summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d0bb2ad)
raw | patch | inline | side by side (parent: d0bb2ad)
| author | Steve Beattie <sbeattie@ubuntu.com> | |
| Mon, 9 Jul 2012 22:24:55 +0000 (15:24 -0700) | ||
| committer | Xavier Boudet <x-boudet@ti.com> | |
| Thu, 12 Jul 2012 08:05:51 +0000 (10:05 +0200) |
| debian/changelog | patch | blob | history | |
| debian/patches/509_log-format-fix.patch | [new file with mode: 0644] | patch | blob |
| debian/patches/516-dix-dont-emulate-scroll-events-for-non-existing-axes.patch | [deleted file] | patch | blob | history |
| debian/patches/series | patch | blob | history |
diff --git a/debian/changelog b/debian/changelog
index 75b67e359009b58ecca4faf8d3aec009228e6252..c6ef57c1bba68e686472c1926bb5705ce027938d 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
-xorg-server (2:1.11.4-0ubuntu10.4) precise-proposed; urgency=low
+xorg-server (2:1.11.4-0ubuntu10.5) precise-security; urgency=low
- * Add 516-dix-dont-emulate-scroll-events-for-non-existing-axes.patch
- from upstream 1.12.2. Fixes the server from entering in an infinite
- loop in certain situations. (LP: #921236)
+ * SECURITY UPDATE: do not use input device names in logging format
+ strings (LP: #996250):
+ - debian/patches/509_log-format-fix.patch: backported upstream changes.
+ - CVE-2012-2118
- -- Timo Aaltonen <tjaalton@ubuntu.com> Thu, 05 Jul 2012 23:07:06 +0300
+ -- Steve Beattie <sbeattie@ubuntu.com> Mon, 09 Jul 2012 15:24:55 -0700
xorg-server (2:1.11.4-0ubuntu10.3) precise-proposed; urgency=low
diff --git a/debian/patches/509_log-format-fix.patch b/debian/patches/509_log-format-fix.patch
--- /dev/null
@@ -0,0 +1,441 @@
+Description: extreme backport of upstream log format fixes (CVE-2012-2118).
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/996250
+Origin: http://patchwork.freedesktop.org/patch/10001/
+
+Index: xorg-server-1.11.4/os/log.c
+===================================================================
+--- xorg-server-1.11.4.orig/os/log.c 2012-05-06 11:03:17.621808123 -0700
++++ xorg-server-1.11.4/os/log.c 2012-05-06 11:03:18.057814189 -0700
+@@ -167,6 +167,12 @@
+ #ifndef X_NOT_IMPLEMENTED_STRING
+ #define X_NOT_IMPLEMENTED_STRING "(NI)"
+ #endif
++#ifndef X_DEBUG_STRING
++#define X_DEBUG_STRING "(DB)"
++#endif
++#ifndef X_NONE_STRING
++#define X_NONE_STRING ""
++#endif
+
+ /*
+ * LogInit is called to start logging to a file. It is also called (with
+@@ -223,7 +229,7 @@
+ * needed.
+ */
+ if (saveBuffer && bufferSize > 0) {
+- free(saveBuffer); /* Must be free(), not free() */
++ free(saveBuffer);
+ saveBuffer = NULL;
+ bufferSize = 0;
+ }
+@@ -265,36 +271,19 @@
+ }
+
+ /* This function does the actual log message writes. */
+-
+-void
+-LogVWrite(int verb, const char *f, va_list args)
++static void
++LogSWrite(int verb, const char *buf, size_t len, Bool end_line)
+ {
+- static char tmpBuffer[1024];
+- int len = 0;
+ static Bool newline = TRUE;
+
+- if (newline) {
+- sprintf(tmpBuffer, "[%10.3f] ", GetTimeInMillis() / 1000.0);
+- len = strlen(tmpBuffer);
+- if (logFile)
+- fwrite(tmpBuffer, len, 1, logFile);
+- }
+-
+- /*
+- * Since a va_list can only be processed once, write the string to a
+- * buffer, and then write the buffer out to the appropriate output
+- * stream(s).
