Diffstat (limited to 'debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch')
-rw-r--r--debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch56
1 files changed, 0 insertions, 56 deletions
diff --git a/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch b/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
deleted file mode 100644
index 339f03de7..000000000
--- a/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From ef439da38d3a4c00a4e03e7d8f83cb359cd9a230 Mon Sep 17 00:00:00 2001
-From: Mike DePaulo <mikedep333@gmail.com>
-Date: Sun, 8 Feb 2015 22:35:21 -0500
-Subject: [PATCH 16/40] CVE-2014-0210: unvalidated length fields in
- fs_read_list() from xorg/lib/libXfont commit
- 5fa73ac18474be3032ee7af9c6e29deab163ea39
-
-fs_read_list() parses a reply from the font server. The reply
-contains a list of strings with embedded length fields, none of
-which are validated. This can cause out of bound reads when looping
-over the strings in the reply.
----
- nx-X11/lib/font/fc/fserve.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
---- a/nx-X11/lib/font/fc/fserve.c
-+++ b/nx-X11/lib/font/fc/fserve.c
-@@ -2366,6 +2366,7 @@ fs_read_list(FontPathElementPtr fpe, FSB
- FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data;
- fsListFontsReply *rep;
- char *data;
-+ long dataleft; /* length of reply left to use */
- int length,
- i,
- ret;
-@@ -2383,16 +2384,30 @@ fs_read_list(FontPathElementPtr fpe, FSB
- return AllocError;
- }
- data = (char *) rep + SIZEOF (fsListFontsReply);
-+ dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
-
- err = Successful;
- /* copy data into FontPathRecord */
- for (i = 0; i < rep->nFonts; i++)
- {
-+ if (dataleft < 1)
-+ break;
- length = *(unsigned char *)data++;
-+ dataleft--; /* used length byte */
-+ if (length > dataleft) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsListFonts: name length (%d) > dataleft (%ld)\n",
-+ length, dataleft);
-+#endif
-+ err = BadFontName;
-+ break;
-+ }
- err = AddFontNamesName(blist->names, data, length);
- if (err != Successful)
- break;
- data += length;
-+ dataleft -= length;
- }
- _fs_done_read (conn, rep->length << 2);
- return err;