From 51271c424a3cd68dd2a36d7248fc6e01fd2bd04933f47ee6c8e85ed4c8074fc8 Mon Sep 17 00:00:00 2001 From: Stefan Dirsch Date: Wed, 13 Jul 2022 13:01:53 +0000 Subject: [PATCH] - Update to version 21.1 * This release fixes 2 recently reported security vulnerabilities in xkb, several regressions since 1.20.x and a number of miscellaneous bugs. - supersedes the following security patches * U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch * U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch * U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch - supersedes U_Fix-build-with-gcc-12.patch OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=829 --- U_Fix-build-with-gcc-12.patch | 89 ---------- ...-001-xkb-rename-xkb_h-to-xkb-procs_h.patch | 155 ----------------- ...length-validation-for-XkbSetGeometry.patch | 160 ------------------ ...DeviceInfo-and-XkbSetDeviceInfoCheck.patch | 138 --------------- xorg-server-21.1.3.tar.xz | 3 - xorg-server-21.1.4.tar.xz | 3 + xorg-x11-server.changes | 13 ++ xorg-x11-server.spec | 14 +- 8 files changed, 17 insertions(+), 558 deletions(-) delete mode 100644 U_Fix-build-with-gcc-12.patch delete mode 100644 U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch delete mode 100644 U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch delete mode 100644 U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch delete mode 100644 xorg-server-21.1.3.tar.xz create mode 100644 xorg-server-21.1.4.tar.xz diff --git a/U_Fix-build-with-gcc-12.patch b/U_Fix-build-with-gcc-12.patch deleted file mode 100644 index 54af600..0000000 --- a/U_Fix-build-with-gcc-12.patch +++ /dev/null @@ -1,89 +0,0 @@ -From c6b0dcb82d4db07a2f32c09a8c09c85a5f57248e Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Thu, 20 Jan 2022 10:20:38 +0100 -Subject: [PATCH] render: Fix build with gcc 12 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The xserver fails to compile with the latest gcc 12: - - render/picture.c: In function ‘CreateSolidPicture’: - render/picture.c:874:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Werror=array-bounds] - 874 | pPicture->pSourcePict->type = SourcePictTypeSolidFill; - | ^~ - render/picture.c:868:45: note: object of size 16 allocated by ‘malloc’ - 868 | pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictSolidFill)); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - render/picture.c: In function ‘CreateLinearGradientPicture’: - render/picture.c:906:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds] - 906 | pPicture->pSourcePict->linear.type = SourcePictTypeLinear; - | ^~ - render/picture.c:899:45: note: object of size 32 allocated by ‘malloc’ - 899 | pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictLinearGradient)); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - render/picture.c: In function ‘CreateConicalGradientPicture’: - render/picture.c:989:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds] - 989 | pPicture->pSourcePict->conical.type = SourcePictTypeConical; - | ^~ - render/picture.c:982:45: note: object of size 32 allocated by ‘malloc’ - 982 | pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictConicalGradient)); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - cc1: some warnings being treated as errors - ninja: build stopped: subcommand failed. - -This is because gcc 12 has become stricter and raises a warning now. - -Fix the warning/error by allocating enough memory to store the union -struct. - -Signed-off-by: Olivier Fourdan -Acked-by: Michel Dänzer -Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1256 ---- - render/picture.