+- */
+- if (verb < 0 || logFileVerbosity >= verb || logVerbosity >= verb) {
+- vsnprintf(tmpBuffer, sizeof(tmpBuffer), f, args);
+- len = strlen(tmpBuffer);
+- }
+- newline = (tmpBuffer[len-1] == '\n');
+- if ((verb < 0 || logVerbosity >= verb) && len > 0)
+- fwrite(tmpBuffer, len, 1, stderr);
+- if ((verb < 0 || logFileVerbosity >= verb) && len > 0) {
++ if (verb < 0 || logVerbosity >= verb)
++ fwrite(buf, len, 1, stderr);
++ if (verb < 0 || logFileVerbosity >= verb) {
+ if (logFile) {
+- fwrite(tmpBuffer, len, 1, logFile);
++ if (newline)
++ fprintf(logFile, "[%10.3f] ", GetTimeInMillis() / 1000.0);
++ newline = end_line;
++ fwrite(buf, len, 1, logFile);
+ if (logFlush) {
+ fflush(logFile);
+ #ifndef WIN32
+@@ -311,13 +300,19 @@
+ FatalError("realloc() failed while saving log messages\n");
+ }
+ bufferUnused -= len;
+- memcpy(saveBuffer + bufferPos, tmpBuffer, len);
++ memcpy(saveBuffer + bufferPos, buf, len);
+ bufferPos += len;
+ }
+ }
+ }
+
+ void
++LogVWrite(int verb, const char *f, va_list args)
++{
++ return LogVMessageVerb(X_NONE, verb, f, args);
++}
++
++void
+ LogWrite(int verb, const char *f, ...)
+ {
+ va_list args;
+@@ -327,60 +322,75 @@
+ va_end(args);
+ }
+
+-void
+-LogVMessageVerb(MessageType type, int verb, const char *format, va_list args)
++/* Returns the Message Type string to prepend to a logging message, or NULL
++ * if the message will be dropped due to insufficient verbosity. */
++static const char *
++LogMessageTypeVerbString(MessageType type, int verb)
+ {
+- const char *s = X_UNKNOWN_STRING;
+- char tmpBuf[1024];
++ if (type == X_ERROR)
++ verb = 0;
+
+- /* Ignore verbosity for X_ERROR */
+- if (logVerbosity >= verb || logFileVerbosity >= verb || type == X_ERROR) {
+- switch (type) {
+- case X_PROBED:
+- s = X_PROBE_STRING;
+- break;
+- case X_CONFIG:
+- s = X_CONFIG_STRING;
+- break;
+- case X_DEFAULT:
+- s = X_DEFAULT_STRING;
+- break;
+- case X_CMDLINE:
+- s = X_CMDLINE_STRING;
+- break;
+- case X_NOTICE:
+- s = X_NOTICE_STRING;
+- break;
+- case X_ERROR:
+- s = X_ERROR_STRING;
+- if (verb > 0)
+- verb = 0;
+- break;
+- case X_WARNING:
+- s = X_WARNING_STRING;
+- break;
+- case X_INFO:
+- s = X_INFO_STRING;
+- break;
+- case X_NOT_IMPLEMENTED:
+- s = X_NOT_IMPLEMENTED_STRING;
+- break;
+- case X_UNKNOWN:
+- s = X_UNKNOWN_STRING;
+- break;
+- case X_NONE:
+- s = NULL;
+- break;
+- }
++ if (logVerbosity < verb && logFileVerbosity < verb)
++ return NULL;
+
+- /* if s is not NULL we need a space before format */
+- snprintf(tmpBuf, sizeof(tmpBuf), "%s%s%s", s ? s : "",
+- s ? " " : "",
+- format);
+- LogVWrite(verb, tmpBuf, args);
++ switch (type) {
++ case X_PROBED:
++ return X_PROBE_STRING;
++ case X_CONFIG:
++ return X_CONFIG_STRING;
++ case X_DEFAULT:
++ return X_DEFAULT_STRING;
++ case X_CMDLINE:
++ return X_CMDLINE_STRING;
++ case X_NOTICE:
++ return X_NOTICE_STRING;
++ case X_ERROR:
++ return X_ERROR_STRING;
++ case X_WARNING:
++ return X_WARNING_STRING;
++ case X_INFO:
++ return X_INFO_STRING;
++ case X_NOT_IMPLEMENTED:
++ return X_NOT_IMPLEMENTED_STRING;
++ case X_UNKNOWN:
++ return X_UNKNOWN_STRING;
++ case X_NONE:
++ return X_NONE_STRING;
++ case X_DEBUG:
++ return X_DEBUG_STRING;
++ default:
++ return X_UNKNOWN_STRING;
+ }
+ }
+
++void
++LogVMessageVerb(MessageType type, int verb, const char *format, va_list args)
++{
++ const char *type_str;
++ char buf[1024];
++ const size_t size = sizeof(buf);
++ Bool newline;
++ size_t len = 0;
++
++ type_str = LogMessageTypeVerbString(type, verb);
++ if (!type_str)
++ return;
++
++ /* if type_str is not "", prepend it and ' ', to message */
++ if (type_str[0] != '\0')
++ len += Xscnprintf(&buf[len], size - len, "%s ", type_str);
++
++ if (size - len > 1)
++ len += Xvscnprintf(&buf[len], size - len, format, args);
++
++ /* Force '\n' at end of truncated line */
++ if (size - len == 1)
++ buf[len - 1] = '\n';
++
++ newline = (buf[len - 1] == '\n');
++ LogSWrite(verb, buf, len, newline);
++}
++
+ /* Log message with verbosity level specified. */
+ void
+ LogMessageVerb(MessageType type, int verb, const char *format, ...)
