diff --git a/U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch b/U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
new file mode 100644
index 0000000..33205f7
--- /dev/null
+++ b/U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
@@ -0,0 +1,32 @@
+From 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas
+Date: Tue, 14 Dec 2021 15:00:02 +0200
+Subject: [PATCH] Xext: Fix out of bounds access in SProcScreenSaverSuspend()
+
+ZDI-CAN-14951, CVE-2021-4010
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index 1d7e3cadf..f813ba08d 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
+ REQUEST(xScreenSaverSuspendReq);
+
+ swaps(&stuff->length);
+- swapl(&stuff->suspend);
+ REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
++ swapl(&stuff->suspend);
+ return ProcScreenSaverSuspend(client);
+ }
+
+--
+2.26.2
+
diff --git a/U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch b/U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
new file mode 100644
index 0000000..d4d03be
--- /dev/null
+++ b/U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
@@ -0,0 +1,33 @@
+From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas
+Date: Tue, 14 Dec 2021 15:00:00 +0200
+Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister()
+
+ZDI-CAN-14952, CVE-2021-4011
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas
+---
+ record/record.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index be154525d..e123867a7 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ swapl(pClientID);
+ }
+ if (stuff->nRanges >
+- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+- - stuff->nClients)
++ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
++ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
+ return BadLength;
+ RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+ return Success;
+--
+2.26.2
+
diff --git a/U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch b/U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
new file mode 100644
index 0000000..eb188ed
--- /dev/null
+++ b/U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
@@ -0,0 +1,43 @@
+From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas
+Date: Tue, 14 Dec 2021 15:00:01 +0200
+Subject: [PATCH] xfixes: Fix out of bounds access in
+ *ProcXFixesCreatePointerBarrier()
+
+ZDI-CAN-14950, CVE-2021-4009
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas
+---
+ xfixes/cursor.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
+index 60580b88f..c5d4554b2 100644
+--- a/xfixes/cursor.c
++++ b/xfixes/cursor.c
+@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
+ {
+ REQUEST(xXFixesCreatePointerBarrierReq);
+
+- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
++ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
+ LEGAL_NEW_RESOURCE(stuff->barrier, client);
+
+ return XICreatePointerBarrier(client, stuff);
+@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
+
+ swaps(&stuff->length);
+ swaps(&stuff->num_devices);
+- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
++ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
+
+ swapl(&stuff->barrier);
+ swapl(&stuff->window);
+--
+2.26.2
+
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index d8da6f8..8a7ebe0 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
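Review bot: In the SProcXFixesCreatePointerBarrier hunk the new side still executes `swaps(&stuff->num_devices);` before `REQUEST_FIXED_SIZE(...)`, so a field of the fixed-size part of the request is read and byte-swapped before the length macro has confirmed that the client sent that much — the same read-before-check ordering that the U_Xext patch in this commit corrects for `stuff->suspend`. The value is needed to size the variable part, so it cannot simply move below the check; inserting `REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);` directly after `swaps(&stuff->length);` would validate the fixed part first and leave the corrected REQUEST_FIXED_SIZE check for the trailing device list. Whether the dispatcher already guarantees that the full fixed-size header is present is not visible from this patch, so treat this as a point to confirm when carrying the backport rather than a defect in the upstream fix. Both ProcXFixesCreatePointerBarrier and SProcXFixesCreatePointerBarrier continue past the end of their hunks.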
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Tue Dec 14 20:21:19 UTC 2021 - Stefan Dirsch
+
+- U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
+ * CVE-2021-4009/ZDI-CAN-14950 (bsc#1190487)
+ The handler for the CreatePointerBarrier request of the XFixes
+ extension does not properly validate the request length leading
+ to out of bounds memory write.
+- U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
+ * CVE-2021-4010/ZDI-CAN-14951 (bsc#1190488)
+ The handler for the Suspend request of the Screen Saver extension
+ does not properly validate the request length leading to out of
+ bounds memory write.
+- U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
+ * CVE-2021-4011/ZDI-CAN-14952 (bsc#1190489)
+ The handlers for the RecordCreateContext and RecordRegisterClients
+ requests of the Record extension do not properly validate the request
+ length leading to out of bounds memory write.
+
 -------------------------------------------------------------------
 Tue Dec 14 15:31:41 UTC 2021 - Stefan Dirsch
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index eb9a9dc..54ecc99 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -243,6 +243,10 @@ Patch1920: u_xf86-Accept-devices-with-the-hyperv_drm-driver.patch
 Patch1193030: U_rendercompositeglyphs.patch
+Patch1190487: U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
+Patch1190488: U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
+Patch1190489: U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
+
 %description
 This package contains the X.Org Server.
@@ -400,6 +404,10 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch1920 -p1
 %patch1193030 -p1
+%patch1190487 -p1
+%patch1190488 -p1
+%patch1190489 -p1
+
 %build
 %global _lto_cflags %{?_lto_cflags} -ffat-lto-objects
 test -e source-file-list || \