summaryrefslogtreecommitdiffstats
path: root/source
diff options
context:
space:
mode:
Diffstat (limited to 'source')
-rw-r--r--source/x/x11/build/xorg-server2
-rw-r--r--source/x/x11/patch/xorg-server.patch6
-rw-r--r--source/x/x11/patch/xorg-server/CVE-2022-3550.patch34
-rw-r--r--source/x/x11/patch/xorg-server/CVE-2022-3551.patch59
-rw-r--r--source/x/x11/patch/xorg-server/failed/0001-Always-install-vbe-and-int10-sdk-headers.patch37
-rw-r--r--source/x/xorg-server-xwayland/CVE-2022-3550.patch34
-rw-r--r--source/x/xorg-server-xwayland/CVE-2022-3551.patch59
-rwxr-xr-xsource/x/xorg-server-xwayland/xorg-server-xwayland.SlackBuild6
8 files changed, 198 insertions, 39 deletions
diff --git a/source/x/x11/build/xorg-server b/source/x/x11/build/xorg-server
index d00491fd7..0cfbf0888 100644
--- a/source/x/x11/build/xorg-server
+++ b/source/x/x11/build/xorg-server
@@ -1 +1 @@
-1
+2
diff --git a/source/x/x11/patch/xorg-server.patch b/source/x/x11/patch/xorg-server.patch
index 791dfe157..b0c4f28bc 100644
--- a/source/x/x11/patch/xorg-server.patch
+++ b/source/x/x11/patch/xorg-server.patch
@@ -20,3 +20,9 @@ zcat $CWD/patch/xorg-server/0001-xfree86-use-modesetting-driver-by-default-on-Ge
# Only use Intel DDX with pre-gen4 hardware. Newer hardware will the the modesetting driver by default:
zcat $CWD/patch/xorg-server/06_use-intel-only-on-pre-gen4.diff.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+
+# Patch some more security issues:
+zcat $CWD/patch/xorg-server/CVE-2022-3550.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+zcat $CWD/patch/xorg-server/CVE-2022-3551.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+# This one doesn't apply properly, but it's for OSX anyway :)
+#zcat $CWD/patch/xorg-server/CVE-2022-3553.patch.gz | patch -p1 --verbose || { touch ${SLACK_X_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
diff --git a/source/x/x11/patch/xorg-server/CVE-2022-3550.patch b/source/x/x11/patch/xorg-server/CVE-2022-3550.patch
new file mode 100644
index 000000000..3461b0749
--- /dev/null
+++ b/source/x/x11/patch/xorg-server/CVE-2022-3550.patch
@@ -0,0 +1,34 @@
+From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 12:06:20 +1000
+Subject: xkb: proof GetCountedString against request length attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index f42f59ef3..1841cff26 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ CARD16 len;
+
+ wire = *wire_inout;
++
++ if (client->req_len <
++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++ return BadValue;
++
+ len = *(CARD16 *) wire;
+ if (client->swapped) {
+ swaps(&len);
+--
+cgit v1.2.1
+
diff --git a/source/x/x11/patch/xorg-server/CVE-2022-3551.patch b/source/x/x11/patch/xorg-server/CVE-2022-3551.patch
new file mode 100644
index 000000000..e41db9286
--- /dev/null
+++ b/source/x/x11/patch/xorg-server/CVE-2022-3551.patch
@@ -0,0 +1,59 @@
+From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 13 Jul 2022 11:23:09 +1000
+Subject: xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4692895db..b79a269e3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+ xkb = dev->key->xkbInfo->desc;
+ status = Success;
+ str = (unsigned char *) &stuff[1];
+- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
+- return BadMatch;
++ {
++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
++ if (keymap) {
++ free(keymap);
++ return BadMatch;
++ }
++ }
+ names.keycodes = GetComponentSpec(&str, TRUE, &status);
+ names.types = GetComponentSpec(&str, TRUE, &status);
+ names.compat = GetComponentSpec(&str, TRUE, &status);
+ names.symbols = GetComponentSpec(&str, TRUE, &status);
+ names.geometry = GetComponentSpec(&str, TRUE, &status);
+- if (status != Success)
++ if (status == Success) {
++ len = str - ((unsigned char *) stuff);
++ if ((XkbPaddedSize(len) / 4) != stuff->length)
++ status = BadLength;
++ }
++
++ if (status != Success) {
++ free(names.keycodes);
++ free(names.types);
++ free(names.compat);
++ free(names.symbols);
++ free(names.geometry);
+ return status;
+- len = str - ((unsigned char *) stuff);
+- if ((XkbPaddedSize(len) / 4) != stuff->length)
+- return BadLength;
++ }
+
+ CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+ CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+--
+cgit v1.2.1
+
diff --git a/source/x/x11/patch/xorg-server/failed/0001-Always-install-vbe-and-int10-sdk-headers.patch b/source/x/x11/patch/xorg-server/failed/0001-Always-install-vbe-and-int10-sdk-headers.patch
deleted file mode 100644
index c613eb8f9..000000000
--- a/source/x/x11/patch/xorg-server/failed/0001-Always-install-vbe-and-int10-sdk-headers.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From e96a83d9b1b5a52a41213c7a4840dc96b4f5b06f Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Wed, 15 Aug 2012 12:35:21 -0400
