diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2022-10-17 19:31:45 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2022-10-18 07:00:18 +0200 |
commit | 717971ecd65b6255712f5352cbd58ee028f32f1b (patch) | |
tree | 11aa384ad7f673c2d490c542ebed14f4334c8e78 /source/x | |
parent | 9b906307deaeeb6ceef5d5c11abdc1f0770dca02 (diff) | |
download | current-717971ecd65b6255712f5352cbd58ee028f32f1b.tar.gz current-717971ecd65b6255712f5352cbd58ee028f32f1b.tar.xz |
Mon Oct 17 19:31:45 UTC 202220221017193145
l/libqalculate-4.4.0-x86_64-1.txz: Upgraded.
l/netpbm-11.00.01-x86_64-1.txz: Upgraded.
x/xorg-server-21.1.4-x86_64-2.txz: Rebuilt.
xkb: proof GetCountedString against request length attacks.
xkb: fix some possible memleaks in XkbGetKbdByName.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
(* Security fix *)
x/xorg-server-xephyr-21.1.4-x86_64-2.txz: Rebuilt.
x/xorg-server-xnest-21.1.4-x86_64-2.txz: Rebuilt.
x/xorg-server-xvfb-21.1.4-x86_64-2.txz: Rebuilt.
x/xorg-server-xwayland-22.1.3-x86_64-2.txz: Rebuilt.
xkb: proof GetCountedString against request length attacks.
xkb: fix some possible memleaks in XkbGetKbdByName.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
(* Security fix *)
xap/blueman-2.3.4-x86_64-1.txz: Upgraded.
Diffstat (limited to 'source/x')
8 files changed, 198 insertions, 39 deletions
diff --git a/source/x/x11/build/xorg-server b/source/x/x11/build/xorg-server index d00491fd7..0cfbf0888 100644 --- a/source/x/x11/build/xorg-server +++ b/source/x/x11/build/xorg-server @@ -1 +1 @@ -1 +2 diff --git a/source/x/x11/patch/xorg-server.patch b/source/x/x11/patch/xorg-server.patch index 791dfe157..b0c4f28bc 100644 --- a/source/x/x11/patch/xorg-server.patch +++ b/source/x/x11/patch/xorg-server.patch @@ -20,3 +20,9 @@ zcat $CWD/patch/xorg-server/0001-xfree86-use-modesetting-driver-by-default-on-Ge # Only use Intel DDX with pre-gen4 hardware. Newer hardware will the the modesetting driver by default: zcat $CWD/patch/xorg-server/06_use-intel-only-on-pre-gen4.diff.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; } + +# Patch some more security issues: +zcat $CWD/patch/xorg-server/CVE-2022-3550.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; } +zcat $CWD/patch/xorg-server/CVE-2022-3551.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; } +# This one doesn't apply properly, but it's for OSX anyway :) +#zcat $CWD/patch/xorg-server/CVE-2022-3553.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; } diff --git a/source/x/x11/patch/xorg-server/CVE-2022-3550.patch b/source/x/x11/patch/xorg-server/CVE-2022-3550.patch new file mode 100644 index 000000000..3461b0749 --- /dev/null +++ b/source/x/x11/patch/xorg-server/CVE-2022-3550.patch @@ -0,0 +1,34 @@ +From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 5 Jul 2022 12:06:20 +1000 +Subject: xkb: proof GetCountedString against request length attacks + +GetCountedString did a check for the whole string to be within the +request buffer but not for the initial 2 bytes that contain the length +field. A swapped client could send a malformed request to trigger a +swaps() on those bytes, writing into random memory. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + xkb/xkb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f42f59ef3..1841cff26 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) + CARD16 len; + + wire = *wire_inout; ++ ++ if (client->req_len < ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) ++ return BadValue; ++ + len = *(CARD16 *) wire; + if (client->swapped) { + swaps(&len); +-- +cgit v1.2.1 + diff --git a/source/x/x11/patch/xorg-server/CVE-2022-3551.patch b/source/x/x11/patch/xorg-server/CVE-2022-3551.patch new file mode 100644 index 000000000..e41db9286 --- /dev/null +++ b/source/x/x11/patch/xorg-server/CVE-2022-3551.patch @@ -0,0 +1,59 @@ +From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Wed, 13 Jul 2022 11:23:09 +1000 +Subject: xkb: fix some possible memleaks in XkbGetKbdByName + +GetComponentByName returns an allocated string, so let's free that if we +fail somewhere. