authorJulien Cristau <jcristau@debian.org>2008-01-12 01:04:06 +0100
committerJulien Cristau <jcristau@debian.org>2008-01-17 00:21:26 +0100
commit7fe0a909cedc4ad55d3f7708fc98dd6986323d08 (patch)
tree37a50a95190650c2480ccef66f8ea07796e1f781 /debian/patches/15_CVE-2007-6427.diff
parent9c6275e7d4d25c62ad6d80433e7f1c1e98630d41 (diff)
* Fix multiple security issues
+ CVE-2007-6427: XInput Extension Memory Corruption + CVE-2007-6428: TOG-CUP Extension Memory Corruption + CVE-2007-6429: EVI Extension Integer Overflow, MIT-SHM Extension Integer Overflow + CVE-2007-5760: XFree86-Misc Extension Invalid Array Index + CVE-2007-5958: file existence disclosure + CVE-2008-0006: PCF font parser buffer overflow
Diffstat (limited to 'debian/patches/15_CVE-2007-6427.diff')
-rw-r--r--debian/patches/15_CVE-2007-6427.diff241
1 files changed, 241 insertions, 0 deletions
diff --git a/debian/patches/15_CVE-2007-6427.diff b/debian/patches/15_CVE-2007-6427.diff
new file mode 100644
index 000000000..da62c5ec6
--- /dev/null
+++ b/debian/patches/15_CVE-2007-6427.diff
@@ -0,0 +1,241 @@
+#
+# Updated but not checked in:
+# (will commit)
+#
+# modified: Xi/chgfctl.c
+# modified: Xi/chgkmap.c
+# modified: Xi/chgprop.c
+# modified: Xi/grabdev.c
+# modified: Xi/grabdevb.c
+# modified: Xi/grabdevk.c
+# modified: Xi/selectev.c
+# modified: Xi/sendexev.c
+#
+--- xorg-server.orig/Xi/chgfctl.c
++++ xorg-server/Xi/chgfctl.c
+@@ -327,18 +327,13 @@
+ xStringFeedbackCtl * f)
+ {
+ char n;
+- long *p;
+ int i, j;
+ KeySym *syms, *sup_syms;
+
+ syms = (KeySym *) (f + 1);
+ if (client->swapped) {
+ swaps(&f->length, n); /* swapped num_keysyms in calling proc */
+- p = (long *)(syms);
+- for (i = 0; i < f->num_keysyms; i++) {
+- swapl(p, n);
+- p++;
+- }
++ SwapLongs((CARD32 *) syms, f->num_keysyms);
+ }
+
+ if (f->num_keysyms > s->ctrl.max_symbols) {
+--- xorg-server.orig/Xi/chgkmap.c
++++ xorg-server/Xi/chgkmap.c
+@@ -79,18 +79,14 @@
+ SProcXChangeDeviceKeyMapping(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i, count;
++ unsigned int count;
+
+ REQUEST(xChangeDeviceKeyMappingReq);
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+- p = (long *)&stuff[1];
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+- for (i = 0; i < count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), count);
+ return (ProcXChangeDeviceKeyMapping(client));
+ }
+
+@@ -106,10 +102,14 @@
+ int ret;
+ unsigned len;
+ DeviceIntPtr dev;
++ unsigned int count;
+
+ REQUEST(xChangeDeviceKeyMappingReq);
+ REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+
++ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
++ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++
+ dev = LookupDeviceIntRec(stuff->deviceid);
+ if (dev == NULL) {
+ SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
+--- xorg-server.orig/Xi/chgprop.c
++++ xorg-server/Xi/chgprop.c
+@@ -81,19 +81,15 @@
+ SProcXChangeDeviceDontPropagateList(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i;
+
+ REQUEST(xChangeDeviceDontPropagateListReq);
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
+ swapl(&stuff->window, n);
+ swaps(&stuff->count, n);
+- p = (long *)&stuff[1];
+- for (i = 0; i < stuff->count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
++ stuff->count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+ return (ProcXChangeDeviceDontPropagateList(client));
+ }
+
+--- xorg-server.orig/Xi/grabdev.c
++++ xorg-server/Xi/grabdev.c
+@@ -82,8 +82,6 @@
+ SProcXGrabDevice(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i;
+
+ REQUEST(xGrabDeviceReq);
+ swaps(&stuff->length, n);
+@@ -91,11 +89,11 @@
+ swapl(&stuff->grabWindow, n);
+ swapl(&stuff->time, n);
+ swaps(&stuff->event_count, n);
+- p = (long *)&stuff[1];
+- for (i = 0; i < stuff->event_count; i++) {
+- swapl(p, n);
+- p++;
+- }
++
++ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
++ return BadLength;
++
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+
+ return (ProcXGrabDevice(client));
+ }
+--- xorg-server.orig/Xi/grabdevb.c
++++ xorg-server/Xi/grabdevb.c
+@@ -80,8 +80,6 @@
+ SProcXGrabDeviceButton(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i;
+
+ REQUEST(xGrabDeviceButtonReq);
+ swaps(&stuff->length, n);
+@@ -89,11 +87,9 @@
+ swapl(&stuff->grabWindow, n);
+ swaps(&stuff->modifiers, n);
+ swaps(&stuff->event_count, n);
+- p = (long *)&stuff[1];
+- for (i = 0; i < stuff->event_count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
++ stuff->event_count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+
+ return (ProcXGrabDeviceButton(client));
+ }
+--- xorg-server.orig/Xi/grabdevk.c
++++ xorg-server/Xi/grabdevk.c
+@@ -80,8 +80,6 @@
+ SProcXGrabDeviceKey(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i;
+
+ REQUEST(xGrabDeviceKeyReq);
+ swaps(&stuff->length, n);
+@@ -89,11 +87,8 @@
+ swapl(&stuff->grabWindow, n);
+ swaps(&stuff->modifiers, n);
+ swaps(&stuff->event_count, n);
+- p = (long *)&stuff[1];
+- for (i = 0; i < stuff->event_count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+ return (ProcXGrabDeviceKey(client));
+ }
+
+--- xorg-server.orig/Xi/selectev.c
++++ xorg-server/Xi/selectev.c
+@@ -131,19 +131,16 @@
+ SProcXSelectExtensionEvent(ClientPtr client)
+ {
+ char n;
+- long *p;
+- int i;
+
+ REQUEST(xSelectExtensionEventReq);
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
+ swapl(&stuff->window, n);
+ swaps(&stuff->count, n);
+- p = (long *)&stuff[1];
+- for (i = 0; i < stuff->count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
++ stuff->count * sizeof(CARD32));
++ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
++
+ return (ProcXSelectExtensionEvent(client));
+ }
+
+--- xorg-server.orig/Xi/sendexev.c
++++ xorg-server/Xi/sendexev.c
+@@ -83,7 +83,7 @@
+ SProcXSendExtensionEvent(ClientPtr client)
+ {
+ char n;
+- long *p;
++ CARD32 *p;
+ int i;
+ xEvent eventT;
+ xEvent *eventP;
+@@ -94,6 +94,11 @@
+ REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
+ swapl(&stuff->destination, n);
+ swaps(&stuff->count, n);
++
++ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
++ (stuff->num_events * (sizeof(xEvent) >> 2)))
++ return BadLength;
++
+ eventP = (xEvent *) & stuff[1];
+ for (i = 0; i < stuff->num_events; i++, eventP++) {
+ proc = EventSwapVector[eventP->u.u.type & 0177];
+@@ -103,11 +108,8 @@
+ *eventP = eventT;
+ }
+
+- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
+- for (i = 0; i < stuff->count; i++) {
+- swapl(p, n);
+- p++;
+- }
++ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
++ SwapLongs(p, stuff->count);
+ return (ProcXSendExtensionEvent(client));
+ }
+
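Review bot: In the Xi/chgfctl.c part of the added patch, `SwapLongs((CARD32 *) syms, f->num_keysyms);` runs on a client-supplied count with no request-length check in view, and the only visible bound (`f->num_keysyms > s->ctrl.max_symbols`) comes after the swap. Every other swapped handler in this patch gets a `REQUEST_FIXED_SIZE` or an explicit `BadLength` test ahead of its `SwapLongs` call. The existing comment says num_keysyms is swapped in the calling proc, so the length validation presumably lives there too, but the function starts and ends outside the inner hunk and the caller is not shown, so this should be confirmed. I would add a comment above the call such as `/* caller has verified that num_keysyms words fit in the request */`, or move the length test next to the swap if the caller does not do it. Separately, grabdev.c and sendexev.c compare `stuff->length` by hand while the other files use `REQUEST_FIXED_SIZE`; using one form throughout would make the checks easier to audit.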