forked from pool/xorg-x11-server
- Update to version 1.20.11
* bugfix release - supersedes U_Fix-XChangeFeedbackControl-request-underflow.patch, U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=790
This commit is contained in:
parent
1d3b9358c6
commit
5e64abe9ab
@ -1,33 +0,0 @@
|
||||
From 00f8ce4dbeeb99ff8e5e9211d08058b11a1ac3c0 Mon Sep 17 00:00:00 2001
|
||||
From: Matthieu Herrb <matthieu@herrb.eu>
|
||||
Date: Sun, 21 Mar 2021 18:38:57 +0100
|
||||
Subject: [PATCH xserver] Fix XChangeFeedbackControl() request underflow
|
||||
|
||||
CVE-2021-3472 / ZDI-CAN-1259
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
|
||||
---
|
||||
Xi/chgfctl.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git Xi/chgfctl.c Xi/chgfctl.c
|
||||
index 1de4da9ef..7a597e43d 100644
|
||||
--- Xi/chgfctl.c
|
||||
+++ Xi/chgfctl.c
|
||||
@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
|
||||
break;
|
||||
case StringFeedbackClass:
|
||||
{
|
||||
- xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
|
||||
+ xStringFeedbackCtl *f;
|
||||
|
||||
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
|
||||
+ sizeof(xStringFeedbackCtl));
|
||||
+ f = ((xStringFeedbackCtl *) &stuff[1]);
|
||||
if (client->swapped) {
|
||||
if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
|
||||
return BadLength;
|
||||
|
@ -1,60 +0,0 @@
|
||||
Git-commit: ba1e6eaea84b73e6ccd5f73acb93110eadb1a640
|
||||
Author: Michal Srb <msrb@suse.com>
|
||||
Subject: xkb: Fix heap overflow caused by optimized away min.
|
||||
Patch-mainline: Upstream
|
||||
References: boo#1099113
|
||||
|
||||
Calling strlen on char[4] that does not need to contain '\0' is wrong and X
|
||||
server may end up running into invalid memory.
|
||||
|
||||
In addition GCC 8 is clever enough that it knows that strlen on char[4] can
|
||||
return 0, 1, 2, 3 or cause undefined behavior. With this knowledge it can
|
||||
optimize away the min(..., 4). When the undefined behavior happens, any long
|
||||
value can be passed as size to the memcpy which will overflow the destination
|
||||
buffer.
|
||||
|
||||
Fixes: 83913de25d35 (xkb: Silence some compiler warnings)
|
||||
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=86259
|
||||
---
|
||||
xkb/XKBGAlloc.c | 11 +++++------
|
||||
1 file changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/xkb/XKBGAlloc.c b/xkb/XKBGAlloc.c
|
||||
index 8958b0c52..f0cda24fe 100644
|
||||
--- a/xkb/XKBGAlloc.c
|
||||
+++ b/xkb/XKBGAlloc.c
|
||||
@@ -588,8 +588,7 @@ XkbAddGeomKeyAlias(XkbGeometryPtr geom, char *aliasStr, char *realStr)
|
||||
i++, alias++) {
|
||||
if (strncmp(alias->alias, aliasStr, XkbKeyNameLength) == 0) {
|
||||
memset(alias->real, 0, XkbKeyNameLength);
|
||||
- memcpy(alias->real, realStr,
|
||||
- min(XkbKeyNameLength, strlen(realStr)));
|
||||
+ memcpy(alias->real, realStr, strnlen(realStr, XkbKeyNameLength));
|
||||
return alias;
|
||||
}
|
||||
}
|
||||
@@ -599,8 +598,8 @@ XkbAddGeomKeyAlias(XkbGeometryPtr geom, char *aliasStr, char *realStr)
|
||||
}
|
||||
alias = &geom->key_aliases[geom->num_key_aliases];
|
||||
memset(alias, 0, sizeof(XkbKeyAliasRec));
|
||||
- memcpy(alias->alias, aliasStr, min(XkbKeyNameLength, strlen(aliasStr)));
|
||||
- memcpy(alias->real, realStr, min(XkbKeyNameLength, strlen(realStr)));
|
||||
+ memcpy(alias->alias, aliasStr, strnlen(aliasStr, XkbKeyNameLength));
|
||||
+ memcpy(alias->real, realStr, strnlen(realStr, XkbKeyNameLength));
|
||||
geom->num_key_aliases++;
|
||||
return alias;
