- Update to version 23.2.4

* This release contains fixes for the issues reported in today's
    security advisory: 
    https://lists.x.org/archives/xorg/2024-January/061525.html
  * CVE-2023-6816  (bsc#1218582)
  * CVE-2024-0229  (bsc#1218583)
  * CVE-2024-21885 (bsc#1218584)
  * CVE-2024-21886 (bsc#1218585)
  * CVE-2024-0408
  * CVE-2024-0409
- supersedes the patches mentioned below:
  * U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
  * U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=68

U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch

@@ -1,68 +0,0 @@
-From 924fbcb74ae5434afa7ce4603cd85ebcbdcccad5 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 28 Nov 2023 15:19:04 +1000
-Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
-
-button->xkb_acts is supposed to be an array sufficiently large for all
-our buttons, not just a single XkbActions struct. Allocating
-insufficient memory here means when we memcpy() later in
-XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
-leading to the usual security ooopsiedaisies.
-
-CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
----
- Xi/exevents.c | 12 ++++++------
- dix/devices.c | 10 ++++++++++
- 2 files changed, 16 insertions(+), 6 deletions(-)
---- a/Xi/exevents.c	
-+++ a/Xi/exevents.c	
-@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
-         }
- 
-         if (from->button->xkb_acts) {
--            if (!to->button->xkb_acts) {
--                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
--                if (!to->button->xkb_acts)
--                    FatalError("[Xi] not enough memory for xkb_acts.\n");
--            }
-+            size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
-+            to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
-+                                                   maxbuttons,
-+                                                   sizeof(XkbAction));
-+            memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
-             memcpy(to->button->xkb_acts, from->button->xkb_acts,
--                   sizeof(XkbAction));
-+                   from->button->numButtons * sizeof(XkbAction));
-         }
-         else {
-             free(to->button->xkb_acts);
---- a/dix/devices.c	
-+++ a/dix/devices.c	
-@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
- 
-     if (master->button && master->button->numButtons != maxbuttons) {
-         int i;
-+        int last_num_buttons = master->button->numButtons;
-+
-         DeviceChangedEvent event = {
-             .header = ET_Internal,
-             .type = ET_DeviceChanged,
-@@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
-         };
- 
-         master->button->numButtons = maxbuttons;
-+        if (last_num_buttons < maxbuttons) {
-+            master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
-+                                                       maxbuttons,
-+                                                       sizeof(XkbAction));
-+            memset(&master->button->xkb_acts[last_num_buttons],
-+                   0,
-+                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
-+        }
- 
-         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
-                sizeof(Atom));
--- 

U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch

@@ -1,59 +0,0 @@
-From bd59316fe54b2bcad94c883e81fe7cae2a90cdd6 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Mon, 27 Nov 2023 16:27:49 +1000
-Subject: [PATCH xserver] randr: avoid integer truncation in length check of
- ProcRRChange*Property
-
-Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
-See also xserver@8f454b79 where this same bug was fixed for the core
-protocol and XI.
-
-This fixes an OOB read and the resulting information disclosure.
-
-Length calculation for the request was clipped to a 32-bit integer. With
-the correct stuff->nUnits value the expected request size was
-truncated, passing the REQUEST_FIXED_SIZE check.
-
-The server then proceeded with reading at least stuff->num_items bytes
-(depending on stuff->format) from the request and stuffing whatever it
-finds into the property. In the process it would also allocate at least
-stuff->nUnits bytes, i.e. 4GB.
-
-CVE-2023-XXXXX, ZDI-CAN-22561
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
----
- randr/rrproperty.c         | 2 +-
- randr/rrproviderproperty.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/randr/rrproperty.c b/randr/rrproperty.c
-index 25469f57b2..c4fef8a1f6 100644
---- a/randr/rrproperty.c
-+++ b/randr/rrproperty.c
-@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
-     char format, mode;
-     unsigned long len;
-     int sizeInBytes;
--    int totalSize;
-+    uint64_t totalSize;
-     int err;
- 
-     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
-diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
-index b79c17f9bf..90c5a9a933 100644
---- a/randr/rrproviderproperty.c
-+++ b/randr/rrproviderproperty.c
-@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
-     char format, mode;
-     unsigned long len;
-     int sizeInBytes;
--    int totalSize;
-+    uint64_t totalSize;
-     int err;
- 
-     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
--- 
-2.43.0
-

xwayland-23.2.2.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9f7c0938d2a41e941ffa04f99c35e5db2bcd3eec034afe8d35d5c810a22eb0a8
-size 1298400

