diff --git a/U_0001-Correct-bounds-checking-in-XkbSetNames.patch b/U_0001-Correct-bounds-checking-in-XkbSetNames.patch deleted file mode 100644 index 18ebe76..0000000 --- a/U_0001-Correct-bounds-checking-in-XkbSetNames.patch +++ /dev/null @@ -1,175 +0,0 @@ -From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Tue, 18 Aug 2020 14:46:32 +0200 -Subject: [PATCH 1/4] Correct bounds checking in XkbSetNames() - -CVE-2020-14345 / ZDI 11428 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Matthieu Herrb ---- - xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 48 insertions(+) - -Index: xserver-1.20.8+0/xkb/xkb.c -=================================================================== ---- xserver-1.20.8+0.orig/xkb/xkb.c -+++ xserver-1.20.8+0/xkb/xkb.c -@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT; - #define CHK_REQ_KEY_RANGE(err,first,num,r) \ - CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue) - -+static Bool -+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) { -+ char *cstuff = (char *)stuff; -+ char *cfrom = (char *)from; -+ char *cto = (char *)to; -+ -+ return cfrom < cto && -+ cfrom >= cstuff && -+ cfrom < cstuff + ((size_t)client->req_len << 2) && -+ cto >= cstuff && -+ cto <= cstuff + ((size_t)client->req_len << 2); -+} -+ - /***====================================================================***/ - - int -@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi - client->errorValue = _XkbErrCode2(0x04, stuff->firstType); - return BadAccess; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes)) -+ return BadLength; - old = tmp; - tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad); - if (!tmp) { -@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi - } - width = (CARD8 *) tmp; - tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels)); -+ if (!_XkbCheckRequestBounds(client, stuff, width, tmp)) -+ return BadLength; - type = &xkb->map->types[stuff->firstKTLevel]; - for (i = 0; i < stuff->nKTLevels; i++, type++) { - if (width[i] == 0) -@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi - type->num_levels, width[i]); - return BadMatch; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i])) -+ return BadLength; - tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad); - if (!tmp) { - client->errorValue = bad; -@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi - client->errorValue = 0x08; - return BadMatch; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, -+ tmp + Ones(stuff->indicators))) -+ return BadLength; - tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators, - client->swapped, &bad); - if (!tmp) { -@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi - client->errorValue = 0x09; - return BadMatch; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, -+ tmp + Ones(stuff->virtualMods))) -+ return BadLength; - tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods, - (CARD32) stuff->virtualMods, - client->swapped, &bad); -@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi - client->errorValue = 0x0a; - return BadMatch; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, -+ tmp + Ones(stuff->groupNames))) -+ return BadLength; - tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups, - (CARD32) stuff->groupNames, - client->swapped, &bad); -@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, Devi - stuff->nKeys); - return BadValue; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys)) -+ return BadLength; - tmp += stuff->nKeys; - } - if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) { -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, -+ tmp + (stuff->nKeyAliases * 2))) -+ return BadLength; - tmp += stuff->nKeyAliases * 2; - } - if (stuff->which & XkbRGNamesMask) { -@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi - client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups); - return BadValue; - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, -+ tmp + stuff->nRadioGroups)) -+ return BadLength; - tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad); - if (!tmp) { - client->errorValue = bad; -@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client) - /* check device-independent stuff */ - tmp = (CARD32 *) &stuff[1]; - -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbKeycodesNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { -@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client) - return BadAtom; - } - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbGeometryNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { -@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client) - return BadAtom; - } - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbSymbolsNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { -@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client) - return BadAtom; - } - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbPhysSymbolsNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { -@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client) - return BadAtom; - } - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbTypesNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { -@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client) - return BadAtom; - } - } -+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) -+ return BadLength; - if (stuff->which & XkbCompatNameMask) { - tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); - if (!tmp) { diff --git a/U_0002-Fix-XIChangeHierarchy-integer-underflow.patch b/U_0002-Fix-XIChangeHierarchy-integer-underflow.patch deleted file mode 100644 index 8256628..0000000 --- a/U_0002-Fix-XIChangeHierarchy-integer-underflow.patch +++ /dev/null @@ -1,31 +0,0 @@ -From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Tue, 18 Aug 2020 14:49:04 +0200 -Subject: [PATCH 2/4] Fix XIChangeHierarchy() integer underflow - -CVE-2020-14346 / ZDI-CAN-11429 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Matthieu Herrb ---- - Xi/xichangehierarchy.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c -index cbdd91258..504defe56 100644 ---- a/Xi/xichangehierarchy.c -+++ b/Xi/xichangehierarchy.c -@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client) - if (!stuff->num_changes) - return rc; - -- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq); -+ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq); - - any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; - while (stuff->num_changes--) { --- -2.16.4 - diff --git a/U_0003-Fix-XkbSelectEvents-integer-underflow.patch b/U_0003-Fix-XkbSelectEvents-integer-underflow.patch deleted file mode 100644 index e691065..0000000 --- a/U_0003-Fix-XkbSelectEvents-integer-underflow.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Tue, 18 Aug 2020 14:52:29 +0200 -Subject: [PATCH 3/4] Fix XkbSelectEvents() integer underflow - -CVE-2020-14361 ZDI-CAN 11573 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Matthieu Herrb ---- - xkb/xkbSwap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c -index 1c1ed5ff4..50cabb90e 100644 ---- a/xkb/xkbSwap.c -+++ b/xkb/xkbSwap.c -@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client) - register unsigned bit, ndx, maskLeft, dataLeft, size; - - from.c8 = (CARD8 *) &stuff[1]; -- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq); -+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq); - maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask)); - for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) { - if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify)) --- -2.16.4 - diff --git a/U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch b/U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch deleted file mode 100644 index 8df3dcd..0000000 --- a/U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001 -From: Matthieu Herrb -Date: Tue, 18 Aug 2020 14:55:01 +0200 -Subject: [PATCH 4/4] Fix XRecordRegisterClients() Integer underflow - -CVE-2020-14362 ZDI-CAN-11574 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Matthieu Herrb ---- - record/record.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -Index: xserver-1.20.8+0/record/record.c -=================================================================== ---- xserver-1.20.8+0.orig/record/record.c -+++ xserver-1.20.8+0/record/record.c -@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client - } /* SProcRecordQueryVersion */ - - static int _X_COLD --SwapCreateRegister(xRecordRegisterClientsReq * stuff) -+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) - { - int i; - XID *pClientID; -@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClient - swapl(&stuff->nRanges); - pClientID = (XID *) &stuff[1]; - if (stuff->nClients > -- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)) -+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)) - return BadLength; - for (i = 0; i < stuff->nClients; i++, pClientID++) { - swapl(pClientID); - } - if (stuff->nRanges > -- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq) -+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - - stuff->nClients) - return BadLength; - RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); -@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr clien - - swaps(&stuff->length); - REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); -- if ((status = SwapCreateRegister((void *) stuff)) != Success) -+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) - return status; - return ProcRecordCreateContext(client); - } /* SProcRecordCreateContext */ -@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr cli - - swaps(&stuff->length); - REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); -- if ((status = SwapCreateRegister((void *) stuff)) != Success) -+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) - return status; - return ProcRecordRegisterClients(client); - } /* SProcRecordRegisterClients */ diff --git a/U_FixForZDI-11426.patch b/U_FixForZDI-11426.patch deleted file mode 100644 index 5cfe3a9..0000000 --- a/U_FixForZDI-11426.patch +++ /dev/null @@ -1,23 +0,0 @@ -Avoid leaking un-initalized memory to clients by zeroing the -whole pixmap on initial allocation. - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Matthieu Herrb ---- - dix/pixmap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/dix/pixmap.c b/dix/pixmap.c -index 1186d7dbb..5a0146bbb 100644 ---- a/dix/pixmap.c -+++ b/dix/pixmap.c -@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize) - if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize) - return NullPixmap; - -- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize); -+ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize); - if (!pPixmap) - return NullPixmap; diff --git a/_service b/_service index 4ea1bd9..8cc51e2 100644 --- a/_service +++ b/_service @@ -2,8 +2,8 @@ https://gitlab.freedesktop.org/xorg/xserver.git git - f84ad082 - @PARENT_TAG@+@TAG_OFFSET@ + afb77415 + @PARENT_TAG@ xorgserver(.