aboutsummaryrefslogtreecommitdiff
path: root/debian/patches
diff options
context:
space:
mode:
authorMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-05-01 23:38:44 +0200
committerMihai Moldovan <ionic@ionic.de>2015-05-01 23:41:33 +0200
commit6b9df6cae0a8eca72005e14f370807816a704fcf (patch)
tree8c346bef736cb7c56e39ab1bd7fb8c2ce8f14302 /debian/patches
parenta17bd57efab94bd75aab0596b6f3aa7da677a8ec (diff)
downloadnx-libs-6b9df6cae0a8eca72005e14f370807816a704fcf.tar.gz
nx-libs-6b9df6cae0a8eca72005e14f370807816a704fcf.tar.bz2
nx-libs-6b9df6cae0a8eca72005e14f370807816a704fcf.zip
Security fixes: X.Org CVE-2015-3418:
v3: backport to 3.5.0.x branch. (Mihai Moldovan) Adds: - 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch29
-rw-r--r--debian/patches/series1
2 files changed, 30 insertions, 0 deletions
diff --git a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
new file mode 100644
index 000000000..7b6f28c00
--- /dev/null
+++ b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
@@ -0,0 +1,29 @@
+commit dba779d9f99ab2fc6bf05c78515dbdd82840cadd
+Author: Keith Packard <keithp@keithp.com>
+Date: Fri May 1 13:09:24 2015 +0200
+
+ dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).
+
+ The length checking code validates PutImage height and byte width by
+ making sure that byte-width >= INT32_MAX / height. If height is zero,
+ this generates a divide by zero exception. Allow zero height requests
+ explicitly, bypassing the INT32_MAX check.
+
+ Fix for regression introduced by fix for CVE-2014-8092.
+
+ v2: backports to nx-libs 3.6.x (Mike Gabriel)
+ Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
+index 5ad2f5a..ab10640 100644
+--- a/nx-X11/programs/Xserver/dix/dispatch.c
++++ b/nx-X11/programs/Xserver/dix/dispatch.c
+@@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client)
+
+ tmpImage = (char *)&stuff[1];
+ lengthProto = length;
+- if (lengthProto >= (INT32_MAX / stuff->height))
++ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
+ if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
diff --git a/debian/patches/series b/debian/patches/series
index 2c7d970c7..763eb0547 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -132,5 +132,6 @@
1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch
1104-xkb-Check-strings-length-against-request-size.full.patch
1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
+1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
0016_nx-X11_install-location.debian.patch
0102_xserver-xext_set-securitypolicy-path.debian.patch