- Update to version 22.1.4

* xwayland: Aggregate scroll axis events to fix kinetic scrolling * Forbid server grabs by non-WM on *rootless* XWayland * xkb: Avoid length-check failure on empty strings. * ci: remove redundant slash in libxcvt repository url * dix: Skip more code in SetRootClip for ROOT_CLIP_INPUT_ONLY * dix: Fix overzealous caching of ResourceClientBits() * xwayland: Prevent Xserver grabs with rootless * xwayland: Delay wl_surface destruction * build: Bump wayland requirement to 1.18 * xwayland: set tag on our surfaces * xwayland: Clear the "xwl-window" tag on unrealize * xwayland: correct the type for the discrete scroll events * xkb: fix some possible memleaks in XkbGetKbdByName * xkb: length-check XkbGetKbdByName before accessing the fields * xkb: length-check XkbListComponents before accessing the fields * xkb: proof GetCountedString against request length attacks - supersedes security patches: * U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch * U_xkb-proof-GetCountedString-against-request-length-at.patch OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=33
2022-10-20 12:00:58 +00:00 · 2022-10-20 12:00:58 +00:00 · c2484d7746
commit c2484d7746
parent e62daa6f30
8 changed files with 28 additions and 93 deletions
--- a/U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
+++ b/U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
@ -1,56 +0,0 @@
 From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Wed, 13 Jul 2022 11:23:09 +1000
 Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
 GetComponentByName returns an allocated string, so let's free that if we
 fail somewhere.
 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
 xkb/xkb.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
 Index: xwayland-22.1.3/xkb/xkb.c
 ===================================================================
 --- xwayland-22.1.3.orig/xkb/xkb.c
 +++ xwayland-22.1.3/xkb/xkb.c
@@ -5941,18 +5941,32 @@ ProcXkbGetKbdByName(ClientPtr client)
     xkb = dev->key->xkbInfo->desc;
     status = Success;
     str = (unsigned char *) &stuff[1];
 -    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
 -        return BadMatch;
 +    {
 +        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
 +        if (keymap) {
 +            free(keymap);
 +            return BadMatch;
 +        }
 +    }
     names.keycodes = GetComponentSpec(&str, TRUE, &status);
     names.types = GetComponentSpec(&str, TRUE, &status);
     names.compat = GetComponentSpec(&str, TRUE, &status);
     names.symbols = GetComponentSpec(&str, TRUE, &status);
     names.geometry = GetComponentSpec(&str, TRUE, &status);
 -    if (status != Success)
 +    if (status == Success) {
 +        len = str - ((unsigned char *) stuff);
 +        if ((XkbPaddedSize(len) / 4) != stuff->length)
 +            status = BadLength;
 +    }
 +
 +    if (status != Success) {
 +        free(names.keycodes);
 +        free(names.types);
 +        free(names.compat);
 +        free(names.symbols);
 +        free(names.geometry);
         return status;
 -    len = str - ((unsigned char *) stuff);
 -    if ((XkbPaddedSize(len) / 4) != stuff->length)
 -        return BadLength;
 +    }
     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
--- a/U_xkb-proof-GetCountedString-against-request-length-at.patch
+++ b/U_xkb-proof-GetCountedString-against-request-length-at.patch
@ -1,31 +0,0 @@
 From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Tue, 5 Jul 2022 12:06:20 +1000
 Subject: [PATCH] xkb: proof GetCountedString against request length attacks
 GetCountedString did a check for the whole string to be within the
 request buffer but not for the initial 2 bytes that contain the length
 field. A swapped client could send a malformed request to trigger a
 swaps() on those bytes, writing into random memory.
 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
 xkb/xkb.c | 5 +++++
 1 file changed, 5 insertions(+)
 Index: xwayland-22.1.3/xkb/xkb.c
 ===================================================================
 --- xwayland-22.1.3.orig/xkb/xkb.c
 +++ xwayland-22.1.3/xkb/xkb.c
@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, Cli
     CARD16 len;
     wire = *wire_inout;
 +
 +    if (client->req_len <
 +        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
 +        return BadValue;
 +
     len = *(CARD16 *) wire;
     if (client->swapped) {
         swaps(&len);
--- a/xwayland-22.1.3.tar.xz
+++ b/xwayland-22.1.3.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:a712eb7bce32cd934df36814b5dd046aa670899c16fe98f2afb003578f86a1c5
 size 1272440
--- a/xwayland-22.1.3.tar.xz.sig
+++ b/xwayland-22.1.3.tar.xz.sig
--- a/xwayland-22.1.4.tar.xz
+++ b/xwayland-22.1.4.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:5c39bdd77444c3fa7a0e2ef317ae69ddde89a901dc8914dbc8eac39a9313512a
 size 1273552
--- a/xwayland-22.1.4.tar.xz.sig
+++ b/xwayland-22.1.4.tar.xz.sig
--- a/xwayland.changes
+++ b/xwayland.changes
@ -1,3 +1,27 @@
 -------------------------------------------------------------------
 Thu Oct 20 11:50:17 UTC 2022 - Stefan Dirsch <sndirsch@suse.com>
 - Update to version 22.1.4
  * xwayland: Aggregate scroll axis events to fix kinetic scrolling
  * Forbid server grabs by non-WM on *rootless* XWayland
  * xkb: Avoid length-check failure on empty strings.
  * ci: remove redundant slash in libxcvt repository url
  * dix: Skip more code in SetRootClip for ROOT_CLIP_INPUT_ONLY
  * dix: Fix overzealous caching of ResourceClientBits()
  * xwayland: Prevent Xserver grabs with rootless
  * xwayland: Delay wl_surface destruction
  * build: Bump wayland requirement to 1.18
  * xwayland: set tag on our surfaces
  * xwayland: Clear the "xwl-window" tag on unrealize
  * xwayland: correct the type for the discrete scroll events
  * xkb: fix some possible memleaks in XkbGetKbdByName
  * xkb: length-check XkbGetKbdByName before accessing the fields
  * xkb: length-check XkbListComponents before accessing the fields
  * xkb: proof GetCountedString against request length attacks
 - supersedes security patches:
  * U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
  * U_xkb-proof-GetCountedString-against-request-length-at.patch
 -------------------------------------------------------------------
 Wed Oct 19 11:19:40 UTC 2022 - Stefan Dirsch <sndirsch@suse.com>
--- a/xwayland.spec
+++ b/xwayland.spec
@ -24,7 +24,7 @@
 %endif
 Name:           xwayland
-Version:        22.1.3
+Version:        22.1.4
 Release:        0
 URL:            http://xorg.freedesktop.org/
 Summary:        X
@ -33,8 +33,6 @@ Group:          System/X11/Servers/XF86_4
 Source0:        %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz
 Source1:        %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz.sig
 Source2:        xwayland.keyring
 Patch1204412:   U_xkb-proof-GetCountedString-against-request-length-at.patch
 Patch1204416:   U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
 BuildRequires:  meson
 BuildRequires:  ninja
 BuildRequires:  pkgconfig