Accepting request 1139223 from X11:XOrg

- Update to version 21.1.11 * This release contains fixes for the issues reported in today's security advisory: https://lists.x.org/archives/xorg/2024-January/061525.html * CVE-2023-6816 (bsc#1218582) * CVE-2024-0229 (bsc#1218583) * CVE-2024-21885 (bsc#1218584) * CVE-2024-21886 (bsc#1218585) * CVE-2024-0408 * CVE-2024-0409 - supersedes the following patches * U_xephyr-Don-t-check-for-SeatId-anymore.patch * U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch * U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch OBS-URL: https://build.opensuse.org/request/show/1139223 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xorg-x11-server?expand=0&rev=424
2024-01-17 21:15:03 +00:00 · 2024-01-17 21:15:03 +00:00 · 9e7dfe9bf7
commit 9e7dfe9bf7
parent 4ac071937a eac62a3a3b
10 changed files with 81 additions and 205 deletions
--- a/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+++ b/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
@ -1,68 +0,0 @@
-From 924fbcb74ae5434afa7ce4603cd85ebcbdcccad5 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 28 Nov 2023 15:19:04 +1000
-Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
-
-button->xkb_acts is supposed to be an array sufficiently large for all
-our buttons, not just a single XkbActions struct. Allocating
-insufficient memory here means when we memcpy() later in
-XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
-leading to the usual security ooopsiedaisies.
-
-CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
- Xi/exevents.c | 12 ++++++------
- dix/devices.c | 10 ++++++++++
- 2 files changed, 16 insertions(+), 6 deletions(-)
--- a/Xi/exevents.c	
-+++ a/Xi/exevents.c	
-@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
-         }
- 
-         if (from->button->xkb_acts) {
-            if (!to->button->xkb_acts) {
-                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
-                if (!to->button->xkb_acts)
-                    FatalError("[Xi] not enough memory for xkb_acts.\n");
-            }
-+            size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
-+            to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
-+                                                   maxbuttons,
-+                                                   sizeof(XkbAction));
-+            memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
-             memcpy(to->button->xkb_acts, from->button->xkb_acts,
-                   sizeof(XkbAction));
-+                   from->button->numButtons * sizeof(XkbAction));
-         }
-         else {
-             free(to->button->xkb_acts);
--- a/dix/devices.c	
-+++ a/dix/devices.c	
-@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
- 
-     if (master->button && master->button->numButtons != maxbuttons) {
-         int i;
-+        int last_num_buttons = master->button->numButtons;
-+
-         DeviceChangedEvent event = {
-             .header = ET_Internal,
-             .type = ET_DeviceChanged,
-@@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
-         };
- 
-         master->button->numButtons = maxbuttons;
-+        if (last_num_buttons < maxbuttons) {
-+            master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
-+                                                       maxbuttons,
-+                                                       sizeof(XkbAction));
-+            memset(&master->button->xkb_acts[last_num_buttons],
-+                   0,
-+                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
-+        }
- 
-         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
-                sizeof(Atom));
-- 
--- a/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+++ b/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
@ -1,59 +0,0 @@
-From bd59316fe54b2bcad94c883e81fe7cae2a90cdd6 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Mon, 27 Nov 2023 16:27:49 +1000
-Subject: [PATCH xserver] randr: avoid integer truncation in length check of
- ProcRRChange*Property
-
-Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
-See also xserver@8f454b79 where this same bug was fixed for the core
-protocol and XI.
-
-This fixes an OOB read and the resulting information disclosure.
-
-Length calculation for the request was clipped to a 32-bit integer. With
-the correct stuff->nUnits value the expected request size was
-truncated, passing the REQUEST_FIXED_SIZE check.
-
-The server then proceeded with reading at least stuff->num_items bytes
