- Update to version 23.2.4

* This release contains fixes for the issues reported in today's security advisory: https://lists.x.org/archives/xorg/2024-January/061525.html * CVE-2023-6816 (bsc#1218582) * CVE-2024-0229 (bsc#1218583) * CVE-2024-21885 (bsc#1218584) * CVE-2024-21886 (bsc#1218585) * CVE-2024-0408 * CVE-2024-0409 - supersedes the patches mentioned below: * U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch * U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=68
2024-01-16 13:24:49 +00:00 · 2024-01-16 13:24:49 +00:00 · 052ab588dd
commit 052ab588dd
parent 52070dd5da
9 changed files with 80 additions and 136 deletions
--- a/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+++ b/U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
@ -1,68 +0,0 @@
 From 924fbcb74ae5434afa7ce4603cd85ebcbdcccad5 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Tue, 28 Nov 2023 15:19:04 +1000
 Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons
 button->xkb_acts is supposed to be an array sufficiently large for all
 our buttons, not just a single XkbActions struct. Allocating
 insufficient memory here means when we memcpy() later in
 XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
 leading to the usual security ooopsiedaisies.
 CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
 This vulnerability was discovered by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
 ---
 Xi/exevents.c | 12 ++++++------
 dix/devices.c | 10 ++++++++++
 2 files changed, 16 insertions(+), 6 deletions(-)
 --- a/Xi/exevents.c	
 +++ a/Xi/exevents.c	
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
         }
         if (from->button->xkb_acts) {
 -            if (!to->button->xkb_acts) {
 -                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
 -                if (!to->button->xkb_acts)
 -                    FatalError("[Xi] not enough memory for xkb_acts.\n");
 -            }
 +            size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
 +            to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
 +                                                   maxbuttons,
 +                                                   sizeof(XkbAction));
 +            memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
             memcpy(to->button->xkb_acts, from->button->xkb_acts,
 -                   sizeof(XkbAction));
 +                   from->button->numButtons * sizeof(XkbAction));
         }
         else {
             free(to->button->xkb_acts);
 --- a/dix/devices.c	
 +++ a/dix/devices.c	
@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
     if (master->button && master->button->numButtons != maxbuttons) {
         int i;
 +        int last_num_buttons = master->button->numButtons;
 +
         DeviceChangedEvent event = {
             .header = ET_Internal,
             .type = ET_DeviceChanged,
@@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
         };
         master->button->numButtons = maxbuttons;
 +        if (last_num_buttons < maxbuttons) {
 +            master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
 +                                                       maxbuttons,
 +                                                       sizeof(XkbAction));
 +            memset(&master->button->xkb_acts[last_num_buttons],
 +                   0,
 +                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
 +        }
         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
                sizeof(Atom));
 -- 
--- a/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+++ b/U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
@ -1,59 +0,0 @@
 From bd59316fe54b2bcad94c883e81fe7cae2a90cdd6 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Mon, 27 Nov 2023 16:27:49 +1000
 Subject: [PATCH xserver] randr: avoid integer truncation in length check of
 ProcRRChange*Property
 Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
 See also xserver@8f454b79 where this same bug was fixed for the core
 protocol and XI.
 This fixes an OOB read and the resulting information disclosure.
 Length calculation for the request was clipped to a 32-bit integer. With
 the correct stuff->nUnits value the expected request size was
 truncated, passing the REQUEST_FIXED_SIZE check.
 The server then proceeded with reading at least stuff->num_items bytes
 (depending on stuff->format) from the request and stuffing whatever it
 finds into the property. In the process it would also allocate at least
 stuff->nUnits bytes, i.e. 4GB.
