diff options
Diffstat (limited to 'extra/source/tigervnc/patches/xorg-server/CVE-2024-0229.03.patch')
-rw-r--r-- | extra/source/tigervnc/patches/xorg-server/CVE-2024-0229.03.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/extra/source/tigervnc/patches/xorg-server/CVE-2024-0229.03.patch b/extra/source/tigervnc/patches/xorg-server/CVE-2024-0229.03.patch new file mode 100644 index 000000000..1624ec161 --- /dev/null +++ b/extra/source/tigervnc/patches/xorg-server/CVE-2024-0229.03.patch @@ -0,0 +1,37 @@ +From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Thu, 21 Dec 2023 13:48:10 +1000 +Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of + buttons + +There's a racy sequence where a master device may copy the button class +from the slave, without ever initializing numButtons. This leads to a +device with zero buttons but a button class which is invalid. + +Let's copy the numButtons value from the source - by definition if we +don't have a button class yet we do not have any other slave devices +with more than this number of buttons anyway. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative +--- + Xi/exevents.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index 54ea11a938..e161714682 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + to->button = calloc(1, sizeof(ButtonClassRec)); + if (!to->button) + FatalError("[Xi] no memory for class shift.\n"); ++ to->button->numButtons = from->button->numButtons; + } + else + classes->button = NULL; +-- +GitLab + |