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/render/picture.c b/render/picture.c -index afa0d258f..2be4b1954 100644 ---- a/render/picture.c -+++ b/render/picture.c -@@ -865,7 +865,7 @@ CreateSolidPicture(Picture pid, xRenderColor * color, int *error) - } - - pPicture->id = pid; -- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictSolidFill)); -+ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict)); - if (!pPicture->pSourcePict) { - *error = BadAlloc; - free(pPicture); -@@ -896,7 +896,7 @@ CreateLinearGradientPicture(Picture pid, xPointFixed * p1, xPointFixed * p2, - } - - pPicture->id = pid; -- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictLinearGradient)); -+ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict)); - if (!pPicture->pSourcePict) { - *error = BadAlloc; - free(pPicture); -@@ -936,7 +936,7 @@ CreateRadialGradientPicture(Picture pid, xPointFixed * inner, - } - - pPicture->id = pid; -- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictRadialGradient)); -+ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict)); - if (!pPicture->pSourcePict) { - *error = BadAlloc; - free(pPicture); -@@ -979,7 +979,7 @@ CreateConicalGradientPicture(Picture pid, xPointFixed * center, xFixed angle, - } - - pPicture->id = pid; -- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictConicalGradient)); -+ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict)); - if (!pPicture->pSourcePict) { - *error = BadAlloc; - free(pPicture); --- -GitLab - diff --git a/U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch b/U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch deleted file mode 100644 index f933406..0000000 --- a/U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch +++ /dev/null @@ -1,155 +0,0 @@ -From 04a2689e96b42330718517b2a3950aa2bb1ca017 Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Mon, 4 Jul 2022 09:42:53 +1000 -Subject: [PATCH] xkb: rename xkb.h to xkb-procs.h - -This header merely defines the various protocol request handlers, so -let's rename it to something less generic and remove its include from -all the files that don't actually need it (which is almost all of them). - -Signed-off-by: Peter Hutterer -Reviewed-by: Olivier Fourdan ---- - test/test_xkb.c | 1 - - xkb/ddxLoad.c | 1 - - xkb/{xkb.h => xkb-procs.h} | 0 - xkb/xkb.c | 2 +- - xkb/xkbActions.c | 1 - - xkb/xkbEvents.c | 1 - - xkb/xkbInit.c | 1 - - xkb/xkbLEDs.c | 1 - - xkb/xkbSwap.c | 2 +- - xkb/xkbUtils.c | 1 - - xkb/xkbfmisc.c | 1 - - 11 files changed, 2 insertions(+), 10 deletions(-) - rename xkb/{xkb.h => xkb-procs.h} (100%) - -diff --git a/test/test_xkb.c b/test/test_xkb.c -index f81a7ed65..a13107390 100644 ---- a/test/test_xkb.c -+++ b/test/test_xkb.c -@@ -48,7 +48,6 @@ - #include "../xkb/xkbgeom.h" - #include - #include "xkbfile.h" --#include "../xkb/xkb.h" - #include - - #include "tests-common.h" -diff --git a/xkb/ddxLoad.c b/xkb/ddxLoad.c -index f9b7b06d9..2d203ce11 100644 ---- a/xkb/ddxLoad.c -+++ b/xkb/ddxLoad.c -@@ -43,7 +43,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. - #define XKBSRV_NEED_FILE_FUNCS - #include - #include --#include "xkb.h" - - #define PRE_ERROR_MSG "\"The XKEYBOARD keymap compiler (xkbcomp) reports:\"" - #define ERROR_PREFIX "\"> \"" -diff --git a/xkb/xkb.h b/xkb/xkb-procs.h -similarity index 100% -rename from xkb/xkb.h -rename to xkb/xkb-procs.h -diff --git a/xkb/xkb.c b/xkb/xkb.c -index 820cd7166..21c046913 100644 ---- a/xkb/xkb.c -+++ b/xkb/xkb.c -@@ -38,7 +38,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. - #include "extnsionst.h" - #include "extinit.h" - #include "xace.h" --#include "xkb.h" -+#include "xkb-procs.h" - #include "protocol-versions.h" - - #include -diff --git a/xkb/xkbActions.c