From 16df117e563e53a77410b7fd0719c2014eef6a16 Mon Sep 17 00:00:00 2001 From: Mihai Moldovan Date: Tue, 2 Jun 2015 18:38:59 +0200 Subject: Security fixes: X.Org CVE-2014-8099: v3: port to NXxvdisp.c rather than xvdisp.c (Mike DePaulo) v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: - 1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch --- debian/changelog | 6 + ...ted-lengths-in-XVideo-extension-swap.full.patch | 169 ++++++++++++++++++++- 2 files changed, 170 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index 3201670e6..db7013727 100644 --- a/debian/changelog +++ b/debian/changelog @@ -181,6 +181,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: + 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch + * Security fixes: + - X.Org CVE-2014-8099: + v3: port to NXxvdisp.c rather than xvdisp.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch [ Bernard Cafarelli ] * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'. diff --git a/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch b/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch index 1d458a7fe..f869da9ba 100644 --- a/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch +++ b/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch @@ -5,6 +5,8 @@ Subject: [PATCH 26/40] Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099] v2: backport to nx-libs 3.6.x (Mike DePaulo) +v3: port to NXxvdisp.c rather than xvdisp.c (Mike DePaulo) +v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Signed-off-by: Alan Coopersmith Reviewed-by: Peter Hutterer @@ -15,8 +17,6 @@ Conflicts: nx-X11/programs/Xserver/Xext/xvdisp.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) -diff --git a/nx-X11/programs/Xserver/Xext/xvdisp.c b/nx-X11/programs/Xserver/Xext/xvdisp.c -index 21ab0b6..b361c0f 100644 --- a/nx-X11/programs/Xserver/Xext/xvdisp.c +++ b/nx-X11/programs/Xserver/Xext/xvdisp.c @@ -1347,6 +1347,7 @@ SProcXvQueryExtension(ClientPtr client) @@ -179,6 +179,165 @@ index 21ab0b6..b361c0f 100644 swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvListImageFormats(client); --- -2.1.4 - +--- a/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c ++++ b/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c +@@ -1401,6 +1401,7 @@ SProcXvQueryExtension(ClientPtr client) + { + register char n; + REQUEST(xvQueryExtensionReq); ++ REQUEST_SIZE_MATCH(xvQueryExtensionReq); + swaps(&stuff->length, n); + return ProcXvQueryExtension(client); + } +@@ -1410,6 +1411,7 @@ SProcXvQueryAdaptors(ClientPtr client) + { + register char n; + REQUEST(xvQueryAdaptorsReq); ++ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); + swaps(&stuff->length, n); + swapl(&stuff->window, n); + return ProcXvQueryAdaptors(client); +@@ -1420,6 +1422,7 @@ SProcXvQueryEncodings(ClientPtr client) + { + register char n; + REQUEST(xvQueryEncodingsReq); ++ REQUEST_SIZE_MATCH(xvQueryEncodingsReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvQueryEncodings(client); +@@ -1430,6 +1433,7 @@ SProcXvGrabPort(ClientPtr client) + { + register char n; + REQUEST(xvGrabPortReq); ++ REQUEST_SIZE_MATCH(xvGrabPortReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->time, n); +@@ -1441,6 +1445,7 @@ SProcXvUngrabPort(ClientPtr client) + { + register char n; + REQUEST(xvUngrabPortReq); ++ REQUEST_SIZE_MATCH(xvUngrabPortReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->time, n); +@@ -1452,6 +1457,7 @@ SProcXvPutVideo(ClientPtr client) + { + register char n; + REQUEST(xvPutVideoReq); ++ REQUEST_SIZE_MATCH(xvPutVideoReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1472,6 +1478,7 @@ SProcXvPutStill(ClientPtr client) + { + register char n; + REQUEST(xvPutStillReq); ++ REQUEST_SIZE_MATCH(xvPutStillReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1492,6 +1499,7 @@ SProcXvGetVideo(ClientPtr client) + { + register char n; + REQUEST(xvGetVideoReq); ++ REQUEST_SIZE_MATCH(xvGetVideoReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1512,6 +1520,7 @@ SProcXvGetStill(ClientPtr client) + { + register char n; + REQUEST(xvGetStillReq); ++ REQUEST_SIZE_MATCH(xvGetStillReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1532,6 +1541,7 @@ SProcXvPutImage(ClientPtr client) + { + register char n; + REQUEST(xvPutImageReq); ++ REQUEST_AT_LEAST_SIZE(xvPutImageReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1556,6 +1566,7 @@ SProcXvShmPutImage(ClientPtr client) + { + register char n; + REQUEST(xvShmPutImageReq); ++ REQUEST_SIZE_MATCH(xvShmPutImageReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1583,6 +1594,7 @@ SProcXvSelectVideoNotify(ClientPtr client) + { + register char n; + REQUEST(xvSelectVideoNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); + swaps(&stuff->length, n); + swapl(&stuff->drawable, n); + return ProcXvSelectVideoNotify(client); +@@ -1593,6 +1605,7 @@ SProcXvSelectPortNotify(ClientPtr client) + { + register char n; + REQUEST(xvSelectPortNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvSelectPortNotify(client); +@@ -1603,6 +1616,7 @@ SProcXvStopVideo(ClientPtr client) + { + register char n; + REQUEST(xvStopVideoReq); ++ REQUEST_SIZE_MATCH(xvStopVideoReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1614,6 +1628,7 @@ SProcXvSetPortAttribute(ClientPtr client) + { + register char n; + REQUEST(xvSetPortAttributeReq); ++ REQUEST_SIZE_MATCH(xvSetPortAttributeReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->attribute, n); +@@ -1625,6 +1640,7 @@ SProcXvGetPortAttribute(ClientPtr client) + { + register char n; + REQUEST(xvGetPortAttributeReq); ++ REQUEST_SIZE_MATCH(xvGetPortAttributeReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->attribute, n); +@@ -1636,6 +1652,7 @@ SProcXvQueryBestSize(ClientPtr client) + { + register char n; + REQUEST(xvQueryBestSizeReq); ++ REQUEST_SIZE_MATCH(xvQueryBestSizeReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swaps(&stuff->vid_w, n); +@@ -1650,6 +1667,7 @@ SProcXvQueryPortAttributes(ClientPtr client) + { + register char n; + REQUEST(xvQueryPortAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvQueryPortAttributes(client); +@@ -1660,6 +1678,7 @@ SProcXvQueryImageAttributes(ClientPtr client) + { + register char n; + REQUEST(xvQueryImageAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); + swaps(&stuff->length, n); + swapl(&stuff->id, n); + swaps(&stuff->width, n); +@@ -1672,6 +1691,7 @@ SProcXvListImageFormats(ClientPtr client) + { + register char n; + REQUEST(xvListImageFormatsReq); ++ REQUEST_SIZE_MATCH(xvListImageFormatsReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvListImageFormats(client); -- cgit v1.2.3