xorg-server: fix CVE-1940

http://lists.x.org/archives/xorg-devel/2013-April/036014.html
It's a low-priority issue, but it should cause almost no rebuilds.
This commit is contained in:
Vladimír Čunát 2013-04-18 12:49:28 +02:00
parent fd76a89bcb
commit a40e825474
2 changed files with 35 additions and 1 deletions

View File

@ -221,7 +221,7 @@ in
xorgserver = attrs: attrs // { xorgserver = attrs: attrs // {
configureFlags = "--enable-xcsecurity"; # enable SECURITY extension configureFlags = "--enable-xcsecurity"; # enable SECURITY extension
patches = [./xorgserver-dri-path.patch ./xorgserver-xkbcomp-path.patch]; patches = [./xorgserver-dri-path.patch ./xorgserver-xkbcomp-path.patch ./xorgserver12-CVE-1940.patch];
buildInputs = attrs.buildInputs ++ buildInputs = attrs.buildInputs ++
[ args.zlib args.udev args.mesa args.dbus.libs [ args.zlib args.udev args.mesa args.dbus.libs
xorg.xf86bigfontproto xorg.glproto xorg.xf86driproto xorg.xf86bigfontproto xorg.glproto xorg.xf86driproto

View File

@ -0,0 +1,34 @@
From 6ca03b9161d33b1d2b55a3a1a913cf88deb2343f Mon Sep 17 00:00:00 2001
From: Dave Airlie <airlied@gmail.com>
Date: Wed, 10 Apr 2013 06:09:01 +0000
Subject: xf86: fix flush input to work with Linux evdev devices.
So when we VT switch back and attempt to flush the input devices,
we don't succeed because evdev won't return part of an event,
since we were only asking for 4 bytes, we'd only get -EINVAL back.
This could later cause events to be flushed that we shouldn't have
gotten.
This is a fix for CVE-2013-1940.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/hw/xfree86/os-support/shared/posix_tty.c b/hw/xfree86/os-support/shared/posix_tty.c
index ab3757a..4d08c1e 100644
--- a/hw/xfree86/os-support/shared/posix_tty.c
+++ b/hw/xfree86/os-support/shared/posix_tty.c
@@ -421,7 +421,8 @@ xf86FlushInput(int fd)
{
fd_set fds;
struct timeval timeout;
- char c[4];
+ /* this needs to be big enough to flush an evdev event. */
+ char c[256];
DebugF("FlushingSerial\n");
if (tcflush(fd, TCIFLUSH) == 0)
--
cgit v0.9.0.2-2-gbebe