author | Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> | 2015-04-28 15:38:08 +0000 |
---|---|---|
committer | Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> | 2015-04-28 15:38:08 +0000 |
commit | 20a673c4408271cb4535f714eb1a3d7443e6af34 (patch) | |
tree | cfdff0a37abe233ff205ac069ca4b9d947821c82 /x11-base/xorg-server | |
parent | Changing wxMaxima -> wxmaxima in new places, #547548 (diff) | |
Add fix for security bug #548002.
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x2324E7B566DF2611!)
Diffstat (limited to 'x11-base/xorg-server')
-rw-r--r-- | x11-base/xorg-server/ChangeLog | 8 | ||||
-rw-r--r-- | x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch | 29 | ||||
-rw-r--r-- | x11-base/xorg-server/xorg-server-1.12.4-r5.ebuild | 252 |
3 files changed, 288 insertions, 1 deletions
diff --git a/x11-base/xorg-server/ChangeLog b/x11-base/xorg-server/ChangeLog index 6ce91a7c3530..c91ed2327f2b 100644 --- a/x11-base/xorg-server/ChangeLog +++ b/x11-base/xorg-server/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for x11-base/xorg-server # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/x11-base/xorg-server/ChangeLog,v 1.844 2015/03/31 18:08:58 ulm Exp $ +# $Header: /var/cvsroot/gentoo-x86/x11-base/xorg-server/ChangeLog,v 1.845 2015/04/28 15:38:07 chithanh Exp $ + +*xorg-server-1.12.4-r5 (28 Apr 2015) + + 28 Apr 2015; Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> + +files/xorg-server-1.12-cve-2015-3418.patch, +xorg-server-1.12.4-r5.ebuild: + Add fix for security bug #548002. 31 Mar 2015; Ulrich Müller <ulm@gentoo.org> xorg-server-1.12.4-r4.ebuild, xorg-server-1.15.2-r2.ebuild, xorg-server-1.16.4.ebuild, diff --git a/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch b/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch new file mode 100644 index 000000000000..4b6a6aeab29e --- /dev/null +++ b/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch 
@@ -0,0 +1,29 @@ +From dc777c346d5d452a53b13b917c45f6a1bad2f20b Mon Sep 17 00:00:00 2001 +From: Keith Packard <keithp@keithp.com> +Date: Sat, 3 Jan 2015 08:46:45 -0800 +Subject: dix: Allow zero-height PutImage requests + +The length checking code validates PutImage height and byte width by +making sure that byte-width >= INT32_MAX / height. If height is zero, +this generates a divide by zero exception. Allow zero height requests +explicitly, bypassing the INT32_MAX check. + +Signed-off-by: Keith Packard <keithp@keithp.com> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 55b978d..9044ac7 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client) + tmpImage = (char *) &stuff[1]; + lengthProto = length; + +- if (lengthProto >= (INT32_MAX / stuff->height)) ++ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + + if ((bytes_to_int32(lengthProto * stuff->height) + +-- +cgit v0.10.2 + diff --git a/x11-base/xorg-server/xorg-server-1.12.4-r5.ebuild b/x11-base/xorg-server/xorg-server-1.12.4-r5.ebuild new file mode 100644 index 000000000000..32d08098a0b6 --- /dev/null +++ b/x11-base/xorg-server/xorg-server-1.12.4-r5.ebuild 
@@ -0,0 +1,252 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/x11-base/xorg-server/xorg-server-1.12.4-r5.ebuild,v 1.1 2015/04/28 15:38:07 chithanh Exp $ + +EAPI=5 + +XORG_DOC=doc +inherit xorg-2 multilib versionator flag-o-matic +EGIT_REPO_URI="git://anongit.freedesktop.org/git/xorg/xserver" + +DESCRIPTION="X.Org X servers" +SLOT="0/${PV}" +KEYWORDS="~alpha ~amd64 ~arm ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd" + +SRC_URI="${SRC_URI} mirror://gentoo/${PN}-1.12-cve-2014-8091..8103.patches.tar.xz" + +IUSE_SERVERS="dmx kdrive xnest xorg xvfb" +IUSE="${IUSE_SERVERS} ipv6 minimal nptl selinux tslib +udev" + +RDEPEND=">=app-eselect/eselect-opengl-1.0.8 + dev-libs/openssl + media-libs/freetype + >=x11-apps/iceauth-1.0.2 + >=x11-apps/rgb-1.0.3 + >=x11-apps/xauth-1.0.3 + x11-apps/xkbcomp + >=x11-libs/libpciaccess-0.12.901 + >=x11-libs/libXau-1.0.4 + >=x11-libs/libXdmcp-1.0.2 + >=x11-libs/libXfont-1.4.2 + <x11-libs/libXfont-1.5.0 + >=x11-libs/libxkbfile-1.0.4 + >=x11-libs/pixman-0.21.8 + >=x11-libs/xtrans-1.2.2 + >=x11-misc/xbitmaps-1.0.1 + >=x11-misc/xkeyboard-config-2.4.1-r3 + dmx? ( + x11-libs/libXt + >=x11-libs/libdmx-1.0.99.1 + >=x11-libs/libX11-1.1.5 + >=x11-libs/libXaw-1.0.4 + >=x11-libs/libXext-1.0.99.4 + >=x11-libs/libXfixes-5.0 + >=x11-libs/libXi-1.2.99.1 + >=x11-libs/libXmu-1.0.3 + x11-libs/libXrender + >=x11-libs/libXres-1.0.3 + >=x11-libs/libXtst-1.0.99.2 + ) + kdrive? ( + >=x11-libs/libXext-1.0.5 + x11-libs/libXv + ) + !minimal? ( + >=x11-libs/libX11-1.1.5 + >=x11-libs/libXext-1.0.5 + >=media-libs/mesa-7.8_rc[nptl=] + ) + tslib? ( >=x11-libs/tslib-1.0 ) + udev? ( >=virtual/udev-150 ) + >=x11-apps/xinit-1.3 + selinux? 
( sec-policy/selinux-xserver )" + +DEPEND="${RDEPEND} + sys-devel/flex + >=x11-proto/bigreqsproto-1.1.0 + >=x11-proto/compositeproto-0.4 + >=x11-proto/damageproto-1.1 + >=x11-proto/fixesproto-5.0 + >=x11-proto/fontsproto-2.0.2 + <x11-proto/fontsproto-2.1.3 + >=x11-proto/glproto-1.4.14 + >=x11-proto/inputproto-2.1.99.3 + >=x11-proto/kbproto-1.0.3 + >=x11-proto/randrproto-1.2.99.3 + >=x11-proto/recordproto-1.13.99.1 + >=x11-proto/renderproto-0.11 + >=x11-proto/resourceproto-1.0.2 + >=x11-proto/scrnsaverproto-1.1 + >=x11-proto/trapproto-3.4.3 + >=x11-proto/videoproto-2.2.2 + >=x11-proto/xcmiscproto-1.2.0 + >=x11-proto/xextproto-7.1.99 + >=x11-proto/xf86dgaproto-2.0.99.1 + >=x11-proto/xf86rushproto-1.1.2 + >=x11-proto/xf86vidmodeproto-2.2.99.1 + >=x11-proto/xineramaproto-1.1.3 + >=x11-proto/xproto-7.0.22 + dmx? ( + >=x11-proto/dmxproto-2.2.99.1 + doc? ( + || ( + www-client/links + www-client/lynx + www-client/w3m + ) + ) + ) + !minimal? ( + >=x11-proto/xf86driproto-2.1.0 + >=x11-proto/dri2proto-2.6 + >=x11-libs/libdrm-2.4.20 + )" + +PDEPEND=" + xorg? ( >=x11-base/xorg-drivers-$(get_version_component_range 1-2) )" + +REQUIRED_USE="!minimal? ( + || ( ${IUSE_SERVERS} ) + )" + +# Security patches taken from Debian from their 1.12 package +UPSTREAMED_PATCHES=( + "${WORKDIR}"/patches/${PN}-1.12-cve-2014-8091..8103.patch +) + +PATCHES=( + "${UPSTREAMED_PATCHES[@]}" + "${FILESDIR}"/${PN}-1.12-disable-acpi.patch + "${FILESDIR}"/${PN}-1.12-cve-2013-1940.patch + "${FILESDIR}"/${PN}-1.12-cve-2013-4396.patch + "${FILESDIR}"/${PN}-1.17-cve-2015-0255-0.patch + "${FILESDIR}"/${PN}-1.17-cve-2015-0255-1.patch + "${FILESDIR}"/${PN}-1.12-cve-2015-3418.patch +) + +pkg_pretend() { + # older gcc is not supported + [[ "${MERGE_TYPE}" != "binary" && $(gcc-major-version) -lt 4 ]] && \ + die "Sorry, but gcc earlier than 4.0 wont work for xorg-server." 
+} + +src_configure() { + # localstatedir is used for the log location; we need to override the default + # from ebuild.sh + # sysconfdir is used for the xorg.conf location; same applies + # --enable-install-setuid needed because sparcs default off + # NOTE: fop is used for doc generating ; and i have no idea if gentoo + # package it somewhere + XORG_CONFIGURE_OPTIONS=( + $(use_enable ipv6) + $(use_enable dmx) + $(use_enable kdrive) + $(use_enable kdrive kdrive-kbd) + $(use_enable kdrive kdrive-mouse) + $(use_enable kdrive kdrive-evdev) + $(use_enable tslib) + $(use_enable !minimal record) + $(use_enable !minimal xfree86-utils) + $(use_enable !minimal install-libxf86config) + $(use_enable !minimal dri) + $(use_enable !minimal dri2) + $(use_enable !minimal glx) + $(use_enable xnest) + $(use_enable xorg) + $(use_enable xvfb) + $(use_enable nptl glx-tls) + $(use_enable udev config-udev) + $(use_with doc doxygen) + $(use_with doc xmlto) + --sysconfdir=/etc/X11 + --localstatedir=/var + --enable-install-setuid + --with-fontrootdir=/usr/share/fonts + --with-xkb-output=/var/lib/xkb + --disable-config-hal + --without-dtrace + --without-fop + --with-os-vendor=Gentoo + ) + + # Xorg-server requires includes from OS mesa which are not visible for + # users of binary drivers. + mkdir -p "${T}/mesa-symlinks/GL" + for i in gl glx glxmd glxproto glxtokens; do + ln -s "${EROOT}usr/$(get_libdir)/opengl/xorg-x11/include/$i.h" "${T}/mesa-symlinks/GL/$i.h" || die + done + for i in glext glxext; do + ln -s "${EROOT}usr/$(get_libdir)/opengl/global/include/$i.h" "${T}/mesa-symlinks/GL/$i.h" || die + done + append-cppflags "-I${T}/mesa-symlinks" + + xorg-2_src_configure +} + +src_install() { + xorg-2_src_install + + dynamic_libgl_install + + server_based_install + + if ! 
use minimal && use xorg; then + # Install xorg.conf.example into docs + dodoc "${AUTOTOOLS_BUILD_DIR}"/hw/xfree86/xorg.conf.example + fi + + newinitd "${FILESDIR}"/xdm-setup.initd-1 xdm-setup + newinitd "${FILESDIR}"/xdm.initd-9 xdm + newconfd "${FILESDIR}"/xdm.confd-4 xdm + + # install the @x11-module-rebuild set for Portage + insinto /usr/share/portage/config/sets + newins "${FILESDIR}"/xorg-sets.conf xorg.conf +} + +pkg_postinst() { + # sets up libGL and DRI2 symlinks if needed (ie, on a fresh install) + eselect opengl set xorg-x11 --use-old + + if [[ ${PV} != 9999 && $(get_version_component_range 2 ${REPLACING_VERSIONS}) != $(get_version_component_range 2 ${PV}) ]]; then + ewarn "You must rebuild all drivers if upgrading from <xorg-server-$(get_version_component_range 1-2)" + ewarn "because the ABI changed. If you cannot start X because" + ewarn "of module version mismatch errors, this is your problem." + + echo + ewarn "You can generate a list of all installed packages in the x11-drivers" + ewarn "category using this command:" + ewarn " emerge portage-utils; qlist -I -C x11-drivers/" + ewarn "or using sets from portage-2.2:" + ewarn " emerge @x11-module-rebuild" + fi +} + +pkg_postrm() { + # Get rid of module dir to ensure opengl-update works properly + if [[ -z ${REPLACED_BY_VERSION} && -e ${ROOT}/usr/$(get_libdir)/xorg/modules ]]; then + rm -rf "${ROOT}"/usr/$(get_libdir)/xorg/modules + fi +} + +dynamic_libgl_install() { + # next section is to setup the dynamic libGL stuff + ebegin "Moving GL files for dynamic switching" + dodir /usr/$(get_libdir)/opengl/xorg-x11/extensions + local x="" + for x in "${D}"/usr/$(get_libdir)/xorg/modules/extensions/lib{glx,dri,dri2}*; do + if [ -f ${x} -o -L ${x} ]; then + mv -f ${x} "${D}"/usr/$(get_libdir)/opengl/xorg-x11/extensions + fi + done + eend 0 +} + +server_based_install() { + if ! 
use xorg; then + rm "${D}"/usr/share/man/man1/Xserver.1x \ + "${D}"/usr/$(get_libdir)/xserver/SecurityPolicy \ + "${D}"/usr/$(get_libdir)/pkgconfig/xorg-server.pc \ + "${D}"/usr/share/man/man1/Xserver.1x + fi +} |
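Review bot: The new `"${FILESDIR}"/${PN}-1.12-cve-2015-3418.patch` entry in `PATCHES` has no comment explaining why it sits last, and its position looks load-bearing. The patch rewrites an `INT32_MAX / stuff->height` check in `ProcPutImage`, which presumably exists in the 1.12.4 tree only after the `cve-2014-8091..8103` set from `UPSTREAMED_PATCHES` has been applied. After confirming that against the patch tarball, I would add above the entry `# Must follow the cve-2014-8091..8103 set: fixes a divide-by-zero in the PutImage length check (bug #548002)`, so a later reorder or drop of the older set does not silently lose the fix. Separately, `server_based_install` passes `"${D}"/usr/share/man/man1/Xserver.1x` to `rm` twice; the second occurrence can only fail, and that failure goes unnoticed because the `rm` has no `|| die`.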