01 Jul, 2019

1 commit


26 Jun, 2019

1 commit


16 Nov, 2018

2 commits


31 Oct, 2018

1 commit


25 Oct, 2018

1 commit


15 Oct, 2018

1 commit


15 Jun, 2018

2 commits


16 Oct, 2017

1 commit


13 Oct, 2017

16 commits

  • Julien Cristau
     
  • ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must
    be protected against an integer overflow during length check. This is
    already included in ProcRenderCreateLinearGradient since the fix for
    CVE-2008-2362.
    
    This can only be successfully exploited on a 32 bit system for an
    out of boundary read later on. Validated by using ASAN.
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit ac15d4cecca377c5c31ab852c39bbd554ca48fe2)
    Tobias Stoeckmann
     
  • Julien Cristau
     
  • Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)
    Nathan Kidd
     
  • v2: Protect against integer overflow (Alan Coopersmith)
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)
    Nathan Kidd
     
  • Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)
    Nathan Kidd
     
  • [jcristau: originally this patch fixed the same issue as commit
     211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
     addition of these checks]
    
    This addresses CVE-2017-12179
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)
    Nathan Kidd
     
  • This addresses:
    CVE-2017-12180 in XFree86-VidModeExtension
    CVE-2017-12181 in XFree86-DGA
    CVE-2017-12182 in XFree86-DRI
    
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)
    Nathan Kidd
     
  • v2: Use before swap (Jeremy Huddleston Sequoia)
    
    v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
    Nathan Kidd
     
  • v2: Add overflow check and remove unnecessary check (Julien Cristau)
    
    This addresses:
    CVE-2017-12184 in XINERAMA
    CVE-2017-12185 in MIT-SCREEN-SAVER
    CVE-2017-12186 in X-Resource
    CVE-2017-12187 in RENDER
    
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
    Nathan Kidd
     
  • A client can send a big request where the 32B "length" field has value
    0. When the big request header is removed and the length corrected,
    the value will underflow to 0xFFFFFFFF.  Functions processing the
    request later will think that the client sent much more data and may
    touch memory beyond the receive buffer.
    
    Signed-off-by: Eric Anholt <eric@anholt.net>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9)
    Michal Srb
     
  • Generating strings for XKB data used a single shared static buffer,
    which offered several opportunities for errors. Use a ring of
    resizable buffers instead, to avoid problems when strings end up
    longer than anticipated.
    
    Reviewed-by: Michal Srb <msrb@suse.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit 94f11ca5cf011ef123bd222cabeaef6f424d76ac)
    Keith Packard
     
  • XkbStringText escapes non-printable characters using octal numbers. Such escape
    sequence would be at most 5 characters long ("\0123"), so it reserves 5 bytes
    in the buffer. Due to char->unsigned int conversion, it would print much longer
    string for negative numbers.
    
    Reviewed-by: Keith Packard <keithp@keithp.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit eaf1f72ed8994b708d94ec2de7b1a99f5c4a39b8)
    Michal Srb
     
  • Otherwise it can belong to a non-existing client and abort X server with
    FatalError "client not in use", or overwrite existing segment of another
    existing client.
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit b95f25af141d33a65f6f821ea9c003f66a01e1f1)
    (cherry picked from commit a510fb811100bc27f0bfafe5d073998551161819)
    (cherry picked from commit 268c56c197b2cba46347e85312b601250d93f969)
    Michal Srb
     
  • Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 211e05ac85a294ef361b9f80d689047fa52b9076)
    Michal Srb
     
  • Julien Cristau
     

03 Mar, 2017

4 commits


02 Mar, 2017

7 commits

  • Signed-off-by: Adam Jackson <ajax@redhat.com>
    Adam Jackson
     
  • Signed-off-by: Adam Jackson <ajax@redhat.com>
    Adam Jackson
     
  • timingsafe_memcmp.c:21:1: warning: no previous prototype for ‘timingsafe_memcmp’ [-Wmissing-prototypes]
     timingsafe_memcmp(const void *b1, const void *b2, size_t len)
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit 5c44169caed811e59a65ba346de1cadb46d266ec)
    Adam Jackson
     
  • Apparently I need to fight make distcheck some more, so let's not
    pretend this is released yet.
    
    This reverts commit 0b4112bc753a5bd5306f0c67e13e26e3f1c72211.
    Adam Jackson
     
  • Signed-off-by: Adam Jackson <ajax@redhat.com>
    Adam Jackson
     
  • keyboard_check_repeat() fetches the XWayland seat from the
    dev->public.devicePrivate to do its thing.
    
    If a key event is sent programmatically through Xtest, our device is the
    virtual core keyboard and that has a dev->public.devicePrivate of NULL,
    leading to a segfault in keyboard_check_repeat().
    
    This is the case with "antimicro" which sends key events based on the
    joystick buttons.
    
    Don't set the checkRepeat handler on the VCK since it cannot possibly work
    anyway and it has no effect on the actual checkRepeat intended functionality.
    
    Bugzilla: https://bugzilla.redhat.com/1416244
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit fe5c340046c8cf755b92763a49b2dc475e856a76)
    Olivier Fourdan
     
  • During the InitInput() phase, the wayland events get dequeued so we
    can possibly end up calling dispatch_pointer_motion_event().
    
    If this occurs before xwl_seat->focus_window is set, it leads to a NULL
    pointer dereference and a segfault.
    
    Check for xwl_seat->focus_window in both pointer_handle_frame() and
    relative_pointer_handle_relative_motion() prior to calling
    dispatch_pointer_motion_event() like it's done in
    pointer_handle_motion().
    
    Bugzilla: https://bugzilla.redhat.com/1410804
    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 8c9909a99292b2fb4a86de694bb0029f61e35662)
    Olivier Fourdan
     

01 Mar, 2017

1 commit


28 Feb, 2017

2 commits