diff options
| author | Koop Mast <kwm@FreeBSD.org> | 2014-12-10 21:35:13 +0000 |
|---|---|---|
| committer | Koop Mast <kwm@FreeBSD.org> | 2014-12-10 21:35:13 +0000 |
| commit | 1ef33079b39900dcc3d50c5e019eb2f8901c525b (patch) | |
| tree | 49084ca45edd067095895911788343ae39bf660b /x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 | |
| parent | Document xserver security advisories. (diff) | |
Fix multiple xserver security advisories in the 1.12.4 xserver.
The patches where not ported to 1.7.7 so mark it forbidden. This version
is not default anymore and will be removed in the 1.14 update that currently
being tested.
Obtained from: xserver upstream
MFH: 2014Q4
Security: 27b9b2f0-8081-11e4-b4ca-bcaec565249c
Notes
Notes:
svn path=/head/; revision=374489
Diffstat (limited to 'x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2')
| -rw-r--r-- | x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 b/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 new file mode 100644 index 000000000000..a2ae0541e95e --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 @@ -0,0 +1,30 @@ +From b5f9ef03df6a650571b29d3d1c1d2b67c6e84336 Mon Sep 17 00:00:00 2001 +From: Julien Cristau <jcristau@debian.org> +Date: Tue, 28 Oct 2014 10:30:04 +0100 +Subject: [PATCH 13/40] render: check request size before reading it + [CVE-2014-8100 1/2] + +Otherwise we may be reading outside of the client request. + +Signed-off-by: Julien Cristau <jcristau@debian.org> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + render/render.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- render/render.c.orig 2014-12-10 16:06:01.737046585 +0100 ++++ render/render.c 2014-12-10 16:07:49.285040265 +0100 +@@ -271,10 +271,11 @@ + + REQUEST(xRenderQueryVersionReq); + ++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); ++ + pRenderClient->major_version = stuff->majorVersion; + pRenderClient->minor_version = stuff->minorVersion; + +- REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + memset(&rep, 0, sizeof(xRenderQueryVersionReply)); + rep.type = X_Reply; + rep.length = 0; |