--- a/open-src/common/Makefile.init Tue Nov 26 18:54:46 2013 -0800
+++ b/open-src/common/Makefile.init Mon Dec 02 14:55:33 2013 -0800
@@ -395,7 +395,7 @@
# referenced in multiple places, so it's kept here for easy sharing.
#
# Current Xorg server source tarball to use sources from:
-XORGSERVER_VERS=1.14.1
+XORGSERVER_VERS=1.14.4
# Minimum Xorg server version that we expect to be ABI compatible with.
# Usually .99 of the previous minor release series, as that's the convention
# for the development snapshots of the next release series.
--- a/open-src/xserver/xorg/16794101.patch Tue Nov 26 18:54:46 2013 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,25 +0,0 @@
---- a/hw/xfree86/modes/xf86Crtc.c Tue Apr 16 23:07:39 2013
-+++ b/hw/xfree86/modes/xf86Crtc.c Wed May 15 09:54:30 2013
-@@ -2599,7 +2599,7 @@
- xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(scrn);
- xf86CrtcPtr crtc = config->crtc[0];
- int c;
-- int enabled = 0;
-+ int enabled = 0, failed = 0;
-
- /* A driver with this hook will take care of this */
- if (!crtc->funcs->set_mode_major) {
-@@ -2659,11 +2659,12 @@
- if (config->output[o]->crtc == crtc)
- config->output[o]->crtc = NULL;
- crtc->enabled = FALSE;
-+ ++failed;
- }
- }
-
- xf86DisableUnusedFunctions(scrn);
-- return enabled != 0;
-+ return enabled != 0 || failed == 0;
- }
-
- /**
--- a/open-src/xserver/xorg/CVE-2013-4396.patch Tue Nov 26 18:54:46 2013 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,76 +0,0 @@
-From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <[email protected]>
-Date: Mon, 16 Sep 2013 21:47:16 -0700
-Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
- [CVE-2013-4396]
-
-Save a pointer to the passed in closure structure before copying it
-and overwriting the *c pointer to point to our copy instead of the
-original. If we hit an error, once we free(c), reset c to point to
-the original structure before jumping to the cleanup code that
-references *c.
-
-Since one of the errors being checked for is whether the server was
-able to malloc(c->nChars * itemSize), the client can potentially pass
-a number of characters chosen to cause the malloc to fail and the
-error path to be taken, resulting in the read from freed memory.
-
-Since the memory is accessed almost immediately afterwards, and the
-X server is mostly single threaded, the odds of the free memory having
-invalid contents are low with most malloc implementations when not using
-memory debugging features, but some allocators will definitely overwrite
-the memory there, leading to a likely crash.
-
-Reported-by: Pedro Ribeiro <[email protected]>
-Signed-off-by: Alan Coopersmith <[email protected]>
-Reviewed-by: Julien Cristau <[email protected]>
----
- dix/dixfonts.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/dix/dixfonts.c b/dix/dixfonts.c
-index feb765d..2e34d37 100644
---- a/dix/dixfonts.c
-+++ b/dix/dixfonts.c
-@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- GC *pGC;
- unsigned char *data;
- ITclosurePtr new_closure;
-+ ITclosurePtr old_closure;
-
- /* We're putting the client to sleep. We need to
- save some state. Similar problem to that handled
-@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
- err = BadAlloc;
- goto bail;
- }
-+ old_closure = c;
- *new_closure = *c;
- c = new_closure;
-
- data = malloc(c->nChars * itemSize);
- if (!data) {
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- if (!pGC) {
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- FreeScratchGC(pGC);
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
---
-1.7.9.2
-
--- a/open-src/xserver/xorg/Makefile Tue Nov 26 18:54:46 2013 -0800
+++ b/open-src/xserver/xorg/Makefile Mon Dec 02 14:55:33 2013 -0800
@@ -35,9 +35,9 @@
MODULE_VERSION=$(XORGSERVER_VERS)
# Checksums for upstream tarball
-TARBALL_MD5 = 6a0f1a1639ada4b9da7e9582bc79252a
-TARBALL_SHA1 = f67a3a250216ab40f0e31648151ee1a457b70a3a
-TARBALL_SHA256= a5adb02571efb7d7459dde83286a3adb77dfd1a52a7348e75d2dc72d6f8d28aa
+TARBALL_MD5 = 9d68a30258c67faa3c036a4a85e8bf97
+TARBALL_SHA1 = 5ee112b52f0cec043aa68bd909457b2ea2a11380
+TARBALL_SHA256= 608ccfaafb845f6e559884a30f946d365209172416710d687b190e9e1ff65dc3
# Patches to apply to source after unpacking, in order
# *** Moved to patch-list file so they can be shared between Xorg & Xvnc builds
--- a/open-src/xserver/xorg/patch-list Tue Nov 26 18:54:46 2013 -0800
+++ b/open-src/xserver/xorg/patch-list Mon Dec 02 14:55:33 2013 -0800
@@ -1,4 +1,3 @@
-CVE-2013-4396.patch,-p1
osaudit.patch,-p1
sun-paths.patch,-p1
sun-extramodes.patch,-p1
@@ -27,7 +26,6 @@
cli-nolock.patch,-p1
16418361.patch,-p1
sparc-config-improv.patch,-p1
-16794101.patch,-p1
remove-sbus-probe.patch,-p1
17385060.patch,-p1
add-input-dev-in-multi-session.patch,-p1