b/xkb/xkbActions.c -index db29091e7..5e9a6b6d6 100644 ---- a/xkb/xkbActions.c -+++ b/xkb/xkbActions.c -@@ -38,7 +38,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. - #include "exevents.h" - #include "eventstr.h" - #include --#include "xkb.h" - #include - #include "mi.h" - #include "mipointer.h" -diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c -index 0bbd66186..f8f65d4a7 100644 ---- a/xkb/xkbEvents.c -+++ b/xkb/xkbEvents.c -@@ -39,7 +39,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. - #include "exglobals.h" - #include "windowstr.h" - #include --#include "xkb.h" - - /***====================================================================***/ - -diff --git a/xkb/xkbInit.c b/xkb/xkbInit.c -index 4108e1b26..de1dd3fe3 100644 ---- a/xkb/xkbInit.c -+++ b/xkb/xkbInit.c -@@ -49,7 +49,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. - #include "xkbgeom.h" - #include - #include "xkbfile.h" --#include "xkb.h" - - #define CREATE_ATOM(s) MakeAtom(s,sizeof(s)-1,1) - -diff --git a/xkb/xkbLEDs.c b/xkb/xkbLEDs.c -index 5792d9fb7..d4690dad9 100644 ---- a/xkb/xkbLEDs.c -+++ b/xkb/xkbLEDs.c -@@ -38,7 +38,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. - - #include - #include --#include "xkb.h" - - /***====================================================================***/ - -diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c -index 50cabb90e..efbdb81c1 100644 ---- a/xkb/xkbSwap.c -+++ b/xkb/xkbSwap.c -@@ -36,7 +36,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. - #include - #include "xkbstr.h" - #include "extnsionst.h" --#include "xkb.h" -+#include "xkb-procs.h" - - /* - * REQUEST SWAPPING -diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c -index 8975ade8d..dd089c204 100644 ---- a/xkb/xkbUtils.c -+++ b/xkb/xkbUtils.c -@@ -67,7 +67,6 @@ DEALINGS IN THE SOFTWARE. - #define XKBSRV_NEED_FILE_FUNCS - #include - #include "xkbgeom.h" --#include "xkb.h" - - /***====================================================================***/ - -diff --git a/xkb/xkbfmisc.c b/xkb/xkbfmisc.c -index 2ecdcd555..fc9197f2d 100644 ---- a/xkb/xkbfmisc.c -+++ b/xkb/xkbfmisc.c -@@ -46,7 +46,6 @@ - #define XKBSRV_NEED_FILE_FUNCS 1 - #include - #include "xkbgeom.h" --#include "xkb.h" - - unsigned - _XkbKSCheckCase(KeySym ks) --- -GitLab - diff --git a/U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch b/U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch deleted file mode 100644 index db3bd4c..0000000 --- a/U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch +++ /dev/null @@ -1,160 +0,0 @@ -@@ -, +, @@ ---- - xkb/xkb.c | 43 ++++++++++++++++++++++++++++++++++++++----- - 1 file changed, 38 insertions(+), 5 deletions(-) -Index: xorg-server-21.1.3/xkb/xkb.c -=================================================================== ---- xorg-server-21.1.3.orig/xkb/xkb.c -+++ xorg-server-21.1.3/xkb/xkb.c -@@ -5157,7 +5157,7 @@ _GetCountedString(char **wire_inout, Cli - } - - static Status --_CheckSetDoodad(char **wire_inout, -+_CheckSetDoodad(char **wire_inout, xkbSetGeometryReq *req, - XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client) - { - char *wire; -@@ -5168,6 +5168,9 @@ _CheckSetDoodad(char **wire_inout, - Status status; - - dWire = (xkbDoodadWireDesc *) (*wire_inout); -+ if (!