author | 2023-11-13 19:20:40 +0000 | |
---|---|---|
committer | 2023-11-14 13:30:39 +0100 | |
commit | 3dc24700978e64080d22e59b31a6099bddbdf2d2 (patch) | |
tree | c418101646ef36d871a8b065c01fa743a4e0befd /extra/source/tigervnc/patches/xorg-server/CVE-2022-46340.patch | |
parent | 048a0f1ff7a9c4a0fe0e65de1e84447e798ef04e (diff) | |
Mon Nov 13 19:20:40 UTC 2023 20231113192040_15.0
extra/tigervnc/tigervnc-1.12.0-x86_64-4_slack15.0.txz: Rebuilt.
Recompiled against xorg-server-1.20.14, including patches for several
security issues. Thanks to marav.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-3550
https://www.cve.org/CVERecord?id=CVE-2022-3551
https://www.cve.org/CVERecord?id=CVE-2022-3553
https://www.cve.org/CVERecord?id=CVE-2022-4283
https://www.cve.org/CVERecord?id=CVE-2022-46340
https://www.cve.org/CVERecord?id=CVE-2022-46341
https://www.cve.org/CVERecord?id=CVE-2022-46342
https://www.cve.org/CVERecord?id=CVE-2022-46343
https://www.cve.org/CVERecord?id=CVE-2022-46344
https://www.cve.org/CVERecord?id=CVE-2023-0494
https://www.cve.org/CVERecord?id=CVE-2023-1393
https://www.cve.org/CVERecord?id=CVE-2023-5367
https://www.cve.org/CVERecord?id=CVE-2023-5380
(* Security fix *)
Diffstat (limited to 'extra/source/tigervnc/patches/xorg-server/CVE-2022-46340.patch')
-rw-r--r-- | extra/source/tigervnc/patches/xorg-server/CVE-2022-46340.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/extra/source/tigervnc/patches/xorg-server/CVE-2022-46340.patch b/extra/source/tigervnc/patches/xorg-server/CVE-2022-46340.patch new file mode 100644 index 000000000..c9bf7bc9f --- /dev/null +++ b/extra/source/tigervnc/patches/xorg-server/CVE-2022-46340.patch 
@@ -0,0 +1,51 @@ +From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 29 Nov 2022 12:55:45 +1000 +Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput + +XTestSwapFakeInput assumes all events in this request are +sizeof(xEvent) and iterates through these in 32-byte increments. +However, a GenericEvent may be of arbitrary length longer than 32 bytes, +so any GenericEvent in this list would result in subsequent events to be +misparsed. + +Additional, the swapped event is written into a stack-allocated struct +xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes, +swapping the event may thus smash the stack like an avocado on toast. + +Catch this case early and return BadValue for any GenericEvent. +Which is what would happen in unswapped setups anyway since XTest +doesn't support GenericEvent. + +CVE-2022-46340, ZDI-CAN 19265 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Acked-by: Olivier Fourdan <ofourdan@redhat.com> +--- + Xext/xtest.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/Xext/xtest.c b/Xext/xtest.c +index bf27eb590..2985a4ce6 100644 +--- a/Xext/xtest.c ++++ b/Xext/xtest.c +@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req) + + nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); + for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) { ++ int evtype = ev->u.u.type & 0x177; + /* Swap event */ +- proc = EventSwapVector[ev->u.u.type & 0177]; ++ proc = EventSwapVector[evtype]; + /* no swapping proc; invalid event type? */ +- if (!proc || proc == NotImplemented) { ++ if (!proc || proc == NotImplemented || evtype == GenericEvent) { + client->errorValue = ev->u.u.type; + return BadValue; + } +-- +GitLab + |
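Review bot: in the Xext/xtest.c hunk, the added line `int evtype = ev->u.u.type & 0x177;` changes the mask value, not only where it is computed. The removed line used octal `0177` (0x7f, the low seven bits), while hexadecimal `0x177` clears bit 3 (0x08) and keeps bit 8 (0x100). With the new mask, event types that differ only in bit 3 select the same EventSwapVector entry, so the lookup and the `evtype == GenericEvent` comparison no longer operate on the same value the old code used. Suggest `int evtype = ev->u.u.type & 0177;` (or `& 0x7f`) so the index is unchanged and the only behavioural difference is the added GenericEvent rejection described in the commit message.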