xwayland.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Jan 16 13:03:16 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to version 23.2.4
+  * This release contains fixes for the issues reported in today's
+    security advisory: 
+    https://lists.x.org/archives/xorg/2024-January/061525.html
+
+  * CVE-2023-6816  (bsc#1218582)
+  * CVE-2024-0229  (bsc#1218583)
+  * CVE-2024-21885 (bsc#1218584)
+  * CVE-2024-21886 (bsc#1218585)
+  * CVE-2024-0408
+  * CVE-2024-0409
+- supersedes the patches mentioned below:
+  * U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  * U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+
 -------------------------------------------------------------------
 Mon Dec  4 18:33:56 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>
 

xwayland.keyring

@@ -145,3 +145,60 @@ iEYEGBECAAYFAj8b0wgACgkQ4jt+cLRn8L+vIwCgg7y9oJK4NeDX1e6zXNOeytZy
 9hoAnigKVkYBlc2jpAKdD+bULpWgw+sz
 =Q/D0
 -----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: Hostname: pgp.surf.nl
+Version: Hockeypuck 2.1.2
+
+xsDiBERd0h4RBACflXMwRMuZ/gICB7oM/SwnYMoDeRVaZHYT2RtI6iaNQpovoMas
+fbLX31icweQm9sMLQJR/bNABpp28Fs1S4yNt9SwAProigexyWl3fFE3uqoVRmglZ
+uQdyXl7nnPC7A3hxHPX88tsZS4UlLFRssTjNnrzzhSR3xyyIlOJnmG5pJwCg/yaH
+DECRtdWm9gIJZwfM6S+ANYUD/0s6FPCIdbDqCzNcMH7YZID+JjBOU3VlRdXfzGmx
+Iy2aPBpC9pkb0EUEL94QZ5Ysa1EGNnNUPq8dQWOr/NllCt2/l0HDLGoziBCpBTvG
+ZNnFaJoErG0kmCH2u0w9VmKKSBq6C0sI8rFW1JthKc/bu6ucBKKbpi4sFYAMyZHn
+sNbzA/9VYevyns5TmZeR7t+x8YRj6xZxWVNGm20gnBBhHVnq/EGIn4a/YN1NLFNc
+4EuarFnzl0w6L1IQHanM+ajBJgzL4oSYCufhTSXgA2utrpIRtKkRW9JH6zt3J5hk
+W8oIcEsY3YRKQ3iVKS3Kz8PgSwezNewFT6o3Juu//95O5qSm8s0iT2xpdmllciBG
+b3VyZGFuIDxmb3VyZGFuQHhmY2Uub3JnPsJ6BBMRAgA6AhsjBgsJCAcDAgQVAggD
+BBYCAwECHgECF4ACGQEWIQRn3IbyYj/F/Uu1Il0UcG2+HktFQAUCXx7jggAKCRAU
+cG2+HktFQMAMAJ4kmAtOA9YEazO+1TNxEvEDZbEDSwCfUVR27NAtNegGOMO7piF1
+KrurTenCaQQTEQIAKQIbIwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQkaVB3SBQJG
+o8t0AhkBAAoJEBRwbb4eS0VANIcAn39YcAnhLnB1pIRQDuBIiIhhFMScAKDZYHMB
+1WIaknrKZSOnjwKBHw2nOcJjBBMRAgAjBQJEXdIeBQkJZgGABgsJCAcDAgQVAggD
+BBYCAwECHgECF4AACgkQFHBtvh5LRUDz7ACgmLpkFGTjcUGnzXnjIw071JQi0HQA
+nisMFnp0kBQIqdv2lufZ9YxXZhD3wkYEEBECAAYFAkRm8GUACgkQLXYbC37EqKxO
+LQCeNE+A668Qj5DB2vmibAV5rn4pMhwAnjgUS/l03Ckfq7jCx1jc3DxSh9UQwkYE
+EBECAAYFAkUMKvkACgkQRR//0/1eDw85jgCfXsyjpqetxwwoyc6LVAdvAhljhF8A
+nAgKOMp8LG6DDrhRomp4kjv0SHegzSNPbGl2aWVyIEZvdXJkYW4gPGZvdXJkYW5A
+Z21haWwuY29tPsJ3BBMRAgA3AhsjBgsJCAcDAgQVAggDBBYCAwECHgECF4AWIQRn
+3IbyYj/F/Uu1Il0UcG2+HktFQAUCXx7jgwAKCRAUcG2+HktFQJ5GAJ9yYpsMZ5oW
+I8Kv1qGf0MlRRZgxTACeL0BZ4Ni2nm5Exuv2CJxeT/KpcJ3CZgQTEQIAJgIbIwYL
+CQgHAwIEFQIIAwQWAgMBAh4BAheABQJGo8tYBQkaVB3SAAoJEBRwbb4eS0VAhKgA