 CVE-2023-XXXXX, ZDI-CAN-22561
 This vulnerability was discovered by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
 ---
 randr/rrproperty.c         | 2 +-
 randr/rrproviderproperty.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 diff --git a/randr/rrproperty.c b/randr/rrproperty.c
 index 25469f57b2..c4fef8a1f6 100644
 --- a/randr/rrproperty.c
 +++ b/randr/rrproperty.c
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
     char format, mode;
     unsigned long len;
     int sizeInBytes;
 -    int totalSize;
 +    uint64_t totalSize;
     int err;
     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
 diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
 index b79c17f9bf..90c5a9a933 100644
 --- a/randr/rrproviderproperty.c
 +++ b/randr/rrproviderproperty.c
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
     char format, mode;
     unsigned long len;
     int sizeInBytes;
 -    int totalSize;
 +    uint64_t totalSize;
     int err;
     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
 -- 
 2.43.0
--- a/xwayland-23.2.2.tar.xz
+++ b/xwayland-23.2.2.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:9f7c0938d2a41e941ffa04f99c35e5db2bcd3eec034afe8d35d5c810a22eb0a8
 size 1298400
--- a/xwayland-23.2.2.tar.xz.sig
+++ b/xwayland-23.2.2.tar.xz.sig
--- a/xwayland-23.2.4.tar.xz
+++ b/xwayland-23.2.4.tar.xz
--- a/xwayland-23.2.4.tar.xz.sig
+++ b/xwayland-23.2.4.tar.xz.sig
--- a/xwayland.changes
+++ b/xwayland.changes
@ -1,3 +1,21 @@
 -------------------------------------------------------------------
 Tue Jan 16 13:03:16 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
 - Update to version 23.2.4
  * This release contains fixes for the issues reported in today's
    security advisory: 
    https://lists.x.org/archives/xorg/2024-January/061525.html
  * CVE-2023-6816  (bsc#1218582)
  * CVE-2024-0229  (bsc#1218583)
  * CVE-2024-21885 (bsc#1218584)
  * CVE-2024-21886 (bsc#1218585)
  * CVE-2024-0408
  * CVE-2024-0409
 - supersedes the patches mentioned below:
  * U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
  * U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
 -------------------------------------------------------------------
 Mon Dec  4 18:33:56 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>
--- a/xwayland.keyring
+++ b/xwayland.keyring
@ -145,3 +145,60 @@ iEYEGBECAAYFAj8b0wgACgkQ4jt+cLRn8L+vIwCgg7y9oJK4NeDX1e6zXNOeytZy
 9hoAnigKVkYBlc2jpAKdD+bULpWgw+sz
 =Q/D0
 -----END PGP PUBLIC KEY BLOCK-----
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Comment: Hostname: pgp.surf.nl
 Version: Hockeypuck 2.1.2
 xsDiBERd0h4RBACflXMwRMuZ/gICB7oM/SwnYMoDeRVaZHYT2RtI6iaNQpovoMas
 fbLX31icweQm9sMLQJR/bNABpp28Fs1S4yNt9SwAProigexyWl3fFE3uqoVRmglZ
 uQdyXl7nnPC7A3hxHPX88tsZS4UlLFRssTjNnrzzhSR3xyyIlOJnmG5pJwCg/yaH
 DECRtdWm9gIJZwfM6S+ANYUD/0s6FPCIdbDqCzNcMH7YZID+JjBOU3VlRdXfzGmx
 Iy2aPBpC9pkb0EUEL94QZ5Ysa1EGNnNUPq8dQWOr/NllCt2/l0HDLGoziBCpBTvG
 ZNnFaJoErG0kmCH2u0w9VmKKSBq6C0sI8rFW1JthKc/bu6ucBKKbpi4sFYAMyZHn
 sNbzA/9VYevyns5TmZeR7t+x8YRj6xZxWVNGm20gnBBhHVnq/EGIn4a/YN1NLFNc
 4EuarFnzl0w6L1IQHanM+ajBJgzL4oSYCufhTSXgA2utrpIRtKkRW9JH6zt3J5hk
 W8oIcEsY3YRKQ3iVKS3Kz8PgSwezNewFT6o3Juu//95O5qSm8s0iT2xpdmllciBG
 b3VyZGFuIDxmb3VyZGFuQHhmY2Uub3JnPsJ6BBMRAgA6AhsjBgsJCAcDAgQVAggD
 BBYCAwECHgECF4ACGQEWIQRn3IbyYj/F/Uu1Il0UcG2+HktFQAUCXx7jggAKCRAU
 cG2+HktFQMAMAJ4kmAtOA9YEazO+1TNxEvEDZbEDSwCfUVR27NAtNegGOMO7piF1
 KrurTenCaQQTEQIAKQIbIwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQkaVB3SBQJG
