From 25c9c00ce4141ebcf31d9461ebeb34b1502e2f8b Mon Sep 17 00:00:00 2001
From: obarun <eric@obarun.org>
Date: Mon, 9 Oct 2017 12:40:11 +1100
Subject: [PATCH] upgpkg : 1.19.4-2
---
CVE-2017-10971.patch | 153 ------------------
CVE-2017-10972.patch | 35 ----
PKGBUILD | 26 +--
bug99708.patch | 33 ----
...et-correct-DRM-event-context-version.patch | 37 -----
5 files changed, 5 insertions(+), 279 deletions(-)
delete mode 100644 CVE-2017-10971.patch
delete mode 100644 CVE-2017-10972.patch
delete mode 100644 bug99708.patch
delete mode 100644 modesetting-Set-correct-DRM-event-context-version.patch
diff --git a/CVE-2017-10971.patch b/CVE-2017-10971.patch
deleted file mode 100644
index 2696033..0000000
--- a/CVE-2017-10971.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:40 +0300
-Subject: dix: Disallow GenericEvent in SendEvent request.
-
-The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
-no less. Both ProcSendEvent and SProcSendEvent verify that the received data
-exactly match the request size. However nothing stops the client from passing
-in event with xEvent::type = GenericEvent and any value of
-xGenericEvent::length.
-
-In the case of ProcSendEvent, the event will be eventually passed to
-WriteEventsToClient which will see that it is Generic event and copy the
-arbitrary length from the receive buffer (and possibly past it) and send it to
-the other client. This allows clients to copy unitialized heap memory out of X
-server or to crash it.
-
-In case of SProcSendEvent, it will attempt to swap the incoming event by
-calling a swapping function from the EventSwapVector array. The swapped event
-is written to target buffer, which in this case is local xEvent variable. The
-xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
-expect that the target buffer has size matching the size of the source
-GenericEvent. This allows clients to cause stack buffer overflows.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/dix/events.c b/dix/events.c
-index 3e3a01e..d3a33ea 100644
---- a/dix/events.c
-+++ b/dix/events.c
-@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
- client->errorValue = stuff->event.u.u.type;
- return BadValue;
- }
-+ /* Generic events can have variable size, but SendEvent request holds
-+ exactly 32B of event data. */
-+ if (stuff->event.u.u.type == GenericEvent) {
-+ client->errorValue = stuff->event.u.u.type;
-+ return BadValue;
-+ }
- if (stuff->event.u.u.type == ClientMessage &&
- stuff->event.u.u.detail != 8 &&
- stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
-diff --git a/dix/swapreq.c b/dix/swapreq.c
-index 719e9b8..6785059 100644
---- a/dix/swapreq.c
-+++ b/dix/swapreq.c
-@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
- swapl(&stuff->destination);
- swapl(&stuff->eventMask);
-
-+ /* Generic events can have variable size, but SendEvent request holds
-+ exactly 32B of event data. */
-+ if (stuff->event.u.u.type == GenericEvent) {
-+ client->errorValue = stuff->event.u.u.type;
-+ return BadValue;
-+ }
-+
- /* Swap event */
- proc = EventSwapVector[stuff->event.u.u.type & 0177];
- if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */
---
-cgit v0.10.2
-
-From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:41 +0300
-Subject: Xi: Verify all events in ProcXSendExtensionEvent.
-
-The requirement is that events have type in range
-EXTENSION_EVENT_BASE..lastEvent, but it was tested
-only for first event of all.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 1cf118a..5e63bfc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- int
- ProcXSendExtensionEvent(ClientPtr client)
- {
-- int ret;
-+ int ret, i;
- DeviceIntPtr dev;
- xEvent *first;
- XEventClass *list;
-@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
- /* The client's event type must be one defined by an extension. */
-
- first = ((xEvent *) &stuff[1]);
-- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
-- (first->u.u.type < lastEvent))) {
-- client->errorValue = first->u.u.type;
-- return BadValue;
-+ for (i = 0; i < stuff->num_events; i++) {
-+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
-+ (first[i].u.u.type < lastEvent))) {
-+ client->errorValue = first[i].u.u.type;
-+ return BadValue;
-+ }
- }
-
- list = (XEventClass *) (first + stuff->num_events);
---
-cgit v0.10.2
-
-From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:42 +0300
-Subject: Xi: Do not try to swap GenericEvent.
