67. When using BSD authentication in xdm, wipe out the password as soon as

      possible to prevent it from showing up in the address space of
      subsequently forked child processes (Matthieu Herrb).
  66. Ensure XVidModeGetMonitor() always returns dynamically allocated data, as
      documented in its man page (Marc La France).
  65. Fix potential crash in DBE (Dave Arlie).
  64. Import X.Org fixes for CVE-2008-1377, CVE-2008-1379, CVE-2008-2360 and
      CVE-2008-2361 security advisories.
  63. Various x86emu changes:
      - Fix various halfword overflow issues (Scitech).
      - Add RDTSC emulation (Aaron Plattner).
      - Fix JNL emulation (David Wong).
      - Add emulation of CPUID, levels 0 & 1.  If the host architecture
        supports CPUID, pass that implementation's results to the emulation.
        If running on a 386 or 486 that does not support CPUID, provide a
        reasonable simulation (instead of SIGILL'ing).  On all other host
        architectures, the emulator will report itself as a 486DX
        (Marc La France).
      - Add BTS emulation (Felix Kuehling).
      - Fix BSF & BSR emulations (Aaron Plattner).
      - Fix MUL and IMUL emulations in the 64-bit case (Matthias Hopf).
  62. xf86sym.c build fix when RandR is disabled (Pat Kane, Bugzilla #1693).
  61. Spruce up implementation of pthread_key_create(), pthread_key_delete()
      pthread_getspecific() and pthread_setspecific() stubs in libXThrStub
      library.  Inspired by a change found in OpenBSD repository
      (Marc La France).
  60. When opening display, if LOCALCONN fails, fall back to UNIXCOMM, then
      TCPCONN (Alex Chen).
  59. Improve uniqueness of XDM-AUTHORIZATION-1 cookies.  (Egbert Eich).
  58. Fix possible segfault when using XDM-AUTHORIZATION-1 keys for remote
      clients over IPv6.  (Christian Weisgerber)

8 files changed, 121 insertions, 53 deletions

diff --git a/programs/Xserver/dbe/dbe.c b/programs/Xserver/dbe/dbe.c
index 06c89aa51..6b43f0a04 100644
--- a/programs/Xserver/dbe/dbe.c
+++ b/programs/Xserver/dbe/dbe.c
@@ -1,3 +1,4 @@
+/* $XFree86: xc/programs/Xserver/dbe/dbe.c,v 3.16tsi Exp $ */
 /******************************************************************************
  * 
  * Copyright (c) 1994, 1995  Hewlett-Packard Company
@@ -29,7 +30,6 @@
  *     DIX DBE code
  *
  *****************************************************************************/
-/* $XFree86: xc/programs/Xserver/dbe/dbe.c,v 3.15tsi Exp $ */
 
 
 /* INCLUDES */
@@ -402,7 +402,7 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
     xDbeSwapAction		swapAction;
     VisualID			visual;
     int				status;
-
+    int				add_index;
 
     REQUEST_SIZE_MATCH(xDbeAllocateBackBufferNameReq);
 
@@ -475,14 +475,6 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
             return(BadAlloc);
         }
 
-        /* Make the window priv a DBE window priv resource. */
-        if (!AddResource(stuff->buffer, dbeWindowPrivResType,
-            (pointer)pDbeWindowPriv))
-        {
-            xfree(pDbeWindowPriv);
-            return(BadAlloc);
-        }
-
         /* Fill out window priv information. */
         pDbeWindowPriv->pWindow      = pWin;
         pDbeWindowPriv->width        = pWin->drawable.width;
@@ -496,13 +488,13 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
 
         /* Initialize the buffer ID list. */ 
         pDbeWindowPriv->maxAvailableIDs = DBE_INIT_MAX_IDS;
-        pDbeWindowPriv->IDs[0] = stuff->buffer;
-        for (i = 1; i < DBE_INIT_MAX_IDS; i++)
-        {
+     
+	add_index = 0;
+	for (i = 1; i < DBE_INIT_MAX_IDS; i++)
+	{
             pDbeWindowPriv->IDs[i] = DBE_FREE_ID_ELEMENT;
         }
 
