Wed Mar 29 20:56:21 UTC 202320230329205621_15.0

patches/packages/glibc-zoneinfo-2023c-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
patches/packages/mozilla-thunderbird-102.9.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.9.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-12/
    https://www.cve.org/CVERecord?id=CVE-2023-28427
  (* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
  [PATCH] composite: Fix use-after-free of the COW.
  Fix use-after-free that can lead to local privileges elevation on systems
  where the X server is running privileged and remote code execution for ssh
  X forwarding sessions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2023-March/003374.html
    https://www.cve.org/CVERecord?id=CVE-2023-1393
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-7_slack15.0.txz:  Rebuilt.
  [PATCH] composite: Fix use-after-free of the COW.
  Fix use-after-free that can lead to local privileges elevation on systems
  where the X server is running privileged and remote code execution for ssh
  X forwarding sessions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2023-March/003374.html
    https://www.cve.org/CVERecord?id=CVE-2023-1393
  (* Security fix *)

12 files changed, 92 insertions, 2 deletions

diff --git a/patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txt b/patches/packages/glibc-zoneinfo-2023c-noarch-1_slack15.0.txt
index c6e7a698e..c6e7a698e 100644
--- a/patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txt
+++ b/patches/packages/glibc-zoneinfo-2023c-noarch-1_slack15.0.txt
diff --git a/patches/packages/mozilla-thunderbird-102.9.0-x86_64-1_slack15.0.txt b/patches/packages/mozilla-thunderbird-102.9.1-x86_64-1_slack15.0.txt
index 5acb7b92e..5acb7b92e 100644
--- a/patches/packages/mozilla-thunderbird-102.9.0-x86_64-1_slack15.0.txt
+++ b/patches/packages/mozilla-thunderbird-102.9.1-x86_64-1_slack15.0.txt
diff --git a/patches/packages/xorg-server-1.20.14-x86_64-7_slack15.0.txt b/patches/packages/xorg-server-1.20.14-x86_64-8_slack15.0.txt
index ec0248ea9..ec0248ea9 100644
--- a/patches/packages/xorg-server-1.20.14-x86_64-7_slack15.0.txt
+++ b/patches/packages/xorg-server-1.20.14-x86_64-8_slack15.0.txt
diff --git a/patches/packages/xorg-server-xephyr-1.20.14-x86_64-7_slack15.0.txt b/patches/packages/xorg-server-xephyr-1.20.14-x86_64-8_slack15.0.txt
index 2ffb35f60..2ffb35f60 100644
--- a/patches/packages/xorg-server-xephyr-1.20.14-x86_64-7_slack15.0.txt
+++ b/patches/packages/xorg-server-xephyr-1.20.14-x86_64-8_slack15.0.txt
diff --git a/patches/packages/xorg-server-xnest-1.20.14-x86_64-7_slack15.0.txt b/patches/packages/xorg-server-xnest-1.20.14-x86_64-8_slack15.0.txt
index 9c7075278..9c7075278 100644
--- a/patches/packages/xorg-server-xnest-1.20.14-x86_64-7_slack15.0.txt
+++ b/patches/packages/xorg-server-xnest-1.20.14-x86_64-8_slack15.0.txt
diff --git a/patches/packages/xorg-server-xvfb-1.20.14-x86_64-7_slack15.0.txt b/patches/packages/xorg-server-xvfb-1.20.14-x86_64-8_slack15.0.txt
index 675c628db..675c628db 100644
--- a/patches/packages/xorg-server-xvfb-1.20.14-x86_64-7_slack15.0.txt
+++ b/patches/packages/xorg-server-xvfb-1.20.14-x86_64-8_slack15.0.txt
diff --git a/patches/packages/xorg-server-xwayland-21.1.4-x86_64-6_slack15.0.txt b/patches/packages/xorg-server-xwayland-21.1.4-x86_64-7_slack15.0.txt
index 44e18f2cf..44e18f2cf 100644
--- a/patches/packages/xorg-server-xwayland-21.1.4-x86_64-6_slack15.0.txt
+++ b/patches/packages/xorg-server-xwayland-21.1.4-x86_64-7_slack15.0.txt
diff --git a/patches/source/xorg-server-xwayland/CVE-2023-1393.patch b/patches/source/xorg-server-xwayland/CVE-2023-1393.patch
new file mode 100644
index 000000000..0d859d6c1
--- /dev/null
+++ b/patches/source/xorg-server-xwayland/CVE-2023-1393.patch
@@ -0,0 +1,42 @@
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH] composite: Fix use-after-free of the COW
+
+ZDI-CAN-19866/CVE-2023-1393
+
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/composite/compwindow.c b/composite/compwindow.c
+index 4e2494b86b..b30da589e9 100644
+--- a/composite/compwindow.c
++++ b/composite/compwindow.c
+@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
+     ret = (*pScreen->DestroyWindow) (pWin);
+     cs->DestroyWindow = pScreen->DestroyWindow;
+     pScreen->DestroyWindow = compDestroyWindow;
++
++    /* Did we just destroy the overlay window? */
++    if (pWin == cs->pOverlayWin)
++        cs->pOverlayWin = NULL;
++
+ /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+     return ret;
+ }
+-- 
+GitLab
+
diff --git a/patches/source/xorg-server-xwayland/xorg-server-xwayland.SlackBuild b/patches/source/xorg-server-xwayland/xorg-server-xwayland.SlackBuild
index 47e83e8ff..7d7d88d20 100755
--- a/patches/source/xorg-server-xwayland/xorg-server-xwayland.SlackBuild
+++ b/patches/source/xorg-server-xwayland/xorg-server-xwayland.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=xorg-server-xwayland
 SRCNAM=xwayland
 VERSION=${VERSION:-$(echo $SRCNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-6_slack15.0}
+BUILD=${BUILD:-7_slack15.0}
 
