summaryrefslogtreecommitdiffstats
path: root/source/x/x11/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch
diff options
context:
space:
mode:
author Patrick J Volkerding <volkerdi@slackware.com>2022-07-13 19:56:59 +0000
committer Eric Hameleers <alien@slackware.com>2022-07-14 09:00:16 +0200
commit8db980621c64bad4de1a42f9c5d110eef12758b8 (patch)
tree2e89d361204a545b9abcdb5a7035c8ca4a9cabde /source/x/x11/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch
parentbee3d6c81b37e0eb578c0aaf4dca8202b62ab3c0 (diff)
downloadcurrent-8db980621c64bad4de1a42f9c5d110eef12758b8.tar.gz
current-8db980621c64bad4de1a42f9c5d110eef12758b8.tar.xz
Wed Jul 13 19:56:59 UTC 202220220713195659
a/inih-56-x86_64-1.txz: Upgraded. a/kernel-firmware-20220710_dfa2931-noarch-1.txz: Upgraded. a/kernel-generic-5.18.11-x86_64-1.txz: Upgraded. a/kernel-huge-5.18.11-x86_64-1.txz: Upgraded. a/kernel-modules-5.18.11-x86_64-1.txz: Upgraded. ap/mpg123-1.30.1-x86_64-1.txz: Upgraded. d/git-2.37.1-x86_64-1.txz: Upgraded. d/kernel-headers-5.18.11-x86-1.txz: Upgraded. d/mercurial-6.2-x86_64-1.txz: Upgraded. k/kernel-source-5.18.11-noarch-1.txz: Upgraded. kde/bluedevil-5.25.3-x86_64-1.txz: Upgraded. kde/breeze-5.25.3-x86_64-1.txz: Upgraded. kde/breeze-grub-5.25.3-x86_64-1.txz: Upgraded. kde/breeze-gtk-5.25.3-x86_64-1.txz: Upgraded. kde/drkonqi-5.25.3-x86_64-1.txz: Upgraded. kde/kactivitymanagerd-5.25.3-x86_64-1.txz: Upgraded. kde/kde-cli-tools-5.25.3-x86_64-1.txz: Upgraded. kde/kde-gtk-config-5.25.3-x86_64-1.txz: Upgraded. kde/kdecoration-5.25.3-x86_64-1.txz: Upgraded. kde/kdeplasma-addons-5.25.3-x86_64-1.txz: Upgraded. kde/kgamma5-5.25.3-x86_64-1.txz: Upgraded. kde/khotkeys-5.25.3-x86_64-1.txz: Upgraded. kde/kinfocenter-5.25.3-x86_64-1.txz: Upgraded. kde/kmenuedit-5.25.3-x86_64-1.txz: Upgraded. kde/kscreen-5.25.3-x86_64-1.txz: Upgraded. kde/kscreenlocker-5.25.3-x86_64-1.txz: Upgraded. kde/ksshaskpass-5.25.3-x86_64-1.txz: Upgraded. kde/ksystemstats-5.25.3-x86_64-1.txz: Upgraded. kde/kwallet-pam-5.25.3-x86_64-1.txz: Upgraded. kde/kwayland-integration-5.25.3-x86_64-1.txz: Upgraded. kde/kwin-5.25.3-x86_64-1.txz: Upgraded. kde/kwrited-5.25.3-x86_64-1.txz: Upgraded. kde/layer-shell-qt-5.25.3-x86_64-1.txz: Upgraded. kde/libkscreen-5.25.3-x86_64-1.txz: Upgraded. kde/libksysguard-5.25.3-x86_64-1.txz: Upgraded. kde/milou-5.25.3-x86_64-1.txz: Upgraded. kde/oxygen-5.25.3-x86_64-1.txz: Upgraded. kde/oxygen-sounds-5.25.3-x86_64-1.txz: Upgraded. kde/plasma-browser-integration-5.25.3-x86_64-1.txz: Upgraded. kde/plasma-desktop-5.25.3-x86_64-1.txz: Upgraded. kde/plasma-disks-5.25.3-x86_64-1.txz: Upgraded. kde/plasma-firewall-5.25.3-x86_64-1.txz: Upgraded. kde/plasma-integration-5.25.3-x86_64-1.txz: Upgraded. kde/plasma-nm-5.25.3-x86_64-1.txz: Upgraded. kde/plasma-pa-5.25.3-x86_64-1.txz: Upgraded. kde/plasma-sdk-5.25.3-x86_64-1.txz: Upgraded. kde/plasma-systemmonitor-5.25.3-x86_64-1.txz: Upgraded. kde/plasma-vault-5.25.3-x86_64-1.txz: Upgraded. kde/plasma-workspace-5.25.3.1-x86_64-1.txz: Upgraded. kde/plasma-workspace-wallpapers-5.25.3-x86_64-1.txz: Upgraded. kde/polkit-kde-agent-1-5.25.3-x86_64-1.txz: Upgraded. kde/powerdevil-5.25.3-x86_64-1.txz: Upgraded. kde/qqc2-breeze-style-5.25.3-x86_64-1.txz: Upgraded. kde/sddm-kcm-5.25.3-x86_64-1.txz: Upgraded. kde/systemsettings-5.25.3-x86_64-1.txz: Upgraded. kde/xdg-desktop-portal-kde-5.25.3-x86_64-1.txz: Upgraded. l/SDL2_mixer-2.6.1-x86_64-1.txz: Upgraded. l/gtk4-4.6.6-x86_64-2.txz: Rebuilt. Drop embedded pango