- Update to version 1.20.11

* bugfix release
- supersedes U_Fix-XChangeFeedbackControl-request-underflow.patch,
  U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=790
Stefan Dirsch 2021-04-13 15:47:41 +00:00 committed by Git OBS Bridge
parent 1d3b9358c6
commit 5e64abe9ab
6 changed files with 14 additions and 105 deletions

@ -1,33 +0,0 @@
From 00f8ce4dbeeb99ff8e5e9211d08058b11a1ac3c0 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Sun, 21 Mar 2021 18:38:57 +0100
Subject: [PATCH xserver] Fix XChangeFeedbackControl() request underflow
CVE-2021-3472 / ZDI-CAN-1259
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
Xi/chgfctl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git Xi/chgfctl.c Xi/chgfctl.c
index 1de4da9ef..7a597e43d 100644
--- Xi/chgfctl.c
+++ Xi/chgfctl.c
@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
break;
case StringFeedbackClass:
{
- xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
+ xStringFeedbackCtl *f;
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
+ sizeof(xStringFeedbackCtl));
+ f = ((xStringFeedbackCtl *) &stuff[1]);
if (client->swapped) {
if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
return BadLength;

@ -1,60 +0,0 @@
Git-commit: ba1e6eaea84b73e6ccd5f73acb93110eadb1a640
Author: Michal Srb <msrb@suse.com>
Subject: xkb: Fix heap overflow caused by optimized away min.
Patch-mainline: Upstream
References: boo#1099113
Calling strlen on char[4] that does not need to contain '\0' is wrong and X
server may end up running into invalid memory.
In addition GCC 8 is clever enough that it knows that strlen on char[4] can
return 0, 1, 2, 3 or cause undefined behavior. With this knowledge it can
optimize away the min(..., 4). When the undefined behavior happens, any long
value can be passed as size to the memcpy which will overflow the destination
buffer.
Fixes: 83913de25d35 (xkb: Silence some compiler warnings)
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=86259
---
xkb/XKBGAlloc.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/xkb/XKBGAlloc.c b/xkb/XKBGAlloc.c
index 8958b0c52..f0cda24fe 100644
--- a/xkb/XKBGAlloc.c
+++ b/xkb/XKBGAlloc.c
@@ -588,8 +588,7 @@ XkbAddGeomKeyAlias(XkbGeometryPtr geom, char *aliasStr, char *realStr)
i++, alias++) {
if (strncmp(alias->alias, aliasStr, XkbKeyNameLength) == 0) {
memset(alias->real, 0, XkbKeyNameLength);
- memcpy(alias->real, realStr,
- min(XkbKeyNameLength, strlen(realStr)));
+ memcpy(alias->real, realStr, strnlen(realStr, XkbKeyNameLength));
return alias;
}
}
@@ -599,8 +598,8 @@ XkbAddGeomKeyAlias(XkbGeometryPtr geom, char *aliasStr, char *realStr)
}
alias = &geom->key_aliases[geom->num_key_aliases];
memset(alias, 0, sizeof(XkbKeyAliasRec));
- memcpy(alias->alias, aliasStr, min(XkbKeyNameLength, strlen(aliasStr)));
- memcpy(alias->real, realStr, min(XkbKeyNameLength, strlen(realStr)));
+ memcpy(alias->alias, aliasStr, strnlen(aliasStr, XkbKeyNameLength));
+ memcpy(alias->real, realStr, strnlen(realStr, XkbKeyNameLength));
geom->num_key_aliases++;
return alias;
}
@@ -815,8 +814,8 @@ XkbAddGeomOverlayKey(XkbOverlayPtr overlay,
(_XkbAllocOverlayKeys(row, 1) != Success))
return NULL;
key = &row->keys[row->num_keys];
- memcpy(key->under.name, under, min(XkbKeyNameLength, strlen(under)));
- memcpy(key->over.name, over, min(XkbKeyNameLength, strlen(over)));
+ memcpy(key->under.name, under, strnlen(under, XkbKeyNameLength));
+ memcpy(key->over.name, over, strnlen(over, XkbKeyNameLength));
row->num_keys++;
return key;
}
--
2.13.6

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:914c796e3ffabe1af48071d40ccc85e92117c97a9082ed1df29e4d64e3c34c49
size 6476116

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue Apr 13 15:32:45 UTC 2021 - Stefan Dirsch <sndirsch@suse.com>
- Update to version 1.20.11
* bugfix release
- supersedes U_Fix-XChangeFeedbackControl-request-underflow.patch,
U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch
-------------------------------------------------------------------
Mon Apr 12 10:46:33 UTC 2021 - Stefan Dirsch <sndirsch@suse.com>

@ -41,7 +41,7 @@
%endif
Name: xorg-x11-server
Version: 1.20.10
Version: 1.20.11
Release: 0
URL: http://xorg.freedesktop.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -50,7 +50,7 @@ Summary: X
# Source URL: http://xorg.freedesktop.org/archive/individual/xserver/
License: MIT
Group: System/X11/Servers/XF86_4
Source0: xserver-%{version}.tar.xz
Source0: xorg-server-%{version}.tar.bz2
Source1: sysconfig.displaymanager.template
Source2: README.updates
Source3: xorgcfg.tar.bz2
@ -242,8 +242,6 @@ Patch1222: b_sync-fix.patch
Patch1401: u_randr-Do-not-crash-if-slave-screen-does-not-have-pro.patch
Patch1501: U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch
Patch1502: U_dix-window-Use-ConfigureWindow-instead-of-MoveWindow.patch
Patch1503: u_xfree86-Do-not-claim-pci-slots-if-fb-slot-is-already.patch
@ -256,8 +254,6 @@ Patch1801: U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
Patch1900: u_no-lto-for-tests.patch
Patch1180128: U_Fix-XChangeFeedbackControl-request-underflow.patch
%description
This package contains the X.Org Server.
@ -363,7 +359,7 @@ Group: Development/Sources
This package contains patched sources of X.Org Server.
%prep
%setup -q -n xserver-%{version} -a3
%setup -q -n xorg-server-%{version} -a3
# Early verification if the ABI Defines are correct. Let's not waste build cycles if the Provides are wrong at the end.
sh %{SOURCE92} --verify . %{SOURCE91}
@ -402,14 +398,12 @@ sh %{SOURCE92} --verify . %{SOURCE91}
### patch222 might not be applicable anymore
#%patch1222 -p1
%patch1401 -p1
%patch1501 -p1
%patch1502 -p1
%patch1503 -p1
%patch1505 -p1
%patch1600 -p1
%patch1801 -p1
%patch1900 -p1
%patch1180128 -p0
%build
%global _lto_cflags %{?_lto_cflags} -ffat-lto-objects
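Review bot: At the Source0 line, the switch to `xorg-server-%{version}.tar.bz2` leaves the tarball's origin documented only by the commented `# Source URL: http://xorg.freedesktop.org/archive/individual/xserver/`, so nothing visible here ties the new archive to the upstream release. Consider `Source0: https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-%{version}.tar.bz2` and adding the upstream detached signature and keyring as further Source entries so the archive is verified on check-in; the Source list continues outside these hunks, so this may already be present. The same section drops Patch1501 and Patch1180128, the latter carrying the CVE-2021-3472 request-length check, so it is worth confirming against the unpacked 1.20.11 tree that both the `REQUEST_AT_LEAST_EXTRA_SIZE` check in Xi/chgfctl.c and the `strnlen` calls in xkb/XKBGAlloc.c are present before the patches are deleted.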

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a6006d1ece16284ff782ac7a13907c304b1760319cf4678c85a02a9dca6bac85
size 3112104