*) enable diff --git a/_servicedata b/_servicedata index 56b177c..ef5c388 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://gitlab.freedesktop.org/xorg/xserver.git - f84ad082557f9cde6b8faa373eca6a0a89ba7d56 + afb77415e1fb862c322754230f63bb70fd596943 \ No newline at end of file diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes index 4c41f79..fdd6c64 100644 --- a/xorg-x11-server.changes +++ b/xorg-x11-server.changes @@ -1,3 +1,47 @@ +------------------------------------------------------------------- +Thu Aug 27 19:29:29 UTC 2020 - bjorn.lie@gmail.com + +- Update to version 1.20.9: + * Fix XRecordRegisterClients() Integer underflow + * Fix XkbSelectEvents() integer underflow + * Fix XIChangeHierarchy() integer underflow + * Correct bounds checking in XkbSetNames() + * linux: Fix platform device probe for DT-based PCI + * linux: Fix platform device PCI detection for complex bus topologies + * linux: Make platform device probe less fragile + * fix for ZDI-11426 + * xfree86: add drm modes on non-GTF panels + * present: Check valid region in window mode flips + * xwayland: Handle NULL xwl_seat in xwl_seat_can_emulate_pointer_warp + * xwayland: Propagate damage x1/y1 coordinates in xwl_present_flip + * doc: Update URLs in Xserver-DTrace.xml + * xwayland: Use a fixed DPI value for core protocol + * xwayland: only use linux-dmabuf if format/modifier was advertised + * hw/xfree86: Avoid cursor use after free + * Update URL's in man pages + * xwayland: Disable the MIT-SCREEN-SAVER extension when rootless + * xwayland: Hold a pixmap reference in struct xwl_present_event + * randr: Check rrPrivKey in RRHasScanoutPixmap() + * modesetting: Fix front_bo leak at drmmode_xf86crtc_resize on XRandR rotation + * xwayland: Store xwl_tablet_pad in its own private key + * xwayland: Initialise values in xwlVidModeGetGamma() + * xwayland: Fix crashes when there is no pointer + * xwayland: Clear private on device removal + * xwayland: Free all remaining events in xwl_present_cleanup + * xwayland: Always use xwl_present_free_event for freeing Present events + * present/wnmd: Free flip_queue entries in present_wnmd_clear_window_flip + * present/wnmd: Keep pixmap pointer in present_wnmd_clear_window_flip + * xwayland: import DMA-BUFs with GBM_BO_USE_RENDERING only + * xwayland: Fix infinite loop at startup + * modesetting: Disable pageflipping when using a swcursor + * dix: do not send focus event when grab actually does not change +- Drop patches fixed upstream: + * U_0001-Correct-bounds-checking-in-XkbSetNames.patch + * U_0002-Fix-XIChangeHierarchy-integer-underflow.patch + * U_0003-Fix-XkbSelectEvents-integer-underflow.patch + * U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch + * U_FixForZDI-11426.patch + ------------------------------------------------------------------- Tue Aug 25 15:46:49 UTC 2020 - Stefan Dirsch diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 4f2bccf..6fc7de0 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -42,7 +42,7 @@ %endif Name: xorg-x11-server -Version: 1.20.8+0 +Version: 1.20.9 Release: 0 URL: http://xorg.freedesktop.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -250,13 +250,6 @@ Patch1505: U_xwayland-Allow-passing-a-fd.patch Patch1600: U_glamor_egl-Reject-OpenGL-2.1-early-on.patch -Patch1701: U_0001-Correct-bounds-checking-in-XkbSetNames.patch -Patch1702: U_0002-Fix-XIChangeHierarchy-integer-underflow.patch -Patch1703: U_0003-Fix-XkbSelectEvents-integer-underflow.patch -Patch1704: U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch - -Patch1174633: U_FixForZDI-11426.patch - %description This package contains the X.Org Server. @@ -406,13 +399,6 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch1505 -p1 %patch1600 -p1 -%patch1701 -p1 -%patch1702 -p1 -%patch1703 -p1 -%patch1704 -p1 - -%patch1174633 -p1 - %build %define _lto_cflags %{nil} test -e source-file-list || \ diff --git a/xserver-1.20.8+0.tar.xz b/xserver-1.20.8+0.tar.xz deleted file mode 100644 index b7b146f..0000000 --- a/xserver-1.20.8+0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:efb62209676b8ea466573a2c1eca80a17eff5eb575915926ce80b96e02507ec2 -size 3109600 diff --git a/xserver-1.20.9.tar.xz b/xserver-1.20.9.tar.xz new file mode 100644 index 0000000..d35217d --- /dev/null +++ b/xserver-1.20.9.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1a5cabab6e8affa957bf12bb1704334a12bd00cff9f76d66a7f0998959de55a7 +size 3130696