author | Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> | 2013-10-10 11:54:58 +0000 |
---|---|---|
committer | Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> | 2013-10-10 11:54:58 +0000 |
commit | 3dd5c0c9302cd0fdc6498b35dd556ec7b0d99ccd (patch) | |
tree | 5f2925ce6f4f0cf5b78578abe7bdab95a9e651b3 /x11-base/xorg-server/files | |
parent | Stable for amd64, wrt bug #480908 (diff) | |
Apply patch for security bug #487360.
(Portage version: 2.2.1/cvs/Linux x86_64, unsigned Manifest commit)
Diffstat (limited to 'x11-base/xorg-server/files')
-rw-r--r-- | x11-base/xorg-server/files/xorg-server-1.12-cve-2013-4396.patch | 75 | ||||
-rw-r--r-- | x11-base/xorg-server/files/xorg-server-1.9-cve-2013-4396.patch | 43 |
2 files changed, 118 insertions, 0 deletions
diff --git a/x11-base/xorg-server/files/xorg-server-1.12-cve-2013-4396.patch b/x11-base/xorg-server/files/xorg-server-1.12-cve-2013-4396.patch
new file mode 100644
index 000000000000..4b6727e61c05
--- /dev/null
+++ b/x11-base/xorg-server/files/xorg-server-1.12-cve-2013-4396.patch
@@ -0,0 +1,75 @@
+From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Mon, 16 Sep 2013 21:47:16 -0700
+Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
+ [CVE-2013-4396]
+
+Save a pointer to the passed in closure structure before copying it
+and overwriting the *c pointer to point to our copy instead of the
+original. If we hit an error, once we free(c), reset c to point to
+the original structure before jumping to the cleanup code that
+references *c.
+
+Since one of the errors being checked for is whether the server was
+able to malloc(c->nChars * itemSize), the client can potentially pass
+a number of characters chosen to cause the malloc to fail and the
+error path to be taken, resulting in the read from freed memory.
+
+Since the memory is accessed almost immediately afterwards, and the
+X server is mostly single threaded, the odds of the free memory having
+invalid contents are low with most malloc implementations when not using
+memory debugging features, but some allocators will definitely overwrite
+the memory there, leading to a likely crash.
+
+Reported-by: Pedro Ribeiro <pedrib@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+---
+ dix/dixfonts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index feb765d..2e34d37 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state.
Similar problem to that handled
+@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+ data = malloc(c->nChars * itemSize);
+ if (!data) {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ if (!pGC) {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+--
+1.7.9.2
diff --git a/x11-base/xorg-server/files/xorg-server-1.9-cve-2013-4396.patch b/x11-base/xorg-server/files/xorg-server-1.9-cve-2013-4396.patch
new file mode 100644
index 000000000000..fa8b4825f7e4
--- /dev/null
+++ b/x11-base/xorg-server/files/xorg-server-1.9-cve-2013-4396.patch
@@ -0,0 +1,43 @@
+diff -ur a/dix/dixfonts.c b/dix/dixfonts.c
+--- a/dix/dixfonts.c 2011-12-18 05:44:54.000000000 +0100
++++ b/dix/dixfonts.c 2013-10-10 12:06:44.579225694 +0200
+@@ -1479,6 +1479,7 @@
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1491,6 +1492,7 @@
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+@@ -1498,6 +1500,7 @@
+ if (!data)
+ {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1509,6 +1512,7 @@
+ {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1522,6 +1526,7 @@
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ } |
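Review bot: The fix depends on every error exit between `c = new_closure;` and the final `goto bail` repeating the pair `free(c); c = old_closure;`, but nothing at the point where `old_closure = c;` is saved records that invariant, so a future error path inserted into that window (or one that frees the copy without restoring `c`) would silently reintroduce the CVE-2013-4396 use-after-free. I would add, directly above `old_closure = c;`, `/* bail dereferences c; any error exit after this copy must free(new_closure) and restore c = old_closure first */`. The `bail:` label and the rest of doImageText lie outside the hunk, so I cannot confirm here what `bail` reads from `*c` beyond what the commit message states. The diffstat is limited to files/, so the ebuild change that actually applies this patch to the 1.12 series is not visible in this view and should be checked separately.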
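Review bot: The 1.9 backport carries no provenance at all — it is a bare `diff -ur` with filesystem timestamps, whereas the 1.12 patch beside it is upstream commit 7bddc2ba16a2a15773c2ea8947059afa27727764 with the CVE id and rationale in its header; a future maintainer deciding whether this file can be dropped has nothing to go on. I would prepend a short header above the `diff -ur` line, e.g. `Backport of upstream xorg-server commit 7bddc2ba16a2a15773c2ea8947059afa27727764 (CVE-2013-4396, use-after-free in dix/dixfonts.c doImageText) to the 1.9 branch; Gentoo bug #487360.` The inner hunk headers (`@@ -1479,6 +1479,7 @@` and the three that follow) also lack the function context the 1.12 patch has, so the patch alone does not show that all four hunks land inside doImageText — worth stating in that header or regenerating with `diff -up`. The enclosing function begins and ends outside these hunks, so the restored `c` on each error path can only be judged against the 1.12 variant, which it appears to mirror line for line.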