From 89ed3b3595c7c0c33c2fb76af006f296e2a6e4db4ae31fbbaac58b108e876358 Mon Sep 17 00:00:00 2001 From: Stefan Dirsch Date: Wed, 19 Oct 2022 11:46:42 +0000 Subject: [PATCH] - U_xkb-proof-GetCountedString-against-request-length-at.patch * security update for CVE-2022-3550 (bsc#1204412) - U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch * security update for CVE-2022-3551 (bsc#1204416) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=833 --- ...possible-memleaks-in-XkbGetKbdByName.patch | 56 +++++++++++++++++++ ...ntedString-against-request-length-at.patch | 34 +++++++++++ xorg-x11-server.changes | 8 +++ xorg-x11-server.spec | 5 ++ 4 files changed, 103 insertions(+) create mode 100644 U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch create mode 100644 U_xkb-proof-GetCountedString-against-request-length-at.patch diff --git a/U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch new file mode 100644 index 0000000..fb7816b --- /dev/null +++ b/U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch @@ -0,0 +1,56 @@ +From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 13 Jul 2022 11:23:09 +1000 +Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName + +GetComponentByName returns an allocated string, so let's free that if we +fail somewhere. + +Signed-off-by: Peter Hutterer +--- + xkb/xkb.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +Index: xorg-server-21.1.4/xkb/xkb.c +=================================================================== +--- xorg-server-21.1.4.orig/xkb/xkb.c ++++ xorg-server-21.1.4/xkb/xkb.c +@@ -5940,18 +5940,32 @@ ProcXkbGetKbdByName(ClientPtr client) + xkb = dev->key->xkbInfo->desc; + status = Success; + str = (unsigned char *) &stuff[1]; +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ +- return BadMatch; ++ { ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ ++ if (keymap) { ++ free(keymap); ++ return BadMatch; ++ } ++ } + names.keycodes = GetComponentSpec(&str, TRUE, &status); + names.types = GetComponentSpec(&str, TRUE, &status); + names.compat = GetComponentSpec(&str, TRUE, &status); + names.symbols = GetComponentSpec(&str, TRUE, &status); + names.geometry = GetComponentSpec(&str, TRUE, &status); +- if (status != Success) ++ if (status == Success) { ++ len = str - ((unsigned char *) stuff); ++ if ((XkbPaddedSize(len) / 4) != stuff->length) ++ status = BadLength; ++ } ++ ++ if (status != Success) { ++ free(names.keycodes); ++ free(names.types); ++ free(names.compat); ++ free(names.symbols); ++ free(names.geometry); + return status; +- len = str - ((unsigned char *) stuff); +- if ((XkbPaddedSize(len) / 4) != stuff->length) +- return BadLength; ++ } + + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); diff --git a/U_xkb-proof-GetCountedString-against-request-length-at.patch b/U_xkb-proof-GetCountedString-against-request-length-at.patch new file mode 100644 index 0000000..e28a6bb --- /dev/null +++ b/U_xkb-proof-GetCountedString-against-request-length-at.patch @@ -0,0 +1,34 @@ +From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 5 Jul 2022 12:06:20 +1000 +Subject: [PATCH] xkb: proof GetCountedString against request length attacks + +GetCountedString did a check for the whole string to be within the +request buffer but not for the initial 2 bytes that contain the length +field. A swapped client could send a malformed request to trigger a +swaps() on those bytes, writing into random memory. + +Signed-off-by: Peter Hutterer +--- + xkb/xkb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f42f59ef3..1841cff26 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) + CARD16 len; + + wire = *wire_inout; ++ ++ if (client->req_len < ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) ++ return BadValue; ++ + len = *(CARD16 *) wire; + if (client->swapped) { + swaps(&len); +-- +2.35.3 + diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes index cfc12fa..ec0305e 100644 --- a/xorg-x11-server.changes +++ b/xorg-x11-server.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Oct 19 11:06:46 UTC 2022 - Stefan Dirsch + +- U_xkb-proof-GetCountedString-against-request-length-at.patch + * security update for CVE-2022-3550 (bsc#1204412) +- U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch + * security update for CVE-2022-3551 (bsc#1204416) + ------------------------------------------------------------------- Wed Jul 13 14:02:51 UTC 2022 - Stefan Dirsch diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 27bb608..f3b9ed2 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -247,6 +247,9 @@ Patch1940: U_xephyr-Don-t-check-for-SeatId-anymore.patch Patch1960: u_sync-pci-ids-with-Mesa.patch +Patch1204412: U_xkb-proof-GetCountedString-against-request-length-at.patch +Patch1204416: U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch + %description This package contains the X.Org Server. @@ -404,6 +407,8 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch1930 -p1 %patch1940 -p1 %patch1960 -p1 +%patch1204412 -p1 +%patch1204416 -p1 %build # We have some -z now related errors during X default startup (boo#1197994):