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + xkb/xkb.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 4692895db..b79a269e3 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client) + xkb = dev->key->xkbInfo->desc; + status = Success; + str = (unsigned char *) &stuff[1]; +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ +- return BadMatch; ++ { ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ ++ if (keymap) { ++ free(keymap); ++ return BadMatch; ++ } ++ } + names.keycodes = GetComponentSpec(&str, TRUE, &status); + names.types = GetComponentSpec(&str, TRUE, &status); + names.compat = GetComponentSpec(&str, TRUE, &status); + names.symbols = GetComponentSpec(&str, TRUE, &status); + names.geometry = GetComponentSpec(&str, TRUE, &status); +- if (status != Success) ++ if (status == Success) { ++ len = str - ((unsigned char *) stuff); ++ if ((XkbPaddedSize(len) / 4) != stuff->length) ++ status = BadLength; ++ } ++ ++ if (status != Success) { ++ free(names.keycodes); ++ free(names.types); ++ free(names.compat); ++ free(names.symbols); ++ free(names.geometry); + return status; +- len = str - ((unsigned char *) stuff); +- if ((XkbPaddedSize(len) / 4) != stuff->length) +- return BadLength; ++ } + + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); +-- +cgit v1.2.1 + diff --git a/source/x/x11/patch/xorg-server/failed/0001-Always-install-vbe-and-int10-sdk-headers.patch b/source/x/x11/patch/xorg-server/failed/0001-Always-install-vbe-and-int10-sdk-headers.patch deleted file mode 100644 index c613eb8f9..000000000 --- a/source/x/x11/patch/xorg-server/failed/0001-Always-install-vbe-and-int10-sdk-headers.patch +++ /dev/null @@ -1,37 +0,0 @@ -From e96a83d9b1b5a52a41213c7a4840dc96b4f5b06f Mon Sep 17 00:00:00 2001 -From: Adam Jackson <ajax@redhat.com> -Date: Wed, 15 Aug 2012 12:35:21 -0400 -Subject: [PATCH] Always install vbe and int10 sdk headers - -Signed-off-by: Adam Jackson <ajax@redhat.com> ---- - hw/xfree86/Makefile.am | 12 ++---------- - 1 file changed, 2 insertions(+), 10 deletions(-) - -diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am -index b876b79..a170b58 100644 ---- a/hw/xfree86/Makefile.am -+++ b/hw/xfree86/Makefile.am -@@ -26,17 +26,9 @@ if VGAHW - VGAHW_SUBDIR = vgahw - endif - --if VBE --VBE_SUBDIR = vbe --endif -- --if INT10MODULE --INT10_SUBDIR = int10 --endif -- --SUBDIRS = common ddc x86emu $(INT10_SUBDIR) os-support parser \ -+SUBDIRS = common ddc x86emu int10 os-support parser \ - ramdac $(VGAHW_SUBDIR) loader modes $(DRI_SUBDIR) \ -- $(DRI2_SUBDIR) . $(VBE_SUBDIR) i2c dixmods xkb \ -+ $(DRI2_SUBDIR) . vbe i2c dixmods xkb \ - fbdevhw shadowfb exa $(XF86UTILS_SUBDIR) doc man \ - $(GLAMOR_EGL_SUBDIR) drivers - --- -2.13.6 - diff --git a/source/x/xorg-server-xwayland/CVE-2022-3550.patch b/source/x/xorg-server-xwayland/CVE-2022-3550.patch new file mode 100644 index 000000000..3461b0749 --- /dev/null +++ b/source/x/xorg-server-xwayland/CVE-2022-3550.patch @@ -0,0 +1,34 @@ +From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 5 Jul 2022 12:06:20 +1000 +Subject: xkb: proof GetCountedString against request length attacks + +GetCountedString did a check for the whole string to be within the +request buffer but not for the initial 2 bytes that contain the length +field. A swapped client could send a malformed request to trigger a +swaps() on those bytes, writing into random memory. