diff --git a/u_xorg-server-oob-read-enqueue-event.patch b/u_xorg-server-oob-read-enqueue-event.patch
new file mode 100644
index 0000000..d56d0d8
--- /dev/null
+++ b/u_xorg-server-oob-read-enqueue-event.patch
@@ -0,0 +1,29 @@
+From 2ef5ef57bd37a8bec2ac454053b283c6f87c3b40 Mon Sep 17 00:00:00 2001
+From: Mike Gorse
+Date: Wed, 25 Jan 2023 02:02:48 +0000
+Subject: [PATCH] dix: Use CopyPartialInternalEvent in EnqueueEvent
+
+The event might be a DeviceEvent allocated on the stack, in
+AccessXKeyboardEvent for instance. Fixes out-of-bounds read.
+
+Signed-off-by: Mike Gorse
+---
+ dix/events.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dix/events.c b/dix/events.c
+index 782ed35dc..86f5357e8 100644
+--- a/dix/events.c
++++ b/dix/events.c
+@@ -1215,7 +1215,7 @@ EnqueueEvent(InternalEvent *ev, DeviceIntPtr device)
+ qe->pScreen = pSprite->hotPhys.pScreen;
+ qe->months = currentTime.months;
+ qe->event = (InternalEvent *) (qe + 1);
+- memcpy(qe->event, event, eventlen);
++ CopyPartialInternalEvent(qe->event, (InternalEvent *)event);
+ xorg_list_append(&qe->next, &syncEvents.pending);
+ }
+
+--
+2.39.0
+
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 56be4e0..9147bbc 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jan 25 03:15:56 UTC 2023 - Michael Gorse
+
+- Add u_xorg-server-oob-read-enqueue-event.patch: fix an
+ out-of-bounds read in EnqueueEvent.
+
 -------------------------------------------------------------------
 Mon Dec 19 19:54:11 UTC 2022 - dmueller@suse.com
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index c904f6f..01c28bc 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
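Review bot: The replacement line `CopyPartialInternalEvent(qe->event, (InternalEvent *)event);` in the embedded dix/events.c hunk has no comment saying why a full-size copy is unsafe here, so the reason exists only in the commit message. I would add `/* event may be a stack-allocated DeviceEvent smaller than InternalEvent; copy only the source's own length */` above the call. The helper's definition and the allocation that sizes `qe` are outside this hunk, so the patch presumably relies on the helper already existing in the packaged source and on the source event's length field never exceeding the buffer; both are worth confirming against the shipped tarball. If the helper copies fewer bytes than were allocated, the tail of `qe->event` would be left uninitialized, so check that no later reader copies a full `sizeof(InternalEvent)` from it. EnqueueEvent starts outside the hunk.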
@@ -1,7 +1,7 @@
 #
 # spec file for package xorg-x11-server
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -207,9 +207,8 @@ Patch11: n_xorg-wrapper-rename-Xorg.patch
 Patch12: n_xorg-wrapper-anybody.patch
 Patch100: u_01-Improved-ConfineToShape.patch
 Patch101: u_02-DIX-ConfineTo-Don-t-bother-about-the-bounding-box-when-grabbing-a-shaped-window.patch
-# PATCH-FIX-UPSTREAM u_x86emu-include-order.patch schwab@suse.de -- Change include order to avoid conflict with system header, remove duplicate definitions
-
 Patch104: u_xorg-server-xdmcp.patch
+Patch105: u_xorg-server-oob-read-enqueue-event.patch
 Patch117: xorg-x11-server-byte-order.patch
@@ -371,6 +370,7 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch100 -p1
 #%patch101 -p1
 %patch104 -p1
+%patch105 -p1
 %patch117 -p1
 %patch160 -p1
 %patch208 -p1
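Review bot: `Patch105` is added in the second hunk without a provenance comment, even though the line removed just above it shows the `# PATCH-FIX-UPSTREAM <file> <author> -- <summary>` form this spec uses. For a memory-safety fix that traceability matters to whoever later rebases the package or audits which fixes are carried. I would put `# PATCH-FIX-UPSTREAM u_xorg-server-oob-read-enqueue-event.patch <maintainer> -- dix: fix out-of-bounds read in EnqueueEvent` above the `Patch105:` line, with the tracking bug reference if one exists. The removed comment described a different patch file than `Patch104`, so dropping it looks correct.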