diff -u xorg-server-hwe-16.04-1.19.3/debian/changelog xorg-server-hwe-16.04-1.19.3/debian/changelog --- xorg-server-hwe-16.04-1.19.3/debian/changelog +++ xorg-server-hwe-16.04-1.19.3/debian/changelog @@ -1,3 +1,48 @@ +xorg-server-hwe-16.04 (2:1.19.3-1ubuntu1~16.04.4) xenial-security; urgency=medium + + * SECURITY UPDATE: unvalidated extra length in ProcEstablishConnection + - debian/patches/CVE-2017-12176.patch: add check to dix/dispatch.c. + - CVE-2017-12176 + * SECURITY UPDATE: Unvalidated variable-length request in + ProcDbeGetVisualInfo + - debian/patches/CVE-2017-12177.patch: add check to dbe/dbe.c. + - CVE-2017-12177 + * SECURITY UPDATE: wrong extra length check in ProcXIChangeHierarchy + - debian/patches/CVE-2017-12178.patch: fix length check in + Xi/xichangehierarchy.c. + - CVE-2017-12178 + * SECURITY UPDATE: integer overflow and unvalidated length in + ProcXIBarrierReleasePointer + - debian/patches/CVE-2017-12179-1.patch: test exact size of + XIBarrierReleasePointer in Xi/xibarriers.c. + - debian/patches/CVE-2017-12179-2.patch: add checks to Xi/xibarriers.c. + - CVE-2017-12179 + * SECURITY UPDATE: various unvalidated lengths + - debian/patches/CVE-2017-12180-12182.patch: add more checks to + Xext/vidmode.c, hw/xfree86/common/xf86DGA.c, + hw/xfree86/dri/xf86dri.c. + - CVE-2017-12180 + - CVE-2017-12181 + - CVE-2017-12182 + * SECURITY UPDATE: more unvalidated lengths + - debian/patches/CVE-2017-12183.patch: add checks to xfixes/cursor.c, + xfixes/region.c, xfixes/saveset.c, xfixes/xfixes.c. + - CVE-2017-12183 + * SECURITY UPDATE: even more unvalidated lengths + - debian/patches/CVE-2017-12184-12187.patch: add more checks to + Xext/panoramiX.c, Xext/saver.c, Xext/xres.c, Xext/xvdisp.c, + hw/dmx/dmxpict.c, pseudoramiX/pseudoramiX.c, render/render.c. + - CVE-2017-12184 + - CVE-2017-12185 + - CVE-2017-12186 + - CVE-2017-12187 + * debian/patches/os_big_requests.patch: make sure big requests have + sufficient length in os/io.c. + * debian/patches/xkb_escape_fix.patch: escape non-printable characters + correctly in xkb/xkbtext.c. + + -- Marc Deslauriers Fri, 13 Oct 2017 09:00:49 -0400 + xorg-server-hwe-16.04 (2:1.19.3-1ubuntu1~16.04.3) xenial-security; urgency=medium * SECURITY UPDATE: DoS or segment overwrite via shmseg resource id diff -u xorg-server-hwe-16.04-1.19.3/debian/patches/series xorg-server-hwe-16.04-1.19.3/debian/patches/series --- xorg-server-hwe-16.04-1.19.3/debian/patches/series +++ xorg-server-hwe-16.04-1.19.3/debian/patches/series @@ -36,0 +37,10 @@ +CVE-2017-12176.patch +CVE-2017-12177.patch +CVE-2017-12178.patch +CVE-2017-12179-1.patch +CVE-2017-12179-2.patch +CVE-2017-12180-12182.patch +CVE-2017-12183.patch +CVE-2017-12184-12187.patch +os_big_requests.patch +xkb_escape_fix.patch only in patch2: unchanged: --- xorg-server-hwe-16.04-1.19.3.orig/debian/patches/CVE-2017-12176.patch +++ xorg-server-hwe-16.04-1.19.3/debian/patches/CVE-2017-12176.patch @@ -0,0 +1,27 @@ +From b747da5e25be944337a9cd1415506fc06b70aa81 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Fri, 9 Jan 2015 10:15:46 -0500 +Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176) + +Reviewed-by: Julien Cristau +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +Index: xorg-server-1.19.3/dix/dispatch.c +=================================================================== +--- xorg-server-1.19.3.orig/dix/dispatch.c 2017-10-13 08:15:29.224116021 -0400 ++++ xorg-server-1.19.3/dix/dispatch.c 2017-10-13 08:15:29.220115982 -0400 +@@ -3703,7 +3703,12 @@ ProcEstablishConnection(ClientPtr client + prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq); + auth_proto = (char *) prefix + sz_xConnClientPrefix; + auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto); +- if ((prefix->majorVersion != X_PROTOCOL) || ++ ++ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix + ++ pad_to_int32(prefix->nbytesAuthProto) + ++ pad_to_int32(prefix->nbytesAuthString)) ++ reason = "Bad length"; ++ else if ((prefix->majorVersion != X_PROTOCOL) || + (prefix->minorVersion != X_PROTOCOL_REVISION)) + reason = "Protocol version mismatch"; + else only in patch2: unchanged: --- xorg-server-hwe-16.04-1.19.3.orig/debian/patches/CVE-2017-12177.patch +++ xorg-server-hwe-16.04-1.19.3/debian/patches/CVE-2017-12177.patch @@ -0,0 +1,40 @@ +From 4ca68b878e851e2136c234f40a25008297d8d831 