+@@ -404,6 +414,49 @@
+ }
+
+ void
++LogVHdrMessageVerb(MessageType type, int verb, const char *msg_format,
++ va_list msg_args, const char *hdr_format, va_list hdr_args)
++{
++ const char *type_str;
++ char buf[1024];
++ const size_t size = sizeof(buf);
++ Bool newline;
++ size_t len = 0;
++
++ type_str = LogMessageTypeVerbString(type, verb);
++ if (!type_str)
++ return;
++
++ /* if type_str is not "", prepend it and ' ', to message */
++ if (type_str[0] != '\0')
++ len += Xscnprintf(&buf[len], size - len, "%s ", type_str);
++
++ if (hdr_format && size - len > 1)
++ len += Xvscnprintf(&buf[len], size - len, hdr_format, hdr_args);
++
++ if (msg_format && size - len > 1)
++ len += Xvscnprintf(&buf[len], size - len, msg_format, msg_args);
++
++ /* Force '\n' at end of truncated line */
++ if (size - len == 1)
++ buf[len - 1] = '\n';
++
++ newline = (buf[len - 1] == '\n');
++ LogSWrite(verb, buf, len, newline);
++}
++
++void
++LogHdrMessageVerb(MessageType type, int verb, const char *msg_format,
++ va_list msg_args, const char *hdr_format, ...)
++{
++ va_list hdr_args;
++
++ va_start(hdr_args, hdr_format);
++ LogVHdrMessageVerb(type, verb, msg_format, msg_args, hdr_format, hdr_args);
++ va_end(hdr_args);
++}
++
++void
+ AbortServer(void) _X_NORETURN;
+ void
+ SigAbortServer(int signo) _X_NORETURN;
+Index: xorg-server-1.11.4/include/Xprintf.h
+===================================================================
+--- xorg-server-1.11.4.orig/include/Xprintf.h 2012-05-06 10:32:42.436348011 -0700
++++ xorg-server-1.11.4/include/Xprintf.h 2012-05-06 11:03:18.057814189 -0700
+@@ -66,4 +66,16 @@
+ # define vasprintf Xvasprintf
+ #endif
+
++/*
++ * These functions provide a portable implementation of the linux kernel
++ * scnprintf & vscnprintf routines that return the number of bytes actually
++ * copied during a snprintf, (excluding the final '\0').
++ */
++extern _X_EXPORT int
++Xscnprintf(char *s, int n, const char * _X_RESTRICT_KYWD fmt, ...)
++_X_ATTRIBUTE_PRINTF(3,4);
++extern _X_EXPORT int
++Xvscnprintf(char *s, int n, const char * _X_RESTRICT_KYWD fmt, va_list va)
++_X_ATTRIBUTE_PRINTF(3,0);
++
+ #endif /* XPRINTF_H */
+Index: xorg-server-1.11.4/os/xprintf.c
+===================================================================
+--- xorg-server-1.11.4.orig/os/xprintf.c 2012-05-06 10:32:42.472348510 -0700
++++ xorg-server-1.11.4/os/xprintf.c 2012-05-06 11:03:18.057814189 -0700
+@@ -182,6 +182,50 @@
+ return size;
+ }
+
++/**
++ * Varargs snprintf that returns the actual number of bytes (excluding final
++ * '\0') that were copied into the buffer.
