diff options
| author | Koop Mast <kwm@FreeBSD.org> | 2017-10-09 19:30:27 +0000 |
|---|---|---|
| committer | Koop Mast <kwm@FreeBSD.org> | 2017-10-09 19:30:27 +0000 |
| commit | 22f6dd2eed8e208f45d7fe0b9e4389b7b3fd7749 (patch) | |
| tree | b81b789119e06a4cf2500ee736b984dc430811da /x11-servers | |
| parent | f1243e8317ffc420452e0ed96c47e8e8c5b648a5 (diff) | |
| download | ports-22f6dd2eed8e208f45d7fe0b9e4389b7b3fd7749.tar.gz ports-22f6dd2eed8e208f45d7fe0b9e4389b7b3fd7749.zip | |
Fix security issues: CVE-2017-13721 and CVE-2017-13723 in xorg-server.
Bump all the slaves due to not being sure where the shared code is used.
MFH: 2017Q4
Security: 4f8ffb9c-f388-4fbd-b90f-b3131559d888
Notes
Notes:
svn path=/head/; revision=451632
Diffstat (limited to 'x11-servers')
| -rw-r--r-- | x11-servers/xorg-nestserver/Makefile | 4 | ||||
| -rw-r--r-- | x11-servers/xorg-server/Makefile | 2 | ||||
| -rw-r--r-- | x11-servers/xorg-server/files/patch-CVE-2017-13721 | 26 | ||||
| -rw-r--r-- | x11-servers/xorg-server/files/patch-CVE-2017-13723 | 115 | ||||
| -rw-r--r-- | x11-servers/xorg-vfbserver/Makefile | 4 | ||||
| -rw-r--r-- | x11-servers/xwayland/Makefile | 4 |
6 files changed, 154 insertions, 1 deletions
diff --git a/x11-servers/xorg-nestserver/Makefile b/x11-servers/xorg-nestserver/Makefile index 2f5132fec5cc..717b4f3f4857 100644 --- a/x11-servers/xorg-nestserver/Makefile +++ b/x11-servers/xorg-nestserver/Makefile @@ -3,6 +3,7 @@ PORTNAME= xorg-nestserver PORTVERSION= 1.19.1 +PORTREVISION= 1 PORTEPOCH= 2 COMMENT= Nesting X server from X.Org @@ -26,6 +27,9 @@ CONFIGURE_ARGS+=--enable-xnest --disable-dmx --disable-xephyr --disable-xvfb \ PLIST_FILES= bin/Xnest man/man1/Xnest.1.gz +EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \ + ${MASTERDIR}/files/patch-CVE-2017-13723 + do-install: cd ${WRKSRC}/hw/xnest; DESTDIR=${STAGEDIR} ${MAKE} install diff --git a/x11-servers/xorg-server/Makefile b/x11-servers/xorg-server/Makefile index d24217b0bb26..eb62331dab11 100644 --- a/x11-servers/xorg-server/Makefile +++ b/x11-servers/xorg-server/Makefile @@ -3,7 +3,7 @@ PORTNAME?= xorg-server PORTVERSION?= 1.18.4 -PORTREVISION?= 3 +PORTREVISION?= 4 PORTEPOCH?= 1 CATEGORIES= x11-servers MASTER_SITES= XORG/individual/xserver diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-13721 b/x11-servers/xorg-server/files/patch-CVE-2017-13721 new file mode 100644 index 000000000000..68b3fcb5a5f9 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2017-13721 @@ -0,0 +1,26 @@ +From b95f25af141d33a65f6f821ea9c003f66a01e1f1 Mon Sep 17 00:00:00 2001 +From: Michal Srb <msrb@suse.com> +Date: Fri, 28 Jul 2017 16:27:10 +0200 +Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721) + +Otherwise it can belong to a non-existing client and abort X server with +FatalError "client not in use", or overwrite existing segment of another +existing client. + +Signed-off-by: Julien Cristau <jcristau@debian.org> + +diff --git a/Xext/shm.c b/Xext/shm.c +index 91ea90b..2f9a788 100644 +--- Xext/shm.c ++++ Xext/shm.c +@@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client) + }; + + REQUEST_SIZE_MATCH(xShmCreateSegmentReq); ++ LEGAL_NEW_RESOURCE(stuff->shmseg, client); + if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) { + client->errorValue = stuff->readOnly; + return BadValue; +-- +cgit v0.10.2 + diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-13723 b/x11-servers/xorg-server/files/patch-CVE-2017-13723 new file mode 100644 index 000000000000..c8952f28c6ae --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2017-13723 @@ -0,0 +1,115 @@ +From 94f11ca5cf011ef123bd222cabeaef6f424d76ac Mon Sep 17 00:00:00 2001 +From: Keith Packard <keithp@keithp.com> +Date: Thu, 27 Jul 2017 10:08:32 -0700 +Subject: xkb: Handle xkb formated string output safely (CVE-2017-13723) + +Generating strings for XKB data used a single shared static buffer, +which offered several opportunities for errors. Use