From 32122d96f3056f03a88facdb5acfec2debc35ce6 Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Thu, 22 Dec 2011 13:36:16 +0000
Subject: main/xorg-server: security fix (CVE-2011-4029)

fixes #883
---
 main/xorg-server/APKBUILD            |  7 ++++---
 main/xorg-server/cve-2011-4029.patch | 27 +++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 main/xorg-server/cve-2011-4029.patch

(limited to 'main/xorg-server')

diff --git a/main/xorg-server/APKBUILD b/main/xorg-server/APKBUILD
index d6b2cd33d79..821c4493a90 100644
--- a/main/xorg-server/APKBUILD
+++ b/main/xorg-server/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=xorg-server
 pkgver=1.10.4
-pkgrel=0
+pkgrel=1
 pkgdesc="X.Org X servers"
 url="http://xorg.freedesktop.org"
 arch="all"
@@ -62,7 +62,7 @@ source="http://xorg.freedesktop.org/releases/individual/xserver/$pkgname-$pkgver
 	xorg-redhat-die-ugly-pattern-die-die-die.patch
 	bg-none-revert.patch
 	xserver-1.10-pointer-barriers.patch
-
+	cve-2011-4029.patch
 "
 
 depends_dev="pixman-dev libpciaccess-dev xproto randrproto renderproto
@@ -154,4 +154,5 @@ xephyr() {
 md5sums="94f23d30a77d63e27dd209a57fccfebf  xorg-server-1.10.4.tar.bz2
 222de594206d1148a90eddfda4f7a11a  xorg-redhat-die-ugly-pattern-die-die-die.patch
 030dd3ec221b895de3057d7513d8c1d7  bg-none-revert.patch
-db48cea655c7bccec9171c5df1558a64  xserver-1.10-pointer-barriers.patch"
+db48cea655c7bccec9171c5df1558a64  xserver-1.10-pointer-barriers.patch
+09ecdf3b4e49bd2490946ac15b464535  cve-2011-4029.patch"
diff --git a/main/xorg-server/cve-2011-4029.patch b/main/xorg-server/cve-2011-4029.patch
new file mode 100644
index 00000000000..aa75f607915
--- /dev/null
+++ b/main/xorg-server/cve-2011-4029.patch
@@ -0,0 +1,27 @@
+From b67581cf825940fdf52bf2e0af4330e695d724a4 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date: Mon, 17 Oct 2011 20:27:35 +0000
+Subject: Fix CVE-2011-4029: File permission change vulnerability.
+
+Use fchmod() to change permissions of the lock file instead
+of chmod(), thus avoid the race that can be exploited to set
+a symbolic link to any file or directory in the system.
+
+Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+diff --git a/os/utils.c b/os/utils.c
+index fe49254..07cf4c2 100644
+--- a/os/utils.c
++++ b/os/utils.c
+@@ -297,7 +297,7 @@ LockServer(void)
+     FatalError("Could not create lock file in %s\n", tmp);
+   (void) sprintf(pid_str, "%10ld\n", (long)getpid());
+   (void) write(lfd, pid_str, 11);
+-  (void) chmod(tmp, 0444);
++  (void) fchmod(lfd, 0444);
+   (void) close(lfd);
+ 
+   /*
+--
+cgit v0.9.0.2-2-gbebe
-- 
cgit v1.2.3