x11-servers/xorg-server: Backport security fixes

Backport security fixes for CVE-2017-10971 and CVE-2017-10972 (yes, 2017).
For some reason this was not done when the vulnerabilities were documented
in VuXML, and a typo in the version range in VuXML meant that the entries
never matched.

This fixes a memory disclosure and a couple of buffer overruns.

PR:		220584
Reported by:	Vladimir Krstulja
MFH:		2018Q2
Security:	ab881a74-c016-4e6d-9f7d-68c8e7cedafb

3 files changed, 202 insertions, 1 deletions

diff --git a/x11-servers/xorg-server/Makefile b/x11-servers/xorg-server/Makefile
index 7b275af548a7..519675c16d7e 100644
--- a/x11-servers/xorg-server/Makefile
+++ b/x11-servers/xorg-server/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME?=	xorg-server
 PORTVERSION?=	1.18.4
-PORTREVISION?=	6
+PORTREVISION?=	7
 PORTEPOCH?=	1
 CATEGORIES=	x11-servers
 MASTER_SITES=	XORG/individual/xserver
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-10971 b/x11-servers/xorg-server/files/patch-CVE-2017-10971
new file mode 100644
index 000000000000..6eae9000fe40
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2017-10971
@@ -0,0 +1,163 @@
+From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:40 +0300
+Subject: dix: Disallow GenericEvent in SendEvent request.
+
+The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
+no less. Both ProcSendEvent and SProcSendEvent verify that the received data
+exactly match the request size. However nothing stops the client from passing
+in event with xEvent::type = GenericEvent and any value of
+xGenericEvent::length.
+
+In the case of ProcSendEvent, the event will be eventually passed to
+WriteEventsToClient which will see that it is Generic event and copy the
+arbitrary length from the receive buffer (and possibly past it) and send it to
+the other client. This allows clients to copy unitialized heap memory out of X
+server or to crash it.
+
+In case of SProcSendEvent, it will attempt to swap the incoming event by
+calling a swapping function from the EventSwapVector array. The swapped event
+is written to target buffer, which in this case is local xEvent variable. The
+xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
+expect that the target buffer has size matching the size of the source
+GenericEvent. This allows clients to cause stack buffer overflows.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ dix/events.c  | 6 ++++++
+ dix/swapreq.c | 7 +++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/dix/events.c b/dix/events.c
+index 3e3a01e..d3a33ea 100644
+--- dix/events.c
++++ dix/events.c
+@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
+         client->errorValue = stuff->event.u.u.type;
+         return BadValue;
+     }
++    /* Generic events can have variable size, but SendEvent request holds
++       exactly 32B of event data. */
++    if (stuff->event.u.u.type == GenericEvent) {
++        client->errorValue = stuff->event.u.u.type;
++        return BadValue;
++    }
+     if (stuff->event.u.u.type == ClientMessage &&
+         stuff->event.u.u.detail != 8 &&
+         stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
+diff --git a/dix/swapreq.c b/dix/swapreq.c
+index 719e9b8..6785059 100644
+--- dix/swapreq.c
++++ dix/swapreq.c
+@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
+     swapl(&stuff->destination);
+     swapl(&stuff->eventMask);
+ 
++    /* Generic events can have variable size, but SendEvent request holds
++       exactly 32B of event data. */
++    if (stuff->event.u.u.type == GenericEvent) {
++        client->errorValue = stuff->event.u.u.type;
++        return BadValue;
++    }
++
+     /* Swap event */
+     proc = EventSwapVector[stuff->event.u.u.type & 0177];
+     if (!proc || proc == NotImplemented)        /* no swapping proc; invalid event type? */
+-- 
+cgit v1.1
+
+From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:41 +0300
+Subject: Xi: Verify all events in ProcXSendExtensionEvent.
+
+The requirement is that events have type in range
+EXTENSION_EVENT_BASE..lastEvent, but it was tested
+only for first event of all.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xi/sendexev.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 1cf118a..5e63bfc 100644
+--- Xi/sendexev.c
++++ Xi/sendexev.c
+@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ int
+ ProcXSendExtensionEvent(ClientPtr client)
+ {
+-    int ret;
++    int ret, i;
+     DeviceIntPtr dev;
+     xEvent *first;
+     XEventClass *list;
+@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
+     /* The client's event type must be one defined by an extension. */
+ 
+     first = ((xEvent *) &stuff[1]);
+-    if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
+-          (first->u.u.type < lastEvent))) {
+-        client->errorValue = first->u.u.type;
+-        return BadValue;
++    for (i = 0; i < stuff->num_events; i++) {
++        if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
++            (first[i].u.u.type < lastEvent))) {
++            client->errorValue = first[i].u.u.type;
++            return BadValue;
++        }
+     }
+ 
+     list = (XEventClass *) (first + stuff->num_events);
+-- 
+cgit v1.1
+
+From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:42 +0300
+Subject: Xi: Do not try to swap GenericEvent.
+
+The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
+it is assuming that the event has fixed size and gives the swapping function
+xEvent-sized buffer.
+
+A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xi/sendexev.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 5e63bfc..5c2e0fc 100644
+--- Xi/sendexev.c
++++ Xi/sendexev.c
+@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
+ 
+     eventP = (xEvent *) &stuff[1];
+     for (i = 0; i < stuff->num_events; i++, eventP++) {
++        if (eventP->u.u.type == GenericEvent) {
++            client->errorValue = eventP->u.u.type;
++            return BadValue;
++        }
++
+         proc = EventSwapVector[eventP->u.u.type & 0177];
+-        if (proc == NotImplemented)     /* no swapping proc; invalid event type? */
++        /* no swapping proc; invalid event type? */
++        if (proc == NotImplemented) {
++            client->errorValue = eventP->u.u.type;
+             return BadValue;
++        }
+         (*proc) (eventP, &eventT);
+         *eventP = eventT;
+     }
+-- 
+cgit v1.1
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-10972 b/x11-servers/xorg-server/files/patch-CVE-2017-10972
new file mode 100644
index 000000000000..444d0d2c5d2a
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2017-10972
@@ -0,0 +1,38 @@
+From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:39 +0300
+Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
+
+Make sure that the xEvent eventT is initialized with zeros, the same way as
+in SProcSendEvent.
+
+Some event swapping functions do not overwrite all 32 bytes of xEvent
+structure, for example XSecurityAuthorizationRevoked. Two cooperating
+clients, one swapped and the other not, can send
+XSecurityAuthorizationRevoked event to each other to retrieve old stack data
+from X server. This can be potentialy misused to go around ASLR or
+stack-protector.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xi/sendexev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 11d8202..1cf118a 100644
+--- Xi/sendexev.c
++++ Xi/sendexev.c
+@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ {
+     CARD32 *p;
+     int i;
+-    xEvent eventT;
++    xEvent eventT = { .u.u.type = 0 };
+     xEvent *eventP;
+     EventSwapPtr proc;
+ 
+-- 
+cgit v1.1
+