-(depending on stuff->format) from the request and stuffing whatever it
-finds into the property. In the process it would also allocate at least
-stuff->nUnits bytes, i.e. 4GB.
-
-CVE-2023-XXXXX, ZDI-CAN-22561
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
- randr/rrproperty.c         | 2 +-
- randr/rrproviderproperty.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/randr/rrproperty.c b/randr/rrproperty.c
-index 25469f57b2..c4fef8a1f6 100644
--- a/randr/rrproperty.c
-+++ b/randr/rrproperty.c
-@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
-     char format, mode;
-     unsigned long len;
-     int sizeInBytes;
-    int totalSize;
-+    uint64_t totalSize;
-     int err;
- 
-     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
-diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
-index b79c17f9bf..90c5a9a933 100644
--- a/randr/rrproviderproperty.c
-+++ b/randr/rrproviderproperty.c
-@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
-     char format, mode;
-     unsigned long len;
-     int sizeInBytes;
-    int totalSize;
-+    uint64_t totalSize;
-     int err;
- 
-     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
-- 
-2.43.0
-
--- a/U_xephyr-Don-t-check-for-SeatId-anymore.patch
+++ b/U_xephyr-Don-t-check-for-SeatId-anymore.patch
@ -1,63 +0,0 @@
-From 4c03b67d334b05b814239420776f2fdd4c4a98ac Mon Sep 17 00:00:00 2001
-From: nerdopolis <bluescreen_avenger@verizon.net>
-Date: Tue, 11 Jan 2022 18:41:42 -0500
-Subject: [PATCH] xephyr: Don't check for SeatId anymore
-
-After a change for the xserver to automatically determine the seat
-based on the XDG_SEAT variable, xephyr stopped working. This was
-because of an old feature where xephyr used to handle evdev
-directly. This was dropped some time ago, and now this check is
-not needed
---
- hw/kdrive/ephyr/ephyrinit.c | 34 ++++++++++++++++------------------
- 1 file changed, 16 insertions(+), 18 deletions(-)
-
-diff --git a/hw/kdrive/ephyr/ephyrinit.c b/hw/kdrive/ephyr/ephyrinit.c
-index 020461db2..09cd28cb3 100644
--- a/hw/kdrive/ephyr/ephyrinit.c
-+++ b/hw/kdrive/ephyr/ephyrinit.c
-@@ -70,25 +70,23 @@ InitInput(int argc, char **argv)
-     KdKeyboardInfo *ki;
-     KdPointerInfo *pi;
- 
-    if (!SeatId) {
-        KdAddKeyboardDriver(&EphyrKeyboardDriver);
-        KdAddPointerDriver(&EphyrMouseDriver);
-
-        if (!kdHasKbd) {
-            ki = KdNewKeyboard();
-            if (!ki)
-                FatalError("Couldn't create Xephyr keyboard\n");
-            ki->driver = &EphyrKeyboardDriver;
-            KdAddKeyboard(ki);
-        }
-+    KdAddKeyboardDriver(&EphyrKeyboardDriver);
-+    KdAddPointerDriver(&EphyrMouseDriver);
-+
-+    if (!kdHasKbd) {
-+        ki = KdNewKeyboard();
-+        if (!ki)
-+            FatalError("Couldn't create Xephyr keyboard\n");
-+        ki->driver = &EphyrKeyboardDriver;
-+        KdAddKeyboard(ki);
-+    }
- 
-        if (!kdHasPointer) {
-            pi = KdNewPointer();
-            if (!pi)
-                FatalError("Couldn't create Xephyr pointer\n");
-            pi->driver = &EphyrMouseDriver;
-            KdAddPointer(pi);
-        }
-+    if (!kdHasPointer) {
-+        pi = KdNewPointer();
-+        if (!pi)
-+            FatalError("Couldn't create Xephyr pointer\n");
-+        pi->driver = &EphyrMouseDriver;
-+        KdAddPointer(pi);
-     }
- 
-     KdInitInput();
-- 
-2.34.1
-
--- a/xorg-server-21.1.11.tar.gz
+++ b/xorg-server-21.1.11.tar.gz
--- a/xorg-server-21.1.11.tar.gz.sig
+++ b/xorg-server-21.1.11.tar.gz.sig
--- a/xorg-server-21.1.9.tar.xz
+++ b/xorg-server-21.1.9.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ff697be2011b4c4966b7806929e51b7a08e9d33800d505305d26d9ccde4b533a
-size 4935860
--- a/xorg-server-21.1.9.tar.xz.sig
+++ b/xorg-server-21.1.9.tar.xz.sig
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Jan 16 13:41:43 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to version 21.1.11
+  * This release contains fixes for the issues reported in today's security
+    advisory: https://lists.x.org/archives/xorg/2024-January/061525.html
+
+  * CVE-2023-6816  (bsc#1218582)
+  * CVE-2024-0229  (bsc#1218583)
+  * CVE-2024-21885 (bsc#1218584)
+  * CVE-2024-21886 (bsc#1218585)
+  * CVE-2024-0408
+  * CVE-2024-0409
+- supersedes the following patches
+  * U_xephyr-Don-t-check-for-SeatId-anymore.patch
+  * U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  * U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+
 -------------------------------------------------------------------
 Sat Jan  6 20:01:20 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