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + xkb/xkb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f42f59ef3..1841cff26 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) + CARD16 len; + + wire = *wire_inout; ++ ++ if (client->req_len < ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) ++ return BadValue; ++ + len = *(CARD16 *) wire; + if (client->swapped) { + swaps(&len); +-- +cgit v1.2.1 + diff --git a/source/x/xorg-server-xwayland/CVE-2022-3551.patch b/source/x/xorg-server-xwayland/CVE-2022-3551.patch new file mode 100644 index 000000000..e41db9286 --- /dev/null +++ b/source/x/xorg-server-xwayland/CVE-2022-3551.patch @@ -0,0 +1,59 @@ +From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Wed, 13 Jul 2022 11:23:09 +1000 +Subject: xkb: fix some possible memleaks in XkbGetKbdByName + +GetComponentByName returns an allocated string, so let's free that if we +fail somewhere. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +--- + xkb/xkb.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 4692895db..b79a269e3 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client) + xkb = dev->key->xkbInfo->desc; + status = Success; + str = (unsigned char *) &stuff[1]; +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ +- return BadMatch; ++ { ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ ++ if (keymap) { ++ free(keymap); ++ return BadMatch; ++ } ++ } + names.keycodes = GetComponentSpec(&str, TRUE, &status); + names.types = GetComponentSpec(&str, TRUE, &status); + names.compat = GetComponentSpec(&str, TRUE, &status); + names.symbols = GetComponentSpec(&str, TRUE, &status); + names.geometry = GetComponentSpec(&str, TRUE, &status); +- if (status != Success) ++ if (status == Success) { ++ len = str - ((unsigned char *) stuff); ++ if ((XkbPaddedSize(len) / 4) != stuff->length) ++ status = BadLength; ++ } ++ ++ if (status != Success) { ++ free(names.keycodes); ++ free(names.types); ++ free(names.compat); ++ free(names.symbols); ++ free(names.geometry); + return status; +- len = str - ((unsigned char *) stuff); +- if ((XkbPaddedSize(len) / 4) != stuff->length) +- return BadLength; ++ } + + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); +-- +cgit v1.2.1 + diff --git a/source/x/xorg-server-xwayland/xorg-server-xwayland.SlackBuild b/source/x/xorg-server-xwayland/xorg-server-xwayland.SlackBuild index 6365e0c41..b0da0fe1d 100755 --- a/source/x/xorg-server-xwayland/xorg-server-xwayland.SlackBuild +++ b/source/x/xorg-server-xwayland/xorg-server-xwayland.SlackBuild @@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=xorg-server-xwayland SRCNAM=xwayland VERSION=${VERSION:-$(echo $SRCNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} # Default font paths to be used by the X server: DEF_FONTPATH="/usr/share/fonts/misc,/usr/share/fonts/local,/usr/share/fonts/TTF,/usr/share/fonts/OTF,/usr/share/fonts/Type1,/usr/share/fonts/CID,/usr/share/fonts/75dpi/:unscaled,/usr/share/fonts/100dpi/:unscaled,/usr/share/fonts/75dpi,/usr/share/fonts/100dpi,/usr/share/fonts/cyrillic" @@ -80,6 +80,10 @@ find . \ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ -exec chmod 644 {} \+ +# Patch more security issues: +zcat $CWD/CVE-2022-3550.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/CVE-2022-3551.patch.gz | patch -p1 --verbose || exit 1 + # Configure, build, and install: export CFLAGS="$SLKCFLAGS" export CXXFLAGS="$SLKCFLAGS" |