 # Default font paths to be used by the X server:
 DEF_FONTPATH="/usr/share/fonts/misc,/usr/share/fonts/local,/usr/share/fonts/TTF,/usr/share/fonts/OTF,/usr/share/fonts/Type1,/usr/share/fonts/CID,/usr/share/fonts/75dpi/:unscaled,/usr/share/fonts/100dpi/:unscaled,/usr/share/fonts/75dpi,/usr/share/fonts/100dpi,/usr/share/fonts/cyrillic"
@@ -103,6 +103,9 @@ zcat $CWD/CVE-2022-46340.correction.patch.gz | patch -p1 --verbose || exit 1
 # Patch another security issue:
 zcat $CWD/CVE-2023-0494.patch.gz | patch -p1 --verbose || exit 1
 
+# Patch another security issue:
+zcat $CWD/CVE-2023-1393.patch.gz | patch -p1 --verbose || exit 1
+
 # [PATCH] present: Check for NULL to prevent crash.
 # This prevents a crash with recent NVIDIA drivers.
 zcat $CWD/857.patch.gz | patch -p1 --verbose || exit 1
diff --git a/patches/source/xorg-server/build/xorg-server b/patches/source/xorg-server/build/xorg-server
index 7952b0566..05965f95a 100644
--- a/patches/source/xorg-server/build/xorg-server
+++ b/patches/source/xorg-server/build/xorg-server
@@ -1 +1 @@
-7_slack15.0
+8_slack15.0
diff --git a/patches/source/xorg-server/patch/xorg-server.patch b/patches/source/xorg-server/patch/xorg-server.patch
index c0a9b1426..e95f8b86f 100644
--- a/patches/source/xorg-server/patch/xorg-server.patch
+++ b/patches/source/xorg-server/patch/xorg-server.patch
@@ -56,3 +56,6 @@ zcat $CWD/patch/xorg-server/CVE-2023-0494.patch.gz | patch -p1 --verbose || { to
 # [PATCH] present: Check for NULL to prevent crash.
 # This prevents a crash with recent NVIDIA drivers.
 zcat $CWD/patch/xorg-server/857.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+
+# Patch another security issue:
+zcat $CWD/patch/xorg-server/CVE-2023-1393.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
diff --git a/patches/source/xorg-server/patch/xorg-server/CVE-2023-1393.patch b/patches/source/xorg-server/patch/xorg-server/CVE-2023-1393.patch
new file mode 100644
index 000000000..0d859d6c1
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/CVE-2023-1393.patch
@@ -0,0 +1,42 @@
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH] composite: Fix use-after-free of the COW
+
+ZDI-CAN-19866/CVE-2023-1393
+
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/composite/compwindow.c b/composite/compwindow.c
+index 4e2494b86b..b30da589e9 100644
+--- a/composite/compwindow.c
++++ b/composite/compwindow.c
+@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
+     ret = (*pScreen->DestroyWindow) (pWin);
+     cs->DestroyWindow = pScreen->DestroyWindow;
+     pScreen->DestroyWindow = compDestroyWindow;
++
++    /* Did we just destroy the overlay window? */
++    if (pWin == cs->pOverlayWin)
++        cs->pOverlayWin = NULL;
++
+ /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+     return ret;
+ }
+-- 
+GitLab
+