--- a/xorg-x11-server.keyring
+++ b/xorg-x11-server.keyring
@ -145,3 +145,60 @@ iEYEGBECAAYFAj8b0wgACgkQ4jt+cLRn8L+vIwCgg7y9oJK4NeDX1e6zXNOeytZy
 9hoAnigKVkYBlc2jpAKdD+bULpWgw+sz
 =Q/D0
 -----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: Hostname: pgp.surf.nl
+Version: Hockeypuck 2.1.2
+
+xsDiBERd0h4RBACflXMwRMuZ/gICB7oM/SwnYMoDeRVaZHYT2RtI6iaNQpovoMas
+fbLX31icweQm9sMLQJR/bNABpp28Fs1S4yNt9SwAProigexyWl3fFE3uqoVRmglZ
+uQdyXl7nnPC7A3hxHPX88tsZS4UlLFRssTjNnrzzhSR3xyyIlOJnmG5pJwCg/yaH
+DECRtdWm9gIJZwfM6S+ANYUD/0s6FPCIdbDqCzNcMH7YZID+JjBOU3VlRdXfzGmx
+Iy2aPBpC9pkb0EUEL94QZ5Ysa1EGNnNUPq8dQWOr/NllCt2/l0HDLGoziBCpBTvG
+ZNnFaJoErG0kmCH2u0w9VmKKSBq6C0sI8rFW1JthKc/bu6ucBKKbpi4sFYAMyZHn
+sNbzA/9VYevyns5TmZeR7t+x8YRj6xZxWVNGm20gnBBhHVnq/EGIn4a/YN1NLFNc
+4EuarFnzl0w6L1IQHanM+ajBJgzL4oSYCufhTSXgA2utrpIRtKkRW9JH6zt3J5hk
+W8oIcEsY3YRKQ3iVKS3Kz8PgSwezNewFT6o3Juu//95O5qSm8s0iT2xpdmllciBG
+b3VyZGFuIDxmb3VyZGFuQHhmY2Uub3JnPsJ6BBMRAgA6AhsjBgsJCAcDAgQVAggD
+BBYCAwECHgECF4ACGQEWIQRn3IbyYj/F/Uu1Il0UcG2+HktFQAUCXx7jggAKCRAU
+cG2+HktFQMAMAJ4kmAtOA9YEazO+1TNxEvEDZbEDSwCfUVR27NAtNegGOMO7piF1
+KrurTenCaQQTEQIAKQIbIwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQkaVB3SBQJG
+o8t0AhkBAAoJEBRwbb4eS0VANIcAn39YcAnhLnB1pIRQDuBIiIhhFMScAKDZYHMB
+1WIaknrKZSOnjwKBHw2nOcJjBBMRAgAjBQJEXdIeBQkJZgGABgsJCAcDAgQVAggD
+BBYCAwECHgECF4AACgkQFHBtvh5LRUDz7ACgmLpkFGTjcUGnzXnjIw071JQi0HQA
+nisMFnp0kBQIqdv2lufZ9YxXZhD3wkYEEBECAAYFAkRm8GUACgkQLXYbC37EqKxO
+LQCeNE+A668Qj5DB2vmibAV5rn4pMhwAnjgUS/l03Ckfq7jCx1jc3DxSh9UQwkYE
+EBECAAYFAkUMKvkACgkQRR//0/1eDw85jgCfXsyjpqetxwwoyc6LVAdvAhljhF8A
+nAgKOMp8LG6DDrhRomp4kjv0SHegzSNPbGl2aWVyIEZvdXJkYW4gPGZvdXJkYW5A
+Z21haWwuY29tPsJ3BBMRAgA3AhsjBgsJCAcDAgQVAggDBBYCAwECHgECF4AWIQRn
+3IbyYj/F/Uu1Il0UcG2+HktFQAUCXx7jgwAKCRAUcG2+HktFQJ5GAJ9yYpsMZ5oW
+I8Kv1qGf0MlRRZgxTACeL0BZ4Ni2nm5Exuv2CJxeT/KpcJ3CZgQTEQIAJgIbIwYL
+CQgHAwIEFQIIAwQWAgMBAh4BAheABQJGo8tYBQkaVB3SAAoJEBRwbb4eS0VAhKgA
+n3Js4UVMHITK3bgpcECV6xfuoEiUAKCZa2BJbdnOgbAlcbSScRGpI8MMPMJmBBMR
+AgAmBQJGo8gKAhsjBQkJZgGABgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQFHBt
+vh5LRUBydACfba08blV5kvAdN/mSKD1NgAHsiIcAoPbpCWW3IUiZ/1T9v8YTuDbt
+LWkLzSVPbGl2aWVyIEZvdXJkYW4gPG9mb3VyZGFuQHJlZGhhdC5jb20+wncEExEC
+ADcCGyMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgBYhBGfchvJiP8X9S7UiXRRwbb4e
+S0VABQJfHuODAAoJEBRwbb4eS0VAwOoAn1jPsEMWv/z9pqvw2We5FDLbi0ncAJ9W
+bA5E1fHh8m31NdSyFy2tXt8wfcJmBBMRAgAmAhsjBgsJCAcDAgQVAggDBBYCAwEC
+HgECF4AFAkajy1gFCRpUHdIACgkQFHBtvh5LRUCnMwCg3qt90PZGBCjwC+RXRQH1
+RznWzEAoKydVzIVeRC2vkGIRUx+k5jX333owmYEExECACYFAkajyDkCGyMFCQlm
+AYAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAUcG2+HktFQAsZAKCa9lmgwpkL
+zUpX4caWZi/L8KSK8ACePisjM/gv90AVd+0Br0G98yhLD9LOwU0ERF3SSRAIAI0c
+lctVOjdLUtE1ZRYS7Reu/oXSPns8duS4CLHmknF3kgn8uN6L6fptwFzh3yizCMGv
+Td4YA4/NimzsQxXmar9fDRg/VHEPsaHrWanE3VPMxBoRyPtnNeQtQXrRb8XCZllo
+GvmYQ/CZ8N9IaUq/Q8bbpqyr+dJy/gy+gc0aCxPdZhghxvOKrcJZg7zks52cQegz
+Tne6rjU0o/eTeySkWgboL4RaLQndUVX7LJ1UgL3mxr30fgv6JxmN8YkD6lSbb8+i
+vXhHX8LNuY8wmX+tCIrlm+20hpWtLEyB3HSnqgyC7Y1v0ZPYmQaRm1AQcafikFml
+9CieH9DaV6avfPQLkgsAAwUH/2BX9xYtFY85fSKP7Kz0ClcCHpuweIkmTbPWDT91
+HQmf2dRbzI88CV3ZzawJMJHHL1Nua7CGNX1Z+cFJz4QTkyAOXXNlbHaVRXF2Epnw
+FfjF5UM/D5j3YiUhXoam1LKz8/VRw3ZDDdc349jKPJEWNEmqs9NeGhSC2YsL2TsO
+BaBzWPvRXS1otPCaKOTuDa9h2T8om2SEvqvJjd0jdC0o4khJ8zsYtE3vZBXbyfdf
+cn5ktWedyEt6lcRMI04bvu2+j6B68GwtVDNr/RHaDPd+UkbZSHwiRoxGkRUQttYv
+Lh/NrtLo8a6NQFWAePMM8nU2P7n6AcRf357nqbwnQWJ/TyvCXQQYEQIAHRYhBGfc
+hvJiP8X9S7UiXRRwbb4eS0VABQJfHuPcAAoJEBRwbb4eS0VAnL4Anim4vNYyrDc8
+NTdS3mgWGtdXVjWdAKCjUhzkN3uCaYNJR6h0Y1thYuPEJMJMBBgRAgAMBQJGo8tj
+BQkaVB2nAAoJEBRwbb4eS0VA5e0AoO/nFK4k4fsAgsLMs02kk3plifoAAJ4iK85P
+2PawnJlnupv80Q8b7w2UVcJMBBgRAgAMBQJEXdJJBQkJZgGAAAoJEBRwbb4eS0VA
+ugQAoOlJ2NPM8mRqRCA2ZKXPqz7TGm64AKCTLcYRDmqX4aZcgK4yRBbe8GXhDA==
+=rEW/
+-----END PGP PUBLIC KEY BLOCK-----
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -36,14 +36,14 @@
 %endif

