From b5eac9957be4752168e21dd2ff7c280a05d7e76f Mon Sep 17 00:00:00 2001
From: Patrick J Volkerding <volkerdi@slackware.com>
Date: Wed, 14 Dec 2022 21:19:34 +0000
Subject: Wed Dec 14 21:19:34 UTC 2022

patches/packages/mozilla-firefox-102.6.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.6.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
    https://www.cve.org/CVERecord?id=CVE-2022-46880
    https://www.cve.org/CVERecord?id=CVE-2022-46872
    https://www.cve.org/CVERecord?id=CVE-2022-46881
    https://www.cve.org/CVERecord?id=CVE-2022-46874
    https://www.cve.org/CVERecord?id=CVE-2022-46875
    https://www.cve.org/CVERecord?id=CVE-2022-46882
    https://www.cve.org/CVERecord?id=CVE-2022-46878
  (* Security fix *)
patches/packages/mozilla-thunderbird-102.6.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.6.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
    https://www.cve.org/CVERecord?id=CVE-2022-46880
    https://www.cve.org/CVERecord?id=CVE-2022-46872
    https://www.cve.org/CVERecord?id=CVE-2022-46881
    https://www.cve.org/CVERecord?id=CVE-2022-46874
    https://www.cve.org/CVERecord?id=CVE-2022-46875
    https://www.cve.org/CVERecord?id=CVE-2022-46882
    https://www.cve.org/CVERecord?id=CVE-2022-46878
  (* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
  This release fixes 6 recently reported security vulnerabilities in
  various extensions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2022-December/003302.html
    https://www.cve.org/CVERecord?id=CVE-2022-46340
    https://www.cve.org/CVERecord?id=CVE-2022-46341
    https://www.cve.org/CVERecord?id=CVE-2022-46342
    https://www.cve.org/CVERecord?id=CVE-2022-46343
    https://www.cve.org/CVERecord?id=CVE-2022-46344
    https://www.cve.org/CVERecord?id=CVE-2022-4283
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-4_slack15.0.txz:  Rebuilt.
  This release fixes 6 recently reported security vulnerabilities in
  various extensions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2022-December/003302.html
    https://www.cve.org/CVERecord?id=CVE-2022-46340
    https://www.cve.org/CVERecord?id=CVE-2022-46341
    https://www.cve.org/CVERecord?id=CVE-2022-46342
    https://www.cve.org/CVERecord?id=CVE-2022-46343
    https://www.cve.org/CVERecord?id=CVE-2022-46344
    https://www.cve.org/CVERecord?id=CVE-2022-4283
  (* Security fix *)
---
 .../xorg-server-xwayland/CVE-2022-46340.patch      | 51 ++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 patches/source/xorg-server-xwayland/CVE-2022-46340.patch

(limited to 'patches/source/xorg-server-xwayland/CVE-2022-46340.patch')

diff --git a/patches/source/xorg-server-xwayland/CVE-2022-46340.patch b/patches/source/xorg-server-xwayland/CVE-2022-46340.patch
new file mode 100644
index 000000000..c9bf7bc9f
--- /dev/null
+++ b/patches/source/xorg-server-xwayland/CVE-2022-46340.patch
@@ -0,0 +1,51 @@
+From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 12:55:45 +1000
+Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
+
+XTestSwapFakeInput assumes all events in this request are
+sizeof(xEvent) and iterates through these in 32-byte increments.
+However, a GenericEvent may be of arbitrary length longer than 32 bytes,
+so any GenericEvent in this list would result in subsequent events to be
+misparsed.
+
+Additional, the swapped event is written into a stack-allocated struct
+xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
+swapping the event may thus smash the stack like an avocado on toast.
+
+Catch this case early and return BadValue for any GenericEvent.
+Which is what would happen in unswapped setups anyway since XTest
+doesn't support GenericEvent.
+
+CVE-2022-46340, ZDI-CAN 19265
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+---
+ Xext/xtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Xext/xtest.c b/Xext/xtest.c
+index bf27eb590..2985a4ce6 100644
+--- a/Xext/xtest.c
++++ b/Xext/xtest.c
+@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
+ 
+     nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
+     for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
++        int evtype = ev->u.u.type & 0x177;
+         /* Swap event */
+-        proc = EventSwapVector[ev->u.u.type & 0177];
++        proc = EventSwapVector[evtype];
+         /* no swapping proc; invalid event type? */
+-        if (!proc || proc == NotImplemented) {
++        if (!proc || proc == NotImplemented || evtype == GenericEvent) {
+             client->errorValue = ev->u.u.type;
+             return BadValue;
+         }
+-- 
+GitLab
+
-- 
cgit v1.2.3-79-gdb01