Mon Oct 17 19:31:45 UTC 202220221017193145_15.0

patches/packages/xorg-server-1.20.14-x86_64-4_slack15.0.txz: Rebuilt. xkb: proof GetCountedString against request length attacks. xkb: fix some possible memleaks in XkbGetKbdByName. xquartz: Fix a possible crash when editing the Application menu due to mutating immutable arrays. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3553 (* Security fix *) patches/packages/xorg-server-xephyr-1.20.14-x86_64-4_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-4_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-4_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-3_slack15.0.txz: Rebuilt. xkb: proof GetCountedString against request length attacks. xkb: fix some possible memleaks in XkbGetKbdByName. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551 (* Security fix *)
author: Patrick J Volkerding <volkerdi@slackware.com> 2022-10-17 19:31:45 +0000
committer: Eric Hameleers <alien@slackware.com> 2022-10-18 13:30:33 +0200
commit: 2559feca78bc678c5bbf91419695174d3fcbdf14 (patch)
tree: efa4d497c6065d936916a39b23f638c6b277b7b4 /patches
parent: a37e7d6f03a8b559ab7c17eb42c13e7e06c2b9fc (diff)
download: current-2559feca78bc678c5bbf91419695174d3fcbdf14.tar.gz
current-2559feca78bc678c5bbf91419695174d3fcbdf14.tar.xz
13 files changed, 240 insertions, 2 deletions
diff --git a/patches/packages/xorg-server-1.20.14-x86_64-3_slack15.0.txt b/patches/packages/xorg-server-1.20.14-x86_64-4_slack15.0.txt
index ec0248ea9..ec0248ea9 100644
--- a/patches/packages/xorg-server-1.20.14-x86_64-3_slack15.0.txt
+++ b/patches/packages/xorg-server-1.20.14-x86_64-4_slack15.0.txt
diff --git a/patches/packages/xorg-server-xephyr-1.20.14-x86_64-3_slack15.0.txt b/patches/packages/xorg-server-xephyr-1.20.14-x86_64-4_slack15.0.txt
index 2ffb35f60..2ffb35f60 100644
--- a/patches/packages/xorg-server-xephyr-1.20.14-x86_64-3_slack15.0.txt
+++ b/patches/packages/xorg-server-xephyr-1.20.14-x86_64-4_slack15.0.txt
diff --git a/patches/packages/xorg-server-xnest-1.20.14-x86_64-3_slack15.0.txt b/patches/packages/xorg-server-xnest-1.20.14-x86_64-4_slack15.0.txt
index 9c7075278..9c7075278 100644
--- a/patches/packages/xorg-server-xnest-1.20.14-x86_64-3_slack15.0.txt
+++ b/patches/packages/xorg-server-xnest-1.20.14-x86_64-4_slack15.0.txt
diff --git a/patches/packages/xorg-server-xvfb-1.20.14-x86_64-3_slack15.0.txt b/patches/packages/xorg-server-xvfb-1.20.14-x86_64-4_slack15.0.txt
index 675c628db..675c628db 100644
--- a/patches/packages/xorg-server-xvfb-1.20.14-x86_64-3_slack15.0.txt
+++ b/patches/packages/xorg-server-xvfb-1.20.14-x86_64-4_slack15.0.txt
diff --git a/patches/packages/xorg-server-xwayland-21.1.4-x86_64-2_slack15.0.txt b/patches/packages/xorg-server-xwayland-21.1.4-x86_64-3_slack15.0.txt
index 44e18f2cf..44e18f2cf 100644
--- a/patches/packages/xorg-server-xwayland-21.1.4-x86_64-2_slack15.0.txt
+++ b/patches/packages/xorg-server-xwayland-21.1.4-x86_64-3_slack15.0.txt
diff --git a/patches/source/xorg-server-xwayland/CVE-2022-3550.patch b/patches/source/xorg-server-xwayland/CVE-2022-3550.patch
new file mode 100644
index 000000000..3461b0749
--- /dev/null
+++ b/patches/source/xorg-server-xwayland/CVE-2022-3550.patch
@@ -0,0 +1,34 @@
+From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 12:06:20 +1000
+Subject: xkb: proof GetCountedString against request length attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index f42f59ef3..1841cff26 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+     CARD16 len;
+ 
+     wire = *wire_inout;
++
++    if (client->req_len <
++        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++        return BadValue;
++
+     len = *(CARD16 *) wire;
+     if (client->swapped) {
+         swaps(&len);
+-- 
+cgit v1.2.1
+
diff --git a/patches/source/xorg-server-xwayland/CVE-2022-3551.patch b/patches/source/xorg-server-xwayland/CVE-2022-3551.patch
new file mode 100644
index 000000000..e41db9286
--- /dev/null
+++ b/patches/source/xorg-server-xwayland/CVE-2022-3551.patch
@@ -0,0 +1,59 @@
+From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 13 Jul 2022 11:23:09 +1000
+Subject: xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4692895db..b79a269e3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+     xkb = dev->key->xkbInfo->desc;
+     status = Success;
+     str = (unsigned char *) &stuff[1];
+-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
+-        return BadMatch;
++    {
