diff options
| author | Kai Kang <kai.kang@windriver.com> | 2014-04-01 17:09:50 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-04-01 23:37:01 +0100 |
| commit | 377ce42a6a50da3e4de4bdd8936ce02b3c8c3d95 (patch) | |
| tree | a03707dc3c85568df1060b34d1ad86887bedcd0c | |
| parent | 30959dda952b602b75bbd58ef225bbe4558ce440 (diff) | |
| download | poky-377ce42a6a50da3e4de4bdd8936ce02b3c8c3d95.tar.gz | |
xorg: Fix for CVE-2013-6424
Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org
allows context-dependent attackers to cause a denial of service (crash) via
a negative bottom value.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6424
(From OE-Core rev: 059dc5f4ef9bcf49cb6520f5f2ab1e739f4d42de)
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch | 31 | ||||
| -rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb | 1 |
2 files changed, 32 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch new file mode 100644 index 0000000000..7c6153022f --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch | |||
| @@ -0,0 +1,31 @@ | |||
| 1 | This patch comes from: | ||
| 2 | http://lists.x.org/archives/xorg-devel/2013-October/037996.html | ||
| 3 | |||
| 4 | Upstream-Status: Backport | ||
| 5 | |||
| 6 | Signed-off-by: Baogen shang <baogen.shang@windriver.com> | ||
| 7 | diff -Naur xorg-server-1.14.0-orig/exa/exa_render.c xorg-server-1.14.0/exa/exa_render.c | ||
| 8 | --- xorg-server-1.14.0-orig/exa/exa_render.c 2014-02-27 14:32:38.000000000 +0800 | ||
| 9 | +++ xorg-server-1.14.0/exa/exa_render.c 2014-02-27 15:46:59.000000000 +0800 | ||
| 10 | @@ -1141,7 +1141,8 @@ | ||
| 11 | |||
| 12 | exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST); | ||
| 13 | for (; ntrap; ntrap--, traps++) | ||
| 14 | - (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); | ||
| 15 | + if (xTrapezoidValid(traps)) | ||
| 16 | + (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); | ||
| 17 | exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST); | ||
| 18 | |||
| 19 | xRel = bounds.x1 + xSrc - xDst; | ||
| 20 | diff -Naur xorg-server-1.14.0-orig/render/picture.h xorg-server-1.14.0/render/picture.h | ||
| 21 | --- xorg-server-1.14.0-orig/render/picture.h 2014-02-27 14:32:26.000000000 +0800 | ||
| 22 | +++ xorg-server-1.14.0/render/picture.h 2014-02-27 15:48:13.000000000 +0800 | ||
| 23 | @@ -211,7 +211,7 @@ | ||
| 24 | /* whether 't' is a well defined not obviously empty trapezoid */ | ||
| 25 | #define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \ | ||
| 26 | (t)->right.p1.y != (t)->right.p2.y && \ | ||
| 27 | - (int) ((t)->bottom - (t)->top) > 0) | ||
| 28 | + ((t)->bottom > (t)->top)) | ||
| 29 | |||
| 30 | /* | ||
| 31 | * Standard NTSC luminance conversions: | ||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb index a4dda4e7aa..1f9fa04c8d 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb | |||
| @@ -5,6 +5,7 @@ SRC_URI += "file://crosscompile.patch \ | |||
| 5 | file://fix_open_max_preprocessor_error.patch \ | 5 | file://fix_open_max_preprocessor_error.patch \ |
| 6 | file://mips64-compiler.patch \ | 6 | file://mips64-compiler.patch \ |
| 7 | file://aarch64.patch \ | 7 | file://aarch64.patch \ |
| 8 | file://xorg-CVE-2013-6424.patch \ | ||
| 8 | " | 9 | " |
| 9 | 10 | ||
| 10 | SRC_URI[md5sum] = "c2ace3697b32414094cf8c597c39d7d9" | 11 | SRC_URI[md5sum] = "c2ace3697b32414094cf8c597c39d7d9" |