Accepting request 1221609 from X11:XOrg

- 21.1.14 covers also * CVE-2024-31080 (bsc#1222309) * CVE-2024-31081 (bsc#1222310) * CVE-2024-31082 (bsc#1222311) * CVE-2024-31083 (bsc#1222312) - Security update 21.1.14 This release addresses the following security issue * CVE-2024-9632: Heap-based buffer overflow privilege escalation in _XkbSetCompatMap (bsc#1231565) - supersedes U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch - supersedes U_xorg-xserver-e89edec497ba.patch OBS-URL: https://build.opensuse.org/request/show/1221609 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xorg-x11-server?expand=0&rev=435
2024-11-06 15:49:21 +00:00 · 2024-11-06 15:49:21 +00:00 · 5674b3a8fa
commit 5674b3a8fa
parent dd81c855e7 e8016ed6b3
8 changed files with 23 additions and 137 deletions
--- a/U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+++ b/U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
@ -1,74 +0,0 @@
-From c3c2218ab797516e4d63a93a078d77c6ce872d03 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Fri, 5 Apr 2024 15:24:49 +0200
-Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
-
-ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
-then frees it using FreeGlyph() to decrease the reference count, after
-AddGlyph() has increased it.
-
-AddGlyph() however may chose to reuse an existing glyph if it's already
-in the glyphSet, and free the glyph that was given, in which case the
-caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
-already freed glyph, as reported by ASan:
-
-  READ of size 4 thread T0
-    #0 in FreeGlyph xserver/render/glyph.c:252
-    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
-    #2 in Dispatch xserver/dix/dispatch.c:546
-    #3 in dix_main xserver/dix/main.c:271
-    #4 in main xserver/dix/stubmain.c:34
-    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-    #6 in __libc_start_main_impl ../csu/libc-start.c:360
-    #7  (/usr/bin/Xwayland+0x44fe4)
-  Address is located 0 bytes inside of 64-byte region
-  freed by thread T0 here:
-    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
-    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
-    #2 in AddGlyph xserver/render/glyph.c:295
-    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
-    #4 in Dispatch xserver/dix/dispatch.c:546
-    #5 in dix_main xserver/dix/main.c:271
-    #6 in main xserver/dix/stubmain.c:34
-    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-  previously allocated by thread T0 here:
-    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
-    #1 in AllocateGlyph xserver/render/glyph.c:355
-    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
-    #3 in Dispatch xserver/dix/dispatch.c:546
-    #4 in dix_main xserver/dix/main.c:271
-    #5 in main xserver/dix/stubmain.c:34
-    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-  SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
-
-To avoid that, make sure not to free the given glyph in AddGlyph().
-
-v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
-v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
-
-Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
-Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
-
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1478>
---
- render/glyph.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/render/glyph.c b/render/glyph.c
-index d5fc5f3c9..f5069d42f 100644
--- a/render/glyph.c
-+++ b/render/glyph.c
-@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
-     gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
-                       TRUE, glyph->sha1);
-     if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
-        FreeGlyphPicture(glyph);
-        dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
-         glyph = gr->glyph;
-     }
-     else if (gr->glyph != glyph) {
-- 
-2.35.3
-
--- a/U_xorg-xserver-e89edec497ba.patch
+++ b/U_xorg-xserver-e89edec497ba.patch
@ -1,54 +0,0 @@
-From e89edec497bac581ca9b614fb00c25365580f045 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
-Date: Fri, 19 Jan 2024 13:05:51 +0100
-Subject: [PATCH] ephyr: Fix incompatible pointer type build error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fix a compilation error on 32 bits architectures with gcc 14:
-
