author | Vladimír Čunát <vcunat@gmail.com> | 2013-11-06 20:07:35 +0100 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2013-11-06 20:07:35 +0100 |
commit | feb778507fe715c6537322c28c2ed1769a794d23 (patch) | |
tree | 746e418e43a20ee9e754b519215c059630b40722 /pkgs/servers/x11/xorg | |
parent | 834af9c90508f8bec6e43b8b2d38aae9e1070cdc (diff) | |
xorg-server: remove now-upstreamed patch
I'm sorry, I completely forgot to test the previous commit. Also remove a long-unused patch.
Diffstat (limited to 'pkgs/servers/x11/xorg')
-rw-r--r-- | pkgs/servers/x11/xorg/overrides.nix | 1 | ||||
-rw-r--r-- | pkgs/servers/x11/xorg/xorgserver-cve-2013-4396.patch | 75 | ||||
-rw-r--r-- | pkgs/servers/x11/xorg/xorgserver12-CVE-1940.patch | 34 |
3 files changed, 0 insertions, 110 deletions
diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix
index fb8b5856ecb..8c073c29c12 100644
--- a/pkgs/servers/x11/xorg/overrides.nix
+++ b/pkgs/servers/x11/xorg/overrides.nix
@@ -188,7 +188,6 @@ in
 patches = [
 ./xorgserver-dri-path.patch
 ./xorgserver-xkbcomp-path.patch
- ./xorgserver-cve-2013-4396.patch
 ];
 buildInputs = attrs.buildInputs ++ [ xtrans ];
 propagatedBuildInputs =
diff --git a/pkgs/servers/x11/xorg/xorgserver-cve-2013-4396.patch b/pkgs/servers/x11/xorg/xorgserver-cve-2013-4396.patch
deleted file mode 100644
index 4b6727e61c0..00000000000
--- a/pkgs/servers/x11/xorg/xorgserver-cve-2013-4396.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Mon, 16 Sep 2013 21:47:16 -0700
-Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
- [CVE-2013-4396]
-
-Save a pointer to the passed in closure structure before copying it
-and overwriting the *c pointer to point to our copy instead of the
-original. If we hit an error, once we free(c), reset c to point to
-the original structure before jumping to the cleanup code that
-references *c.
-
-Since one of the errors being checked for is whether the server was
-able to malloc(c->nChars * itemSize), the client can potentially pass
-a number of characters chosen to cause the malloc to fail and the
-error path to be taken, resulting in the read from freed memory.
-
-Since the memory is accessed almost immediately afterwards, and the
-X server is mostly single threaded, the odds of the free memory having
-invalid contents are low with most malloc implementations when not using
-memory debugging features, but some allocators will definitely overwrite
-the memory there, leading to a likely crash.
-
-Reported-by: Pedro Ribeiro <pedrib@gmail.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
----
- dix/dixfonts.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/dix/dixfonts.c b/dix/dixfonts.c
-index feb765d..2e34d37 100644
---- a/dix/dixfonts.c
-+++ b/dix/dixfonts.c
-@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- GC *pGC;
- unsigned char *data;
- ITclosurePtr new_closure;
-+ ITclosurePtr old_closure;
-
- /* We're putting the client to sleep. We need to
- save some state. Similar problem to that handled
-@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
- err = BadAlloc;
- goto bail;
- }
-+ old_closure = c;
- *new_closure = *c;
- c = new_closure;
-
- data = malloc(c->nChars * itemSize);
- if (!data) {
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- if (!pGC) {
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- FreeScratchGC(pGC);
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
---
-1.7.9.2
diff --git a/pkgs/servers/x11/xorg/xorgserver12-CVE-1940.patch b/pkgs/servers/x11/xorg/xorgserver12-CVE-1940.patch
deleted file mode 100644
index d85494f9029..00000000000
--- a/pkgs/servers/x11/xorg/xorgserver12-CVE-1940.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6ca03b9161d33b1d2b55a3a1a913cf88deb2343f Mon Sep 17 00:00:00 2001
-From: Dave Airlie <airlied@gmail.com>
-Date: Wed, 10 Apr 2013 06:09:01 +0000
-Subject: xf86: fix flush input to work with Linux evdev devices.
-
-So when we VT switch back and attempt to flush the input devices,
-we don't succeed because evdev won't return part of an event,
-since we were only asking for 4 bytes, we'd only get -EINVAL back.
-
-This could later cause events to be flushed that we shouldn't have
-gotten.
-
-This is a fix for CVE-2013-1940.
-
-Signed-off-by: Dave Airlie <airlied@redhat.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/hw/xfree86/os-support/shared/posix_tty.c b/hw/xfree86/os-support/shared/posix_tty.c
-index ab3757a..4d08c1e 100644
---- a/hw/xfree86/os-support/shared/posix_tty.c
-+++ b/hw/xfree86/os-support/shared/posix_tty.c
-@@ -421,7 +421,8 @@ xf86FlushInput(int fd)
- {
- fd_set fds;
- struct timeval timeout;
-- char c[4];
-+ /* this needs to be big enough to flush an evdev event. */
-+ char c[256];
-
- DebugF("FlushingSerial\n");
- if (tcflush(fd, TCIFLUSH) == 0)
---
-cgit v0.9.0.2-2-gbebe |