++ * This is opposed to the normal sprintf() usually returns the number of bytes
++ * that would have been written.
++ *
++ * @param s buffer to copy into
++ * @param n size of buffer s
++ * @param format printf style format string
++ * @param va variable argument list
++ * @return number of bytes actually copied, excluding final '\0'
++ */
++int
++Xvscnprintf(char *s, int n, const char *format, va_list args)
++{
++ int x;
++ if (n == 0)
++ return 0;
++ x = vsnprintf(s, n , format, args);
++ return (x >= n) ? (n - 1) : x;
++}
++
++/**
++ * snprintf that returns the actual number of bytes (excluding final '\0') that
++ * were copied into the buffer.
++ * This is opposed to the normal sprintf() usually returns the number of bytes
++ * that would have been written.
++ *
++ * @param s buffer to copy into
++ * @param n size of buffer s
++ * @param format printf style format string
++ * @param ... arguments for specified format
++ * @return number of bytes actually copied, excluding final '\0'
++ */
++int Xscnprintf(char *s, int n, const char *format, ...)
++{
++ int x;
++ va_list ap;
++ va_start(ap, format);
++ x = Xvscnprintf(s, n, format, ap);
++ va_end(ap);
++ return x;
++}
++
+ /* Old api, now deprecated, may be removed in the future */
+ char *
+ Xvprintf(const char *format, va_list va)
+Index: xorg-server-1.11.4/hw/xfree86/common/xf86Helper.c
+===================================================================
+--- xorg-server-1.11.4.orig/hw/xfree86/common/xf86Helper.c 2012-05-06 10:32:42.488348731 -0700
++++ xorg-server-1.11.4/hw/xfree86/common/xf86Helper.c 2012-05-06 11:03:18.057814189 -0700
+@@ -1036,25 +1036,13 @@
+ xf86VDrvMsgVerb(int scrnIndex, MessageType type, int verb, const char *format,
+ va_list args)
+ {
+- char *tmpFormat;
+-
+ /* Prefix the scrnIndex name to the format string. */
+ if (scrnIndex >= 0 && scrnIndex < xf86NumScreens &&
+- xf86Screens[scrnIndex]->name) {
+- tmpFormat = malloc(strlen(format) +
+- strlen(xf86Screens[scrnIndex]->name) +
+- PREFIX_SIZE + 1);
+- if (!tmpFormat)
+- return;
+-
+- snprintf(tmpFormat, PREFIX_SIZE + 1, "%s(%d): ",
+- xf86Screens[scrnIndex]->name, scrnIndex);
+-
+- strcat(tmpFormat, format);
+- LogVMessageVerb(type, verb, tmpFormat, args);
+- free(tmpFormat);
+- } else
+- LogVMessageVerb(type, verb, format, args);
++ xf86Screens[scrnIndex]->name)
++ LogHdrMessageVerb(type, verb, format, args, "%s(%d): ",
++ xf86Screens[scrnIndex]->name, scrnIndex);
++ else
++ LogVMessageVerb(type, verb, format, args);
+ }
+ #undef PREFIX_SIZE
+
+@@ -1087,15 +1075,18 @@
+ xf86VIDrvMsgVerb(InputInfoPtr dev, MessageType type, int verb, const char *format,
+ va_list args)
+ {
+- char *msg;
++ const char *driverName = NULL;
++ const char *deviceName = NULL;
+
+- if (asprintf(&msg, "%s: %s: %s", dev->drv->driverName, dev->name, format)
+- == -1) {
+- LogVMessageVerb(type, verb, "%s", args);
+- } else {
+- LogVMessageVerb(type, verb, msg, args);
+- free(msg);
++ /* Prefix driver and device names to formatted message. */
++ if (dev) {
++ deviceName = dev->name;
++ if (dev->drv)
++ driverName = dev->drv->driverName;
+ }
++
++ LogHdrMessageVerb(type, verb, format, args, "%s: %s: ", driverName,
++ deviceName);
+ }
+
+ /* Print input driver message, with verbose level specified directly */
+Index: xorg-server-1.11.4/include/os.h
+===================================================================
+--- xorg-server-1.11.4.orig/include/os.h 2012-05-06 11:03:17.621808123 -0700
++++ xorg-server-1.11.4/include/os.h 2012-05-06 11:03:29.353971366 -0700
+@@ -514,6 +514,7 @@
+ X_INFO, /* Informational message */
+ X_NONE, /* No prefix */
+ X_NOT_IMPLEMENTED, /* Not implemented */
++ X_DEBUG, /* Debug message */
+ X_UNKNOWN = -1 /* unknown -- this must always be last */
+ } MessageType;
+
+@@ -528,6 +529,20 @@
+ ...) _X_ATTRIBUTE_PRINTF(3,4);
+ extern _X_EXPORT void LogMessage(MessageType type, const char *format, ...)
