diff options
author | Jaka Kranjc | 2007-01-11 09:43:48 +0100 |
---|---|---|
committer | Jaka Kranjc | 2007-01-11 09:45:06 +0100 |
commit | 194cc86b862143bb2ac6c7a3d2e38d68a5ca3061 (patch) | |
tree | b18cd0139d7c61822575055f7e8939abbaf2a339 | |
parent | a1347d253bf9694a2725663e97c3af56a9286c8c (diff) |
xorg: Updated for CVE-2006-3739/3740. Bug 13115.
Conflicts:
x11-libs/xorg/DETAILS
x11-libs/xorg/HISTORY
-rwxr-xr-x | x11-libs/xorg/DETAILS | 2 | ||||
-rw-r--r-- | x11-libs/xorg/HISTORY | 5 | ||||
-rwxr-xr-x | x11-libs/xorg/PRE_BUILD | 3 | ||||
-rw-r--r-- | x11-libs/xorg/x11r6.9.0-cidfonts.diff | 96 |
4 files changed, 104 insertions, 2 deletions
diff --git a/x11-libs/xorg/DETAILS b/x11-libs/xorg/DETAILS index d527a2449f..86a1d39174 100755 --- a/x11-libs/xorg/DETAILS +++ b/x11-libs/xorg/DETAILS @@ -15,7 +15,7 @@ SOURCE_DIRECTORY=$BUILD_DIRECTORY/xc SOURCE_URL[1]=ftp://ftp.x.org/pub/${XVERSION}/src-single/$SOURCE # SOURCE_HASH=sha512:8fe05f9e4ca1eb44fd344ce226c023a5904c0d94af9e769f8d24ea64f4695ed6904b2238acc16bea00637852de7cbd3241cb59f1af66e1d147dc4897308419bb SOURCE_GPG=gurus.gpg:$SOURCE.sig:WORKS_FOR_ME - SECURITY_PATCH=2 + SECURITY_PATCH=3 fi WEB_SITE=http://xorg.freedesktop.org/ ENTERED=20040407 diff --git a/x11-libs/xorg/HISTORY b/x11-libs/xorg/HISTORY index 98e92c19b9..58f6d53f6d 100644 --- a/x11-libs/xorg/HISTORY +++ b/x11-libs/xorg/HISTORY @@ -1,3 +1,8 @@ +2007-01-02 George Sherwood <george@beernabeer.com> + * DETAILS: SECURITY_PATCH++. Bug 13115. + * PRE_BUILD: Added patch. + * x11r6.9.0-cidfonts.diff: Added for CVE-2006-3739/3740 + 2006-06-30 Florian Franzmann <siflfran@hawo.stw.uni-erlangen.de> * init.d/xfs, init.d/xfs.conf: added init script for the font server diff --git a/x11-libs/xorg/PRE_BUILD b/x11-libs/xorg/PRE_BUILD index a003b7945d..d56fc377ed 100755 --- a/x11-libs/xorg/PRE_BUILD +++ b/x11-libs/xorg/PRE_BUILD @@ -4,7 +4,8 @@ cd $SOURCE_DIRECTORY && if [[ $X_LATEST != y ]]; then patch -p0 < $SCRIPT_DIRECTORY/x11r6.9.0-geteuid.diff && - patch -p0 < $SCRIPT_DIRECTORY/x11r6.9.0-mitri.diff + patch -p0 < $SCRIPT_DIRECTORY/x11r6.9.0-mitri.diff && + patch -p0 < $SCRIPT_DIRECTORY/x11r6.9.0-cidfonts.diff fi && cp $SOURCE_DIRECTORY/config/cf/xorgsite.def \ diff --git a/x11-libs/xorg/x11r6.9.0-cidfonts.diff b/x11-libs/xorg/x11r6.9.0-cidfonts.diff new file mode 100644 index 0000000000..035328e612 --- /dev/null +++ b/x11-libs/xorg/x11r6.9.0-cidfonts.diff @@ -0,0 +1,96 @@ +Index: lib/font/Type1/afm.c +=================================================================== +RCS file: /cvs/xorg/xc/lib/font/Type1/afm.c,v +retrieving revision 1.5 +diff -u -u -r1.5 afm.c +--- lib/font/Type1/afm.c 9 Jul 2005 23:30:06 -0000 1.5 ++++ lib/font/Type1/afm.c 12 Sep 2006 07:49:46 -0000 +@@ -29,6 +29,7 @@ + #include <stdio.h> + #include <string.h> + #include <stdlib.h> ++#include <limits.h> + #else + #include "Xmd.h" /* For INT32 declaration */ + #include "Xdefs.h" /* For Bool */ +@@ -118,6 +119,11 @@ + + fi->nChars = atoi(p); + ++ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) { ++ xfree(afmbuf); ++ xfree(fi); ++ return(1); ++ } + fi->metrics = (Metrics *)xalloc(fi->nChars * + sizeof(Metrics)); + if (fi->metrics == NULL) { +Index: lib/font/Type1/scanfont.c +=================================================================== +RCS file: /cvs/xorg/xc/lib/font/Type1/scanfont.c,v +retrieving revision 1.5 +diff -u -u -r1.5 scanfont.c +--- lib/font/Type1/scanfont.c 9 Jul 2005 23:30:06 -0000 1.5 ++++ lib/font/Type1/scanfont.c 12 Sep 2006 07:49:46 -0000 +@@ -57,6 +57,7 @@ + + #ifndef FONTMODULE + #include <string.h> ++#include <limits.h> + #else + #include "Xdefs.h" /* Bool declaration */ + #include "Xmd.h" /* INT32 declaration */ +@@ -654,6 +655,7 @@ + arrayP->data.valueP = tokenStartP; + + /* allocate FDArray */ ++ /* No integer overflow since arrayP->len is unsigned short */ + FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont))); + if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY); + +@@ -850,7 +852,8 @@ + } + return(SCAN_OK); + } +- ++ if (N > INT_MAX / sizeof(psobj)) ++ return (SCAN_ERROR); + arrayP = (psobj *)vm_alloc(N*sizeof(psobj)); + if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY); + FontP->Subrs.len = N; +@@ -911,7 +914,7 @@ + } + else return(rc); /* if next token was not an Int */ + } +- if (N<=0) return(SCAN_ERROR); ++ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR); + /* save number of entries in the dictionary */ + + dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict)); +@@ -1719,6 +1722,10 @@ + if (tokenType == TOKEN_INTEGER) + rangecnt = tokenValue.integer; + ++ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) { ++ rc = SCAN_ERROR; ++ break; ++ } + /* ==> tokenLength, tokenTooLong, tokenType, and */ + /* tokenValue are now set */ + +Index: lib/font/Type1/util.c +=================================================================== +RCS file: /cvs/xorg/xc/lib/font/Type1/util.c,v +retrieving revision 1.5 +diff -u -u -r1.5 util.c +--- lib/font/Type1/util.c 9 Jul 2005 23:30:07 -0000 1.5 ++++ lib/font/Type1/util.c 12 Sep 2006 07:49:46 -0000 +@@ -104,7 +104,7 @@ + bytes = (bytes + 7) & ~7; + + /* Allocate the space, if it is available */ +- if (bytes <= vm_free) { ++ if (bytes > 0 && bytes <= vm_free) { + answer = vm_next; + vm_free -= bytes; + vm_next += bytes; |