Accepting request 1221609 from X11:XOrg

- 21.1.14 covers also * CVE-2024-31080 (bsc#1222309) * CVE-2024-31081 (bsc#1222310) * CVE-2024-31082 (bsc#1222311) * CVE-2024-31083 (bsc#1222312) - Security update 21.1.14 This release addresses the following security issue * CVE-2024-9632: Heap-based buffer overflow privilege escalation in _XkbSetCompatMap (bsc#1231565) - supersedes U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch - supersedes U_xorg-xserver-e89edec497ba.patch OBS-URL: https://build.opensuse.org/request/show/1221609 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xorg-x11-server?expand=0&rev=435
2024-11-06 15:49:21 +00:00 · 2024-11-06 15:49:21 +00:00 · 5674b3a8fa
commit 5674b3a8fa
parent dd81c855e7 e8016ed6b3
8 changed files with 23 additions and 137 deletions
--- a/U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+++ b/U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
@ -1,74 +0,0 @@
 From c3c2218ab797516e4d63a93a078d77c6ce872d03 Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Fri, 5 Apr 2024 15:24:49 +0200
 Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
 ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
 then frees it using FreeGlyph() to decrease the reference count, after
 AddGlyph() has increased it.
 AddGlyph() however may chose to reuse an existing glyph if it's already
 in the glyphSet, and free the glyph that was given, in which case the
 caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
 already freed glyph, as reported by ASan:
  READ of size 4 thread T0
    #0 in FreeGlyph xserver/render/glyph.c:252
    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
    #2 in Dispatch xserver/dix/dispatch.c:546
    #3 in dix_main xserver/dix/main.c:271
    #4 in main xserver/dix/stubmain.c:34
    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 in __libc_start_main_impl ../csu/libc-start.c:360
    #7  (/usr/bin/Xwayland+0x44fe4)
  Address is located 0 bytes inside of 64-byte region
  freed by thread T0 here:
    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
    #2 in AddGlyph xserver/render/glyph.c:295
    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
    #4 in Dispatch xserver/dix/dispatch.c:546
    #5 in dix_main xserver/dix/main.c:271
    #6 in main xserver/dix/stubmain.c:34
    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
  previously allocated by thread T0 here:
    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 in AllocateGlyph xserver/render/glyph.c:355
    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
    #3 in Dispatch xserver/dix/dispatch.c:546
    #4 in dix_main xserver/dix/main.c:271
    #5 in main xserver/dix/stubmain.c:34
    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
  SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
 To avoid that, make sure not to free the given glyph in AddGlyph().
 v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
 v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
 Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
 Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
 (cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1478>
 ---
 render/glyph.c | 2 --
 1 file changed, 2 deletions(-)
 diff --git a/render/glyph.c b/render/glyph.c
 index d5fc5f3c9..f5069d42f 100644
 --- a/render/glyph.c
 +++ b/render/glyph.c
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
     gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
                       TRUE, glyph->sha1);
     if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
 -        FreeGlyphPicture(glyph);
 -        dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
         glyph = gr->glyph;
     }
     else if (gr->glyph != glyph) {
 -- 
 2.35.3
--- a/U_xorg-xserver-e89edec497ba.patch
+++ b/U_xorg-xserver-e89edec497ba.patch
@ -1,54 +0,0 @@
 From e89edec497bac581ca9b614fb00c25365580f045 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
 Date: Fri, 19 Jan 2024 13:05:51 +0100
 Subject: [PATCH] ephyr: Fix incompatible pointer type build error
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Fix a compilation error on 32 bits architectures with gcc 14:
  ephyr_glamor_xv.c: In function ‘ephyr_glamor_xv_init’:
