- Jun 26, 2019
-
-
Colomban Wendling authored
-
- Nov 16, 2018
-
-
Samuel Thibault authored
-
Samuel Thibault authored
-
- Oct 31, 2018
-
-
Andreas Boll authored
Fixes various blending issues with kwin and Mesa >= 18.0 (i.e. Mesa from stretch-backports) (Closes: #908601). Thanks to Nicholas D Steeves and Robert Trebula for testing!
-
- Oct 25, 2018
-
-
Julien Cristau authored
-
- Oct 15, 2018
-
-
Julien Cristau authored
-
- Jun 15, 2018
-
-
Samuel Thibault authored
Fixes grab in qemu&virtualbox.
-
Samuel Thibault authored
-
- Oct 16, 2017
-
-
Julien Cristau authored
-
- Oct 13, 2017
-
-
Julien Cristau authored
-
ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must be protected against an integer overflow during length check. This is already included in ProcRenderCreateLinearGradient since the fix for CVE-2008-2362. This can only be successfully exploited on a 32 bit system for an out of boundary read later on. Validated by using ASAN. Reviewed-by: Adam Jackson <ajax@redhat.com> (cherry picked from commit ac15d4ce)
-
Julien Cristau authored
-
Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit b747da5e)
-
v2: Protect against integer overflow (Alan Coopersmith) Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 4ca68b87)
-
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 859b08d5)
-
[jcristau: originally this patch fixed the same issue as commit 211e05ac "Xi: Test exact size of XIBarrierReleasePointer", with the addition of these checks] This addresses CVE-2017-12179 Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit d088e3c1)
-
This addresses:
CVE-2017-12180 in XFree86-VidModeExtension
CVE-2017-12181 in XFree86-DGA
CVE-2017-12182 in XFree86-DRI
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 1b1d4c04)
-
v2: Use before swap (Jeremy Huddleston Sequoia) v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith) Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 55caa8b0)
-
v2: Add overflow check and remove unnecessary check (Julien Cristau)
This addresses:
CVE-2017-12184 in XINERAMA
CVE-2017-12185 in MIT-SCREEN-SAVER
CVE-2017-12186 in X-Resource
CVE-2017-12187 in RENDER
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit cad5a105)
-
A client can send a big request where the 32B "length" field has value 0. When the big request header is removed and the length corrected, the value will underflow to 0xFFFFFFFF. Functions processing the request later will think that the client sent much more data and may touch memory beyond the receive buffer. Signed-off-by: Eric Anholt <eric@anholt.net> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 9c236850)
-
Generating strings for XKB data used a single shared static buffer, which offered several opportunities for errors. Use a ring of resizable buffers instead, to avoid problems when strings end up longer than anticipated. Reviewed-by: Michal Srb <msrb@suse.com> Signed-off-by: Keith Packard <keithp@keithp.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 94f11ca5)
-
XkbStringText escapes non-printable characters using octal numbers. Such escape sequence would be at most 5 characters long ("\0123"), so it reserves 5 bytes in the buffer. Due to char->unsigned int conversion, it would print much longer string for negative numbers. Reviewed-by: Keith Packard <keithp@keithp.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit eaf1f72e)
-
Otherwise it can belong to a non-existing client and abort X server with FatalError "client not in use", or overwrite existing segment of another existing client. Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit b95f25af) (cherry picked from commit a510fb81) (cherry picked from commit 268c56c197b2cba46347e85312b601250d93f969)
-
Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 211e05ac)
-
Julien Cristau authored
-
- Mar 03, 2017
-
-
Emilio Pozuelo Monfort authored
-
Emilio Pozuelo Monfort authored
-
Emilio Pozuelo Monfort authored
-
Emilio Pozuelo Monfort authored
-
- Mar 02, 2017
-
-
Adam Jackson authored
Signed-off-by: Adam Jackson <ajax@redhat.com>
-
Adam Jackson authored
Signed-off-by: Adam Jackson <ajax@redhat.com>
-
Adam Jackson authored
timingsafe_memcmp.c:21:1: warning: no previous prototype for ‘timingsafe_memcmp’ [-Wmissing-prototypes] timingsafe_memcmp(const void *b1, const void *b2, size_t len) Signed-off-by: Adam Jackson <ajax@redhat.com> (cherry picked from commit 5c44169c)
-
Adam Jackson authored
Apparently I need to fight make distcheck some more, so let's not pretend this is released yet. This reverts commit 0b4112bc.
-
Adam Jackson authored
Signed-off-by: Adam Jackson <ajax@redhat.com>
-
Olivier Fourdan authored
keyboard_check_repeat() fetches the XWayland seat from the dev->public.devicePrivate to do its thing. If a key event is sent programmatically through Xtest, our device is the virtual core keyboard and that has a dev->public.devicePrivate of NULL, leading to a segfault in keyboard_check_repeat(). This is the case with "antimicro" which sends key events based on the joystick buttons. Don't set the checkRepeat handler on the VCK since it cannot possibly work anyway and it has no effect on the actual checkRepeat intended functionality. Bugzilla: https://bugzilla.redhat.com/1416244 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit fe5c3400)
-
Olivier Fourdan authored
During the InitInput() phase, the wayland events get dequeued so we can possibly end up calling dispatch_pointer_motion_event(). If this occurs before xwl_seat->focus_window is set, it leads to a NULL pointer dereference and a segfault. Check for xwl_seat->focus_window in both pointer_handle_frame() and relative_pointer_handle_relative_motion() prior to calling dispatch_pointer_motion_event() like it's done in pointer_handle_motion(). Bugzilla: https://bugzilla.redhat.com/1410804 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 8c9909a9)
-
- Mar 01, 2017
-
-
Matthieu Herrb authored
- typo in #ifdef check - also need to add AC_CHECK_FUNCS([arc4random_buf]) Reported-by Eric Engestrom. Thanks Reviewed-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 386fbbe4)
-
- Feb 28, 2017
-
-
Matthieu Herrb authored
And the current code for MitToId has a use-after-free() issue. [Also remove the actual implementations - ajax] Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 2855f759)
-
Matthieu Herrb authored
Reviewed-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 957e8db3)
-
Matthieu Herrb authored
Provide the function definition for systems that don't have it. Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit d7ac755f)
-