-
-The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
-it is assuming that the event has fixed size and gives the swapping function
-xEvent-sized buffer.
-
-A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 5e63bfc..5c2e0fc 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
-
- eventP = (xEvent *) &stuff[1];
- for (i = 0; i < stuff->num_events; i++, eventP++) {
-+ if (eventP->u.u.type == GenericEvent) {
-+ client->errorValue = eventP->u.u.type;
-+ return BadValue;
-+ }
-+
- proc = EventSwapVector[eventP->u.u.type & 0177];
-- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
-+ /* no swapping proc; invalid event type? */
-+ if (proc == NotImplemented) {
-+ client->errorValue = eventP->u.u.type;
- return BadValue;
-+ }
- (*proc) (eventP, &eventT);
- *eventP = eventT;
- }
---
-cgit v0.10.2
-
diff --git a/CVE-2017-10972.patch b/CVE-2017-10972.patch
deleted file mode 100644
index f24e9c0..0000000
--- a/CVE-2017-10972.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
-From: Michal Srb <msrb@suse.com>
-Date: Wed, 24 May 2017 15:54:39 +0300
-Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
-
-Make sure that the xEvent eventT is initialized with zeros, the same way as
-in SProcSendEvent.
-
-Some event swapping functions do not overwrite all 32 bytes of xEvent
-structure, for example XSecurityAuthorizationRevoked. Two cooperating
-clients, one swapped and the other not, can send
-XSecurityAuthorizationRevoked event to each other to retrieve old stack data
-from X server. This can be potentialy misused to go around ASLR or
-stack-protector.
-
-Signed-off-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 11d8202..1cf118a 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
- {
- CARD32 *p;
- int i;
-- xEvent eventT;
-+ xEvent eventT = { .u.u.type = 0 };
- xEvent *eventP;
- EventSwapPtr proc;
-
---
-cgit v0.10.2
-
diff --git a/PKGBUILD b/PKGBUILD
index 30c1035..4d9db4e 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,8 +6,8 @@
pkgbase=xorg-server
pkgname=('xorg-server' 'xorg-server-xephyr' 'xorg-server-xdmx' 'xorg-server-xvfb'
'xorg-server-xnest' 'xorg-server-xwayland' 'xorg-server-common' 'xorg-server-devel')
-pkgver=1.19.3
-pkgrel=4
+pkgver=1.19.4
+pkgrel=2
arch=('x86_64')
license=('custom')
groups=('xorg')
@@ -23,21 +23,13 @@ source=(https://xorg.freedesktop.org/releases/individual/xserver/${pkgbase}-${pk
xvfb-run
xvfb-run.1
nvidia-add-modulepath-support.patch
- xserver-autobind-hotplug.patch
- modesetting-Set-correct-DRM-event-context-version.patch
- CVE-2017-10971.patch
- CVE-2017-10972.patch
- bug99708.patch)
+ xserver-autobind-hotplug.patch)
-sha256sums=('677a8166e03474719238dfe396ce673c4234735464d6dadf2959b600d20e5a98'
+sha256sums=('aa758acea91deaf1f95069ddc5ea3818e13675fb14fef40ad1b3d0b2bf03c9a8'
'ff0156309470fc1d378fd2e104338020a884295e285972cc88e250e031cc35b9'
'2460adccd3362fefd4cdc5f1c70f332d7b578091fb9167bf88b5f91265bbd776'
'23f2fd69a53ef70c267becf7d2a9e7e07b739f8ec5bec10adb219bc6465099c7'
- '67aaf8668c5fb3c94b2569df28e64bfa1dc97ce429cbbc067c309113caff6369'
- 'acb0357acf54073eda30b4014a9f402448dc65b5e465ae5b5c5b807914b43da2'
- '3950d5d64822b4a34ca0358389216eed25e159751006d674e7cb491aa3b54d0b'
- '700af48c541f613b376eb7a7e567d13c0eba7a835d0aaa9d4b0431ebdd9f397c'
- '67013743ba8ff1663b233f50fae88989d36504de83fca5f93af5623f2bef6920')
+ '67aaf8668c5fb3c94b2569df28e64bfa1dc97ce429cbbc067c309113caff6369')
