author: Koop Mast <kwm@FreeBSD.org> 2017-10-09 19:30:27 +0000
committer: Koop Mast <kwm@FreeBSD.org> 2017-10-09 19:30:27 +0000
commit: 22f6dd2eed8e208f45d7fe0b9e4389b7b3fd7749 (patch)
tree: b81b789119e06a4cf2500ee736b984dc430811da /x11-servers
parent: f1243e8317ffc420452e0ed96c47e8e8c5b648a5 (diff)
download: ports-22f6dd2eed8e208f45d7fe0b9e4389b7b3fd7749.tar.gz
ports-22f6dd2eed8e208f45d7fe0b9e4389b7b3fd7749.zip
6 files changed, 154 insertions, 1 deletions
diff --git a/x11-servers/xorg-nestserver/Makefile b/x11-servers/xorg-nestserver/Makefile
index 2f5132fec5cc..717b4f3f4857 100644
--- a/x11-servers/xorg-nestserver/Makefile
+++ b/x11-servers/xorg-nestserver/Makefile
@@ -3,6 +3,7 @@
 
 PORTNAME=	xorg-nestserver
 PORTVERSION=	1.19.1
+PORTREVISION=	1
 PORTEPOCH=	2
 
 COMMENT=	Nesting X server from X.Org
@@ -26,6 +27,9 @@ CONFIGURE_ARGS+=--enable-xnest --disable-dmx --disable-xephyr --disable-xvfb \
 
 PLIST_FILES=	bin/Xnest man/man1/Xnest.1.gz
 
+EXTRA_PATCHES=	${MASTERDIR}/files/patch-CVE-2017-13721 \
+		${MASTERDIR}/files/patch-CVE-2017-13723
+
 do-install:
 	cd ${WRKSRC}/hw/xnest; DESTDIR=${STAGEDIR} ${MAKE} install
 
diff --git a/x11-servers/xorg-server/Makefile b/x11-servers/xorg-server/Makefile
index d24217b0bb26..eb62331dab11 100644
--- a/x11-servers/xorg-server/Makefile
+++ b/x11-servers/xorg-server/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME?=	xorg-server
 PORTVERSION?=	1.18.4
-PORTREVISION?=	3
+PORTREVISION?=	4
 PORTEPOCH?=	1
 CATEGORIES=	x11-servers
 MASTER_SITES=	XORG/individual/xserver
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-13721 b/x11-servers/xorg-server/files/patch-CVE-2017-13721
new file mode 100644
index 000000000000..68b3fcb5a5f9
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2017-13721
@@ -0,0 +1,26 @@
+From b95f25af141d33a65f6f821ea9c003f66a01e1f1 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Fri, 28 Jul 2017 16:27:10 +0200
+Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721)
+
+Otherwise it can belong to a non-existing client and abort X server with
+FatalError "client not in use", or overwrite existing segment of another
+existing client.
+
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/Xext/shm.c b/Xext/shm.c
+index 91ea90b..2f9a788 100644
+--- Xext/shm.c
++++ Xext/shm.c
+@@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client)
+     };
+ 
+     REQUEST_SIZE_MATCH(xShmCreateSegmentReq);
++    LEGAL_NEW_RESOURCE(stuff->shmseg, client);
+     if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) {
+         client->errorValue = stuff->readOnly;
+         return BadValue;
+-- 
+cgit v0.10.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-13723 b/x11-servers/xorg-server/files/patch-CVE-2017-13723
new file mode 100644
index 000000000000..c8952f28c6ae
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2017-13723
@@ -0,0 +1,115 @@
+From 94f11ca5cf011ef123bd222cabeaef6f424d76ac Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Thu, 27 Jul 2017 10:08:32 -0700
+Subject: xkb: Handle xkb formated string output safely (CVE-2017-13723)
+
+Generating strings for XKB data used a single shared static buffer,
+which offered several opportunities for errors. Use a ring of
+resizable buffers instead, to avoid problems when strings end up
+longer than anticipated.
+
+Reviewed-by: Michal Srb <msrb@suse.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
+index ead2b1a..d2a2567 100644
+--- xkb/xkbtext.c
++++ xkb/xkbtext.c
+@@ -47,23 +47,27 @@
+ 
+ /***====================================================================***/
+ 
+-#define	BUFFER_SIZE	512
+-
+-static char textBuffer[BUFFER_SIZE];
+-static int tbNext = 0;
++#define NUM_BUFFER      8
++static struct textBuffer {
++    int size;
++    char *buffer;
++} textBuffer[NUM_BUFFER];
++static int textBufferIndex;
+ 
+ static char *
+ tbGetBuffer(unsigned size)
+ {
+-    char *rtrn;
++    struct textBuffer *tb;
+ 
+-    if (size >= BUFFER_SIZE)
+-        return NULL;
+-    if ((BUFFER_SIZE - tbNext) <= size)
+-        tbNext = 0;
+-    rtrn = &textBuffer[tbNext];
+-    tbNext += size;
+-    return rtrn;
++    tb = &textBuffer[textBufferIndex];
++    textBufferIndex = (textBufferIndex + 1) % NUM_BUFFER;
++
++    if (size > tb->size) {
++        free(tb->buffer);
++        tb->buffer = xnfalloc(size);
++        tb->size = size;
++    }
++    return tb->buffer;
+ }
+ 
+ /***====================================================================***/
+@@ -79,8 +83,6 @@ XkbAtomText(Atom atm, unsigned format)
+         int len;
+ 
+         len = strlen(atmstr) + 1;
+-        if (len > BUFFER_SIZE)
+-            len = BUFFER_SIZE - 2;
+         rtrn = tbGetBuffer(len);
+         strlcpy(rtrn, atmstr, len);
+     }
+@@ -128,8 +130,6 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
+     len = strlen(tmp) + 1;
+     if (format == XkbCFile)
+         len += 4;
+-    if (len >= BUFFER_SIZE)
+-        len = BUFFER_SIZE - 1;
+     rtrn = tbGetBuffer(len);
+     if (format == XkbCFile) {
+         strcpy(rtrn, "vmod_");
+@@ -140,6 +140,8 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
+     return rtrn;
+ }
+ 
++#define VMOD_BUFFER_SIZE        512
++
+ char *
+ XkbVModMaskText(XkbDescPtr xkb,
+                 unsigned modMask, unsigned mask, unsigned format)
+@@ -147,7 +149,7 @@ XkbVModMaskText(XkbDescPtr xkb,
+     register int i, bit;
+     int len;
+     char *mm, *rtrn;
+-    char *str, buf[BUFFER_SIZE];
++    char *str, buf[VMOD_BUFFER_SIZE];
+ 
+     if ((modMask == 0) && (mask == 0)) {
+         rtrn = tbGetBuffer(5);
+@@ -173,7 +175,7 @@ XkbVModMaskText(XkbDescPtr xkb,
+                 len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+                 if (format == XkbCFile)
+                     len += 4;
+-                if ((str - (buf + len)) <= BUFFER_SIZE) {
++                if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
+                     if (str != buf) {
+                         if (format == XkbCFile)
+                             *str++ = '|';
+@@ -199,8 +201,6 @@ XkbVModMaskText(XkbDescPtr xkb,
+         len = 0;
+     if (str)
+         len += strlen(str) + (mm == NULL ? 0 : 1);
+-    if (len >= BUFFER_SIZE)
+-        len = BUFFER_SIZE - 1;
+     rtrn = tbGetBuffer(len + 1);
+     rtrn[0] = '\0';
+ 
+-- 
+cgit v0.10.2
+
diff --git a/x11-servers/xorg-vfbserver/Makefile b/x11-servers/xorg-vfbserver/Makefile
index edf861a908e6..cee1d3aebd7f 100644
--- a/x11-servers/xorg-vfbserver/Makefile
+++ b/x11-servers/xorg-vfbserver/Makefile
@@ -3,6 +3,7 @@
 