_XkbCheckRequestBounds(client, req, dWire, dWire + 1)) -+ return BadLength; -+ - any = dWire->any; - wire = (char *) &dWire[1]; - if (client->swapped) { -@@ -5270,7 +5273,7 @@ _CheckSetDoodad(char **wire_inout, - } - - static Status --_CheckSetOverlay(char **wire_inout, -+_CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req, - XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client) - { - register int r; -@@ -5281,6 +5284,9 @@ _CheckSetOverlay(char **wire_inout, - - wire = *wire_inout; - olWire = (xkbOverlayWireDesc *) wire; -+ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1)) -+ return BadLength; -+ - if (client->swapped) { - swapl(&olWire->name); - } -@@ -5292,6 +5298,9 @@ _CheckSetOverlay(char **wire_inout, - xkbOverlayKeyWireDesc *kWire; - XkbOverlayRowPtr row; - -+ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1)) -+ return BadLength; -+ - if (rWire->rowUnder > section->num_rows) { - client->errorValue = _XkbErrCode4(0x20, r, section->num_rows, - rWire->rowUnder); -@@ -5300,6 +5309,9 @@ _CheckSetOverlay(char **wire_inout, - row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys); - kWire = (xkbOverlayKeyWireDesc *) &rWire[1]; - for (k = 0; k < rWire->nKeys; k++, kWire++) { -+ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1)) -+ return BadLength; -+ - if (XkbAddGeomOverlayKey(ol, row, - (char *) kWire->over, - (char *) kWire->under) == NULL) { -@@ -5333,6 +5345,9 @@ _CheckSetSections(XkbGeometryPtr geom, - register int r; - xkbRowWireDesc *rWire; - -+ if (!_XkbCheckRequestBounds(client, req, sWire, sWire + 1)) -+ return BadLength; -+ - if (client->swapped) { - swapl(&sWire->name); - swaps(&sWire->top); -@@ -5358,6 +5373,9 @@ _CheckSetSections(XkbGeometryPtr geom, - XkbRowPtr row; - xkbKeyWireDesc *kWire; - -+ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1)) -+ return BadLength; -+ - if (client->swapped) { - swaps(&rWire->top); - swaps(&rWire->left); -@@ -5372,6 +5390,9 @@ _CheckSetSections(XkbGeometryPtr geom, - for (k = 0; k < rWire->nKeys; k++) { - XkbKeyPtr key; - -+ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1)) -+ return BadLength; -+ - key = XkbAddGeomKey(row); - if (!key) - return BadAlloc; -@@ -5397,7 +5418,7 @@ _CheckSetSections(XkbGeometryPtr geom, - register int d; - - for (d = 0; d < sWire->nDoodads; d++) { -- status = _CheckSetDoodad(&wire, geom, section, client); -+ status = _CheckSetDoodad(&wire, req, geom, section, client); - if (status != Success) - return status; - } -@@ -5406,7 +5427,7 @@ _CheckSetSections(XkbGeometryPtr geom, - register int o; - - for (o = 0; o < sWire->nOverlays; o++) { -- status = _CheckSetOverlay(&wire, geom, section, client); -+ status = _CheckSetOverlay(&wire, req, geom, section, client); - if (status != Success) - return status; - } -@@ -5440,6 +5461,9 @@ _CheckSetShapes(XkbGeometryPtr geom, - xkbOutlineWireDesc *olWire; - XkbOutlinePtr ol; - -+ if (!_XkbCheckRequestBounds(client, req, shapeWire, shapeWire + 1)) -+ return BadLength; -+ - shape = - XkbAddGeomShape(geom, shapeWire->name, shapeWire->nOutlines); - if (!shape) -@@ -5450,12 +5474,18 @@ _CheckSetShapes(XkbGeometryPtr geom, - XkbPointPtr pt; - xkbPointWireDesc *ptWire; - -+ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1)) -+ return BadLength; -+ - ol = XkbAddGeomOutline(shape, olWire->nPoints); - if (!ol) - return BadAlloc; - ol->corner_radius = olWire->cornerRadius; - ptWire = (xkbPointWireDesc *) &olWire[1]; - for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++) { -+ if (!