++        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
++        if (keymap) {
++            free(keymap);
++            return BadMatch;
++        }
++    }
+     names.keycodes = GetComponentSpec(&str, TRUE, &status);
+     names.types = GetComponentSpec(&str, TRUE, &status);
+     names.compat = GetComponentSpec(&str, TRUE, &status);
+     names.symbols = GetComponentSpec(&str, TRUE, &status);
+     names.geometry = GetComponentSpec(&str, TRUE, &status);
+-    if (status != Success)
++    if (status == Success) {
++        len = str - ((unsigned char *) stuff);
++        if ((XkbPaddedSize(len) / 4) != stuff->length)
++            status = BadLength;
++    }
++
++    if (status != Success) {
++        free(names.keycodes);
++        free(names.types);
++        free(names.compat);
++        free(names.symbols);
++        free(names.geometry);
+         return status;
+-    len = str - ((unsigned char *) stuff);
+-    if ((XkbPaddedSize(len) / 4) != stuff->length)
+-        return BadLength;
++    }
+ 
+     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+-- 
+cgit v1.2.1
+
diff --git a/patches/source/xorg-server-xwayland/xorg-server-xwayland.SlackBuild b/patches/source/xorg-server-xwayland/xorg-server-xwayland.SlackBuild
index fb119aa22..8be825f3c 100755
--- a/patches/source/xorg-server-xwayland/xorg-server-xwayland.SlackBuild
+++ b/patches/source/xorg-server-xwayland/xorg-server-xwayland.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=xorg-server-xwayland
 SRCNAM=xwayland
 VERSION=${VERSION:-$(echo $SRCNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-2_slack15.0}
+BUILD=${BUILD:-3_slack15.0}
 
 # Default font paths to be used by the X server:
 DEF_FONTPATH="/usr/share/fonts/misc,/usr/share/fonts/local,/usr/share/fonts/TTF,/usr/share/fonts/OTF,/usr/share/fonts/Type1,/usr/share/fonts/CID,/usr/share/fonts/75dpi/:unscaled,/usr/share/fonts/100dpi/:unscaled,/usr/share/fonts/75dpi,/usr/share/fonts/100dpi,/usr/share/fonts/cyrillic"
@@ -85,6 +85,10 @@ zcat $CWD/0001-f1070c01d616c5f21f939d5ebc533738779451ac.patch.gz | patch -p1 --v
 zcat $CWD/0002-dd8caf39e9e15d8f302e54045dd08d8ebf1025dc.patch.gz | patch -p1 --verbose || exit 1
 zcat $CWD/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch.gz | patch -p1 --verbose || exit 1
 
+# Patch more security issues:
+zcat $CWD/CVE-2022-3550.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/CVE-2022-3551.patch.gz | patch -p1 --verbose || exit 1
+
 # Configure, build, and install:
 export CFLAGS="$SLKCFLAGS"
 export CXXFLAGS="$SLKCFLAGS"
diff --git a/patches/source/xorg-server/build/xorg-server b/patches/source/xorg-server/build/xorg-server
index ce80d7ec1..56dc1348a 100644
--- a/patches/source/xorg-server/build/xorg-server
+++ b/patches/source/xorg-server/build/xorg-server
@@ -1 +1 @@
-3_slack15.0
+4_slack15.0
diff --git a/patches/source/xorg-server/patch/xorg-server.patch b/patches/source/xorg-server/patch/xorg-server.patch
index 52169835e..770ff67d4 100644
--- a/patches/source/xorg-server/patch/xorg-server.patch
+++ b/patches/source/xorg-server/patch/xorg-server.patch
@@ -33,3 +33,8 @@ zcat $CWD/patch/xorg-server/06_use-intel-only-on-pre-gen4.diff.gz | patch -p1 --
 zcat $CWD/patch/xorg-server/0001-f1070c01d616c5f21f939d5ebc533738779451ac.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
 zcat $CWD/patch/xorg-server/0002-dd8caf39e9e15d8f302e54045dd08d8ebf1025dc.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
 zcat $CWD/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+
+# Patch some more security issues:
+zcat $CWD/patch/xorg-server/CVE-2022-3550.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+zcat $CWD/patch/xorg-server/CVE-2022-3551.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+zcat $CWD/patch/xorg-server/CVE-2022-3553.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
diff --git a/patches/source/xorg-server/patch/xorg-server/CVE-2022-3550.patch b/patches/source/xorg-server/patch/xorg-server/CVE-2022-3550.patch
new file mode 100644
index 000000000..3461b0749
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/CVE-2022-3550.patch
@@ -0,0 +1,34 @@
+From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 12:06:20 +1000
+Subject: xkb: proof GetCountedString against request length attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index f42f59ef3..1841cff26 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+     CARD16 len;
+ 
+     wire = *wire_inout;
++
++    if (client->req_len <