-  ephyr_glamor_xv.c: In function ‘ephyr_glamor_xv_init’:
-  ephyr_glamor_xv.c:154:31: error: assignment to ‘SetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  int,  void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom,  INT32,  void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  long int,  void *)’} [-Wincompatible-pointer-types]
-    154 |     adaptor->SetPortAttribute = ephyr_glamor_xv_set_port_attribute;
-        |                               ^
-  ephyr_glamor_xv.c:155:31: error: assignment to ‘GetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  int *, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom,  INT32 *, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  long int *, void *)’} [-Wincompatible-pointer-types]
-    155 |     adaptor->GetPortAttribute = ephyr_glamor_xv_get_port_attribute;
-        |                               ^
-
-Build error logs:
-https://koji.fedoraproject.org/koji/taskinfo?taskID=111964273
-
-Signed-off-by: José Expósito <jexposit@redhat.com>
---
- hw/kdrive/ephyr/ephyr_glamor_xv.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/hw/kdrive/ephyr/ephyr_glamor_xv.c b/hw/kdrive/ephyr/ephyr_glamor_xv.c
-index 4dd15cf417..b5eae48c85 100644
--- a/hw/kdrive/ephyr/ephyr_glamor_xv.c
-+++ b/hw/kdrive/ephyr/ephyr_glamor_xv.c
-@@ -50,16 +50,16 @@ ephyr_glamor_xv_stop_video(KdScreenInfo *screen, void *data, Bool cleanup)
- 
- static int
- ephyr_glamor_xv_set_port_attribute(KdScreenInfo *screen,
-                                   Atom attribute, INT32 value, void *data)
-+                                   Atom attribute, int value, void *data)
- {
-    return glamor_xv_set_port_attribute(data, attribute, value);
-+    return glamor_xv_set_port_attribute(data, attribute, (INT32)value);
- }
- 
- static int
- ephyr_glamor_xv_get_port_attribute(KdScreenInfo *screen,
-                                   Atom attribute, INT32 *value, void *data)
-+                                   Atom attribute, int *value, void *data)
- {
-    return glamor_xv_get_port_attribute(data, attribute, value);
-+    return glamor_xv_get_port_attribute(data, attribute, (INT32 *)value);
- }
- 
- static void
-- 
-GitLab
-
--- a/xorg-server-21.1.12.tar.xz
+++ b/xorg-server-21.1.12.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1e016e2be1b5ccdd65eac3ea08e54bd13ce8f4f6c3fb32ad6fdac4e71729a90f
-size 4957972
--- a/xorg-server-21.1.12.tar.xz.sig
+++ b/xorg-server-21.1.12.tar.xz.sig
--- a/xorg-server-21.1.14.tar.xz
+++ b/xorg-server-21.1.14.tar.xz
--- a/xorg-server-21.1.14.tar.xz.sig
+++ b/xorg-server-21.1.14.tar.xz.sig
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Tue Oct 29 19:08:32 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- 21.1.14 covers also
+  * CVE-2024-31080 (bsc#1222309)
+  * CVE-2024-31081 (bsc#1222310) 
+  * CVE-2024-31082 (bsc#1222311)
+  * CVE-2024-31083 (bsc#1222312)
+
+-------------------------------------------------------------------
+Tue Oct 29 19:00:06 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- Security update 21.1.14
+  This release addresses the following security issue
+  * CVE-2024-9632: Heap-based buffer overflow privilege escalation
+    in _XkbSetCompatMap (bsc#1231565)
+- supersedes U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+- supersedes U_xorg-xserver-e89edec497ba.patch
+
 -------------------------------------------------------------------
 Tue Sep 24 11:20:23 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -36,7 +36,7 @@
 %endif

 Name:           xorg-x11-server
-Version:        21.1.12
+Version:        21.1.14
 Release:        0
 URL:            http://xorg.freedesktop.org/
 Summary:        X
@ -244,8 +244,6 @@ Patch1960:      u_sync-pci-ids-with-Mesa.patch
 Patch2000:      u_fbdevhw_kernel6.9_break_fbdev_open.patch

 Patch1218176:   u_miCloseScreen_check_for_null_pScreen_dev_private.patch
-Patch1222442:   U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
-Patch1222443:   U_xorg-xserver-e89edec497ba.patch

 %description
 This package contains the X.Org Server.
@ -407,9 +405,6 @@ sh %{SOURCE92} --verify . %{SOURCE91}

 %patch -P 1218176 -p1

-%patch -P 1222442 -p1
-%patch -P 1222443 -p1
-
 %build
 # We have some -z now related errors during X default startup (boo#1197994):
 # - when loading modesetting: gbm_bo_get_plane_count