diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2024-01-21 20:50:08 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2024-01-22 13:30:35 +0100 |
commit | 4e883273037a35e5e60bbbb34c2e8720dba2711f (patch) | |
tree | 11c2a4dfd229868bad285ff3ff4bab76f525ffec /extra/source/tigervnc/patches/xorg-server/CVE-2023-6377.patch | |
parent | 0a8de80c8a0d329636b02c3c2b80d949a9070224 (diff) | |
download | current-6af6f57b2a378c37017edbe16fea8f415b006612.tar.gz current-6af6f57b2a378c37017edbe16fea8f415b006612.tar.xz |
Sun Jan 21 20:50:08 UTC 202420240121205008_15.0
extra/tigervnc/tigervnc-1.12.0-x86_64-5_slack15.0.txz: Rebuilt.
Recompiled against xorg-server-1.20.14, including the latest patches for
several security issues. Thanks to marav.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-6377
https://www.cve.org/CVERecord?id=CVE-2023-6478
https://www.cve.org/CVERecord?id=CVE-2023-6816
https://www.cve.org/CVERecord?id=CVE-2024-0229
https://www.cve.org/CVERecord?id=CVE-2024-0408
https://www.cve.org/CVERecord?id=CVE-2024-0409
https://www.cve.org/CVERecord?id=CVE-2024-21885
https://www.cve.org/CVERecord?id=CVE-2024-21886
https://www.cve.org/CVERecord?id=CVE-2024-21886
(* Security fix *)
Diffstat (limited to 'extra/source/tigervnc/patches/xorg-server/CVE-2023-6377.patch')
-rw-r--r-- | extra/source/tigervnc/patches/xorg-server/CVE-2023-6377.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/extra/source/tigervnc/patches/xorg-server/CVE-2023-6377.patch b/extra/source/tigervnc/patches/xorg-server/CVE-2023-6377.patch new file mode 100644 index 000000000..4e2fca615 --- /dev/null +++ b/extra/source/tigervnc/patches/xorg-server/CVE-2023-6377.patch @@ -0,0 +1,75 @@ +From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 28 Nov 2023 15:19:04 +1000 +Subject: [PATCH] Xi: allocate enough XkbActions for our buttons + +button->xkb_acts is supposed to be an array sufficiently large for all +our buttons, not just a single XkbActions struct. Allocating +insufficient memory here means when we memcpy() later in +XkbSetDeviceInfo we write into memory that wasn't ours to begin with, +leading to the usual security ooopsiedaisies. + +CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + Xi/exevents.c | 12 ++++++------ + dix/devices.c | 10 ++++++++++ + 2 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index dcd4efb3bc..54ea11a938 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + } + + if (from->button->xkb_acts) { +- if (!to->button->xkb_acts) { +- to->button->xkb_acts = calloc(1, sizeof(XkbAction)); +- if (!to->button->xkb_acts) +- FatalError("[Xi] not enough memory for xkb_acts.\n"); +- } ++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons); ++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction)); + memcpy(to->button->xkb_acts, from->button->xkb_acts, +- sizeof(XkbAction)); ++ from->button->numButtons * sizeof(XkbAction)); + } + else { + free(to->button->xkb_acts); +diff --git a/dix/devices.c b/dix/devices.c +index b063128df0..3f3224d626 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) + + if (master->button && master->button->numButtons != maxbuttons) { + int i; ++ int last_num_buttons = master->button->numButtons; ++ + DeviceChangedEvent event = { + .header = ET_Internal, + .type = ET_DeviceChanged, +@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave) + }; + + master->button->numButtons = maxbuttons; ++ if (last_num_buttons < maxbuttons) { ++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(&master->button->xkb_acts[last_num_buttons], ++ 0, ++ (maxbuttons - last_num_buttons) * sizeof(XkbAction)); ++ } + + memcpy(&event.buttons.names, master->button->labels, maxbuttons * + sizeof(Atom)); +-- +GitLab + |