X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch;h=b5fbb7dd5e88be230a8474156ed884c22b9903e8;hp=0000000000000000000000000000000000000000;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hpb=a09e091a5c996d46a398abb27b06fe504591673f diff --git a/debian/patches/CVE-2014-8xxx/0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch b/debian/patches/CVE-2014-8xxx/0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch new file mode 100644 index 0000000..b5fbb7d --- /dev/null +++ b/debian/patches/CVE-2014-8xxx/0001-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch @@ -0,0 +1,40 @@ +From d2f5bd2c3e3cbe4778749d457550355d344ca62a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 17 Jan 2014 18:54:03 -0800 +Subject: [PATCH 01/33] unchecked malloc may allow unauthed client to crash + Xserver [CVE-2014-8091] + +authdes_ezdecode() calls malloc() using a length provided by the +connection handshake sent by a newly connected client in order +to authenticate to the server, so should be treated as untrusted. + +It didn't check if malloc() failed before writing to the newly +allocated buffer, so could lead to a server crash if the server +fails to allocate memory (up to UINT16_MAX bytes, since the len +field is a CARD16 in the X protocol). + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +--- + os/rpcauth.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/os/rpcauth.c b/os/rpcauth.c +index d60ea35..413cc61 100644 +--- a/os/rpcauth.c ++++ b/os/rpcauth.c +@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len) + SVCXPRT xprt; + + temp_inmsg = malloc(len); ++ if (temp_inmsg == NULL) { ++ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ ++ return NULL; ++ } + memmove(temp_inmsg, inmsg, len); + + memset((char *) &msg, 0, sizeof(msg)); +-- +1.7.9.2 +