++        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++        return BadValue;
++
+     len = *(CARD16 *) wire;
+     if (client->swapped) {
+         swaps(&len);
+-- 
+cgit v1.2.1
+
diff --git a/patches/source/xorg-server/patch/xorg-server/CVE-2022-3551.patch b/patches/source/xorg-server/patch/xorg-server/CVE-2022-3551.patch
new file mode 100644
index 000000000..e41db9286
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/CVE-2022-3551.patch
@@ -0,0 +1,59 @@
+From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 13 Jul 2022 11:23:09 +1000
+Subject: xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4692895db..b79a269e3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+     xkb = dev->key->xkbInfo->desc;
+     status = Success;
+     str = (unsigned char *) &stuff[1];
+-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
+-        return BadMatch;
++    {
++        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
++        if (keymap) {
++            free(keymap);
++            return BadMatch;
++        }
++    }
+     names.keycodes = GetComponentSpec(&str, TRUE, &status);
+     names.types = GetComponentSpec(&str, TRUE, &status);
+     names.compat = GetComponentSpec(&str, TRUE, &status);
+     names.symbols = GetComponentSpec(&str, TRUE, &status);
+     names.geometry = GetComponentSpec(&str, TRUE, &status);
+-    if (status != Success)
++    if (status == Success) {
++        len = str - ((unsigned char *) stuff);
++        if ((XkbPaddedSize(len) / 4) != stuff->length)
++            status = BadLength;
++    }
++
++    if (status != Success) {
++        free(names.keycodes);
++        free(names.types);
++        free(names.compat);
++        free(names.symbols);
++        free(names.geometry);
+         return status;
+-    len = str - ((unsigned char *) stuff);
+-    if ((XkbPaddedSize(len) / 4) != stuff->length)
+-        return BadLength;
++    }
+ 
+     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+-- 
+cgit v1.2.1
+
diff --git a/patches/source/xorg-server/patch/xorg-server/CVE-2022-3553.patch b/patches/source/xorg-server/patch/xorg-server/CVE-2022-3553.patch
new file mode 100644
index 000000000..593545d03
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/CVE-2022-3553.patch
@@ -0,0 +1,43 @@
+From dfd057996b26420309c324ec844a5ba6dd07eda3 Mon Sep 17 00:00:00 2001
+From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Date: Sat, 2 Jul 2022 14:17:18 -0700
+Subject: xquartz: Fix a possible crash when editing the Application menu due
+ to mutaing immutable arrays
+
+Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object
+
+Application Specific Backtrace 0:
+0   CoreFoundation                      0x00007ff80d2c5e9b __exceptionPreprocess + 242
+1   libobjc.A.dylib                     0x00007ff80d027e48 objc_exception_throw + 48
+2   CoreFoundation                      0x00007ff80d38167b _CFThrowFormattedException + 194
+3   CoreFoundation                      0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0
+4   CoreFoundation                      0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119
+5   X11.bin                             0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169
+
+Fixes: https://github.com/XQuartz/XQuartz/issues/267
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+---
+ hw/xquartz/X11Controller.m | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
+index 3b55bb6a5..e9a939312 100644
+--- a/hw/xquartz/X11Controller.m
++++ b/hw/xquartz/X11Controller.m
+@@ -469,8 +469,11 @@ extern char *bundle_id_prefix;
+     self.table_apps = table_apps;
+ 
+     NSArray * const apps = self.apps;
+-    if (apps != nil)
+-        [table_apps addObjectsFromArray:apps];
++    if (apps != nil) {
++        for (NSArray <NSString *> * row in apps) {
++            [table_apps addObject:row.mutableCopy];
++        }
++    }
+ 
+     columns = [apps_table tableColumns];
+     [[columns objectAtIndex:0] setIdentifier:@"0"];
+-- 
+cgit v1.2.1
+
author	Patrick J Volkerding <volkerdi@slackware.com>	2022-10-17 19:31:45 +0000
committer	Eric Hameleers <alien@slackware.com>	2022-10-18 13:30:33 +0200
commit	2559feca78bc678c5bbf91419695174d3fcbdf14 (patch)
tree	efa4d497c6065d936916a39b23f638c6b277b7b4 /patches
parent	a37e7d6f03a8b559ab7c17eb42c13e7e06c2b9fc (diff)
download	current-2559feca78bc678c5bbf91419695174d3fcbdf14.tar.gz current-2559feca78bc678c5bbf91419695174d3fcbdf14.tar.xz