-
         /* Actually connect the window priv to the window. */
         pWin->devPrivates[dbeWindowPrivIndex].ptr = (pointer)pDbeWindowPriv;
 
@@ -567,16 +559,7 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
             pDbeWindowPriv->maxAvailableIDs += DBE_INCR_MAX_IDS;
         }
 
-        /* Finally, record the buffer ID in the array. */
-        pDbeWindowPriv->IDs[i] = stuff->buffer;
-
-        /* Associate the new ID with an existing window priv. */
-        if (!AddResource(stuff->buffer, dbeWindowPrivResType,
-                         (pointer)pDbeWindowPriv))
-        {
-            pDbeWindowPriv->IDs[i] = DBE_FREE_ID_ELEMENT;
-            return(BadAlloc);
-        }
+        add_index = i;
 
     } /* else -- A buffer is already associated with the window. */
 
@@ -585,13 +568,27 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
     status = (*pDbeScreenPriv->AllocBackBufferName)(pWin, stuff->buffer,
                                                     stuff->swapAction);
 
-    if ((status != Success) && (pDbeWindowPriv->nBufferIDs == 0))
+    if (status == Success)
     {
+        pDbeWindowPriv->IDs[add_index] = stuff->buffer;
+        if (!AddResource(stuff->buffer, dbeWindowPrivResType,
+                         (pointer)pDbeWindowPriv))
+        {
+            pDbeWindowPriv->IDs[add_index] = DBE_FREE_ID_ELEMENT;
+
+            if (pDbeWindowPriv->nBufferIDs == 0) {
+                status = BadAlloc;
+                goto out_free;
+            }
+        }
+    } else {
         /* The DDX buffer allocation routine failed for the first buffer of
          * this window.
          */
-        xfree(pDbeWindowPriv);
-        return(status);
+
+        if (pDbeWindowPriv->nBufferIDs == 0) {
+            goto out_free;
+        }
     }
 
     /* Increment the number of buffers (XIDs) associated with this window. */
@@ -603,6 +600,11 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
 
     return(status);
 
+out_free:
+    pWin->devPrivates[dbeWindowPrivIndex].ptr = NULL;
+    xfree(pDbeWindowPriv);
+    return(status);    
+
 } /* ProcDbeAllocateBackBufferName() */
 
 
diff --git a/programs/Xserver/hw/xfree86/CHANGELOG b/programs/Xserver/hw/xfree86/CHANGELOG
index 4e445b03b..0ecc0bebb 100644
--- a/programs/Xserver/hw/xfree86/CHANGELOG
+++ b/programs/Xserver/hw/xfree86/CHANGELOG
@@ -1,4 +1,35 @@
 XFree86 4.7.99.28 (xx October 2008)
+  67. When using BSD authentication in xdm, wipe out the password as soon as
+      possible to prevent it from showing up in the address space of
+      subsequently forked child processes (Matthieu Herrb).
+  66. Ensure XVidModeGetMonitor() always returns dynamically allocated data, as
+      documented in its man page (Marc La France).
+  65. Fix potential crash in DBE (Dave Arlie).
+  64. Import X.Org fixes for CVE-2008-1377, CVE-2008-1379, CVE-2008-2360 and
+      CVE-2008-2361 security advisories.
+  63. Various x86emu changes:
+      - Fix various halfword overflow issues (Scitech).
+      - Add RDTSC emulation (Aaron Plattner).
+      - Fix JNL emulation (David Wong).
+      - Add emulation of CPUID, levels 0 & 1.  If the host architecture
+        supports CPUID, pass that implementation's results to the emulation.
+        If running on a 386 or 486 that does not support CPUID, provide a
+        reasonable simulation (instead of SIGILL'ing).  On all other host
+        architectures, the emulator will report itself as a 486DX
+        (Marc La France).
+      - Add BTS emulation (Felix Kuehling).
+      - Fix BSF & BSR emulations (Aaron Plattner).
+      - Fix MUL and IMUL emulations in the 64-bit case (Matthias Hopf).
+  62. xf86sym.c build fix when RandR is disabled (Pat Kane, Bugzilla #1693).
+  61. Spruce up implementation of pthread_key_create(), pthread_key_delete()
+      pthread_getspecific() and pthread_setspecific() stubs in libXThrStub
+      library.  Inspired by a change found in OpenBSD repository
+      (Marc La France).
+  60. When opening display, if LOCALCONN fails, fall back to UNIXCOMM, then
+      TCPCONN (Alex Chen).
+  59. Improve uniqueness of XDM-AUTHORIZATION-1 cookies.  (Egbert Eich).
+  58. Fix possible segfault when using XDM-AUTHORIZATION-1 keys for remote
+      clients over IPv6.  (Christian Weisgerber)
 