_XkbCheckRequestBounds(client, req, ptWire, ptWire + 1)) -+ return BadLength; -+ - pt->x = ptWire[p].x; - pt->y = ptWire[p].y; - if (client->swapped) { -@@ -5561,12 +5591,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe - return status; - - for (i = 0; i < req->nDoodads; i++) { -- status = _CheckSetDoodad(&wire, geom, NULL, client); -+ status = _CheckSetDoodad(&wire, req, geom, NULL, client); - if (status != Success) - return status; - } - - for (i = 0; i < req->nKeyAliases; i++) { -+ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength)) -+ return BadLength; -+ - if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL) - return BadAlloc; - wire += 2 * XkbKeyNameLength; diff --git a/U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch b/U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch deleted file mode 100644 index e1ab922..0000000 --- a/U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch +++ /dev/null @@ -1,138 +0,0 @@ -Index: xorg-server-21.1.3/xkb/xkb.c -=================================================================== ---- xorg-server-21.1.3.orig/xkb/xkb.c -+++ xorg-server-21.1.3/xkb/xkb.c -@@ -6551,7 +6551,8 @@ ProcXkbGetDeviceInfo(ClientPtr client) - static char * - CheckSetDeviceIndicators(char *wire, - DeviceIntPtr dev, -- int num, int *status_rtrn, ClientPtr client) -+ int num, int *status_rtrn, ClientPtr client, -+ xkbSetDeviceInfoReq * stuff) - { - xkbDeviceLedsWireDesc *ledWire; - int i; -@@ -6559,6 +6560,11 @@ CheckSetDeviceIndicators(char *wire, - - ledWire = (xkbDeviceLedsWireDesc *) wire; - for (i = 0; i < num; i++) { -+ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) { -+ *status_rtrn = BadLength; -+ return (char *) ledWire; -+ } -+ - if (client->swapped) { - swaps(&ledWire->ledClass); - swaps(&ledWire->ledID); -@@ -6586,6 +6592,11 @@ CheckSetDeviceIndicators(char *wire, - atomWire = (CARD32 *) &ledWire[1]; - if (nNames > 0) { - for (n = 0; n < nNames; n++) { -+ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) { -+ *status_rtrn = BadLength; -+ return (char *) atomWire; -+ } -+ - if (client->swapped) { - swapl(atomWire); - } -@@ -6597,6 +6608,10 @@ CheckSetDeviceIndicators(char *wire, - mapWire = (xkbIndicatorMapWireDesc *) atomWire; - if (nMaps > 0) { - for (n = 0; n < nMaps; n++) { -+ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) { -+ *status_rtrn = BadLength; -+ return (char *) mapWire; -+ } - if (client->swapped) { - swaps(&mapWire->virtualMods); - swapl(&mapWire->ctrls); -@@ -6648,11 +6663,6 @@ SetDeviceIndicators(char *wire, - xkbIndicatorMapWireDesc *mapWire; - XkbSrvLedInfoPtr sli; - -- if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) { -- *status_rtrn = BadLength; -- return (char *) ledWire; -- } -- - namec = mapc = statec = 0; - sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID, - XkbXI_IndicatorMapsMask); -@@ -6671,10 +6681,6 @@ SetDeviceIndicators(char *wire, - memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom)); - for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { - if (ledWire->namesPresent & bit) { -- if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) { -- *status_rtrn = BadLength; -- return (char *) atomWire; -- } - sli->names[n] = (Atom) *atomWire; - if (sli->names[n] == None) - ledWire->namesPresent &= ~bit; -@@ -6692,10 +6698,6 @@ SetDeviceIndicators(char *wire, - if (ledWire->mapsPresent) { - for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { - if (ledWire->mapsPresent & bit) { -- if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) { -- *status_rtrn = BadLength; -- return (char *) mapWire; -- } - sli->maps[n].flags = mapWire->flags; - sli->maps[n].which_groups = mapWire->whichGroups; - sli->maps[n].groups = mapWire->groups; -@@ -6731,13 +6733,17 @@ SetDeviceIndicators(char *wire, - } - - static int --_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, -+_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, - xkbSetDeviceInfoReq * stuff) - { - char *wire; - - wire = (char *) &stuff[1]; - if (stuff->change & XkbXI_ButtonActionsMask) { -+ int sz = stuff->nBtns * SIZEOF(xkbActionWireDesc); -+ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)) -+ return BadLength; -+ - if (!dev->button) { - client->errorValue = _XkbErrCode2(XkbErr_BadClass, ButtonClass); - return XkbKeyboardErrorCode; -@@ -6748,13 +6754,13 @@ _XkbSetDeviceInfo(ClientPtr client, Devi - dev->button->numButtons); - return BadMatch; - } -- wire += (stuff->nBtns * SIZEOF(xkbActionWireDesc)); -+ wire += sz; - } - if (stuff->change & XkbXI_IndicatorsMask) { - int status = Success; - - wire = CheckSetDeviceIndicators(wire, dev, stuff->nDeviceLedFBs, -- &status, client); -+ &status, client, stuff); - if (status != Success) - return status; - } -@@ -6765,8 +6771,8 @@ _XkbSetDeviceInfo(ClientPtr client, Devi - } - - static int --_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, -- xkbSetDeviceInfoReq * stuff) -+_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, -+ xkbSetDeviceInfoReq * stuff) - { - char *wire; - xkbExtensionDeviceNotify ed; -@@ -6790,8 +6796,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client, - if (stuff->firstBtn + stuff->nBtns > nBtns) - return BadValue; - sz = stuff->nBtns * SIZEOF(xkbActionWireDesc); -- if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)) -- return BadLength; - memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz); - wire += sz; - ed.reason |= XkbXI_ButtonActionsMask; diff --git a/xorg-server-21.1.3.tar.xz b/xorg-server-21.1.3.tar.xz deleted file mode 100644 index bf42509..0000000 --- a/xorg-server-21.1.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:61d6aad5b6b47a116b960bd7f0cba4ee7e6da95d6bb0b127bde75d7d1acdebe5 -size 4955948 diff --git a/xorg-server-21.1.4.tar.xz b/xorg-server-21.1.4.tar.xz new file mode 100644 index 0000000..c07a9f0 --- /dev/null +++ b/xorg-server-21.1.4.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587 +size 4940176 diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes index 09e65fb..9049bdc 100644 --- a/xorg-x11-server.changes +++ b/xorg-x11-server.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Wed Jul 13 12:38:05 UTC 2022 - Stefan Dirsch + +- Update to version 21.1 + * This release fixes 2 recently reported security vulnerabilities + in xkb, several regressions since 1.20.x and a number of + miscellaneous bugs. +- supersedes the following security patches + * U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch + * U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch + * U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch +- supersedes U_Fix-build-with-gcc-12.patch + ------------------------------------------------------------------- Wed Jul 6 12:21:11 UTC 2022 - Stefan Dirsch diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 464607f..cf82126 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -36,7 +36,7 @@ %endif Name: xorg-x11-server -Version: 21.1.3 +Version: 21.1.4 Release: 0 URL: http://xorg.freedesktop.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -245,16 +245,8 @@ Patch1930: u_xfree86-activate-GPU-screens-on-autobind.patch Patch1940: U_xephyr-Don-t-check-for-SeatId-anymore.patch -Patch1950: U_Fix-build-with-gcc-12.patch - Patch1960: u_sync-pci-ids-with-Mesa-22.0.0.patch -#CVE-2022-2320, ZDI-CAN-16070, bsc#1194181 -Patch2001: U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch -#CVE-2022-2319, ZDI-CAN-16062, bsc#1194179 -Patch2101: U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch -Patch2102: U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch - %description This package contains the X.Org Server. @@ -411,11 +403,7 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch1920 -p1 %patch1930 -p1 %patch1940 -p1 -%patch1950 -p1 %patch1960 -p1 -%patch2001 -p1 -%patch2101 -p1 -%patch2102 -p1 %build # We have some -z now related errors during X default startup (boo#1197994):