+n3Js4UVMHITK3bgpcECV6xfuoEiUAKCZa2BJbdnOgbAlcbSScRGpI8MMPMJmBBMR
+AgAmBQJGo8gKAhsjBQkJZgGABgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQFHBt
+vh5LRUBydACfba08blV5kvAdN/mSKD1NgAHsiIcAoPbpCWW3IUiZ/1T9v8YTuDbt
+LWkLzSVPbGl2aWVyIEZvdXJkYW4gPG9mb3VyZGFuQHJlZGhhdC5jb20+wncEExEC
+ADcCGyMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgBYhBGfchvJiP8X9S7UiXRRwbb4e
+S0VABQJfHuODAAoJEBRwbb4eS0VAwOoAn1jPsEMWv/z9pqvw2We5FDLbi0ncAJ9W
+bA5E1fHh8m31NdSyFy2tXt8wfcJmBBMRAgAmAhsjBgsJCAcDAgQVAggDBBYCAwEC
+HgECF4AFAkajy1gFCRpUHdIACgkQFHBtvh5LRUCnMwCg3qt90PZGBCjwC+RXRQH1
++RznWzEAoKydVzIVeRC2vkGIRUx+k5jX333owmYEExECACYFAkajyDkCGyMFCQlm
+AYAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAUcG2+HktFQAsZAKCa9lmgwpkL
+zUpX4caWZi/L8KSK8ACePisjM/gv90AVd+0Br0G98yhLD9LOwU0ERF3SSRAIAI0c
+lctVOjdLUtE1ZRYS7Reu/oXSPns8duS4CLHmknF3kgn8uN6L6fptwFzh3yizCMGv
+Td4YA4/NimzsQxXmar9fDRg/VHEPsaHrWanE3VPMxBoRyPtnNeQtQXrRb8XCZllo
+GvmYQ/CZ8N9IaUq/Q8bbpqyr+dJy/gy+gc0aCxPdZhghxvOKrcJZg7zks52cQegz
+Tne6rjU0o/eTeySkWgboL4RaLQndUVX7LJ1UgL3mxr30fgv6JxmN8YkD6lSbb8+i
+vXhHX8LNuY8wmX+tCIrlm+20hpWtLEyB3HSnqgyC7Y1v0ZPYmQaRm1AQcafikFml
+9CieH9DaV6avfPQLkgsAAwUH/2BX9xYtFY85fSKP7Kz0ClcCHpuweIkmTbPWDT91
+HQmf2dRbzI88CV3ZzawJMJHHL1Nua7CGNX1Z+cFJz4QTkyAOXXNlbHaVRXF2Epnw
+FfjF5UM/D5j3YiUhXoam1LKz8/VRw3ZDDdc349jKPJEWNEmqs9NeGhSC2YsL2TsO
+BaBzWPvRXS1otPCaKOTuDa9h2T8om2SEvqvJjd0jdC0o4khJ8zsYtE3vZBXbyfdf
+cn5ktWedyEt6lcRMI04bvu2+j6B68GwtVDNr/RHaDPd+UkbZSHwiRoxGkRUQttYv
+Lh/NrtLo8a6NQFWAePMM8nU2P7n6AcRf357nqbwnQWJ/TyvCXQQYEQIAHRYhBGfc
+hvJiP8X9S7UiXRRwbb4eS0VABQJfHuPcAAoJEBRwbb4eS0VAnL4Anim4vNYyrDc8
+NTdS3mgWGtdXVjWdAKCjUhzkN3uCaYNJR6h0Y1thYuPEJMJMBBgRAgAMBQJGo8tj
+BQkaVB2nAAoJEBRwbb4eS0VA5e0AoO/nFK4k4fsAgsLMs02kk3plifoAAJ4iK85P
+2PawnJlnupv80Q8b7w2UVcJMBBgRAgAMBQJEXdJJBQkJZgGAAAoJEBRwbb4eS0VA
+ugQAoOlJ2NPM8mRqRCA2ZKXPqz7TGm64AKCTLcYRDmqX4aZcgK4yRBbe8GXhDA==
+=rEW/
+-----END PGP PUBLIC KEY BLOCK-----

xwayland.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package xwayland
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 %endif
 
 Name:           xwayland
-Version:        23.2.2
+Version:        23.2.4
 Release:        0
 URL:            http://xorg.freedesktop.org
 Summary:        Xwayland Xserver
@@ -33,10 +33,6 @@ Group:          System/X11/Servers/XF86_4
 Source0:        %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz
 Source1:        %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz.sig
 Source2:        xwayland.keyring
-
-Patch1217765:   U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
-Patch1217766:   U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
-
 BuildRequires:  meson
 BuildRequires:  ninja
 BuildRequires:  pkgconfig