-Subject: [PATCH] Always install vbe and int10 sdk headers
-
-Signed-off-by: Adam Jackson <ajax@redhat.com>
----
- hw/xfree86/Makefile.am | 12 ++----------
- 1 file changed, 2 insertions(+), 10 deletions(-)
-
-diff --git a/hw/xfree86/Makefile.am b/hw/xfree86/Makefile.am
-index b876b79..a170b58 100644
---- a/hw/xfree86/Makefile.am
-+++ b/hw/xfree86/Makefile.am
-@@ -26,17 +26,9 @@ if VGAHW
- VGAHW_SUBDIR = vgahw
- endif
-
--if VBE
--VBE_SUBDIR = vbe
--endif
--
--if INT10MODULE
--INT10_SUBDIR = int10
--endif
--
--SUBDIRS = common ddc x86emu $(INT10_SUBDIR) os-support parser \
-+SUBDIRS = common ddc x86emu int10 os-support parser \
- ramdac $(VGAHW_SUBDIR) loader modes $(DRI_SUBDIR) \
-- $(DRI2_SUBDIR) . $(VBE_SUBDIR) i2c dixmods xkb \
-+ $(DRI2_SUBDIR) . vbe i2c dixmods xkb \
- fbdevhw shadowfb exa $(XF86UTILS_SUBDIR) doc man \
- $(GLAMOR_EGL_SUBDIR) drivers
-
---
-2.13.6
-
diff --git a/source/x/xorg-server-xwayland/CVE-2022-3550.patch b/source/x/xorg-server-xwayland/CVE-2022-3550.patch
new file mode 100644
index 000000000..3461b0749
--- /dev/null
+++ b/source/x/xorg-server-xwayland/CVE-2022-3550.patch
@@ -0,0 +1,34 @@
+From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 5 Jul 2022 12:06:20 +1000
+Subject: xkb: proof GetCountedString against request length attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index f42f59ef3..1841cff26 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ CARD16 len;
+
+ wire = *wire_inout;
++
++ if (client->req_len <
++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++ return BadValue;
++
+ len = *(CARD16 *) wire;
+ if (client->swapped) {
+ swaps(&len);
+--
+cgit v1.2.1
+
diff --git a/source/x/xorg-server-xwayland/CVE-2022-3551.patch b/source/x/xorg-server-xwayland/CVE-2022-3551.patch
new file mode 100644
index 000000000..e41db9286
--- /dev/null
+++ b/source/x/xorg-server-xwayland/CVE-2022-3551.patch
@@ -0,0 +1,59 @@
+From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 13 Jul 2022 11:23:09 +1000
+Subject: xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4692895db..b79a269e3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+ xkb = dev->key->xkbInfo->desc;
+ status = Success;
+ str = (unsigned char *) &stuff[1];
+- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
+- return BadMatch;
++ {
++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
++ if (keymap) {
++ free(keymap);
++ return BadMatch;
++ }
++ }
+ names.keycodes = GetComponentSpec(&str, TRUE, &status);
+ names.types = GetComponentSpec(&str, TRUE, &status);
+ names.compat = GetComponentSpec(&str, TRUE, &status);
+ names.symbols = GetComponentSpec(&str, TRUE, &status);
+ names.geometry = GetComponentSpec(&str, TRUE, &status);
+- if (status != Success)
++ if (status == Success) {
++ len = str - ((unsigned char *) stuff);
++ if ((XkbPaddedSize(len) / 4) != stuff->length)
++ status = BadLength;
++ }
++
++ if (status != Success) {
++ free(names.keycodes);
++ free(names.types);
++ free(names.compat);
++ free(names.symbols);
++ free(names.geometry);
+ return status;
+- len = str - ((unsigned char *) stuff);
+- if ((XkbPaddedSize(len) / 4) != stuff->length)
+- return BadLength;
++ }
+
+ CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+ CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+--
+cgit v1.2.1
+
diff --git a/source/x/xorg-server-xwayland/xorg-server-xwayland.SlackBuild b/source/x/xorg-server-xwayland/xorg-server-xwayland.SlackBuild
index 6365e0c41..b0da0fe1d 100755
--- a/source/x/xorg-server-xwayland/xorg-server-xwayland.SlackBuild
+++ b/source/x/xorg-server-xwayland/xorg-server-xwayland.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=xorg-server-xwayland
SRCNAM=xwayland
VERSION=${VERSION:-$(echo $SRCNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
# Default font paths to be used by the X server:
DEF_FONTPATH="/usr/share/fonts/misc,/usr/share/fonts/local,/usr/share/fonts/TTF,/usr/share/fonts/OTF,/usr/share/fonts/Type1,/usr/share/fonts/CID,/usr/share/fonts/75dpi/:unscaled,/usr/share/fonts/100dpi/:unscaled,/usr/share/fonts/75dpi,/usr/share/fonts/100dpi,/usr/share/fonts/cyrillic"
@@ -80,6 +80,10 @@ find . \
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
-exec chmod 644 {} \+
+# Patch more security issues:
+zcat $CWD/CVE-2022-3550.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/CVE-2022-3551.patch.gz | patch -p1 --verbose || exit 1
+
# Configure, build, and install:
export CFLAGS="$SLKCFLAGS"
export CXXFLAGS="$SLKCFLAGS"
generated by cgit v1.2.3-65-gdbad (git 2.45.1) at 2024-06-13 00:55:34 +0000