From ac6d09dc196524684b43ac41b232eaf11bff0bd3ef6bec1e6f3a057e77c16b09 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch
Date: Tue, 7 Feb 2023 02:58:41 +0000
Subject: [PATCH 1/2] - U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch * DeepCopyPointerClasses use-after-free (CVE-2023-0494, ZDI-CAN-19596, bsc#1207783)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=851
---
 ...-use-after-free-in-DeepCopyPointerCl.patch | 20 +++++++++++++++++++
 xorg-x11-server.changes | 7 +++++++
 xorg-x11-server.spec | 3 +++
 3 files changed, 30 insertions(+)
 create mode 100644 U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
diff --git a/U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch b/U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
new file mode 100644
index 0000000..a19074e
--- /dev/null
+++ b/U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
@@ -0,0 +1,20 @@
+@@ -, +, @@
+ DeepCopyPointerClasses
+---
+ Xi/exevents.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+--- a/Xi/exevents.c
++++ a/Xi/exevents.c
+@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+ sizeof(XkbAction));
+ }
+- else
++ else {
+ free(to->button->xkb_acts);
++ to->button->xkb_acts = NULL;
++ }
+
+ memcpy(to->button->labels, from->button->labels,
+ from->button->numButtons * sizeof(Atom));
+--
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 19c7aa5..dda2736 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
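Review bot: The context kept above the fix copies only `sizeof(XkbAction)` into `to->button->xkb_acts`, while the `labels` copy right below scales with `from->button->numButtons`; the hunk does not show how `xkb_acts` is allocated, so it is worth confirming against the full function that one element is really the intended size. In the `else` branch the added `to->button->xkb_acts = NULL;` deserves a comment such as `/* clear the freed pointer so a later copy cannot write through it or free it again */`. The embedded patch also opens with `@@ -, +, @@` and has no From/Subject lines or upstream commit id, which loses the provenance of a CVE fix; keeping the original format-patch header would make the backport auditable. DeepCopyPointerClasses starts and ends outside the inner hunk.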
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 1 10:18:32 UTC 2023 - Stefan Dirsch
+
+- U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
+ * DeepCopyPointerClasses use-after-free (CVE-2023-0494,
+ ZDI-CAN-19596, bsc#1207783)
+
 -------------------------------------------------------------------
 Wed Jan 25 16:02:23 UTC 2023 - Stefan Dirsch
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 6e54b45..7bc7fd7 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -243,6 +243,8 @@ Patch1940: U_xephyr-Don-t-check-for-SeatId-anymore.patch
 Patch1960: u_sync-pci-ids-with-Mesa.patch
+Patch1207783: U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
+
 %description
 This package contains the X.Org Server.
@@ -401,6 +403,7 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch1930 -p1
 %patch1940 -p1
 %patch1960 -p1
+%patch1207783 -p1
 %build
 # We have some -z now related errors during X default startup (boo#1197994):
From 8832186295ef987e6b22b7701adbf01d5eada75f51a0580fad7b35be37e5c647 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch
Date: Tue, 7 Feb 2023 14:51:52 +0000
Subject: [PATCH 2/2] - Update to version xorg-server-21.1.7: * This release contains the fix for CVE-2023-0494 in today's security advisory: https://lists.x.org/archives/xorg-announce/2023-February/003320.html It also fixes a second possible OOB access during EnqueueEvent and a crasher caused by ResourceClientBits not correctly honouring the MaxClients value in the configuration file. - supersedes U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch, U_xorg-server-oob-read-enqueue-event.patch
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=852
---
 ...-use-after-free-in-DeepCopyPointerCl.patch | 20 -------------
 U_xorg-server-oob-read-enqueue-event.patch | 29 -------------------
 xorg-server-21.1.7.tar.xz | 3 ++
 xorg-x11-server.changes | 13 +++++++++
 xorg-x11-server.spec | 11 ++-----
 xserver-xorg-server-21.1.6.tar.xz | 3 --
 6 files changed, 19 insertions(+), 60 deletions(-)
 delete mode 100644 U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
 delete mode 100644 U_xorg-server-oob-read-enqueue-event.patch
 create mode 100644 xorg-server-21.1.7.tar.xz
 delete mode 100644 xserver-xorg-server-21.1.6.tar.xz
diff --git a/U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch b/U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
deleted file mode 100644
index a19074e..0000000
--- a/U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-@@ -, +, @@
- DeepCopyPointerClasses
----
- Xi/exevents.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
---- a/Xi/exevents.c
-+++ a/Xi/exevents.c
-@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
- memcpy(to->button->xkb_acts, from->button->xkb_acts,
- sizeof(XkbAction));
- }
-- else
-+ else {
- free(to->button->xkb_acts);
-+ to->button->xkb_acts = NULL;
-+ }
-
- memcpy(to->button->labels, from->button->labels,
- from->button->numButtons * sizeof(Atom));
---
diff --git a/U_xorg-server-oob-read-enqueue-event.patch b/U_xorg-server-oob-read-enqueue-event.patch
deleted file mode 100644
index d56d0d8..0000000
--- a/U_xorg-server-oob-read-enqueue-event.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 2ef5ef57bd37a8bec2ac454053b283c6f87c3b40 Mon Sep 17 00:00:00 2001
-From: Mike Gorse
-Date: Wed, 25 Jan 2023 02:02:48 +0000
-Subject: [PATCH] dix: Use CopyPartialInternalEvent in EnqueueEvent
-
-The event might be a DeviceEvent allocated on the stack, in
-AccessXKeyboardEvent for instance. Fixes out-of-bounds read.
-
-Signed-off-by: Mike Gorse
----
- dix/events.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dix/events.c b/dix/events.c
-index 782ed35dc..86f5357e8 100644
---- a/dix/events.c
-+++ b/dix/events.c
-@@ -1215,7 +1215,7 @@ EnqueueEvent(InternalEvent *ev, DeviceIntPtr device)
- qe->pScreen = pSprite->hotPhys.pScreen;
- qe->months = currentTime.months;
- qe->event = (InternalEvent *) (qe + 1);
-- memcpy(qe->event, event, eventlen);
-+ CopyPartialInternalEvent(qe->event, (InternalEvent *)event);
- xorg_list_append(&qe->next, &syncEvents.pending);
- }
-
---
-2.39.0
-
diff --git a/xorg-server-21.1.7.tar.xz b/xorg-server-21.1.7.tar.xz
new file mode 100644
index 0000000..b15421e
--- /dev/null
+++ b/xorg-server-21.1.7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb
+size 4933292
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index dda2736..ce32787 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Feb 7 14:35:33 UTC 2023 - Stefan Dirsch
+
+- Update to version xorg-server-21.1.7:
+ * This release contains the fix for CVE-2023-0494 in today's security
+ advisory:
+ https://lists.x.org/archives/xorg-announce/2023-February/003320.html
+ It also fixes a second possible OOB access during EnqueueEvent and a
+ crasher caused by ResourceClientBits not correctly honouring the
+ MaxClients value in the configuration file.
+- supersedes U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch,
+ U_xorg-server-oob-read-enqueue-event.patch
+
 -------------------------------------------------------------------
 Wed Feb 1 10:18:32 UTC 2023 - Stefan Dirsch
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 7bc7fd7..f5ab1ec 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -36,14 +36,14 @@
 %endif
 Name: xorg-x11-server
-Version: 21.1.6
+Version: 21.1.7
 Release: 0
 URL: http://xorg.freedesktop.org/
 Summary: X
 # Source URL: http://xorg.freedesktop.org/archive/individual/xserver/
 License: MIT
 Group: System/X11/Servers/XF86_4
-Source0: xserver-xorg-server-%{version}.tar.xz
+Source0: xorg-server-%{version}.tar.xz
 Source1: sysconfig.displaymanager.template
 Source2: README.updates
 Source3: xorgcfg.tar.bz2
@@ -208,7 +208,6 @@ Patch12: n_xorg-wrapper-anybody.patch
 Patch100: u_01-Improved-ConfineToShape.patch
 Patch101: u_02-DIX-ConfineTo-Don-t-bother-about-the-bounding-box-when-grabbing-a-shaped-window.patch
 Patch104: u_xorg-server-xdmcp.patch
-Patch105: U_xorg-server-oob-read-enqueue-event.patch
 Patch117: xorg-x11-server-byte-order.patch
@@ -243,8 +242,6 @@ Patch1940: U_xephyr-Don-t-check-for-SeatId-anymore.patch
 Patch1960: u_sync-pci-ids-with-Mesa.patch
-Patch1207783: U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
-
 %description
 This package contains the X.Org Server.
@@ -350,7 +347,7 @@ Group: Development/Sources
 This package contains patched sources of X.Org Server.
 %prep
-%setup -q -n xserver-xorg-server-%{version} -a3
+%setup -q -n xorg-server-%{version} -a3
 # Early verification if the ABI Defines are correct. Let's not waste build cycles if the Provides are wrong at the end.
 sh %{SOURCE92} --verify . %{SOURCE91}
@@ -372,7 +369,6 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch100 -p1
 #%patch101 -p1
 %patch104 -p1
-%patch105 -p1
 %patch117 -p1
 %patch160 -p1
 %patch208 -p1
@@ -403,7 +399,6 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch1930 -p1
 %patch1940 -p1
 %patch1960 -p1
-%patch1207783 -p1
 %build
 # We have some -z now related errors during X default startup (boo#1197994):
diff --git a/xserver-xorg-server-21.1.6.tar.xz b/xserver-xorg-server-21.1.6.tar.xz
deleted file mode 100644
index 2580b14..0000000
--- a/xserver-xorg-server-21.1.6.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a06a5c27d9ec99ee9673d9f173e2d8dc36ded69817c8cd4395b9de22375fcf2f
-size 2929780