| Age | Commit message (Collapse) | Author |
|---|
|
*and* window.) of mousefunc.c. When a client destroys itself while we are
moving or resizing it, XWindowEvent() blocks. Found the hard way by Anton
Lazarov, and Lea°hNeukirchen found the right bit to revert - thanks! Reverting
since the reason to switch from XMaskEvent was unclear.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
from upstreams commits.
Tested by many. Thanks.
|
|
|
|
|
|
|
|
The latter is an obsolete non-standard, Linux only synonym for the
former. This caused syndaemon(1) to enter an an infinite loop whenever
it receives a SIGINT signal. Patch from Luca Castagnini. Thanks.
|
|
|
|
|
|
ok sthen@ who will take care of the ports tree. Also ok espie@
|
|
"looks sane" guenther@.
|
|
|
|
|
|
|
|
Not yet linked to the build
|
|
No actual change since individual commits were already merged.
|
|
|
|
|
|
|
|
|
|
ProcDbeGetVisualInfo (CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)
|
|
(CVE-2017-12178)
|
|
(S)ProcXIBarrierReleasePointer
[jcristau: originally this patch fixed the same issue as commit
211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]
This addresses CVE-2017-12179
|
|
Otherwise a client can send any value of num_barriers and cause
reading or swapping of values on heap behind the receive buffer.
|
|
This addresses:
CVE-2017-12180 in XFree86-VidModeExtension
CVE-2017-12181 in XFree86-DGA
CVE-2017-12182 in XFree86-DRI
|
|
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
|
|
v2: Add overflow check and remove unnecessary check (Julien Cristau)
This addresses:
CVE-2017-12184 in XINERAMA
CVE-2017-12185 in MIT-SCREEN-SAVER
CVE-2017-12186 in X-Resource
CVE-2017-12187 in RENDER
|
|
A client can send a big request where the 32B "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF. Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.
|
|
Generating strings for XKB data used a single shared static buffer,
which offered several opportunities for errors. Use a ring of
resizable buffers instead, to avoid problems when strings end up
longer than anticipated.
|
|
XkbStringText escapes non-printable characters using octal numbers.
Such escape sequence would be at most 5 characters long ("\0123"), so
it reserves 5 bytes in the buffer. Due to char->unsigned int
conversion, it would print much longer string for negative numbers.
|
|
Otherwise it can belong to a non-existing client and abort X server with
FatalError "client not in use", or overwrite existing segment of another
existing client.
|
|
Without the checks a malformed PCF file can cause the library to make
atom from random heap memory that was behind the `strings` buffer.
This may crash the process or leak information.
|
|
If a pattern contains '?' character, any character in the string is skipped,
even if it is '\0'. The rest of the matching then reads invalid memory.
|
|
|
|
This prevents a malicious user logging out from calling
chmod while still owning /dev/console and thus by-passing
the '622' mode that is set here.
Issue reported by Tim Chase. Thanks.
Merged from xdm upstreams
|
|
|
|
stsp@ reported that modesetting(4) has been reported unreliable
on his laptop, while intel(4) works.
XXXX to be removed after 6.2 to figure out and fix the issue.
ok kettenis@, also discussed briefly with deraadt@ during EuroBSDCon.
|
|
|
|
|
|
particular no justification for why the current behaviour is wrong
|
|
|
|
ok matthieu@
|
|
manual.
ok dcoppa@
|