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Fri, 9 Jan 2015 10:09:14 -0500 +Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo + (CVE-2017-12177) + +v2: Protect against integer overflow (Alan Coopersmith) + +Reviewed-by: Alan Coopersmith +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/dbe/dbe.c b/dbe/dbe.c +index 9a0c7a7..292a223 100644 +--- a/dbe/dbe.c ++++ b/dbe/dbe.c +@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client) + XdbeScreenVisualInfo *pScrVisInfo; + + REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); ++ if (stuff->n > UINT32_MAX / sizeof(CARD32)) ++ return BadLength; ++ REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32)); + + if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) + return BadAlloc; +@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client) + + swapl(&stuff->n); + if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) +- return BadAlloc; ++ return BadLength; + REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); + + if (stuff->n != 0) { +-- +cgit v0.10.2 + only in patch2: unchanged: --- xorg-server-hwe-16.04-1.19.3.orig/debian/patches/CVE-2017-12178.patch +++ xorg-server-hwe-16.04-1.19.3/debian/patches/CVE-2017-12178.patch @@ -0,0 +1,28 @@ +From 859b08d523307eebde7724fd1a0789c44813e821 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Wed, 24 Dec 2014 16:22:18 -0500 +Subject: Xi: fix wrong extra length check in ProcXIChangeHierarchy + (CVE-2017-12178) + +Reviewed-by: Alan Coopersmith +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index 87f191f..cbdd912 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client) + if (!stuff->num_changes) + return rc; + +- len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo); ++ len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq); + + any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; + while (stuff->num_changes--) { +-- +cgit v0.10.2 + only in patch2: unchanged: --- xorg-server-hwe-16.04-1.19.3.orig/debian/patches/CVE-2017-12179-1.patch +++ xorg-server-hwe-16.04-1.19.3/debian/patches/CVE-2017-12179-1.patch @@ -0,0 +1,41 @@ +From 211e05ac85a294ef361b9f80d689047fa52b9076 Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Fri, 7 Jul 2017 17:21:46 +0200 +Subject: Xi: Test exact size of XIBarrierReleasePointer + +Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer. + +Signed-off-by: Peter Hutterer + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index af1562e..d82ecb6 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client) + REQUEST(xXIBarrierReleasePointerReq); + int i; + +- info = (xXIBarrierReleasePointerInfo*) &stuff[1]; +- + swaps(&stuff->length); ++ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); ++ + swapl(&stuff->num_barriers); ++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); ++ ++ info = (xXIBarrierReleasePointerInfo*) &stuff[1]; + for (i = 0; i < stuff->num_barriers; i++, info++) { + swaps(&info->deviceid); + swapl(&info->barrier); +@@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client) + xXIBarrierReleasePointerInfo *info; + + REQUEST(xXIBarrierReleasePointerReq); +- REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); ++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); + + info = (xXIBarrierReleasePointerInfo*) &stuff[1]; + for (i = 0; i < stuff->num_barriers; i++, info++) { +-- +cgit v0.10.2 + only in patch2: unchanged: --- xorg-server-hwe-16.04-1.19.3.orig/debian/patches/CVE-2017-12179-2.patch +++ xorg-server-hwe-16.04-1.19.3/debian/patches/CVE-2017-12179-2.patch @@ -0,0 +1,45 @@ +From d088e3c1286b548a58e62afdc70bb40981cdb9e8 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Fri, 9 Jan 2015 10:04:41 -0500 +Subject: Xi: integer overflow and unvalidated length in + (S)ProcXIBarrierReleasePointer + +[jcristau: originally this patch fixed the same issue as commit + 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the + addition of these checks] + +This addresses CVE-2017-12179 + +Reviewed-by: Alan Coopersmith +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Jeremy Huddleston Sequoia +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index d82ecb6..d0be701 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client) + REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); + + swapl(&stuff->num_barriers); ++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) ++ return BadLength; + REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); + + info = (xXIBarrierReleasePointerInfo*) &stuff[1]; +@@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client) + xXIBarrierReleasePointerInfo *info; + + REQUEST(xXIBarrierReleasePointerReq); ++ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); ++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) ++ return BadLength; + REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); + + info = (xXIBarrierReleasePointerInfo*) &stuff[1]; +-- +cgit v0.10.2 + only in patch2: unchanged: --- xorg-server-hwe-16.04-1.19.3.orig/debian/patches/CVE-2017-12180-12182.patch +++ xorg-server-hwe-16.04-1.19.3/debian/patches/CVE-2017-12180-12182.patch @@ -0,0 +1,600 @@ +From 1b1d4c04695dced2463404174b50b3581dbd857b Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Sun, 21 Dec 2014 01:10:03 -0500 +Subject: hw/xfree86: unvalidated lengths + +This addresses: +CVE-2017-12180 in XFree86-VidModeExtension +CVE-2017-12181 in XFree86-DGA +CVE-2017-12182 in XFree86-DRI + +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/Xext/vidmode.c b/Xext/vidmode.c +index 8ba919a..6e4a7c7 100644 +--- a/Xext/vidmode.c ++++ b/Xext/vidmode.c +@@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client) + DEBUG_P("XF86VidModeAddModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client) + stuff->after_vsyncend, stuff->after_vtotal, + (unsigned long) stuff->after_flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq)); +- } + if (len != stuff->privsize) + return BadLength; + +@@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr client) + DEBUG_P("XF86VidModeDeleteModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, + (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq)); +- } + if (len != stuff->privsize) { + DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, " + "len = %d, length = %d\n", +@@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client) + DEBUG_P("XF86VidModeModModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeModModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, + stuff->vtotal, (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeModModeLineReq)); +- } + if (len != stuff->privsize) + return BadLength; + +@@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr client) + DEBUG_P("XF86VidModeValidateModeline"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq); ++ len = client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, + (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq); +- len = client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq)); +- } + if (len != stuff->privsize) + return BadLength; + +@@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client) + DEBUG_P("XF86VidModeSwitchToMode"); + + ver = ClientMajorVersion(client); ++ ++ if (ver < 2) { ++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq)); ++ } ++ else { ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq); ++ len = ++ client->req_len - ++ bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq)); ++ } ++ + if (ver < 2) { + /* convert from old format */ + stuff = &newstuff; +@@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client) + stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, + (unsigned long) stuff->flags); + +- if (ver < 2) { +- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq)); +- } +- else { +- REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq); +- len = +- client->req_len - +- bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq)); +- } + if (len != stuff->privsize) + return BadLength; + +@@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client) + VidModePtr pVidMode; + + REQUEST(xXF86VidModeSetGammaRampReq); ++ REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq); + + if (stuff->screen >= screenInfo.numScreens) + return BadValue; +diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c +index 95434e8..505b019 100644 +--- a/hw/xfree86/common/xf86DGA.c ++++ b/hw/xfree86/common/xf86DGA.c +@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client) + char *deviceName; + int nameSize; + ++ REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (!DGAAvailable(stuff->screen)) + return DGAErrorBase + XF86DGANoDirectVideoMode; + +- REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr client) + { + REQUEST(xXDGACloseFramebufferReq); + ++ REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (!DGAAvailable(stuff->screen)) + return DGAErrorBase + XF86DGANoDirectVideoMode; + +- REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq); +- + DGACloseFramebuffer(stuff->screen); + + return Success; +@@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client) + xXDGAModeInfo info; + XDGAModePtr mode; + ++ REQUEST_SIZE_MATCH(xXDGAQueryModesReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXDGAQueryModesReq); + rep.type = X_Reply; + rep.length = 0; + rep.number = 0; +@@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client) + ClientPtr owner; + int size; + ++ REQUEST_SIZE_MATCH(xXDGASetModeReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + owner = DGA_GETCLIENT(stuff->screen); + +- REQUEST_SIZE_MATCH(xXDGASetModeReq); + rep.type = X_Reply; + rep.length = 0; + rep.offset = 0; +@@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client) + { + REQUEST(xXDGASetViewportReq); + ++ REQUEST_SIZE_MATCH(xXDGASetViewportReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGASetViewportReq); +- + DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags); + + return Success; +@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client) + + REQUEST(xXDGAInstallColormapReq); + ++ REQUEST_SIZE_MATCH(xXDGAInstallColormapReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGAInstallColormapReq); +- + rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP, + client, DixInstallAccess); + if (rc != Success) +@@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client) + { + REQUEST(xXDGASelectInputReq); + ++ REQUEST_SIZE_MATCH(xXDGASelectInputReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGASelectInputReq); +- + if (DGA_GETCLIENT(stuff->screen) == client) + DGASelectInput(stuff->screen, client, stuff->mask); + +@@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client) + { + REQUEST(xXDGAFillRectangleReq); + ++ REQUEST_SIZE_MATCH(xXDGAFillRectangleReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGAFillRectangleReq); +- + if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y, + stuff->width, stuff->height, stuff->color)) + return BadMatch; +@@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client) + { + REQUEST(xXDGACopyAreaReq); + ++ REQUEST_SIZE_MATCH(xXDGACopyAreaReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGACopyAreaReq); +- + if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy, + stuff->width, stuff->height, stuff->dstx, + stuff->dsty)) +@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr client) + { + REQUEST(xXDGACopyTransparentAreaReq); + ++ REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq); +- + if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy, + stuff->width, stuff->height, stuff->dstx, + stuff->dsty, stuff->key)) +@@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr client) + REQUEST(xXDGAGetViewportStatusReq); + xXDGAGetViewportStatusReply rep; + ++ REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client) + REQUEST(xXDGASyncReq); + xXDGASyncReply rep; + ++ REQUEST_SIZE_MATCH(xXDGASyncReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGASyncReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr client) + xXDGAChangePixmapModeReply rep; + int x, y; + ++ REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client) + REQUEST(xXDGACreateColormapReq); + int result; + ++ REQUEST_SIZE_MATCH(xXDGACreateColormapReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXDGACreateColormapReq); +- + if (!stuff->mode) + return BadValue; + +@@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client) + int num, offset, flags; + char *name; + ++ REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client) + + REQUEST(xXF86DGADirectVideoReq); + ++ REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; +- REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq); + + if (!DGAAvailable(stuff->screen)) + return DGAErrorBase + XF86DGANoDirectVideoMode; +@@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr client) + REQUEST(xXF86DGAGetViewPortSizeReq); + xXF86DGAGetViewPortSizeReply rep; + ++ REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client) + { + REQUEST(xXF86DGASetViewPortReq); + ++ REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq); +- + if (!DGAAvailable(stuff->screen)) + return DGAErrorBase + XF86DGANoDirectVideoMode; + +@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client) + REQUEST(xXF86DGAGetVidPageReq); + xXF86DGAGetVidPageReply rep; + ++ REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client) + { + REQUEST(xXF86DGASetVidPageReq); + ++ REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq); +- + /* silently fail */ + + return Success; +@@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr client) + + REQUEST(xXF86DGAInstallColormapReq); + ++ REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq); +- + if (!DGAActive(stuff->screen)) + return DGAErrorBase + XF86DGADirectNotActivated; + +@@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr client) + REQUEST(xXF86DGAQueryDirectVideoReq); + xXF86DGAQueryDirectVideoReply rep; + ++ REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + +- REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +@@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr client) + REQUEST(xXF86DGAViewPortChangedReq); + xXF86DGAViewPortChangedReply rep; + ++ REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq); ++ + if (stuff->screen >= screenInfo.numScreens) + return BadValue; + + if (DGA_GETCLIENT(stuff->screen) != client) + return DGAErrorBase + XF86DGADirectNotActivated; + +- REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq); +- + if (!DGAActive(stuff->screen)) + return DGAErrorBase + XF86DGADirectNotActivated; + +diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c +index 8f3c2d6..d356db9 100644 +--- a/hw/xfree86/dri/xf86dri.c ++++ b/hw/xfree86/dri/xf86dri.c +@@ -570,6 +570,7 @@ static int _X_COLD + SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client) + { + REQUEST(xXF86DRIQueryDirectRenderingCapableReq); ++ REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq); + swaps(&stuff->length); + swapl(&stuff->screen); + return ProcXF86DRIQueryDirectRenderingCapable(client); +-- +cgit v0.10.2 + only in patch2: unchanged: --- xorg-server-hwe-16.04-1.19.3.orig/debian/patches/CVE-2017-12183.patch +++ xorg-server-hwe-16.04-1.19.3/debian/patches/CVE-2017-12183.patch @@ -0,0 +1,94 @@ +From 55caa8b08c84af2b50fbc936cf334a5a93dd7db5 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Fri, 9 Jan 2015 11:43:05 -0500 +Subject: xfixes: unvalidated lengths (CVE-2017-12183) + +v2: Use before swap (Jeremy Huddleston Sequoia) + +v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith) + +Reviewed-by: Alan Coopersmith +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Jeremy Huddleston Sequoia +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +diff --git a/xfixes/cursor.c b/xfixes/cursor.c +index c1ab3be..dc447ed 100644 +--- a/xfixes/cursor.c ++++ b/xfixes/cursor.c +@@ -281,6 +281,7 @@ int _X_COLD + SProcXFixesSelectCursorInput(ClientPtr client) + { + REQUEST(xXFixesSelectCursorInputReq); ++ REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq); + + swaps(&stuff->length); + swapl(&stuff->window); +@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client) + REQUEST(xXFixesSetCursorNameReq); + Atom atom; + +- REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq); ++ REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes); + VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess); + tchar = (char *) &stuff[1]; + atom = MakeAtom(tchar, stuff->nbytes, TRUE); +@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) + int i; + CARD16 *in_devices = (CARD16 *) &stuff[1]; + ++ REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq); ++ + swaps(&stuff->length); + swaps(&stuff->num_devices); + REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); +diff --git a/xfixes/region.c b/xfixes/region.c +index e773701..7c0a7d2 100644 +--- a/xfixes/region.c ++++ b/xfixes/region.c +@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client) + RegionPtr pSource, pDestination; + + REQUEST(xXFixesCopyRegionReq); ++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); + + VERIFY_REGION(pSource, stuff->source, client, DixReadAccess); + VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess); +@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client) + REQUEST(xXFixesCopyRegionReq); + + swaps(&stuff->length); +- REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq); ++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); + swapl(&stuff->source); + swapl(&stuff->destination); + return (*ProcXFixesVector[stuff->xfixesReqType]) (client); +diff --git a/xfixes/saveset.c b/xfixes/saveset.c +index 2043153..fd9c7a1 100644 +--- a/xfixes/saveset.c ++++ b/xfixes/saveset.c +@@ -62,6 +62,7 @@ int _X_COLD + SProcXFixesChangeSaveSet(ClientPtr client) + { + REQUEST(xXFixesChangeSaveSetReq); ++ REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq); + + swaps(&stuff->length); + swapl(&stuff->window); +diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c +index 77efd64..248bf02 100644 +--- a/xfixes/xfixes.c ++++ b/xfixes/xfixes.c +@@ -160,6 +160,7 @@ static _X_COLD int + SProcXFixesQueryVersion(ClientPtr client) + { + REQUEST(xXFixesQueryVersionReq); ++ REQUEST_SIZE_MATCH(xXFixesQueryVersionReq); + + swaps(&stuff->length); + swapl(&stuff->majorVersion); +-- +cgit v0.10.2 + only in patch2: unchanged: --- xorg-server-hwe-16.04-1.19.3.orig/debian/patches/CVE-2017-12184-12187.patch +++ xorg-server-hwe-16.04-1.19.3/debian/patches/CVE-2017-12184-12187.patch @@ -0,0 +1,135 @@ +From cad5a1050b7184d828aef9c1dd151c3ab649d37e Mon Sep 17 00:00:00 2001 +From: Nathan Kidd +Date: Fri, 9 Jan 2015 09:57:23 -0500 +Subject: Unvalidated lengths + +v2: Add overflow check and remove unnecessary check (Julien Cristau) + +This addresses: +CVE-2017-12184 in XINERAMA +CVE-2017-12185 in MIT-SCREEN-SAVER +CVE-2017-12186 in X-Resource +CVE-2017-12187 in RENDER + +Reviewed-by: Jeremy Huddleston Sequoia +Reviewed-by: Julien Cristau +Signed-off-by: Nathan Kidd +Signed-off-by: Julien Cristau + +Index: xorg-server-1.19.3/Xext/panoramiX.c +=================================================================== +--- xorg-server-1.19.3.orig/Xext/panoramiX.c 2017-10-13 08:23:12.684603981 -0400 ++++ xorg-server-1.19.3/Xext/panoramiX.c 2017-10-13 08:23:12.680603943 -0400 +@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr cli + xPanoramiXGetScreenSizeReply rep; + int rc; + ++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); ++ + if (stuff->screen >= PanoramiXNumScreens) + return BadMatch; + +- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); + rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess); + if (rc != Success) + return rc; +Index: xorg-server-1.19.3/Xext/saver.c +=================================================================== +--- xorg-server-1.19.3.orig/Xext/saver.c 2017-10-13 08:23:12.684603981 -0400 ++++ xorg-server-1.19.3/Xext/saver.c 2017-10-13 08:23:12.680603943 -0400 +@@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr + PanoramiXRes *draw; + int rc, i; + ++ REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq); ++ + rc = dixLookupResourceByClass((void **) &draw, stuff->drawable, + XRC_DRAWABLE, client, DixWriteAccess); + if (rc != Success) +Index: xorg-server-1.19.3/Xext/xres.c +=================================================================== +--- xorg-server-1.19.3.orig/Xext/xres.c 2017-10-13 08:23:12.684603981 -0400 ++++ xorg-server-1.19.3/Xext/xres.c 2017-10-13 08:23:12.680603943 -0400 +@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr cl + ConstructResourceBytesCtx ctx; + + REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq); ++ if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0])) ++ return BadLength; + REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq, + stuff->numSpecs * sizeof(ctx.specs[0])); + +@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr c + int c; + xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff)); + +- swapl(&stuff->numSpecs); + REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq); ++ swapl(&stuff->numSpecs); + REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq, + stuff->numSpecs * sizeof(specs[0])); + +Index: xorg-server-1.19.3/Xext/xvdisp.c +=================================================================== +--- xorg-server-1.19.3.orig/Xext/xvdisp.c 2017-10-13 08:23:12.684603981 -0400 ++++ xorg-server-1.19.3/Xext/xvdisp.c 2017-10-13 08:23:12.680603943 -0400 +@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client) + { + REQUEST(xvShmPutImageReq); + PanoramiXRes *draw, *gc, *port; +- Bool send_event = stuff->send_event; ++ Bool send_event; + Bool isRoot; + int result, i, x, y; + + REQUEST_SIZE_MATCH(xvShmPutImageReq); + ++ send_event = stuff->send_event; ++ + result = dixLookupResourceByClass((void **) &draw, stuff->drawable, + XRC_DRAWABLE, client, DixWriteAccess); + if (result != Success) +Index: xorg-server-1.19.3/hw/dmx/dmxpict.c +=================================================================== +--- xorg-server-1.19.3.orig/hw/dmx/dmxpict.c 2017-10-13 08:23:12.684603981 -0400 ++++ xorg-server-1.19.3/hw/dmx/dmxpict.c 2017-10-13 08:23:12.680603943 -0400 +@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr + filter = (char *) (stuff + 1); + params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3)); + nparams = ((XFixed *) stuff + client->req_len) - params; ++ if (nparams < 0) ++ return BadLength; + + XRenderSetPictureFilter(dmxScreen->beDisplay, + pPictPriv->pict, filter, params, nparams); +Index: xorg-server-1.19.3/pseudoramiX/pseudoramiX.c +=================================================================== +--- xorg-server-1.19.3.orig/pseudoramiX/pseudoramiX.c 2017-10-13 08:23:12.684603981 -0400 ++++ xorg-server-1.19.3/pseudoramiX/pseudoramiX.c 2017-10-13 08:23:12.680603943 -0400 +@@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr c + + TRACE; + ++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); ++ + if (stuff->screen >= pseudoramiXNumScreens) + return BadMatch; + +- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); + rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess); + if (rc != Success) + return rc; +Index: xorg-server-1.19.3/render/render.c +=================================================================== +--- xorg-server-1.19.3.orig/render/render.c 2017-10-13 08:23:12.684603981 -0400 ++++ xorg-server-1.19.3/render/render.c 2017-10-13 08:23:12.684603981 -0400 +@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr cli + name = (char *) (stuff + 1); + params = (xFixed *) (name + pad_to_int32(stuff->nbytes)); + nparams = ((xFixed *) stuff + client->req_len) - params; ++ if (nparams < 0) ++ return BadLength; ++ + result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams); + return result; + } only in patch2: unchanged: --- xorg-server-hwe-16.04-1.19.3.orig/debian/patches/os_big_requests.patch +++ xorg-server-hwe-16.04-1.19.3/debian/patches/os_big_requests.patch @@ -0,0 +1,33 @@ +From 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9 Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Fri, 7 Jul 2017 17:04:03 +0200 +Subject: os: Make sure big requests have sufficient length. + +A client can send a big request where the 32B "length" field has value +0. When the big request header is removed and the length corrected, +the value will underflow to 0xFFFFFFFF. Functions processing the +request later will think that the client sent much more data and may +touch memory beyond the receive buffer. + +Signed-off-by: Eric Anholt +Reviewed-by: Peter Hutterer + +diff --git a/os/io.c b/os/io.c +index b040291..955c249 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client) + if (!gotnow) + AvailableInput = oc; + if (move_header) { ++ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) { ++ YieldControlDeath(); ++ return -1; ++ } ++ + request = (xReq *) oci->bufptr; + oci->bufptr += (sizeof(xBigReq) - sizeof(xReq)); + *(xReq *) oci->bufptr = *request; +-- +cgit v0.10.2 + only in patch2: unchanged: --- xorg-server-hwe-16.04-1.19.3.orig/debian/patches/xkb_escape_fix.patch +++ xorg-server-hwe-16.04-1.19.3/debian/patches/xkb_escape_fix.patch @@ -0,0 +1,29 @@ +From eaf1f72ed8994b708d94ec2de7b1a99f5c4a39b8 Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Thu, 27 Jul 2017 11:54:26 +0200 +Subject: xkb: Escape non-printable characters correctly. + +XkbStringText escapes non-printable characters using octal numbers. Such escape +sequence would be at most 5 characters long ("\0123"), so it reserves 5 bytes +in the buffer. Due to char->unsigned int conversion, it would print much longer +string for negative numbers. + +Reviewed-by: Keith Packard +Signed-off-by: Julien Cristau + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index ffbc546..ead2b1a 100644 +--- a/xkb/xkbtext.c ++++ b/xkb/xkbtext.c +@@ -603,7 +603,7 @@ XkbStringText(char *str, unsigned format) + } + else { + *out++ = '0'; +- sprintf(out, "%o", *in); ++ sprintf(out, "%o", (unsigned char) *in); + while (*out != '\0') + out++; + } +-- +cgit v0.10.2 +