 XFree86 4.7.99.27 (9 October 2008)
 
@@ -20787,4 +20818,4 @@ XFree86 3.0a (28 April 1994)
 XFree86 3.0 (26 April 1994)
 
 
-$XFree86: xc/programs/Xserver/hw/xfree86/CHANGELOG,v 3.3978 2008/09/23 11:07:32 dawes Exp $
+$XFree86: xc/programs/Xserver/hw/xfree86/CHANGELOG,v 3.3979tsi Exp $
diff --git a/programs/Xserver/hw/xfree86/loader/xf86sym.c b/programs/Xserver/hw/xfree86/loader/xf86sym.c
index 8e0846e21..ff3c1f6d4 100644
--- a/programs/Xserver/hw/xfree86/loader/xf86sym.c
+++ b/programs/Xserver/hw/xfree86/loader/xf86sym.c
@@ -1,4 +1,4 @@
-/* $XFree86: xc/programs/Xserver/hw/xfree86/loader/xf86sym.c,v 1.266tsi Exp $ */
+/* $XFree86: xc/programs/Xserver/hw/xfree86/loader/xf86sym.c,v 1.267tsi Exp $ */
 
 /*
  *
@@ -629,7 +629,9 @@ LOOKUP xfree86LookupTab[] = {
     SYMFUNC(xf86CommonSpecialKey)
     SYMFUNC(xf86IsPc98)
     SYMFUNC(xf86DisableRandR)
+#ifdef RANDR
     SYMFUNC(xf86GetRotation)
+#endif
     SYMFUNC(xf86GetVersion)
     SYMFUNC(xf86GetModuleVersion)
     SYMFUNC(xf86GetSubModuleByName)
diff --git a/programs/Xserver/record/record.c b/programs/Xserver/record/record.c
index 2c6cf62f1..83b240e5f 100644
--- a/programs/Xserver/record/record.c
+++ b/programs/Xserver/record/record.c
@@ -1,3 +1,4 @@
+/* $XFree86: xc/programs/Xserver/record/record.c,v 1.15tsi Exp $ */
 /*
 
 Copyright 1995, 1998  The Open Group
@@ -30,7 +31,6 @@ This work benefited from earlier work done by Martha Zimet of NCD
 and Jim Haggerty of Metheus.
 
 */
-/* $XFree86: xc/programs/Xserver/record/record.c,v 1.14tsi Exp $ */
 
 #define NEED_EVENTS
 #include "dixstruct.h"
@@ -2662,7 +2662,7 @@ SProcRecordQueryVersion(ClientPtr client)
 } /* SProcRecordQueryVersion */
 
 
-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
     register char n;
@@ -2673,11 +2673,19 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
     swapl(&stuff->nClients, n);
     swapl(&stuff->nRanges, n);
     pClientID = (XID *)&stuff[1];
+    if (stuff->nClients >
+	(stuff->length - (sz_xRecordRegisterClientsReq >> 2)))
+	return BadLength;
     for (i = 0; i < stuff->nClients; i++, pClientID++)
     {
 	swapl(pClientID, n);
     }
+    if (stuff->nRanges >
+	(stuff->length - stuff->nClients -
+	 (sz_xRecordRegisterClientsReq >> 2)))
+	return BadLength;
     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+    return Success;
 } /* SwapCreateRegister */
 
 
@@ -2685,11 +2693,13 @@ static int
 SProcRecordCreateContext(ClientPtr client)
 {
     REQUEST(xRecordCreateContextReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */
 