+ _X_ATTRIBUTE_PRINTF(2,3);
++
++extern _X_EXPORT void
++LogVHdrMessageVerb(MessageType type, int verb,
++ const char *msg_format, va_list msg_args,
++ const char *hdr_format, va_list hdr_args)
++_X_ATTRIBUTE_PRINTF(3, 0)
++_X_ATTRIBUTE_PRINTF(5, 0);
++extern _X_EXPORT void
++LogHdrMessageVerb(MessageType type, int verb,
++ const char *msg_format, va_list msg_args,
++ const char *hdr_format, ...)
++_X_ATTRIBUTE_PRINTF(3, 0)
++_X_ATTRIBUTE_PRINTF(5, 6);
++
+ extern _X_EXPORT void FreeAuditTimer(void);
+ extern _X_EXPORT void AuditF(const char *f, ...) _X_ATTRIBUTE_PRINTF(1,2);
+ extern _X_EXPORT void VAuditF(const char *f, va_list args) _X_ATTRIBUTE_PRINTF(1,0);
diff --git a/debian/patches/516-dix-dont-emulate-scroll-events-for-non-existing-axes.patch b/debian/patches/516-dix-dont-emulate-scroll-events-for-non-existing-axes.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-commit b53cdf4c53f0787ed41281278877e0405fcb2674
-Author: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Fri Apr 27 16:31:17 2012 +1000
-
- dix: don't emulate scroll events for non-existing axes (#47281)
-
- Test case:
- - create a device with REL_HWHEEL and ABS_X and ABS_Y. evdev 2.7.0 will set
- that up as device with 1 relative axis
- - move pointer to VGA1
- - xrandr --output VGA1 --off
-
- Warps the pointer to the new spot and calls GPE with the x/y mask bits set.
- When running through the loop to check for scroll event, this overruns the
- axes and may try to emulate scroll events based on random garbage in the
- memory. If that memory contained non-zero for the scroll type but near-zero
- for the increment field, the server would hang in an infinite loop.
-
- This was the trigger for this suggested, never-merged, patch here:
- http://patchwork.freedesktop.org/patch/9543/
-
- X.Org Bug 47281 <http://bugs.freedesktop.org/show_bug.cgi?id=47281>
-
- Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
- Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
- (cherry picked from commit af88b43f9e604157b74270d609c08bdfa256a792)
-
---- a/dix/getevents.c
-+++ b/dix/getevents.c
-@@ -1593,6 +1593,9 @@
- /* Now turn the smooth-scrolling axes back into emulated button presses
- * for legacy clients, based on the integer delta between before and now */
- for (i = 0; i < valuator_mask_size(&mask); i++) {
-+ if (i >= pDev->valuator->numAxes)
-+ break;
-+
- if (!valuator_mask_isset(&mask, i))
- continue;
-
diff --git a/debian/patches/series b/debian/patches/series
index c6e059f6ede72663269c54a0a2f8c5c2174cf85a..833c0a32668e811ac4c14e0767939b65fcd4fbac 100644 (file)
--- a/debian/patches/series
+++ b/debian/patches/series
506_touchscreen_pointer_emulation_checks.patch
507_touchscreen_fixes.patch
508_device_off_release_buttons.patch
+509_log-format-fix.patch
# Upstream patches
510-dix-return-early-from-DisableDevice-if-the-device-is.patch
513-dix-disable-non-sprite-owners-first-when-disabling-p.patch
514-Xi-drop-forced-unpairing-when-changing-the-hierarchy.patch
515-dix-disable-all-devices-before-shutdown.patch
-516-dix-dont-emulate-scroll-events-for-non-existing-axes.patch