 PORTNAME=	xorg-vfbserver
 PORTVERSION=	1.19.1
+PORTREVISION=	1
 PORTEPOCH=	1
 
 COMMENT=	X virtual framebuffer server from X.Org
@@ -24,6 +25,9 @@ CONFIGURE_ARGS+=--enable-xvfb --disable-dmx --disable-xephyr --disable-xnest \
 
 PLIST_FILES=	bin/Xvfb man/man1/Xvfb.1.gz
 
+EXTRA_PATCHES=	${MASTERDIR}/files/patch-CVE-2017-13721 \
+		${MASTERDIR}/files/patch-CVE-2017-13723
+
 do-install:
 	cd ${WRKSRC}/hw/vfb; DESTDIR=${STAGEDIR} ${MAKE} install
 
diff --git a/x11-servers/xwayland/Makefile b/x11-servers/xwayland/Makefile
index 4f6ab1879390..2887933a6dbb 100644
--- a/x11-servers/xwayland/Makefile
+++ b/x11-servers/xwayland/Makefile
@@ -2,6 +2,7 @@
 
 PORTNAME=	xwayland
 PORTVERSION=	1.19.1
+PORTREVISION=	1
 
 COMMENT=	X Clients under Wayland
 
@@ -28,6 +29,9 @@ CONFIGURE_ARGS+=	--disable-docs --disable-devel-docs \
 
 PLIST_FILES=	bin/Xwayland
 
+EXTRA_PATCHES=	${MASTERDIR}/files/patch-CVE-2017-13721 \
+		${MASTERDIR}/files/patch-CVE-2017-13723
+
 do-install:
 	cd ${WRKSRC}/hw/xwayland; DESTDIR=${STAGEDIR} ${MAKE_CMD} install
author	Koop Mast <kwm@FreeBSD.org>	2017-10-09 19:30:27 +0000
committer	Koop Mast <kwm@FreeBSD.org>	2017-10-09 19:30:27 +0000
commit	22f6dd2eed8e208f45d7fe0b9e4389b7b3fd7749 (patch)
tree	b81b789119e06a4cf2500ee736b984dc430811da /x11-servers
parent	f1243e8317ffc420452e0ed96c47e8e8c5b648a5 (diff)
download	ports-22f6dd2eed8e208f45d7fe0b9e4389b7b3fd7749.tar.gz ports-22f6dd2eed8e208f45d7fe0b9e4389b7b3fd7749.zip