->errorValue = 0;
+         return BadValue;
+     }
++    if (width > 32767 || height > 32767)
++	return BadAlloc;
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(size) == 4) {
++	if (size < width * height)
++	    return BadAlloc;
++	/* thankfully, offset is unsigned */
++	if (stuff->offset + size < size)
++	    return BadAlloc;
++    }
++
+     if (stuff->depth != 1)
+     {
+         pDepth = pDraw->pScreen->allowedDepths;
+@@ -1067,9 +1099,7 @@
+         return BadValue;
+     }
+ CreatePmap:
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
+-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+-		   client);
++    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
+ 			    pDraw->pScreen, stuff->width,
+ 			    stuff->height, stuff->depth,
diff --git a/debian/patches/18_CVE-2007-5760.diff b/debian/patches/18_CVE-2007-5760.diff
new file mode 100644
index 000000000..6df89ae20
--- /dev/null
+++ b/debian/patches/18_CVE-2007-5760.diff
@@ -0,0 +1,13 @@
+--- xorg-server.orig/hw/xfree86/common/xf86MiscExt.c
++++ xorg-server/hw/xfree86/common/xf86MiscExt.c
+@@ -548,6 +548,10 @@
+ {
+     ScrnInfoPtr pScr = xf86Screens[scrnIndex];
+ 
++    /* should check this in the protocol, but xf86NumScreens isn't exported */
++    if (scrnIndex > xf86NumScreens)
++	return BadValue;
++
+     if (*pScr->HandleMessage == NULL)
+ 	    return BadImplementation;
+     return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);
diff --git a/debian/patches/19_CVE-2007-5958.diff b/debian/patches/19_CVE-2007-5958.diff
new file mode 100644
index 000000000..44b88e59f
--- /dev/null
+++ b/debian/patches/19_CVE-2007-5958.diff
@@ -0,0 +1,20 @@
+--- xorg-server.orig/Xext/security.c
++++ xorg-server/Xext/security.c
+@@ -1563,7 +1563,7 @@
+     if (!SecurityPolicyFile)
+ 	return;
+ 
+-    f = fopen(SecurityPolicyFile, "r");
++    f = Fopen(SecurityPolicyFile, "r");
+     if (!f)
+     {
+ 	ErrorF("error opening security policy file %s\n",
+@@ -1646,7 +1646,7 @@
+     }
+ #endif /* PROPDEBUG */
+ 
+-    fclose(f);
++    Fclose(f);
+ } /* SecurityLoadPropertyAccessList */
+ 
+ 
diff --git a/debian/patches/20_CVE-2008-0006.diff b/debian/patches/20_CVE-2008-0006.diff
new file mode 100644
index 000000000..d16694a34
--- /dev/null
+++ b/debian/patches/20_CVE-2008-0006.diff
@@ -0,0 +1,18 @@
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index c21b3ec..7bb2404 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -325,6 +325,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
+ 	err = BadFontName;
+ 	goto bail;
+     }
++    /* check values for firstCol, lastCol, firstRow, and lastRow */
++    if (pfont->info.firstCol > pfont->info.lastCol ||
++       pfont->info.firstRow > pfont->info.lastRow ||
++       pfont->info.lastCol - pfont->info.firstCol > 255) {
++       err = AllocError;
++       goto bail;
++    }
+     if (!pfont->fpe)
+ 	pfont->fpe = fpe;
+     pfont->refcnt++;
diff --git a/debian/patches/series b/debian/patches/series
index 2e363d12c..baafbbed6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,6 +9,12 @@
 10_dont_look_in_home_for_config.diff -p0
 13_debian_add_xkbpath_env_variable.diff
 14_default_screen_section.diff
+15_CVE-2007-6427.diff
+16_CVE-2007-6428.diff
+17_CVE-2007-6429.diff
+18_CVE-2007-5760.diff
+19_CVE-2007-5958.diff
+20_CVE-2008-0006.diff
 21_glx_align_fixes.patch
 40_default_dpi_96.patch
 41_vbe_filter_less.diff
author	Julien Cristau <jcristau@debian.org>	2008-01-12 01:04:06 +0100
committer	Julien Cristau <jcristau@debian.org>	2008-01-17 00:21:26 +0100
commit	7fe0a909cedc4ad55d3f7708fc98dd6986323d08 (patch)
tree	37a50a95190650c2480ccef66f8ea07796e1f781
parent	9c6275e7d4d25c62ad6d80433e7f1c1e98630d41 (diff)