 o8t0AhkBAAoJEBRwbb4eS0VANIcAn39YcAnhLnB1pIRQDuBIiIhhFMScAKDZYHMB
 1WIaknrKZSOnjwKBHw2nOcJjBBMRAgAjBQJEXdIeBQkJZgGABgsJCAcDAgQVAggD
 BBYCAwECHgECF4AACgkQFHBtvh5LRUDz7ACgmLpkFGTjcUGnzXnjIw071JQi0HQA
 nisMFnp0kBQIqdv2lufZ9YxXZhD3wkYEEBECAAYFAkRm8GUACgkQLXYbC37EqKxO
 LQCeNE+A668Qj5DB2vmibAV5rn4pMhwAnjgUS/l03Ckfq7jCx1jc3DxSh9UQwkYE
 EBECAAYFAkUMKvkACgkQRR//0/1eDw85jgCfXsyjpqetxwwoyc6LVAdvAhljhF8A
 nAgKOMp8LG6DDrhRomp4kjv0SHegzSNPbGl2aWVyIEZvdXJkYW4gPGZvdXJkYW5A
 Z21haWwuY29tPsJ3BBMRAgA3AhsjBgsJCAcDAgQVAggDBBYCAwECHgECF4AWIQRn
 3IbyYj/F/Uu1Il0UcG2+HktFQAUCXx7jgwAKCRAUcG2+HktFQJ5GAJ9yYpsMZ5oW
 I8Kv1qGf0MlRRZgxTACeL0BZ4Ni2nm5Exuv2CJxeT/KpcJ3CZgQTEQIAJgIbIwYL
 CQgHAwIEFQIIAwQWAgMBAh4BAheABQJGo8tYBQkaVB3SAAoJEBRwbb4eS0VAhKgA
 n3Js4UVMHITK3bgpcECV6xfuoEiUAKCZa2BJbdnOgbAlcbSScRGpI8MMPMJmBBMR
 AgAmBQJGo8gKAhsjBQkJZgGABgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQFHBt
 vh5LRUBydACfba08blV5kvAdN/mSKD1NgAHsiIcAoPbpCWW3IUiZ/1T9v8YTuDbt
 LWkLzSVPbGl2aWVyIEZvdXJkYW4gPG9mb3VyZGFuQHJlZGhhdC5jb20+wncEExEC
 ADcCGyMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgBYhBGfchvJiP8X9S7UiXRRwbb4e
 S0VABQJfHuODAAoJEBRwbb4eS0VAwOoAn1jPsEMWv/z9pqvw2We5FDLbi0ncAJ9W
 bA5E1fHh8m31NdSyFy2tXt8wfcJmBBMRAgAmAhsjBgsJCAcDAgQVAggDBBYCAwEC
 HgECF4AFAkajy1gFCRpUHdIACgkQFHBtvh5LRUCnMwCg3qt90PZGBCjwC+RXRQH1
 +RznWzEAoKydVzIVeRC2vkGIRUx+k5jX333owmYEExECACYFAkajyDkCGyMFCQlm
 AYAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAUcG2+HktFQAsZAKCa9lmgwpkL
 zUpX4caWZi/L8KSK8ACePisjM/gv90AVd+0Br0G98yhLD9LOwU0ERF3SSRAIAI0c
 lctVOjdLUtE1ZRYS7Reu/oXSPns8duS4CLHmknF3kgn8uN6L6fptwFzh3yizCMGv
 Td4YA4/NimzsQxXmar9fDRg/VHEPsaHrWanE3VPMxBoRyPtnNeQtQXrRb8XCZllo
 GvmYQ/CZ8N9IaUq/Q8bbpqyr+dJy/gy+gc0aCxPdZhghxvOKrcJZg7zks52cQegz
 Tne6rjU0o/eTeySkWgboL4RaLQndUVX7LJ1UgL3mxr30fgv6JxmN8YkD6lSbb8+i
 vXhHX8LNuY8wmX+tCIrlm+20hpWtLEyB3HSnqgyC7Y1v0ZPYmQaRm1AQcafikFml
 9CieH9DaV6avfPQLkgsAAwUH/2BX9xYtFY85fSKP7Kz0ClcCHpuweIkmTbPWDT91
 HQmf2dRbzI88CV3ZzawJMJHHL1Nua7CGNX1Z+cFJz4QTkyAOXXNlbHaVRXF2Epnw
 FfjF5UM/D5j3YiUhXoam1LKz8/VRw3ZDDdc349jKPJEWNEmqs9NeGhSC2YsL2TsO
 BaBzWPvRXS1otPCaKOTuDa9h2T8om2SEvqvJjd0jdC0o4khJ8zsYtE3vZBXbyfdf
 cn5ktWedyEt6lcRMI04bvu2+j6B68GwtVDNr/RHaDPd+UkbZSHwiRoxGkRUQttYv
 Lh/NrtLo8a6NQFWAePMM8nU2P7n6AcRf357nqbwnQWJ/TyvCXQQYEQIAHRYhBGfc
 hvJiP8X9S7UiXRRwbb4eS0VABQJfHuPcAAoJEBRwbb4eS0VAnL4Anim4vNYyrDc8
 NTdS3mgWGtdXVjWdAKCjUhzkN3uCaYNJR6h0Y1thYuPEJMJMBBgRAgAMBQJGo8tj
 BQkaVB2nAAoJEBRwbb4eS0VA5e0AoO/nFK4k4fsAgsLMs02kk3plifoAAJ4iK85P
 2PawnJlnupv80Q8b7w2UVcJMBBgRAgAMBQJEXdJJBQkJZgGAAAoJEBRwbb4eS0VA
 ugQAoOlJ2NPM8mRqRCA2ZKXPqz7TGm64AKCTLcYRDmqX4aZcgK4yRBbe8GXhDA==
 =rEW/
 -----END PGP PUBLIC KEY BLOCK-----
--- a/xwayland.spec
+++ b/xwayland.spec
@ -1,7 +1,7 @@
 #
 # spec file for package xwayland
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -24,7 +24,7 @@
 %endif
 Name:           xwayland
-Version:        23.2.2
+Version:        23.2.4
 Release:        0
 URL:            http://xorg.freedesktop.org
 Summary:        Xwayland Xserver
@ -33,10 +33,6 @@ Group:          System/X11/Servers/XF86_4
 Source0:        %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz
 Source1:        %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz.sig
 Source2:        xwayland.keyring
 Patch1217765:   U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
 Patch1217766:   U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
 BuildRequires:  meson
 BuildRequires:  ninja
 BuildRequires:  pkgconfig