library and use "unshare -n" to prevent the issue from happening again. l/libuv-1.44.2-x86_64-1.txz: Upgraded. l/pango-1.50.8-x86_64-1.txz: Upgraded. l/pipewire-0.3.55-x86_64-1.txz: Upgraded. x/font-util-1.3.3-x86_64-1.txz: Upgraded. x/xorg-server-1.20.14-x86_64-4.txz: Rebuilt. xkb: switch to array index loops to moving pointers. xkb: add request length validation for XkbSetGeometry. xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2319 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2320 (* Security fix *) x/xorg-server-xephyr-1.20.14-x86_64-4.txz: Rebuilt. x/xorg-server-xnest-1.20.14-x86_64-4.txz: Rebuilt. x/xorg-server-xvfb-1.20.14-x86_64-4.txz: Rebuilt. xap/mozilla-thunderbird-102.0.2-x86_64-1.txz: Upgraded. This is a bugfix release. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.0.2/releasenotes/ xfce/xfce4-settings-4.16.3-x86_64-1.txz: Upgraded. isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. usb-and-pxe-installers/usbboot.img: Rebuilt.
Diffstat (limited to 'source/x/x11/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch')
-rw-r--r--source/x/x11/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch181
1 files changed, 181 insertions, 0 deletions
diff --git a/source/x/x11/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch b/source/x/x11/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch
new file mode 100644
index 000000000..11121070b
--- /dev/null
+++ b/source/x/x11/patch/xorg-server/0003-6907b6ea2b4ce949cb07271f5b678d5966d9df42.patch
@@ -0,0 +1,181 @@
+From 6907b6ea2b4ce949cb07271f5b678d5966d9df42 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 11:11:06 +1000
+Subject: [PATCH] xkb: add request length validation for XkbSetGeometry
+
+No validation of the various fields on that report were done, so a
+malicious client could send a short request that claims it had N
+sections, or rows, or keys, and the server would process the request for
+N sections, running out of bounds of the actual request data.
+
+Fix this by adding size checks to ensure our data is valid.
+
+ZDI-CAN 16062, CVE-2022-2319.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 43 ++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 38 insertions(+), 5 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 34b2c290b..4692895db 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5156,7 +5156,7 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ }
+
+ static Status
+-_CheckSetDoodad(char **wire_inout,
++_CheckSetDoodad(char **wire_inout, xkbSetGeometryReq *req,
+ XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
+ {
+ char *wire;
+@@ -5167,6 +5167,9 @@ _CheckSetDoodad(char **wire_inout,
+ Status status;
+
+ dWire = (xkbDoodadWireDesc *) (*wire_inout);
++ if (!_XkbCheckRequestBounds(client, req, dWire, dWire + 1))
++ return BadLength;
++
+ any = dWire->any;
+ wire = (char *) &dWire[1];
+ if (client->swapped) {
+@@ -5269,7 +5272,7 @@ _CheckSetDoodad(char **wire_inout,
+ }
+
+ static Status
+-_CheckSetOverlay(char **wire_inout,
++_CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req,
+ XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
+ {
+ register int r;
+@@ -5280,6 +5283,9 @@ _CheckSetOverlay(char **wire_inout,
+
+ wire = *wire_inout;
+ olWire = (xkbOverlayWireDesc *) wire;
++ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
++ return BadLength;
++
+ if (client->swapped) {
+ swapl(&olWire->name);
+ }
+@@ -5291,6 +5297,9 @@ _CheckSetOverlay(char **wire_inout,
