diff options
| author | Mihai Moldovan <ionic@ionic.de> | 2015-04-26 23:32:32 +0200 |
|---|---|---|
| committer | Mihai Moldovan <ionic@ionic.de> | 2015-04-26 23:34:27 +0200 |
| commit | 96efadac50bf40bc502680072570a2950f132fe3 (patch) | |
| tree | acbd7103b5908636a97060581ba8bed01b5e83fa /debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch | |
| parent | 79a4ed92dbae5089d3ddfcc0acec427ff057ad9b (diff) | |
| download | nx-libs-96efadac50bf40bc502680072570a2950f132fe3.tar.gz nx-libs-96efadac50bf40bc502680072570a2950f132fe3.tar.bz2 nx-libs-96efadac50bf40bc502680072570a2950f132fe3.zip | |
CVE patches were previously not included in release tarballs.
Rename:
- 1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch =>
1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-.full.patch
- 1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch =>
1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.full.patch
- 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch =>
1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
- 1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch =>
1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-.full.patch
- 1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch =>
1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
- 1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch =>
1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
- 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch =>
1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch
- 1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch =>
1008-Don-t-crash-when-we-receive-an-FS_Error-from-th.full.patch
- 1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch =>
1009-CVE-2014-0210-unvalidated-lengths-when-reading-.full.patch
- 1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch =>
1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch
- 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch =>
1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
- 1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch =>
1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch
- 1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch =>
1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch
- 1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch =>
1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
- 1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch =>
1015-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
- 1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch =>
1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
- 1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch =>
1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
- 1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch =>
1018-unchecked-malloc-may-allow-unauthed-client-to-c.full.patch
- 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch =>
1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
- 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch =>
1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-.full.patch
- 1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch =>
1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8.full.patch
- 1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch =>
1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch
- 1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch =>
1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch
- 1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch =>
1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch
- 1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch =>
1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDL.full.patch
- 1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch =>
1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch
- 1027-render-check-request-size-before-reading-it-CVE-2014.patch =>
1027-render-check-request-size-before-reading-it-CVE.full.patch
- 1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch =>
1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
- 1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch =>
1029-xfixes-unvalidated-length-in-SProcXFixesSelectS.full.patch
- 1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch =>
1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch
- 1031-glx-Be-more-paranoid-about-variable-length-requests-.patch =>
1031-glx-Be-more-paranoid-about-variable-length-requ.full.patch
- 1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch =>
1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch
- 1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch =>
1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer.full.patch
- 1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch =>
1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch
- 1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch =>
1035-glx-Length-checking-for-GLXRender-requests-v2-C.full.patch
- 1036-glx-Integer-overflow-protection-for-non-generated-re.patch =>
1036-glx-Integer-overflow-protection-for-non-generat.full.patch
- 1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch =>
1037-glx-Top-level-length-checking-for-swapped-Vendo.full.patch
- 1038-glx-Length-checking-for-non-generated-single-request.patch =>
1038-glx-Length-checking-for-non-generated-single-re.full.patch
- 1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch =>
