diff -u xorg-server-1.14.3/debian/changelog xorg-server-1.14.3/debian/changelog
--- xorg-server-1.14.3/debian/changelog
+++ xorg-server-1.14.3/debian/changelog
@@ -1,3 +1,9 @@
+xorg-server (2:1.14.3-3ubuntu2) saucy-proposed; urgency=low
+
+ * avoid-use-after-free.diff: Fix CVE-2013-4396.
+
+ -- Timo Aaltonen Tue, 15 Oct 2013 12:05:48 +0300
+
 xorg-server (2:1.14.3-3ubuntu1) saucy; urgency=low
 * Merge from unreleased debian git.
diff -u xorg-server-1.14.3/debian/patches/series xorg-server-1.14.3/debian/patches/series
--- xorg-server-1.14.3/debian/patches/series
+++ xorg-server-1.14.3/debian/patches/series
@@ -63,0 +64 @@
+avoid-use-after-free.diff
only in patch2: unchanged:
--- xorg-server-1.14.3.orig/debian/patches/avoid-use-after-free.diff
+++ xorg-server-1.14.3/debian/patches/avoid-use-after-free.diff
@@ -0,0 +1,70 @@
+commit 3afbfc4913db988b29f9aa6879b7501321e448d4
+Author: Alan Coopersmith
+Date: Mon Sep 16 21:47:16 2013 -0700
+
+ Avoid use-after-free in dix/dixfonts.c: doImageText()
+
+ Save a pointer to the passed in closure structure before copying it
+ and overwriting the *c pointer to point to our copy instead of the
+ original. If we hit an error, once we free(c), reset c to point to
+ the original structure before jumping to the cleanup code that
+ references *c.
+
+ Since one of the errors being checked for is whether the server was
+ able to malloc(c->nChars * itemSize), the client can potentially pass
+ a number of characters chosen to cause the malloc to fail and the
+ error path to be taken, resulting in the read from freed memory.
+
+ Since the memory is accessed almost immediately afterwards, and the
+ X server is mostly single threaded, the odds of the free memory having
+ invalid contents are low with most malloc implementations when not using
+ memory debugging features, but some allocators will definitely overwrite
+ the memory there, leading to a likely crash.
+
+ Reported-by: Pedro Ribeiro
+ Signed-off-by: Alan Coopersmith
+ Reviewed-by: Julien Cristau
+
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index feb765d..2e34d37 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+ data = malloc(c->nChars * itemSize);
+ if (!data) {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ if (!pGC) {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
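Review bot: The three added `c = old_closure;` restores carry no comment, and their safety rests on the `bail:` cleanup, which lies outside this hunk, still treating the caller's closure as live and not freeing it — a reader of these error paths cannot see that from here. I would put above the first restore `/* c now points at the freed copy; bail dereferences c, so hand back the caller's closure */`, and since the sequence `free(c); c = old_closure; err = BadAlloc; goto bail;` now appears three times, a single error label that performs the restore would keep a future exit path from omitting it. Initializing at the declaration (`ITclosurePtr old_closure = c;`) would also make the pointer valid on every early exit rather than only after the copy, provided c is not reassigned before the copy on the lines between the two hunks, which are not visible here. doImageText begins and ends outside the hunks shown.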