  ephyr_glamor_xv.c:154:31: error: assignment to ‘SetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  int,  void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom,  INT32,  void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  long int,  void *)’} [-Wincompatible-pointer-types]
    154 |     adaptor->SetPortAttribute = ephyr_glamor_xv_set_port_attribute;
        |                               ^
  ephyr_glamor_xv.c:155:31: error: assignment to ‘GetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  int *, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom,  INT32 *, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  long int *, void *)’} [-Wincompatible-pointer-types]
    155 |     adaptor->GetPortAttribute = ephyr_glamor_xv_get_port_attribute;
        |                               ^
 Build error logs:
 https://koji.fedoraproject.org/koji/taskinfo?taskID=111964273
 Signed-off-by: José Expósito <jexposit@redhat.com>
 ---
 hw/kdrive/ephyr/ephyr_glamor_xv.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/hw/kdrive/ephyr/ephyr_glamor_xv.c b/hw/kdrive/ephyr/ephyr_glamor_xv.c
 index 4dd15cf417..b5eae48c85 100644
 --- a/hw/kdrive/ephyr/ephyr_glamor_xv.c
 +++ b/hw/kdrive/ephyr/ephyr_glamor_xv.c
@@ -50,16 +50,16 @@ ephyr_glamor_xv_stop_video(KdScreenInfo *screen, void *data, Bool cleanup)
 static int
 ephyr_glamor_xv_set_port_attribute(KdScreenInfo *screen,
 -                                   Atom attribute, INT32 value, void *data)
 +                                   Atom attribute, int value, void *data)
 {
 -    return glamor_xv_set_port_attribute(data, attribute, value);
 +    return glamor_xv_set_port_attribute(data, attribute, (INT32)value);
 }
 static int
 ephyr_glamor_xv_get_port_attribute(KdScreenInfo *screen,
 -                                   Atom attribute, INT32 *value, void *data)
 +                                   Atom attribute, int *value, void *data)
 {
 -    return glamor_xv_get_port_attribute(data, attribute, value);
 +    return glamor_xv_get_port_attribute(data, attribute, (INT32 *)value);
 }
 static void
 -- 
 GitLab
--- a/xorg-server-21.1.12.tar.xz
+++ b/xorg-server-21.1.12.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:1e016e2be1b5ccdd65eac3ea08e54bd13ce8f4f6c3fb32ad6fdac4e71729a90f
 size 4957972
--- a/xorg-server-21.1.12.tar.xz.sig
+++ b/xorg-server-21.1.12.tar.xz.sig
--- a/xorg-server-21.1.14.tar.xz
+++ b/xorg-server-21.1.14.tar.xz
--- a/xorg-server-21.1.14.tar.xz.sig
+++ b/xorg-server-21.1.14.tar.xz.sig
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@ -1,3 +1,22 @@
 -------------------------------------------------------------------
 Tue Oct 29 19:08:32 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
 - 21.1.14 covers also
  * CVE-2024-31080 (bsc#1222309)
  * CVE-2024-31081 (bsc#1222310) 
  * CVE-2024-31082 (bsc#1222311)
  * CVE-2024-31083 (bsc#1222312)
 -------------------------------------------------------------------
 Tue Oct 29 19:00:06 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
 - Security update 21.1.14
  This release addresses the following security issue
  * CVE-2024-9632: Heap-based buffer overflow privilege escalation
    in _XkbSetCompatMap (bsc#1231565)
 - supersedes U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
 - supersedes U_xorg-xserver-e89edec497ba.patch
 -------------------------------------------------------------------
 Tue Sep 24 11:20:23 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -36,7 +36,7 @@
 %endif
 Name:           xorg-x11-server
-Version:        21.1.12
+Version:        21.1.14
 Release:        0
 URL:            http://xorg.freedesktop.org/
 Summary:        X
@ -244,8 +244,6 @@ Patch1960:      u_sync-pci-ids-with-Mesa.patch
 Patch2000:      u_fbdevhw_kernel6.9_break_fbdev_open.patch
 Patch1218176:   u_miCloseScreen_check_for_null_pScreen_dev_private.patch
 Patch1222442:   U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
 Patch1222443:   U_xorg-xserver-e89edec497ba.patch
 %description
 This package contains the X.Org Server.
@ -407,9 +405,6 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch -P 1218176 -p1
 %patch -P 1222442 -p1
 %patch -P 1222443 -p1
 %build
 # We have some -z now related errors during X default startup (boo#1197994):
 # - when loading modesetting: gbm_bo_get_plane_count