+ xkbOverlayKeyWireDesc *kWire;
+ XkbOverlayRowPtr row;
+
++ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
++ return BadLength;
++
+ if (rWire->rowUnder > section->num_rows) {
+ client->errorValue = _XkbErrCode4(0x20, r, section->num_rows,
+ rWire->rowUnder);
+@@ -5299,6 +5308,9 @@ _CheckSetOverlay(char **wire_inout,
+ row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys);
+ kWire = (xkbOverlayKeyWireDesc *) &rWire[1];
+ for (k = 0; k < rWire->nKeys; k++, kWire++) {
++ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
++ return BadLength;
++
+ if (XkbAddGeomOverlayKey(ol, row,
+ (char *) kWire->over,
+ (char *) kWire->under) == NULL) {
+@@ -5332,6 +5344,9 @@ _CheckSetSections(XkbGeometryPtr geom,
+ register int r;
+ xkbRowWireDesc *rWire;
+
++ if (!_XkbCheckRequestBounds(client, req, sWire, sWire + 1))
++ return BadLength;
++
+ if (client->swapped) {
+ swapl(&sWire->name);
+ swaps(&sWire->top);
+@@ -5357,6 +5372,9 @@ _CheckSetSections(XkbGeometryPtr geom,
+ XkbRowPtr row;
+ xkbKeyWireDesc *kWire;
+
++ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
++ return BadLength;
++
+ if (client->swapped) {
+ swaps(&rWire->top);
+ swaps(&rWire->left);
+@@ -5371,6 +5389,9 @@ _CheckSetSections(XkbGeometryPtr geom,
+ for (k = 0; k < rWire->nKeys; k++, kWire++) {
+ XkbKeyPtr key;
+
++ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
++ return BadLength;
++
+ key = XkbAddGeomKey(row);
+ if (!key)
+ return BadAlloc;
+@@ -5396,7 +5417,7 @@ _CheckSetSections(XkbGeometryPtr geom,
+ register int d;
+
+ for (d = 0; d < sWire->nDoodads; d++) {
+- status = _CheckSetDoodad(&wire, geom, section, client);
++ status = _CheckSetDoodad(&wire, req, geom, section, client);
+ if (status != Success)
+ return status;
+ }
+@@ -5405,7 +5426,7 @@ _CheckSetSections(XkbGeometryPtr geom,
+ register int o;
+
+ for (o = 0; o < sWire->nOverlays; o++) {
+- status = _CheckSetOverlay(&wire, geom, section, client);
++ status = _CheckSetOverlay(&wire, req, geom, section, client);
+ if (status != Success)
+ return status;
+ }
+@@ -5439,6 +5460,9 @@ _CheckSetShapes(XkbGeometryPtr geom,
+ xkbOutlineWireDesc *olWire;
+ XkbOutlinePtr ol;
+
++ if (!_XkbCheckRequestBounds(client, req, shapeWire, shapeWire + 1))
++ return BadLength;
++
+ shape =
+ XkbAddGeomShape(geom, shapeWire->name, shapeWire->nOutlines);
+ if (!shape)
+@@ -5449,12 +5473,18 @@ _CheckSetShapes(XkbGeometryPtr geom,
+ XkbPointPtr pt;
+ xkbPointWireDesc *ptWire;
+
++ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
++ return BadLength;
++
+ ol = XkbAddGeomOutline(shape, olWire->nPoints);
+ if (!ol)
+ return BadAlloc;
+ ol->corner_radius = olWire->cornerRadius;
+ ptWire = (xkbPointWireDesc *) &olWire[1];
+ for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++, ptWire++) {
++ if (!_XkbCheckRequestBounds(client, req, ptWire, ptWire + 1))
++ return BadLength;
++
+ pt->x = ptWire->x;
+ pt->y = ptWire->y;
+ if (client->swapped) {
+@@ -5560,12 +5590,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ return status;
+
+ for (i = 0; i < req->nDoodads; i++) {
+- status = _CheckSetDoodad(&wire, geom, NULL, client);
++ status = _CheckSetDoodad(&wire, req, geom, NULL, client);
+ if (status != Success)
+ return status;
+ }
+
+ for (i = 0; i < req->nKeyAliases; i++) {
++ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength))
++ return BadLength;
++
+ if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL)
+ return BadAlloc;
+ wire += 2 * XkbKeyNameLength;
+--
+GitLab
+