 Name:           xorg-x11-server
-Version:        21.1.9
+Version:        21.1.11
 Release:        0
 URL:            http://xorg.freedesktop.org/
 Summary:        X
 License:        MIT
 Group:          System/X11/Servers/XF86_4
-Source0:        https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-%{version}.tar.xz
-Source10:       https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-%{version}.tar.xz.sig
+Source0:        https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-%{version}.tar.gz
+Source10:       https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-%{version}.tar.gz.sig
 Source11:       xorg-x11-server.keyring
 Source1:        sysconfig.displaymanager.template
 Source2:        README.updates
@ -239,13 +239,8 @@ Patch1921:      u_xf86-Accept-devices-with-the-kernels-ofdrm-driver.patch

 Patch1930:      u_xfree86-activate-GPU-screens-on-autobind.patch

-Patch1940:      U_xephyr-Don-t-check-for-SeatId-anymore.patch
-
 Patch1960:      u_sync-pci-ids-with-Mesa.patch

-Patch1217765:   U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
-Patch1217766:   U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
-
 Patch1218176:   u_miCloseScreen_check_for_null_pScreen_dev_private.patch

 %description
@ -403,12 +398,8 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch1920 -p1
 %patch1921 -p1
 %patch1930 -p1
-%patch1940 -p1
 %patch1960 -p1

-%patch1217765 -p1
-%patch1217766 -p1
-
 %patch1218176 -p1

 %build