Date: Fri, 28 Jul 2017 21:10:00 +0000
From: "Thomas Klausner"
Subject: CVS commit: pkgsrc/x11/modular-xorg-server
To: pkgsrc-changes@NetBSD.org
Reply-To: wiz@netbsd.org
Message-Id: <20170728211000.8BE9EFACD@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   wiz
Date:           Fri Jul 28 21:10:00 UTC 2017

Modified Files:
        pkgsrc/x11/modular-xorg-server: Makefile distinfo
Added Files:
        pkgsrc/x11/modular-xorg-server/patches: patch-Xi_sendexev.c
            patch-dix_events.c patch-dix_swapreq.c

Log Message:
CVE-2017-10971 and CVE-2017-10972: apply fixes to the event loop from

https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455
https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d
https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c
https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced

via xsrc patch from mrg@ at
https://mail-index.netbsd.org/source-changes/2017/07/07/msg086134.html

Bump PKGREVISION.

To generate a diff of this commit:
cvs rdiff -u -r1.112 -r1.113 pkgsrc/x11/modular-xorg-server/Makefile
cvs rdiff -u -r1.82 -r1.83 pkgsrc/x11/modular-xorg-server/distinfo
cvs rdiff -u -r0 -r1.3 \
    pkgsrc/x11/modular-xorg-server/patches/patch-Xi_sendexev.c
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/x11/modular-xorg-server/patches/patch-dix_events.c \
    pkgsrc/x11/modular-xorg-server/patches/patch-dix_swapreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
--_----------=_1501276200122970 Content-Disposition: inline Content-Length: 7649 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/x11/modular-xorg-server/Makefile diff -u pkgsrc/x11/modular-xorg-server/Makefile:1.112 pkgsrc/x11/modular-xorg-server/Makefile:1.113 --- pkgsrc/x11/modular-xorg-server/Makefile:1.112 Fri Jul 7 12:12:34 2017 +++ pkgsrc/x11/modular-xorg-server/Makefile Fri Jul 28 21:10:00 2017 @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.112 2017/07/07 12:12:34 jperkin Exp $ +# $NetBSD: Makefile,v 1.113 2017/07/28 21:10:00 wiz Exp $ DISTNAME= xorg-server-${XORG_VERSION} PKGNAME= modular-${DISTNAME} -PKGREVISION= 1 +PKGREVISION= 2 MAINTAINER= pkgsrc-users@NetBSD.org COMMENT= Modular X11 server from modular X.org Index: pkgsrc/x11/modular-xorg-server/distinfo diff -u pkgsrc/x11/modular-xorg-server/distinfo:1.82 pkgsrc/x11/modular-xorg-server/distinfo:1.83 --- pkgsrc/x11/modular-xorg-server/distinfo:1.82 Thu Mar 16 11:56:46 2017 +++ pkgsrc/x11/modular-xorg-server/distinfo Fri Jul 28 21:10:00 2017 
@@ -1,10 +1,13 @@ -$NetBSD: distinfo,v 1.82 2017/03/16 11:56:46 wiz Exp $ +$NetBSD: distinfo,v 1.83 2017/07/28 21:10:00 wiz Exp $ SHA1 (xorg-server-1.19.3.tar.bz2) = 77f580ffa22a8bbcc3536e74e19114e446417a9c RMD160 (xorg-server-1.19.3.tar.bz2) = afa8708054016d4fa3632bf1db0bc462731717b4 SHA512 (xorg-server-1.19.3.tar.bz2) = b988897418399e1361fdcca9465a781f55f8f6fbfdc5a59edfaee9046a0c6ad7a76f348d88b6004ce3d3fb3966b4c5af0b854f6549c32b2b8d7a43758809f669 Size (xorg-server-1.19.3.tar.bz2) = 6050221 bytes +SHA1 (patch-Xi_sendexev.c) = 46a165049d4b15c472736d3863aa4efad39418bc SHA1 (patch-configure) = 9e9f497f14d563ef66f25c637a14b0bea2243c3f +SHA1 (patch-dix_events.c) = a7ede761198583f1d59c4def49db48725a46bd21 +SHA1 (patch-dix_swapreq.c) = 66643fbd396d0b4222ba4a3f09c4bbe3f0083a33 SHA1 (patch-hw_xfree86_common_xf86pciBus.c) = 896825ba12646431cba603938d118acbdde305dd SHA1 (patch-hw_xfree86_common_xf86sbusBus.h) = f56f87336b2f669413ebb1005a2b64568a111f92 SHA1 (patch-hw_xfree86_dri2_dri2.c) = 0bf58305059321e10f6f58186301dbb7cb858c2a Added files: Index: pkgsrc/x11/modular-xorg-server/patches/patch-Xi_sendexev.c diff -u /dev/null pkgsrc/x11/modular-xorg-server/patches/patch-Xi_sendexev.c:1.3 --- /dev/null Fri Jul 28 21:10:00 2017 +++ pkgsrc/x11/modular-xorg-server/patches/patch-Xi_sendexev.c Fri Jul 28 21:10:00 2017 
@@ -0,0 +1,65 @@ +$NetBSD: patch-Xi_sendexev.c,v 1.3 2017/07/28 21:10:00 wiz Exp $ + +CVE-2017-10971 and CVE-2017-10972: apply fixes to the event loop from + + https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455 + https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d + https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c + https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced + +--- Xi/sendexev.c.orig 2017-03-15 18:05:25.000000000 +0000 ++++ Xi/sendexev.c +@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr clien + { + CARD32 *p; + int i; +- xEvent eventT; ++ xEvent eventT = { .u.u.type = 0 }; + xEvent *eventP; + EventSwapPtr proc; + +@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr clien + + eventP = (xEvent *) &stuff[1]; + for (i = 0; i < stuff->num_events; i++, eventP++) { ++ if (eventP->u.u.type == GenericEvent) { ++ client->errorValue = eventP->u.u.type; ++ return BadValue; ++ } ++ + proc = EventSwapVector[eventP->u.u.type & 0177]; +- if (proc == NotImplemented) /* no swapping proc; invalid event type? */ ++ /* no swapping proc; invalid event type? */ ++ if (proc == NotImplemented) { ++ client->errorValue = eventP->u.u.type; + return BadValue; ++ } + (*proc) (eventP, &eventT); + *eventP = eventT; + } +@@ -117,7 +125,7 @@ SProcXSendExtensionEvent(ClientPtr clien + int + ProcXSendExtensionEvent(ClientPtr client) + { +- int ret; ++ int ret, i; + DeviceIntPtr dev; + xEvent *first; + XEventClass *list; +@@ -141,10 +149,12 @@ ProcXSendExtensionEvent(ClientPtr client + /* The client's event type must be one defined by an extension. 
*/ + + first = ((xEvent *) &stuff[1]); +- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && +- (first->u.u.type < lastEvent))) { +- client->errorValue = first->u.u.type; +- return BadValue; ++ for (i = 0; i < stuff->num_events; i++) { ++ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && ++ (first[i].u.u.type < lastEvent))) { ++ client->errorValue = first[i].u.u.type; ++ return BadValue; ++ } + } + + list = (XEventClass *) (first + stuff->num_events); Index: pkgsrc/x11/modular-xorg-server/patches/patch-dix_events.c diff -u /dev/null pkgsrc/x11/modular-xorg-server/patches/patch-dix_events.c:1.1 --- /dev/null Fri Jul 28 21:10:00 2017 +++ pkgsrc/x11/modular-xorg-server/patches/patch-dix_events.c Fri Jul 28 21:10:00 2017 @@ -0,0 +1,24 @@ +$NetBSD: patch-dix_events.c,v 1.1 2017/07/28 21:10:00 wiz Exp $ + +CVE-2017-10971 and CVE-2017-10972: apply fixes to the event loop from + + https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455 + https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d + https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c + https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced + +--- dix/events.c.orig 2017-03-15 18:05:25.000000000 +0000 ++++ dix/events.c +@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client) + client->errorValue = stuff->event.u.u.type; + return BadValue; + } ++ /* Generic events can have variable size, but SendEvent request holds ++ exactly 32B of event data. */ ++ if (stuff->event.u.u.type == GenericEvent) { ++ client->errorValue = stuff->event.u.u.type; ++ return BadValue; ++ } + if (stuff->event.u.u.type == ClientMessage && + stuff->event.u.u.detail != 8 && + stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) { Index: pkgsrc/x11/modular-xorg-server/patches/patch-dix_swapreq.c diff -u /dev/null pkgsrc/x11/modular-xorg-server/patches/patch-dix_swapreq.c:1.1 
--- /dev/null Fri Jul 28 21:10:00 2017 +++ pkgsrc/x11/modular-xorg-server/patches/patch-dix_swapreq.c Fri Jul 28 21:10:00 2017 @@ -0,0 +1,25 @@ +$NetBSD: patch-dix_swapreq.c,v 1.1 2017/07/28 21:10:00 wiz Exp $ + +CVE-2017-10971 and CVE-2017-10972: apply fixes to the event loop from + + https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455 + https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d + https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c + https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced + +--- dix/swapreq.c.orig 2017-03-15 18:05:25.000000000 +0000 ++++ dix/swapreq.c +@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client) + swapl(&stuff->destination); + swapl(&stuff->eventMask); + ++ /* Generic events can have variable size, but SendEvent request holds ++ exactly 32B of event data. */ ++ if (stuff->event.u.u.type == GenericEvent) { ++ client->errorValue = stuff->event.u.u.type; ++ return BadValue; ++ } ++ + /* Swap event */ + proc = EventSwapVector[stuff->event.u.u.type & 0177]; + if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ --_----------=_1501276200122970--
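
Review bot: In the Xi/sendexev.c hunk at @@ -95,9 +95,17 (SProcXSendExtensionEvent), the guard before the indirect call is still only "if (proc == NotImplemented) {", while the equivalent lookup in dix/swapreq.c tests "if (!proc || proc == NotImplemented)". Both index the same EventSwapVector with the same "& 0177" mask, so the two call sites should reject the same set of entries; adding the "!proc" test here would keep "(*proc) (eventP, &eventT);" from ever being reached with a null pointer and make the two paths consistent. The new errorValue assignment on this path is a good addition and can stay as is.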
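
Review bot: In the Xi/sendexev.c hunk at @@ -141,10 +149,12 (ProcXSendExtensionEvent), the new loop reads "first[i].u.u.type" for every i below "stuff->num_events", but nothing in the hunk shows that the request has been confirmed to hold that many xEvent records. Please confirm that the request-length check runs earlier in the function than this loop, and say so in the comment above it, since the loop now dereferences all num_events entries where the old code touched only the first. It would also help to note in that comment that GenericEvent is rejected here by the EXTENSION_EVENT_BASE range test rather than by an explicit comparison as in the other three places this patch set touches.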
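
Review bot: The header comments of patch-dix_events.c and patch-dix_swapreq.c repeat the same four upstream commit URLs as patch-Xi_sendexev.c, so a reader of a single patch file cannot tell which upstream change it carries. Each file should cite only the commit or commits that touch that source file, which makes it easier to drop the right patch when the package moves to a release that includes the fix. On the code itself, the placement of the GenericEvent test in SProcSendEvent ahead of the "EventSwapVector[stuff->event.u.u.type & 0177]" lookup is the right order, and the comment about the 32B SendEvent payload explains why; no change requested there.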