@@ -2698,11 +2708,13 @@ static int
 SProcRecordRegisterClients(ClientPtr client)
 {
     REQUEST(xRecordRegisterClientsReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */
 
diff --git a/programs/Xserver/render/glyph.c b/programs/Xserver/render/glyph.c
index 47b78f4b0..7becdd554 100644
--- a/programs/Xserver/render/glyph.c
+++ b/programs/Xserver/render/glyph.c
@@ -1,5 +1,5 @@
 /*
- * $XFree86: xc/programs/Xserver/render/glyph.c,v 1.6 2001/10/28 03:34:19 tsi Exp $
+ * $XFree86: xc/programs/Xserver/render/glyph.c,v 1.7tsi Exp $
  *
  * Copyright © 2000 SuSE, Inc.
  *
@@ -74,9 +74,9 @@ static GlyphHashSetRec glyphHashSets[] = {
 
 #define NGLYPHHASHSETS	(sizeof(glyphHashSets)/sizeof(glyphHashSets[0]))
 
-const CARD8	glyphDepths[GlyphFormatNum] = { 1, 4, 8, 16, 32 };
+static const CARD8	glyphDepths[GlyphFormatNum] = { 1, 4, 8, 16, 32 };
 
-GlyphHashRec	globalGlyphs[GlyphFormatNum];
+static GlyphHashRec	globalGlyphs[GlyphFormatNum];
 
 GlyphHashSetPtr
 FindGlyphHashSet (CARD32 filled)
@@ -328,10 +328,14 @@ FindGlyph (GlyphSetPtr glyphSet, Glyph id)
 GlyphPtr
 AllocateGlyph (xGlyphInfo *gi, int fdepth)
 {
-    int		size;
+    int		size, padded_width;
     GlyphPtr	glyph;
 
-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    padded_width = PixmapBytePad(gi->width, glyphDepths[fdepth]);
+    if (gi->height && (padded_width >
+	 ((((unsigned int)(-1)) - sizeof(GlyphRec)) / gi->height)))
+	return 0;
+    size = gi->height * padded_width;
     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
     if (!glyph)
 	return 0;
diff --git a/programs/Xserver/render/glyphstr.h b/programs/Xserver/render/glyphstr.h
index 638b80c5b..3e74cff09 100644
--- a/programs/Xserver/render/glyphstr.h
+++ b/programs/Xserver/render/glyphstr.h
@@ -1,5 +1,5 @@
 /*
- * $XFree86: xc/programs/Xserver/render/glyphstr.h,v 1.5tsi Exp $
+ * $XFree86: xc/programs/Xserver/render/glyphstr.h,v 1.6tsi Exp $
  *
  * Copyright © 2000 SuSE, Inc.
  *
@@ -89,8 +89,6 @@ typedef struct _GlyphList {
     PictFormatPtr   format;
 } GlyphListRec, *GlyphListPtr;
 
-extern GlyphHashRec	globalGlyphs[GlyphFormatNum];
-
 GlyphHashSetPtr
 FindGlyphHashSet (CARD32 filled);
 
diff --git a/programs/Xserver/render/render.c b/programs/Xserver/render/render.c
index d0816662c..862228f99 100644
--- a/programs/Xserver/render/render.c
+++ b/programs/Xserver/render/render.c
@@ -1,5 +1,5 @@
 /*
- * $XFree86: xc/programs/Xserver/render/render.c,v 1.35tsi Exp $
+ * $XFree86: xc/programs/Xserver/render/render.c,v 1.36tsi Exp $
  *
  * Copyright © 2000 SuSE, Inc.
  *
@@ -1457,8 +1457,9 @@ ProcRenderCreateCursor (ClientPtr client)
     pScreen = pSrc->pDrawable->pScreen;
     width = pSrc->pDrawable->width;
     height = pSrc->pDrawable->height;
-    if ( stuff->x > width 
-      || stuff->y > height )
+    if (height && width > ((unsigned int)(-1) / (height * sizeof(CARD32))))
+	return (BadAlloc);
+    if ((stuff->x > width) || (stuff->y > height))
 	return (BadMatch);
     argbbits = xalloc (width * height * sizeof (CARD32));
     if (!argbbits)
diff --git a/programs/xdm/greeter/verify.c b/programs/xdm/greeter/verify.c
index a8e8439bd..f6cf25d5d 100644
--- a/programs/xdm/greeter/verify.c
+++ b/programs/xdm/greeter/verify.c
@@ -1,3 +1,4 @@
+/* $XFree86: xc/programs/xdm/greeter/verify.c,v 3.29tsi Exp $ */
 /*
 
 Copyright 1988, 1998  The Open Group
@@ -25,7 +26,6 @@ other dealings in this Software without prior written authorization
 from The Open Group.
 
