mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2025-01-02 06:03:50 +00:00
Code Issues Releases Activity

Document xorg-server use after free CVE.

Browse Source 
Reviewed by:	zeising@
This commit is contained in:
Koop Mast 2013-10-24 13:05:10 +00:00
parent 4b9525041e
commit 785722b1cf
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=331484
4 changed files with 119 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
security/vuxml/vuln.xml
View File

@ -51,6 +51,36 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="9a57c607-3cab-11e3-b4d9-bcaec565249c">
<topic>xorg-server -- use after free</topic>
<affects>
<package>
<name>xorg-server</name>
<range><ge>1.7.0</ge><lt>1.7.7_11</lt></range>
<range><ge>1.12.0</ge><lt>1.12.4_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Alan Coopersmith reports:</p>
<blockquote cite="http://lists.x.org/archives/xorg-announce/2013-October/002332.html">
<p>Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org
security team in which an authenticated X client can cause an X
server to use memory after it was freed, potentially leading to
crash and/or memory corruption.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4396</cvename>
<url>http://lists.x.org/archives/xorg-announce/2013-October/002332.html</url>
</references>
<dates>
<discovery>2013-10-08</discovery>
<entry>2013-10-24</entry>
</dates>
</vuln>
<vuln vid="c0f122e2-3897-11e3-a084-3c970e169bc2">
<topic>pycrypto -- PRNG reseed race condition</topic>
<affects>

10
x11-servers/xorg-server/Makefile
View File

@ -35,20 +35,22 @@ OPTIONS_EXCLUDE_sparc64= HAL
.if defined(WITH_NEW_XORG)
XORG_VERSION= 1.12.4
XORG_REVISION= 3
XORG_REVISION= 4
PLIST_SUB+= OLD="@comment " NEW=""
EXTRA_PATCHES+= ${FILESDIR}/extra-clang \
${FILESDIR}/extra-configure
${FILESDIR}/extra-configure \
${FILESDIR}/extra-new-dix_dixfonts.c
.else
XORG_VERSION= 1.7.7
XORG_REVISION= 10
XORG_REVISION= 11
PLIST_SUB+= OLD="" NEW="@comment "
EXTRA_PATCHES+= ${FILESDIR}/extra-Xext-xace.c \
${FILESDIR}/extra-Xserver-os-xprintf.c \
${FILESDIR}/extra-include_eventstr.h \
${FILESDIR}/extra-os-utils.c \
${FILESDIR}/extra-dix_events.c \
${FILESDIR}/extra-Xserver-hw-xfree86-common-xf86Config.c
${FILESDIR}/extra-Xserver-hw-xfree86-common-xf86Config.c \
${FILESDPR}/extra-old-dix_dixfonts.c
.endif
USE_BZIP2= yes

41
x11-servers/xorg-server/files/extra-new-dix_dixfonts.c Normal file
View File

@ -0,0 +1,41 @@
--- dix/dixfonts.c.orig 2012-05-17 19:09:01.000000000 +0200
+++ dix/dixfonts.c 2013-10-09 10:49:38.158284440 +0200
@@ -1414,6 +1414,7 @@
GC *pGC;
unsigned char *data;
ITclosurePtr new_closure;
+ ITclosurePtr old_closure;
/* We're putting the client to sleep. We need to
save some state. Similar problem to that handled
@@ -1425,12 +1426,14 @@
err = BadAlloc;
goto bail;
}
+ old_closure = c;
*new_closure = *c;
c = new_closure;
data = malloc(c->nChars * itemSize);
if (!data) {
free(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1441,6 +1444,7 @@
if (!pGC) {
free(c->data);
free(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1453,6 +1457,7 @@
FreeScratchGC(pGC);
free(c->data);
free(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}

42
x11-servers/xorg-server/files/extra-old-dix_dixfonts.c Normal file
View File

@ -0,0 +1,42 @@
--- dix/dixfonts.c.orig 2010-05-04 02:47:57.000000000 +0200
+++ dix/dixfonts.c 2013-10-09 10:54:40.488267646 +0200
@@ -1508,6 +1508,7 @@
GC *pGC;
unsigned char *data;
ITclosurePtr new_closure;
+ ITclosurePtr old_closure;
/* We're putting the client to sleep. We need to
save some state. Similar problem to that handled
@@ -1520,6 +1521,7 @@
err = BadAlloc;
goto bail;
}
+ old_closure = c;
*new_closure = *c;
c = new_closure;
@@ -1527,6 +1529,7 @@
if (!data)
{
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1538,6 +1541,7 @@
{
xfree(c->data);
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1551,6 +1555,7 @@
FreeScratchGC(pGC);
xfree(c->data);
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}