a ring of +resizable buffers instead, to avoid problems when strings end up +longer than anticipated. + +Reviewed-by: Michal Srb <msrb@suse.com> +Signed-off-by: Keith Packard <keithp@keithp.com> +Signed-off-by: Julien Cristau <jcristau@debian.org> + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index ead2b1a..d2a2567 100644 +--- xkb/xkbtext.c ++++ xkb/xkbtext.c +@@ -47,23 +47,27 @@ + + /***====================================================================***/ + +-#define BUFFER_SIZE 512 +- +-static char textBuffer[BUFFER_SIZE]; +-static int tbNext = 0; ++#define NUM_BUFFER 8 ++static struct textBuffer { ++ int size; ++ char *buffer; ++} textBuffer[NUM_BUFFER]; ++static int textBufferIndex; + + static char * + tbGetBuffer(unsigned size) + { +- char *rtrn; ++ struct textBuffer *tb; + +- if (size >= BUFFER_SIZE) +- return NULL; +- if ((BUFFER_SIZE - tbNext) <= size) +- tbNext = 0; +- rtrn = &textBuffer[tbNext]; +- tbNext += size; +- return rtrn; ++ tb = &textBuffer[textBufferIndex]; ++ textBufferIndex = (textBufferIndex + 1) % NUM_BUFFER; ++ ++ if (size > tb->size) { ++ free(tb->buffer); ++ tb->buffer = xnfalloc(size); ++ tb->size = size; ++ } ++ return tb->buffer; + } + + /***====================================================================***/ +@@ -79,8 +83,6 @@ XkbAtomText(Atom atm, unsigned format) + int len; + + len = strlen(atmstr) + 1; +- if (len > BUFFER_SIZE) +- len = BUFFER_SIZE - 2; + rtrn = tbGetBuffer(len); + strlcpy(rtrn, atmstr, len); + } +@@ -128,8 +130,6 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format) + len = strlen(tmp) + 1; + if (format == XkbCFile) + len += 4; +- if (len >= BUFFER_SIZE) +- len = BUFFER_SIZE - 1; + rtrn = tbGetBuffer(len); + if (format == XkbCFile) { + strcpy(rtrn, "vmod_"); +@@ -140,6 +140,8 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format) + return rtrn; + } + ++#define VMOD_BUFFER_SIZE 512 ++ + char * + XkbVModMaskText(XkbDescPtr xkb, + unsigned modMask, unsigned mask, unsigned format) +@@ -147,7 +149,7 @@ XkbVModMaskText(XkbDescPtr xkb, + register int i, bit; + int len; + char *mm, *rtrn; +- char *str, buf[BUFFER_SIZE]; ++ char *str, buf[VMOD_BUFFER_SIZE]; + + if ((modMask == 0) && (mask == 0)) { + rtrn = tbGetBuffer(5); +@@ -173,7 +175,7 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= BUFFER_SIZE) { ++ if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { + if (str != buf) { + if (format == XkbCFile) + *str++ = '|'; +@@ -199,8 +201,6 @@ XkbVModMaskText(XkbDescPtr xkb, + len = 0; + if (str) + len += strlen(str) + (mm == NULL ? 0 : 1); +- if (len >= BUFFER_SIZE) +- len = BUFFER_SIZE - 1; + rtrn = tbGetBuffer(len + 1); + rtrn[0] = '\0'; + +-- +cgit v0.10.2 + diff --git a/x11-servers/xorg-vfbserver/Makefile b/x11-servers/xorg-vfbserver/Makefile index edf861a908e6..cee1d3aebd7f 100644 --- a/x11-servers/xorg-vfbserver/Makefile +++ b/x11-servers/xorg-vfbserver/Makefile @@ -3,6 +3,7 @@ PORTNAME= xorg-vfbserver PORTVERSION= 1.19.1 +PORTREVISION= 1 PORTEPOCH= 1 COMMENT= X virtual framebuffer server from X.Org @@ -24,6 +25,9 @@ CONFIGURE_ARGS+=--enable-xvfb --disable-dmx --disable-xephyr --disable-xnest \ PLIST_FILES= bin/Xvfb man/man1/Xvfb.1.gz +EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \ + ${MASTERDIR}/files/patch-CVE-2017-13723 + do-install: cd ${WRKSRC}/hw/vfb; DESTDIR=${STAGEDIR} ${MAKE} install diff --git a/x11-servers/xwayland/Makefile b/x11-servers/xwayland/Makefile index 4f6ab1879390..2887933a6dbb 100644 --- a/x11-servers/xwayland/Makefile +++ b/x11-servers/xwayland/Makefile @@ -2,6 +2,7 @@ PORTNAME= xwayland PORTVERSION= 1.19.1 +PORTREVISION= 1 COMMENT= X Clients under Wayland @@ -28,6 +29,9 @@ CONFIGURE_ARGS+= --disable-docs --disable-devel-docs \ PLIST_FILES= bin/Xwayland +EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \ + ${MASTERDIR}/files/patch-CVE-2017-13723 + do-install: cd ${WRKSRC}/hw/xwayland; DESTDIR=${STAGEDIR} ${MAKE_CMD} install |