validpgpkeys=('6DD4217456569BA711566AC7F06E8FDE7B45DAAC') # Eric Vidal
prepare() {
@@ -49,14 +41,6 @@ prepare() {
# patch from Fedora, not yet merged
patch -Np1 -i ../xserver-autobind-hotplug.patch
- # merged in trunk
- patch -Np1 -i ../modesetting-Set-correct-DRM-event-context-version.patch
- patch -Np1 -i ../CVE-2017-10971.patch
- patch -Np1 -i ../CVE-2017-10972.patch
-
- # https://bugs.archlinux.org/task/53404
- patch -Np1 -i ../bug99708.patch
-
autoreconf -vfi
}
diff --git a/bug99708.patch b/bug99708.patch
deleted file mode 100644
index f9ab520..0000000
--- a/bug99708.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From fe0b297420fc1de8a7fab28457d0864b3182e967 Mon Sep 17 00:00:00 2001
-From: Eric Anholt <eric@anholt.net>
-Date: Wed, 15 Mar 2017 17:51:46 -0700
-Subject: glamor: Fix dashed line rendering.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We were binding the screen pixmap as the dash and sampling its alpha,
-which is usually just 1.0 (no dashing at all).
-
-Please cherry-pick this to active stable branches.
-
-Signed-off-by: Eric Anholt <eric@anholt.net>
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
-
-diff --git a/glamor/glamor_dash.c b/glamor/glamor_dash.c
-index 78a4fa3..b53ce5c 100644
---- a/glamor/glamor_dash.c
-+++ b/glamor/glamor_dash.c
-@@ -147,7 +147,7 @@ glamor_dash_setup(DrawablePtr drawable, GCPtr gc)
- goto bail;
-
- dash_pixmap = glamor_get_dash_pixmap(gc);
-- dash_priv = glamor_get_pixmap_private(pixmap);
-+ dash_priv = glamor_get_pixmap_private(dash_pixmap);
-
- if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(dash_priv))
- goto bail;
---
-cgit v0.10.2
-
diff --git a/modesetting-Set-correct-DRM-event-context-version.patch b/modesetting-Set-correct-DRM-event-context-version.patch
deleted file mode 100644
index 234e0cd..0000000
--- a/modesetting-Set-correct-DRM-event-context-version.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0c8e6ed85810e96d84173a52d628863802a78d82 Mon Sep 17 00:00:00 2001
-From: Daniel Stone <daniels@collabora.com>
-Date: Fri, 7 Apr 2017 14:27:58 +0100
-Subject: [PATCH] modesetting: Set correct DRM event context version
-
-DRM_EVENT_CONTEXT_VERSION is the latest context version supported by
-whatever version of libdrm is present. modesetting was blindly asserting
-it supported whatever version that may be, even if it actually didn't.
-
-With libdrm 2.4.78, setting a higher context version than 2 will attempt
-to call the page_flip_handler2 vfunc if it was non-NULL, which being a
-random chunk of stack memory, it might well have been.
-
-Set the version as 2, which should be bumped only with the appropriate
-version checks.
-
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Daniel Stone <daniels@collabora.com>
----
- hw/xfree86/drivers/modesetting/vblank.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/xfree86/drivers/modesetting/vblank.c b/hw/xfree86/drivers/modesetting/vblank.c
-index 04a8952..8682f4d 100644
---- a/hw/xfree86/drivers/modesetting/vblank.c
-+++ b/hw/xfree86/drivers/modesetting/vblank.c
-@@ -402,7 +402,7 @@ ms_vblank_screen_init(ScreenPtr screen)
- modesettingEntPtr ms_ent = ms_ent_priv(scrn);
- xorg_list_init(&ms_drm_queue);
-
-- ms->event_context.version = DRM_EVENT_CONTEXT_VERSION;
-+ ms->event_context.version = 2;
- ms->event_context.vblank_handler = ms_drm_handler;
- ms->event_context.page_flip_handler = ms_drm_handler;
-
---
-2.12.2
--
GitLab