1039-glx-Length-checking-for-RenderLarge-requests-v2.full.patch
- 1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch =>
1040-glx-Pass-remaining-request-length-into-varsize-.full.patch
- 1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch =>
1041-nx-X11-lib-font-fc-fserve.c-initialize-remainin.full.patch
- 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch =>
1042-Do-proper-input-validation-to-fix-for-CVE-2011-.full.patch
- 1101-Coverity-844-845-846-Fix-memory-leaks.patch =>
1101-Coverity-844-845-846-Fix-memory-leaks.full.patch
- 1102-include-introduce-byte-counting-functions.patch =>
1102-include-introduce-byte-counting-functions.full.patch
- 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch =>
1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch
- 1104-xkb-Check-strings-length-against-request-size.patch =>
1104-xkb-Check-strings-length-against-request-size.full.patch
Diffstat (limited to 'debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch')
| -rw-r--r-- | debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch | 141 |
1 files changed, 0 insertions, 141 deletions
diff --git a/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch b/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch deleted file mode 100644 index 9d0f3f875..000000000 --- a/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch +++ /dev/null @@ -1,141 +0,0 @@ -From e29bbd5bf0565eaf7c02f85a57b87f66531fa6b3 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo <mikedep333@gmail.com> -Date: Sun, 8 Feb 2015 22:08:09 -0500 -Subject: [PATCH 11/40] CVE-2014-0210: unvalidated length fields in - fs_read_query_info() from xorg/lib/libXfont commit - 491291cabf78efdeec8f18b09e14726a9030cc8f - -fs_read_query_info() parses a reply from the font server. The reply -contains embedded length fields, none of which are validated. This -can cause out of bound reads in either fs_read_query_info() or in -_fs_convert_props() which it calls to parse the fsPropInfo in the reply. - -v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan) ---- - nx-X11/lib/font/fc/fsconvert.c | 19 ++++++++++++++----- - nx-X11/lib/font/fc/fserve.c | 43 +++++++++++++++++++++++++++++++++++++++--- - 2 files changed, 54 insertions(+), 8 deletions(-) - -diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c -index 9a5e194..afa2c32 100644 ---- a/nx-X11/lib/font/fc/fsconvert.c -+++ b/nx-X11/lib/font/fc/fsconvert.c -@@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, - for (i = 0; i < nprops; i++, dprop++, is_str++) - { - memcpy(&local_off, off_adr, SIZEOF(fsPropOffset)); -+ if ((local_off.name.position >= pi->data_len) || -+ (local_off.name.length > -+ (pi->data_len - local_off.name.position))) -+ goto bail; - dprop->name = MakeAtom(&pdc[local_off.name.position], - local_off.name.length, 1); - if (local_off.type != PropTypeString) { -@@ -130,15 +134,20 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, - dprop->value = local_off.value.position; - } else { - *is_str = TRUE; -+ if ((local_off.value.position >= pi->data_len) || -+ (local_off.value.length > -+ (pi->data_len - local_off.value.position))) -+ goto bail; - dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position], - local_off.value.length, 1); - if (dprop->value == BAD_RESOURCE) - { -- xfree (pfi->props); -- pfi->nprops = 0; -- pfi->props = 0; -- pfi->isStringProp = 0; -- return -1; -+ bail: -+ xfree (pfi->props); -+ pfi->nprops = 0; -+ pfi->props = 0; -+ pfi->isStringProp = 0; -+ return -1; - } - } - off_adr += SIZEOF(fsPropOffset); -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index 9e652d2..75cabdd 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -866,6 +866,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FSFpePtr conn = (FSFpePtr) fpe->private; - fsQueryXInfoReply *rep; - char *buf; -+ long bufleft = 0; /* length of reply left to use */ - fsPropInfo *pi; - fsPropOffset *po; - pointer pd; -@@ -896,7 +897,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - - buf = (char *) rep; - buf += SIZEOF(fsQueryXInfoReply); -- -+ -+ bufleft = rep->length << 2; -+ bufleft -= SIZEOF(fsQueryXInfoReply); -+ - /* move the data over */ - fsUnpack_XFontInfoHeader(rep, pInfo); - -@@ -904,19 +908,52 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - _fs_init_fontinfo(conn, pInfo); - - /* Compute offsets into the reply */ -+ if (bufleft < SIZEOF(fsPropInfo)) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n", -+ bufleft); -+#endif -+ goto bail; -+ } - pi = (fsPropInfo *) buf; - buf += SIZEOF (fsPropInfo); -- -+ bufleft -= SIZEOF (fsPropInfo); -+ -+ if ((bufleft / SIZEOF (fsPropOffset)) < pi->num_offsets) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXInfo: (bufleft / SIZEOF (fsPropOffset)) (%ld) < pi->num_offsets (%d)\n", -+ bufleft / SIZEOF (fsPropOffset), pi->num_offsets); -+#endif -+ goto bail; -+ } - po = (fsPropOffset *) buf; - buf += pi->num_offsets * SIZEOF(fsPropOffset); -+ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset); - -+ if (bufleft < pi->data_len) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n", -+ bufleft, pi->data_len); -+#endif -+ goto bail; -+ } - pd = (pointer) buf; - buf += pi->data_len; -+ bufleft -= pi->data_len; - - /* convert the properties and step over the reply */ - ret = _fs_convert_props(pi, po, pd, pInfo); -+ bail: - _fs_done_read (conn, rep->length << 2); -- -+ - if (ret == -1) - { - fs_cleanup_bfont (bfont); --- -2.1.4 - |