|
||||
}
|
||||
@@ -815,8 +814,8 @@ XkbAddGeomOverlayKey(XkbOverlayPtr overlay,
|
||||
(_XkbAllocOverlayKeys(row, 1) != Success))
|
||||
return NULL;
|
||||
key = &row->keys[row->num_keys];
|
||||
- memcpy(key->under.name, under, min(XkbKeyNameLength, strlen(under)));
|
||||
- memcpy(key->over.name, over, min(XkbKeyNameLength, strlen(over)));
|
||||
+ memcpy(key->under.name, under, strnlen(under, XkbKeyNameLength));
|
||||
+ memcpy(key->over.name, over, strnlen(over, XkbKeyNameLength));
|
||||
row->num_keys++;
|
||||
return key;
|
||||
}
|
||||
--
|
||||
2.13.6
|
||||
|
3
xorg-server-1.20.11.tar.bz2
Normal file
3
xorg-server-1.20.11.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:914c796e3ffabe1af48071d40ccc85e92117c97a9082ed1df29e4d64e3c34c49
|
||||
size 6476116
|
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 13 15:32:45 UTC 2021 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
- Update to version 1.20.11
|
||||
* bugfix release
|
||||
- supersedes U_Fix-XChangeFeedbackControl-request-underflow.patch,
|
||||
U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Apr 12 10:46:33 UTC 2021 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
|
@ -41,7 +41,7 @@
|
||||
%endif
|
||||
|
||||
Name: xorg-x11-server
|
||||
Version: 1.20.10
|
||||
Version: 1.20.11
|
||||
Release: 0
|
||||
URL: http://xorg.freedesktop.org/
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
@ -50,7 +50,7 @@ Summary: X
|
||||
# Source URL: http://xorg.freedesktop.org/archive/individual/xserver/
|
||||
License: MIT
|
||||
Group: System/X11/Servers/XF86_4
|
||||
Source0: xserver-%{version}.tar.xz
|
||||
Source0: xorg-server-%{version}.tar.bz2
|
||||
Source1: sysconfig.displaymanager.template
|
||||
Source2: README.updates
|
||||
Source3: xorgcfg.tar.bz2
|
||||
@ -242,8 +242,6 @@ Patch1222: b_sync-fix.patch
|
||||
|
||||
Patch1401: u_randr-Do-not-crash-if-slave-screen-does-not-have-pro.patch
|
||||
|
||||
Patch1501: U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch
|
||||
|
||||
Patch1502: U_dix-window-Use-ConfigureWindow-instead-of-MoveWindow.patch
|
||||
|
||||
Patch1503: u_xfree86-Do-not-claim-pci-slots-if-fb-slot-is-already.patch
|
||||
@ -256,8 +254,6 @@ Patch1801: U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
|
||||
|
||||
Patch1900: u_no-lto-for-tests.patch
|
||||
|
||||
Patch1180128: U_Fix-XChangeFeedbackControl-request-underflow.patch
|
||||
|
||||
%description
|
||||
This package contains the X.Org Server.
|
||||
|
||||
@ -363,7 +359,7 @@ Group: Development/Sources
|
||||
This package contains patched sources of X.Org Server.
|
||||
|
||||
%prep
|
||||
%setup -q -n xserver-%{version} -a3
|
||||
%setup -q -n xorg-server-%{version} -a3
|
||||
# Early verification if the ABI Defines are correct. Let's not waste build cycles if the Provides are wrong at the end.
|
||||
sh %{SOURCE92} --verify . %{SOURCE91}
|
||||
|
||||
@ -402,14 +398,12 @@ sh %{SOURCE92} --verify . %{SOURCE91}
|
||||
### patch222 might not be applicable anymore
|
||||
#%patch1222 -p1
|
||||
%patch1401 -p1
|
||||
%patch1501 -p1
|
||||
%patch1502 -p1
|
||||
%patch1503 -p1
|
||||
%patch1505 -p1
|
||||
%patch1600 -p1
|
||||
%patch1801 -p1
|
||||
%patch1900 -p1
|
||||
%patch1180128 -p0
|
||||
|
||||
%build
|
||||
%global _lto_cflags %{?_lto_cflags} -ffat-lto-objects
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:a6006d1ece16284ff782ac7a13907c304b1760319cf4678c85a02a9dca6bac85
|
||||
size 3112104
|
Loading…
Reference in New Issue
Block a user