author Patrick J Volkerding <volkerdi@slackware.com>2023-11-13 19:20:40 +0000
committer Eric Hameleers <alien@slackware.com>2023-11-14 13:30:39 +0100
commit3dc24700978e64080d22e59b31a6099bddbdf2d2 (patch)
treec418101646ef36d871a8b065c01fa743a4e0befd /extra/source/tigervnc/patches/xorg-server/CVE-2022-46341.patch
parent048a0f1ff7a9c4a0fe0e65de1e84447e798ef04e (diff)
Mon Nov 13 19:20:40 UTC 202320231113192040_15.0
extra/tigervnc/tigervnc-1.12.0-x86_64-4_slack15.0.txz: Rebuilt. Recompiled against xorg-server-1.20.14, including patches for several security issues. Thanks to marav. For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-3550 https://www.cve.org/CVERecord?id=CVE-2022-3551 https://www.cve.org/CVERecord?id=CVE-2022-3553 https://www.cve.org/CVERecord?id=CVE-2022-4283 https://www.cve.org/CVERecord?id=CVE-2022-46340 https://www.cve.org/CVERecord?id=CVE-2022-46341 https://www.cve.org/CVERecord?id=CVE-2022-46342 https://www.cve.org/CVERecord?id=CVE-2022-46343 https://www.cve.org/CVERecord?id=CVE-2022-46344 https://www.cve.org/CVERecord?id=CVE-2023-0494 https://www.cve.org/CVERecord?id=CVE-2023-1393 https://www.cve.org/CVERecord?id=CVE-2023-5367 https://www.cve.org/CVERecord?id=CVE-2023-5380 (* Security fix *)
Diffstat (limited to 'extra/source/tigervnc/patches/xorg-server/CVE-2022-46341.patch')
-rw-r--r--extra/source/tigervnc/patches/xorg-server/CVE-2022-46341.patch82
1 files changed, 82 insertions, 0 deletions
diff --git a/extra/source/tigervnc/patches/xorg-server/CVE-2022-46341.patch b/extra/source/tigervnc/patches/xorg-server/CVE-2022-46341.patch
new file mode 100644
index 000000000..d68fad74d
--- /dev/null
+++ b/extra/source/tigervnc/patches/xorg-server/CVE-2022-46341.patch
@@ -0,0 +1,82 @@
+From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:55:32 +1000
+Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
+
+The XKB protocol effectively prevents us from ever using keycodes above
+255. For buttons it's theoretically possible but realistically too niche
+to worry about. For all other passive grabs, the detail must be zero
+anyway.
+
+This fixes an OOB write:
+
+ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
+temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
+For matching existing grabs, DeleteDetailFromMask is called with the
+stuff->detail value. This function creates a new mask with the one bit
+representing stuff->detail cleared.
+
+However, the array size for the new mask is 8 * sizeof(CARD32) bits,
+thus any detail above 255 results in an OOB array write.
+
+CVE-2022-46341, ZDI-CAN 19381
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+---
+ Xi/xipassivegrab.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index 2769fb7c9..c9ac2f855 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
++ * implement this. Just return an error for all keycodes that
++ * cannot work anyway, same for buttons > 255. */
++ if (stuff->detail > 255)
++ return XIAlreadyGrabbed;
++
+ if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
+ stuff->mask_len * 4) != Success)
+ return BadValue;
+@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ &param, XI2, &mask);
+ break;
+ case XIGrabtypeKeycode:
+- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+- * implement this. Just return an error for all keycodes that
+- * cannot work anyway */
+- if (stuff->detail > 255)
+- status = XIAlreadyGrabbed;
+- else
+- status = GrabKey(client, dev, mod_dev, stuff->detail,
+- &param, XI2, &mask);
++ status = GrabKey(client, dev, mod_dev, stuff->detail,
++ &param, XI2, &mask);
+ break;
+ case XIGrabtypeEnter:
+ case XIGrabtypeFocusIn:
+@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* We don't allow passive grabs for details > 255 anyway */
++ if (stuff->detail > 255) {
++ client->errorValue = stuff->detail;
++ return BadValue;
++ }
++
+ rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
+ if (rc != Success)
+ return rc;
+--
+GitLab
+
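Review bot: In the first inner hunk for Xi/xipassivegrab.c, the new early exit `return XIAlreadyGrabbed;` hands a grab-status constant back as the request handler's result, whereas the removed code only stored it in `status` for the XIGrabtypeKeycode case and the neighbouring exits return `BadValue`. If that constant shares its numeric value with a core protocol error code (worth confirming against the headers), a client sending a detail above 255 will see an unrelated error rather than a grab-failure status. Consider matching the ungrab hunk with `client->errorValue = stuff->detail;` followed by `return BadValue;`, raised upstream rather than changed locally so this file stays identical to the upstream commit. The range check also sits only at the two request entry points; DeleteDetailFromMask, which the description names as the site of the out-of-bounds write, is not touched, so whether other callers can reach it with a detail above 255 cannot be judged from this patch. Both ProcXIPassiveGrabDevice and ProcXIPassiveUngrabDevice continue outside the hunks shown.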