[xorg-x11-server/f17] CVE-2013-1940: Fix xf86FlushInput() to drain evdev events
Peter Hutterer
whot at fedoraproject.org
Wed Apr 17 04:47:19 UTC 2013
commit 8daab39ab4129f003ad3a548cd183275c9ceeb17
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Thu Apr 11 08:11:37 2013 +1000
CVE-2013-1940: Fix xf86FlushInput() to drain evdev events
(#950438, #952949)
...ush-input-to-work-with-Linux-evdev-device.patch | 38 ++++++++++++++++++++
xorg-x11-server.spec | 12 ++++++-
2 files changed, 49 insertions(+), 1 deletions(-)
---
diff --git a/0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch b/0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch
new file mode 100644
index 0000000..8d37032
--- /dev/null
+++ b/0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch
@@ -0,0 +1,38 @@
+From 8647ee8f422e1ea9212d84ae14ef2163793bcdc8 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied at gmail.com>
+Date: Wed, 10 Apr 2013 16:09:01 +1000
+Subject: [PATCH] xf86: fix flush input to work with Linux evdev devices.
+
+So when we VT switch back and attempt to flush the input devices,
+we don't succeed because evdev won't return part of an event,
+since we were only asking for 4 bytes, we'd only get -EINVAL back.
+
+This could later cause events to be flushed that we shouldn't have
+gotten.
+
+This is a fix for CVE-2013-1940.
+
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+ hw/xfree86/os-support/shared/posix_tty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/xfree86/os-support/shared/posix_tty.c b/hw/xfree86/os-support/shared/posix_tty.c
+index ab3757a..4d08c1e 100644
+--- a/hw/xfree86/os-support/shared/posix_tty.c
++++ b/hw/xfree86/os-support/shared/posix_tty.c
+@@ -421,7 +421,8 @@ xf86FlushInput(int fd)
+ {
+ fd_set fds;
+ struct timeval timeout;
+- char c[4];
++ /* this needs to be big enough to flush an evdev event. */
++ char c[256];
+
+ DebugF("FlushingSerial\n");
+ if (tcflush(fd, TCIFLUSH) == 0)
+--
+1.8.1.4
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 7b822af..fbf1d68 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -48,7 +48,7 @@
Summary: X.Org X11 X server
Name: xorg-x11-server
Version: 1.12.4
-Release: 6%{?gitdate:.%{gitdate}}%{dist}
+Release: 7%{?gitdate:.%{gitdate}}%{dist}
URL: http://www.x.org
License: MIT
Group: User Interface/X
@@ -123,6 +123,12 @@ Patch7023: 0001-mieq-Bump-default-queue-size-to-512.patch
# Possibly Bug 862829 - [abrt] xorg-x11-server-Xorg-1.12.3-2.fc17: Xorg server
Patch7024: 0001-Sync-TouchListener-memory-allocation-with-population.patch
+# Bug 950438 - CVE-2013-1940 xorg-x11-server:
+# Information disclosure due enabling events from hot-plug devices despite
+# input from the device being momentarily disabled
+Patch7025: 0001-xf86-fix-flush-input-to-work-with-Linux-evdev-device.patch
+
+
%define moduledir %{_libdir}/xorg/modules
%define drimoduledir %{_libdir}/dri
%define sdkdir %{_includedir}/xorg
@@ -591,6 +597,10 @@ rm -rf $RPM_BUILD_ROOT
%{xserver_source_dir}
%changelog
+* Thu Apr 11 2013 Peter Hutterer <peter.hutterer at redhat.com> 1.12.4-7
+- CVE-2013-1940: Fix xf86FlushInput() to drain evdev events
+ (#950438, #952949)
+
* Thu Feb 14 2013 Peter Hutterer <peter.hutterer at redhat.com> 1.12.4-6
- Fix scrolling for Evoluent Vertical Mouse 3 (#612140#c20)
More information about the scm-commits
mailing list