diff --git a/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch b/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
deleted file mode 100644
index 94c4b69..0000000
--- a/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 924fbcb74ae5434afa7ce4603cd85ebcbdcccad5 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer
-Date: Tue, 28 Nov 2023 15:19:04 +1000
-Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
-
-button->xkb_acts is supposed to be an array sufficiently large for all
-our buttons, not just a single XkbActions struct. Allocating
-insufficient memory here means when we memcpy() later in
-XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
-leading to the usual security ooopsiedaisies.
-
-CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
----
- Xi/exevents.c | 12 ++++++------
- dix/devices.c | 10 ++++++++++
- 2 files changed, 16 insertions(+), 6 deletions(-)
---- a/Xi/exevents.c
-+++ a/Xi/exevents.c
-@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
- }
-
- if (from->button->xkb_acts) {
-- if (!to->button->xkb_acts) {
-- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
-- if (!to->button->xkb_acts)
-- FatalError("[Xi] not enough memory for xkb_acts.\n");
-- }
-+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
-+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
-+ maxbuttons,
-+ sizeof(XkbAction));
-+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
- memcpy(to->button->xkb_acts, from->button->xkb_acts,
-- sizeof(XkbAction));
-+ from->button->numButtons * sizeof(XkbAction));
- }
- else {
- free(to->button->xkb_acts);
---- a/dix/devices.c
-+++ a/dix/devices.c
-@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
-
- if (master->button && master->button->numButtons != maxbuttons) {
- int i;
-+ int last_num_buttons = master->button->numButtons;
-+
- DeviceChangedEvent event = {
- .header = ET_Internal,
- .type = ET_DeviceChanged,
-@@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
- };
-
- master->button->numButtons = maxbuttons;
-+ if (last_num_buttons < maxbuttons) {
-+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
-+ maxbuttons,
-+ sizeof(XkbAction));
-+ memset(&master->button->xkb_acts[last_num_buttons],
-+ 0,
-+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
-+ }
-
- memcpy(&event.buttons.names, master->button->labels, maxbuttons *
- sizeof(Atom));
---
diff --git a/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch b/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
deleted file mode 100644
index 3a74787..0000000
--- a/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From bd59316fe54b2bcad94c883e81fe7cae2a90cdd6 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer
-Date: Mon, 27 Nov 2023 16:27:49 +1000
-Subject: [PATCH xserver] randr: avoid integer truncation in length check of
- ProcRRChange*Property
-
-Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
-See also xserver@8f454b79 where this same bug was fixed for the core
-protocol and XI.
-
-This fixes an OOB read and the resulting information disclosure.
-
-Length calculation for the request was clipped to a 32-bit integer. With
-the correct stuff->nUnits value the expected request size was
-truncated, passing the REQUEST_FIXED_SIZE check.
-
-The server then proceeded with reading at least stuff->num_items bytes
-(depending on stuff->format) from the request and stuffing whatever it
-finds into the property. In the process it would also allocate at least
-stuff->nUnits bytes, i.e. 4GB.
-
-CVE-2023-XXXXX, ZDI-CAN-22561
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
----
- randr/rrproperty.c | 2 +-
- randr/rrproviderproperty.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/randr/rrproperty.c b/randr/rrproperty.c
-index 25469f57b2..c4fef8a1f6 100644
---- a/randr/rrproperty.c
-+++ b/randr/rrproperty.c
-@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
- char format, mode;
- unsigned long len;
- int sizeInBytes;
-- int totalSize;
-+ uint64_t totalSize;
- int err;
-
- REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
-diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
-index b79c17f9bf..90c5a9a933 100644
---- a/randr/rrproviderproperty.c
-+++ b/randr/rrproviderproperty.c
-@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
- char format, mode;
- unsigned long len;
- int sizeInBytes;
-- int totalSize;
-+ uint64_t totalSize;
- int err;
-
- REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
---
-2.43.0
-
diff --git a/xwayland-23.2.2.tar.xz b/xwayland-23.2.2.tar.xz
deleted file mode 100644
index e6442f8..0000000
--- a/xwayland-23.2.2.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9f7c0938d2a41e941ffa04f99c35e5db2bcd3eec034afe8d35d5c810a22eb0a8
-size 1298400
diff --git a/xwayland-23.2.2.tar.xz.sig b/xwayland-23.2.2.tar.xz.sig
deleted file mode 100644
index 087933e..0000000
Binary files a/xwayland-23.2.2.tar.xz.sig and /dev/null differ
diff --git a/xwayland-23.2.4.tar.xz b/xwayland-23.2.4.tar.xz
new file mode 100644
index 0000000..2af7f35
--- /dev/null
+++ b/xwayland-23.2.4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a99e159b6d0d33098b3b6ab22a88bfcece23c8b9d0ca72c535c55dcb0681b46b
+size 1299748
diff --git a/xwayland-23.2.4.tar.xz.sig b/xwayland-23.2.4.tar.xz.sig
new file mode 100644
index 0000000..c3c5449
Binary files /dev/null and b/xwayland-23.2.4.tar.xz.sig differ
diff --git a/xwayland.changes b/xwayland.changes
index c13382a..f5a63b9 100644
--- a/xwayland.changes
+++ b/xwayland.changes
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Jan 16 13:03:16 UTC 2024 - Stefan Dirsch
+
+- Update to version 23.2.4
+ * This release contains fixes for the issues reported in today's
+ security advisory:
+ https://lists.x.org/archives/xorg/2024-January/061525.html
+
+ * CVE-2023-6816 (bsc#1218582)
+ * CVE-2024-0229 (bsc#1218583)
+ * CVE-2024-21885 (bsc#1218584)
+ * CVE-2024-21886 (bsc#1218585)
+ * CVE-2024-0408
+ * CVE-2024-0409
+- supersedes the patches mentioned below:
+ * U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+ * U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+
 -------------------------------------------------------------------
 Mon Dec 4 18:33:56 UTC 2023 - Stefan Dirsch
diff --git a/xwayland.keyring b/xwayland.keyring
index ec70e44..f511049 100644
--- a/xwayland.keyring
+++ b/xwayland.keyring
@@ -145,3 +145,60 @@ iEYEGBECAAYFAj8b0wgACgkQ4jt+cLRn8L+vIwCgg7y9oJK4NeDX1e6zXNOeytZy
 9hoAnigKVkYBlc2jpAKdD+bULpWgw+sz
 =Q/D0
 -----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: Hostname: pgp.surf.nl
+Version: Hockeypuck 2.1.2
+
+xsDiBERd0h4RBACflXMwRMuZ/gICB7oM/SwnYMoDeRVaZHYT2RtI6iaNQpovoMas
+fbLX31icweQm9sMLQJR/bNABpp28Fs1S4yNt9SwAProigexyWl3fFE3uqoVRmglZ
+uQdyXl7nnPC7A3hxHPX88tsZS4UlLFRssTjNnrzzhSR3xyyIlOJnmG5pJwCg/yaH
+DECRtdWm9gIJZwfM6S+ANYUD/0s6FPCIdbDqCzNcMH7YZID+JjBOU3VlRdXfzGmx
+Iy2aPBpC9pkb0EUEL94QZ5Ysa1EGNnNUPq8dQWOr/NllCt2/l0HDLGoziBCpBTvG
+ZNnFaJoErG0kmCH2u0w9VmKKSBq6C0sI8rFW1JthKc/bu6ucBKKbpi4sFYAMyZHn
+sNbzA/9VYevyns5TmZeR7t+x8YRj6xZxWVNGm20gnBBhHVnq/EGIn4a/YN1NLFNc
+4EuarFnzl0w6L1IQHanM+ajBJgzL4oSYCufhTSXgA2utrpIRtKkRW9JH6zt3J5hk
+W8oIcEsY3YRKQ3iVKS3Kz8PgSwezNewFT6o3Juu//95O5qSm8s0iT2xpdmllciBG
+b3VyZGFuIDxmb3VyZGFuQHhmY2Uub3JnPsJ6BBMRAgA6AhsjBgsJCAcDAgQVAggD
+BBYCAwECHgECF4ACGQEWIQRn3IbyYj/F/Uu1Il0UcG2+HktFQAUCXx7jggAKCRAU
+cG2+HktFQMAMAJ4kmAtOA9YEazO+1TNxEvEDZbEDSwCfUVR27NAtNegGOMO7piF1
+KrurTenCaQQTEQIAKQIbIwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQkaVB3SBQJG
+o8t0AhkBAAoJEBRwbb4eS0VANIcAn39YcAnhLnB1pIRQDuBIiIhhFMScAKDZYHMB
+1WIaknrKZSOnjwKBHw2nOcJjBBMRAgAjBQJEXdIeBQkJZgGABgsJCAcDAgQVAggD
+BBYCAwECHgECF4AACgkQFHBtvh5LRUDz7ACgmLpkFGTjcUGnzXnjIw071JQi0HQA
+nisMFnp0kBQIqdv2lufZ9YxXZhD3wkYEEBECAAYFAkRm8GUACgkQLXYbC37EqKxO
+LQCeNE+A668Qj5DB2vmibAV5rn4pMhwAnjgUS/l03Ckfq7jCx1jc3DxSh9UQwkYE
+EBECAAYFAkUMKvkACgkQRR//0/1eDw85jgCfXsyjpqetxwwoyc6LVAdvAhljhF8A
+nAgKOMp8LG6DDrhRomp4kjv0SHegzSNPbGl2aWVyIEZvdXJkYW4gPGZvdXJkYW5A
+Z21haWwuY29tPsJ3BBMRAgA3AhsjBgsJCAcDAgQVAggDBBYCAwECHgECF4AWIQRn
+3IbyYj/F/Uu1Il0UcG2+HktFQAUCXx7jgwAKCRAUcG2+HktFQJ5GAJ9yYpsMZ5oW
+I8Kv1qGf0MlRRZgxTACeL0BZ4Ni2nm5Exuv2CJxeT/KpcJ3CZgQTEQIAJgIbIwYL
+CQgHAwIEFQIIAwQWAgMBAh4BAheABQJGo8tYBQkaVB3SAAoJEBRwbb4eS0VAhKgA
+n3Js4UVMHITK3bgpcECV6xfuoEiUAKCZa2BJbdnOgbAlcbSScRGpI8MMPMJmBBMR
+AgAmBQJGo8gKAhsjBQkJZgGABgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQFHBt
+vh5LRUBydACfba08blV5kvAdN/mSKD1NgAHsiIcAoPbpCWW3IUiZ/1T9v8YTuDbt
+LWkLzSVPbGl2aWVyIEZvdXJkYW4gPG9mb3VyZGFuQHJlZGhhdC5jb20+wncEExEC
+ADcCGyMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgBYhBGfchvJiP8X9S7UiXRRwbb4e
+S0VABQJfHuODAAoJEBRwbb4eS0VAwOoAn1jPsEMWv/z9pqvw2We5FDLbi0ncAJ9W
+bA5E1fHh8m31NdSyFy2tXt8wfcJmBBMRAgAmAhsjBgsJCAcDAgQVAggDBBYCAwEC
+HgECF4AFAkajy1gFCRpUHdIACgkQFHBtvh5LRUCnMwCg3qt90PZGBCjwC+RXRQH1
++RznWzEAoKydVzIVeRC2vkGIRUx+k5jX333owmYEExECACYFAkajyDkCGyMFCQlm
+AYAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAUcG2+HktFQAsZAKCa9lmgwpkL
+zUpX4caWZi/L8KSK8ACePisjM/gv90AVd+0Br0G98yhLD9LOwU0ERF3SSRAIAI0c
+lctVOjdLUtE1ZRYS7Reu/oXSPns8duS4CLHmknF3kgn8uN6L6fptwFzh3yizCMGv
+Td4YA4/NimzsQxXmar9fDRg/VHEPsaHrWanE3VPMxBoRyPtnNeQtQXrRb8XCZllo
+GvmYQ/CZ8N9IaUq/Q8bbpqyr+dJy/gy+gc0aCxPdZhghxvOKrcJZg7zks52cQegz
+Tne6rjU0o/eTeySkWgboL4RaLQndUVX7LJ1UgL3mxr30fgv6JxmN8YkD6lSbb8+i
+vXhHX8LNuY8wmX+tCIrlm+20hpWtLEyB3HSnqgyC7Y1v0ZPYmQaRm1AQcafikFml
+9CieH9DaV6avfPQLkgsAAwUH/2BX9xYtFY85fSKP7Kz0ClcCHpuweIkmTbPWDT91
+HQmf2dRbzI88CV3ZzawJMJHHL1Nua7CGNX1Z+cFJz4QTkyAOXXNlbHaVRXF2Epnw
+FfjF5UM/D5j3YiUhXoam1LKz8/VRw3ZDDdc349jKPJEWNEmqs9NeGhSC2YsL2TsO
+BaBzWPvRXS1otPCaKOTuDa9h2T8om2SEvqvJjd0jdC0o4khJ8zsYtE3vZBXbyfdf
+cn5ktWedyEt6lcRMI04bvu2+j6B68GwtVDNr/RHaDPd+UkbZSHwiRoxGkRUQttYv
+Lh/NrtLo8a6NQFWAePMM8nU2P7n6AcRf357nqbwnQWJ/TyvCXQQYEQIAHRYhBGfc
+hvJiP8X9S7UiXRRwbb4eS0VABQJfHuPcAAoJEBRwbb4eS0VAnL4Anim4vNYyrDc8
+NTdS3mgWGtdXVjWdAKCjUhzkN3uCaYNJR6h0Y1thYuPEJMJMBBgRAgAMBQJGo8tj
+BQkaVB2nAAoJEBRwbb4eS0VA5e0AoO/nFK4k4fsAgsLMs02kk3plifoAAJ4iK85P
+2PawnJlnupv80Q8b7w2UVcJMBBgRAgAMBQJEXdJJBQkJZgGAAAoJEBRwbb4eS0VA
+ugQAoOlJ2NPM8mRqRCA2ZKXPqz7TGm64AKCTLcYRDmqX4aZcgK4yRBbe8GXhDA==
+=rEW/
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/xwayland.spec b/xwayland.spec
index b1756e1..661441c 100644
--- a/xwayland.spec
+++ b/xwayland.spec
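Review bot: The key block appended in the xwayland.keyring hunk widens the set of keys trusted to sign the source tarball, yet nothing in the commit records whose key it is or how it was authenticated. Its armor headers (`Comment: Hostname: pgp.surf.nl`, `Version: Hockeypuck 2.1.2`) show it was exported from a public keyserver, which on its own does not vouch for the key; the user IDs inside the block decode to Olivier Fourdan. The xwayland.changes entry in this same commit covers only the version update, the CVEs and the superseded patches, so I would add a line such as `- xwayland.keyring: add signing key <FINGERPRINT> (Olivier Fourdan), checked against <SOURCE>`. The fingerprint should be compared with the one in the signed upstream release announcement before this is accepted.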
@@ -1,7 +1,7 @@
 #
 # spec file for package xwayland
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 %endif
 Name: xwayland
-Version: 23.2.2
+Version: 23.2.4
 Release: 0
 URL: http://xorg.freedesktop.org
 Summary: Xwayland Xserver
@@ -33,10 +33,6 @@ Group: System/X11/Servers/XF86_4
 Source0: %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz
 Source1: %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz.sig
 Source2: xwayland.keyring
-
-Patch1217765: U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
-Patch1217766: U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
-
 BuildRequires: meson
 BuildRequires: ninja
 BuildRequires: pkgconfig