commit f0674232c0af431b95993cae20ec5d873296472b Author: Danny Rawlins <monster.romster@gmail.com> Date: Wed Oct 9 19:16:15 2013 +1100 [notify] xorg-server: update, Fixes CVE-2013-4396 diff --git a/xorg-server/.md5sum b/xorg-server/.md5sum index 9845351..41b8ecf 100644 --- a/xorg-server/.md5sum +++ b/xorg-server/.md5sum @@ -1 +1,2 @@ +77c48738460f0dfa426da46f98efb4b4 cve-2013-4396.patch 86abeb08d3f7ead3a2bd3d6a9ba6714e xorg-server-1.14.3.tar.bz2 diff --git a/xorg-server/Pkgfile b/xorg-server/Pkgfile index 0b48682..09d2b6a 100644 --- a/xorg-server/Pkgfile +++ b/xorg-server/Pkgfile @@ -5,12 +5,15 @@ name=xorg-server version=1.14.3 -release=1 -source=(http://xorg.freedesktop.org/releases/individual/xserver/$name-$version.tar.b...) +release=2 +source=(http://xorg.freedesktop.org/releases/individual/xserver/$name-$version.tar.b... + cve-2013-4396.patch) build() { cd $name-$version + patch -p1 -i $SRC/cve-2013-4396.patch + ./configure --prefix=/usr \ --mandir=/usr/man \ --localstatedir=/var \ diff --git a/xorg-server/cve-2013-4396.patch b/xorg-server/cve-2013-4396.patch new file mode 100644 index 0000000..b35fd6b --- /dev/null +++ b/xorg-server/cve-2013-4396.patch @@ -0,0 +1,77 @@ +From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Mon, 16 Sep 2013 21:47:16 -0700 +Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText() + [CVE-2013-4396] + +Save a pointer to the passed in closure structure before copying it +and overwriting the *c pointer to point to our copy instead of the +original. If we hit an error, once we free(c), reset c to point to +the original structure before jumping to the cleanup code that +references *c. + +Since one of the errors being checked for is whether the server was +able to malloc(c->nChars * itemSize), the client can potentially pass +a number of characters chosen to cause the malloc to fail and the +error path to be taken, resulting in the read from freed memory. + +Since the memory is accessed almost immediately afterwards, and the +X server is mostly single threaded, the odds of the free memory having +invalid contents are low with most malloc implementations when not using +memory debugging features, but some allocators will definitely overwrite +the memory there, leading to a likely crash. + +Reported-by: Pedro Ribeiro <pedrib@gmail.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +--- + dix/dixfonts.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/dix/dixfonts.c b/dix/dixfonts.c +index feb765d..2e34d37 100644 +--- a/dix/dixfonts.c ++++ b/dix/dixfonts.c +@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c) + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c) + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + + data = malloc(c->nChars * itemSize); + if (!data) { + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c) + if (!pGC) { + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c) + FreeScratchGC(pGC); + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +-- +1.7.9.2 + +