 */
-/* $XFree86: xc/programs/xdm/greeter/verify.c,v 3.28 2004/10/21 06:06:43 herrb Exp $ */
 
 /*
  * xdm - display manager daemon
@@ -160,7 +160,7 @@ static int PAM_conv (int num_msg,
 			/* PAM frees resp */
 			break;
 		case PAM_TEXT_INFO:
-			/* ignore the informational mesage */
+			/* ignore the informational message */
 			break;
 		default:
 			/* unknown or PAM_ERROR_MSG */
@@ -189,7 +189,7 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
 	auth_session_t	*as;
 	char		*style, *shell, *home, *s, **argv;
 	char		path[MAXPATHLEN];
-	int		authok;
+	int		authok, password_length;
 
 	/* User may have specified an authentication style. */
 	if ((style = strchr(greet->name, ':')) != NULL)
@@ -230,10 +230,20 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
 		return 0;
 	}
 
+	password_length = strlen(greet->password);
+
 	/* Set up state for no challenge, just check a response. */
 	auth_setstate(as, 0);
 	auth_setdata(as, "", 1);
-	auth_setdata(as, greet->password, strlen(greet->password) + 1);
+	auth_setdata(as, greet->password, password_length + 1);
+
+	/*
+	 * Zap password now, unless still needed by StartClient().  Otherwise,
+	 * unzapped copies will end up in our forked children.
+	 */
+#if !defined(SECURE_RPC) && !defined(K5AUTH)
+	bzero(greet->password, password_length);
+#endif
 
 	/* Build path of the auth script and call it */
 	snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style);
@@ -243,7 +253,9 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
 
 	if ((authok & AUTH_ALLOW) == 0) {
 		Debug("password verify failed\n");
-		bzero(greet->password, strlen(greet->password));
+#if defined(SECURE_RPC) || defined(K5AUTH)
+		bzero(greet->password, password_length);
+#endif
 		auth_close(as);
 		login_close(lc);
 		return 0;
@@ -251,7 +263,9 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
 	/* Run the approval script */
 	if (!auth_approval(as, lc, greet->name, "auth-xdm")) {
 		Debug("login not approved\n");
-		bzero(greet->password, strlen(greet->password));
+#if defined(SECURE_RPC) || defined(K5AUTH)
+		bzero(greet->password, password_length);
+#endif
 		auth_close(as);
 		login_close(lc);
 		return 0;
@@ -259,14 +273,16 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
 	auth_close(as);
 	login_close(lc);
 	/* Check empty passwords against allowNullPasswd */
-	if (!greet->allow_null_passwd && strlen(greet->password) == 0) {
+	if (!greet->allow_null_passwd && password_length == 0) {
 		Debug("empty password not allowed\n");
 		return 0;
 	}
 	/* Only accept root logins if allowRootLogin resource is set */
 	if (p->pw_uid == 0 && !greet->allow_root_login) {
 		Debug("root logins not allowed\n");
-		bzero(greet->password, strlen(greet->password));
+#if defined(SECURE_RPC) || defined(K5AUTH)
+		bzero(greet->password, password_length);
+#endif
 		return 0;
 	}
 
@@ -279,7 +295,9 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
 			/* did not found the shell in /etc/shells 
 			   -> failure */
 			Debug("shell not in /etc/shells\n");
-			bzero(greet->password, strlen(greet->password));
+#if defined(SECURE_RPC) || defined(K5AUTH)
+			bzero(greet->password, password_length);
+#endif
 			endusershell();
 			return 0;
 		}