1 files changed, 115 insertions, 0 deletions

diff --git a/debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch b/debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
new file mode 100644
index 000000000..328853a2c
--- /dev/null
+++ b/debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
@@ -0,0 +1,115 @@
+From 9308c79ba2757cb1a64e0040176b8290b435544f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 16 Jan 2015 20:08:59 +0100
+Subject: [PATCH 3/4] xkb: Don't swap XkbSetGeometry data in the input buffer
+
+The XkbSetGeometry request embeds data which needs to be swapped when the
+server and the client have different endianess.
+
+_XkbSetGeometry() invokes functions that swap these data directly in the
+input buffer.
+
+However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
+(if there is more than one keyboard), thus causing on swapped clients the
+same data to be swapped twice in memory, further causing a server crash
+because the strings lengths on the second time are way off bounds.
+
+To allow _XkbSetGeometry() to run reliably more than once with swapped
+clients, do not swap the data in the buffer, use variables instead.
+
+v3: backport to nx-libs 3.6.x as a prereq for
+the CVE-2015-0255 fix (Mike DePaulo)
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
+(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+index 2405090..7db0959 100644
+---
+ nx-X11/programs/Xserver/xkb/xkb.c | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c
+index 2561c89..d8b5b2c 100644
+--- a/nx-X11/programs/Xserver/xkb/xkb.c
++++ b/nx-X11/programs/Xserver/xkb/xkb.c
+@@ -4441,15 +4441,14 @@ static char *
+ _GetCountedString(char **wire_inout,Bool swap)
+ {
+ char *	wire,*str;
+-CARD16	len,*plen;
++CARD16	len;
+ 
+     wire= *wire_inout;
+-    plen= (CARD16 *)wire;
++    len= (CARD16 *)wire;
+     if (swap) {
+ 	register int n;
+-	swaps(plen,n);
++	swaps(&len, n);
+     }
+-    len= *plen;
+     str= (char *)_XkbAlloc(len+1);
+     if (str) {
+ 	memcpy(str,&wire[2],len);
+@@ -4468,26 +4467,29 @@ _CheckSetDoodad(	char **		wire_inout,
+ {
+ char *			wire;
+ xkbDoodadWireDesc *	dWire;
++xkbAnyDoodadWireDesc	any;
++xkbTextDoodadWireDesc	text;
+ XkbDoodadPtr		doodad;
+ 
+     dWire= (xkbDoodadWireDesc *)(*wire_inout);
++    any = dWire->any;
+     wire= (char *)&dWire[1];
+     if (client->swapped) {
+ 	register int n;
+-	swapl(&dWire->any.name,n);
+-	swaps(&dWire->any.top,n);
+-	swaps(&dWire->any.left,n);
+-	swaps(&dWire->any.angle,n);
++	swapl(&any.name, n);
++	swaps(&any.top, n);
++	swaps(&any.left, n);
++	swaps(&any.angle, n);
+     }
+     CHK_ATOM_ONLY(dWire->any.name);
+-    doodad= XkbAddGeomDoodad(geom,section,dWire->any.name);
++    doodad = XkbAddGeomDoodad(geom, section, any.name);
+     if (!doodad)
+ 	return BadAlloc;
+     doodad->any.type= dWire->any.type;
+     doodad->any.priority= dWire->any.priority;
+-    doodad->any.top= dWire->any.top;
+-    doodad->any.left= dWire->any.left;
+-    doodad->any.angle= dWire->any.angle;
++    doodad->any.top = any.top;
++    doodad->any.left = any.left;
++    doodad->any.angle = any.angle;
+     switch (doodad->any.type) {
+ 	case XkbOutlineDoodad:
+ 	case XkbSolidDoodad:
+@@ -4510,13 +4512,14 @@ XkbDoodadPtr		doodad;
+ 							dWire->text.colorNdx);
+ 		return BadMatch;
+ 	    }
++	    text = dWire->text;
+ 	    if (client->swapped) {
+ 		register int n;
+-		swaps(&dWire->text.width,n);
+-		swaps(&dWire->text.height,n);
++		swaps(&text.width, n);
++		swaps(&text.height, n);
+ 	    }
+-	    doodad->text.width= dWire->text.width;
+-	    doodad->text.height= dWire->text.height;
++	    doodad->text.width= text.width;
++	    doodad->text.height= text.height;
+ 	    doodad->text.color_ndx= dWire->text.colorNdx;
+ 	    doodad->text.text= _GetCountedString(&wire,client->swapped);
+ 	    doodad->text.font= _GetCountedString(&wire,client->swapped);
+-- 
+1.9.1
+