Diffstat (limited to 'patches/source/xorg-server-xwayland/CVE-2022-4283.patch')
-rw-r--r-- | patches/source/xorg-server-xwayland/CVE-2022-4283.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/patches/source/xorg-server-xwayland/CVE-2022-4283.patch b/patches/source/xorg-server-xwayland/CVE-2022-4283.patch
new file mode 100644
index 000000000..88dfea0af
--- /dev/null
+++ b/patches/source/xorg-server-xwayland/CVE-2022-4283.patch
@@ -0,0 +1,35 @@
+From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 5 Dec 2022 15:55:54 +1000
+Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it
+
+Unlike other elements of the keymap, this pointer was freed but not
+reset. On a subsequent XkbGetKbdByName request, the server may access
+already freed memory.
+
+CVE-2022-4283, ZDI-CAN-19530
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+---
+ xkb/xkbUtils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
+index dd089c204..3f5791a18 100644
+--- a/xkb/xkbUtils.c
++++ b/xkb/xkbUtils.c
+@@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
+ }
+ else {
+ free(dst->names->radio_groups);
++ dst->names->radio_groups = NULL;
+ }
+ dst->names->num_rg = src->names->num_rg;
+
+--
+GitLab
+ |
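Review bot: The added `dst->names->radio_groups = NULL;` in the else branch of `_XkbCopyNames` carries no comment, so the reason for the reset lives only in the commit message; I would put `/* reset after free: a later XkbGetKbdByName copy must not see the stale pointer */` above it. The statement after the branch copies `src->names->num_rg` (presumably zero on this path) into `dst`, so the count and the now-NULL pointer agree. The function starts and ends outside the embedded hunk, so the branch that handles a non-zero `num_rg` cannot be checked here for the same free-without-reset pattern. This page's diffstat is limited to the patch file, so the build-script step that applies it to the xorg-server-xwayland source is not visible and should be confirmed separately.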