From 810aa51f71064d9027ba7c0c0bab93b1a6b16f20b1fdb5d41443de26255c0c60 Mon Sep 17 00:00:00 2001 
From: Stefan Dirsch Date: Sat, 31 Dec 2022 12:48:22 +0000 Subject: [PATCH] Accepting request 1043805 from home:dirkmueller:Factory - Update to version xorg-server-21.1.6: * xserver 21.1.6 * Xext: fix invalid event type mask in XTestSwapFakeInput * xkb: fix some possible memleaks in XkbGetKbdByName * xkb: proof GetCountedString against request length attacks * xquartz: Fix some formatting * XQuartz: stub: Call LSOpenApplication instead of fork()/exec() - drop the following upstream patches: U_xkb-proof-GetCountedString-against-request-length-at.patch U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch - Update to version xorg-server-21.1.5: * xkb: reset the radio_groups pointer to NULL after freeing it * Xi: avoid integer truncation in length check of ProcXIChangeProperty * Xi: return an error from XI property changes if verification failed * Xext: free the screen saver resource when replacing it * Xext: free the XvRTVideoNotify when turning off from the same client * Xi: disallow passive grabs with a detail > 255 * Xtest: disallow GenericEvents in XTestSwapFakeInput * meson: Don't build COMPOSITE for XQuartz * xquartz: Move default applications list outside of the main executable * xquartz: Remove unused macro (X11LIBDIR) - drop the following upstream patches: U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch OBS-URL: https://build.opensuse.org/request/show/1043805 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=845 --- ...-GenericEvents-in-XTestSwapFakeInput.patch | 51 ------------ ...or-from-XI-property-changes-if-verif.patch 
| 40 --------- ...-truncation-in-length-check-of-ProcX.patch | 70 ---------------- ...llow-passive-grabs-with-a-detail-255.patch | 81 ------------------- ...reen-saver-resource-when-replacing-i.patch | 47 ----------- ...RTVideoNotify-when-turning-off-from-.patch | 73 ----------------- ...dio_groups-pointer-to-NULL-after-fre.patch | 35 -------- ...possible-memleaks-in-XkbGetKbdByName.patch | 56 ------------- ...ntedString-against-request-length-at.patch | 34 -------- _service | 2 +- _servicedata | 2 +- xorg-server-21.1.4.tar.xz | 3 - xorg-x11-server.changes | 37 +++++++++ xorg-x11-server.spec | 28 +------ xserver-xorg-server-21.1.6.tar.xz | 3 + 15 files changed, 45 insertions(+), 517 deletions(-) delete mode 100644 U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch delete mode 100644 U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch delete mode 100644 U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch delete mode 100644 U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch delete mode 100644 U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch delete mode 100644 U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch delete mode 100644 U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch delete mode 100644 U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch delete mode 100644 U_xkb-proof-GetCountedString-against-request-length-at.patch delete mode 100644 xorg-server-21.1.4.tar.xz create mode 100644 xserver-xorg-server-21.1.6.tar.xz diff --git a/U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch b/U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch deleted file mode 100644 index 8df7a9b..0000000 --- a/U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch +++ /dev/null 
@@ -1,51 +0,0 @@
-From 2e8916efe9a8566f97a4c2231891ad0f555fced1 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer
-Date: Tue, 29 Nov 2022 12:55:45 +1000
-Subject: [PATCH xserver 1/6] Xtest: disallow GenericEvents in
- XTestSwapFakeInput
-
-XTestSwapFakeInput assumes all events in this request are
-sizeof(xEvent) and iterates through these in 32-byte increments.
-However, a GenericEvent may be of arbitrary length longer than 32 bytes,
-so any GenericEvent in this list would result in subsequent events to be
-misparsed.
-
-Additional, the swapped event is written into a stack-allocated struct
-xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
-swapping the event may thus smash the stack like an avocado on toast.
-
-Catch this case early and return BadValue for any GenericEvent.
-Which is what would happen in unswapped setups anyway since XTest
-doesn't support GenericEvent.
-
-ZDI-CAN 19265
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Peter Hutterer
----
- Xext/xtest.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/Xext/xtest.c b/Xext/xtest.c
-index bf27eb590b..2985a4ce6e 100644
---- a/Xext/xtest.c
-+++ b/Xext/xtest.c
-@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
-
- nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
- for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
-+ int evtype = ev->u.u.type & 0x177;
- /* Swap event */
-- proc = EventSwapVector[ev->u.u.type & 0177];
-+ proc = EventSwapVector[evtype];
- /* no swapping proc; invalid event type? */
-- if (!proc || proc == NotImplemented) {
-+ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
- client->errorValue = ev->u.u.type;
- return BadValue;
- }
---
-2.38.1
-
diff --git a/U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch b/U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch
deleted file mode 100644
index 4b8f312..0000000
--- a/U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From bee46f23fbc2b2722753c3b7769c990b90c235a0 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer
-Date: Tue, 29 Nov 2022 13:24:00 +1000
-Subject: [PATCH xserver 2/6] Xi: return an error from XI property changes if
- verification failed
-
-Both ProcXChangeDeviceProperty and ProcXIChangeProperty checked the
-property for validity but didn't actually return the potential error.
-
-Signed-off-by: Peter Hutterer
----
- Xi/xiproperty.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
-index a36f7d61df..68c362c628 100644
---- a/Xi/xiproperty.c
-+++ b/Xi/xiproperty.c
-@@ -902,6 +902,8 @@ ProcXChangeDeviceProperty(ClientPtr client)
-
- rc = check_change_property(client, stuff->property, stuff->type,
- stuff->format, stuff->mode, stuff->nUnits);
-+ if (rc != Success)
-+ return rc;
-
- len = stuff->nUnits;
- if (len > (bytes_to_int32(0xffffffff - sizeof(xChangeDevicePropertyReq))))
-@@ -1141,6 +1143,9 @@ ProcXIChangeProperty(ClientPtr client)
-
- rc = check_change_property(client, stuff->property, stuff->type,
- stuff->format, stuff->mode, stuff->num_items);
-+ if (rc != Success)
-+ return rc;
-+
- len = stuff->num_items;
- if (len > bytes_to_int32(0xffffffff - sizeof(xXIChangePropertyReq)))
- return BadLength;
---
-2.38.1
-
diff --git a/U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch b/U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
deleted file mode 100644
index a75deed..0000000
--- a/U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 6f01a643c90724f32c19985e39de3bee9b14a310 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer
-Date: Tue, 29 Nov 2022 13:26:57 +1000
-Subject: [PATCH xserver 3/6] Xi: avoid integer truncation in length check of
- ProcXIChangeProperty
-
-This fixes an OOB read and the resulting information disclosure.
-
-Length calculation for the request was clipped to a 32-bit integer. With
-the correct stuff->num_items value the expected request size was
-truncated, passing the REQUEST_FIXED_SIZE check.
-
-The server then proceeded with reading at least stuff->num_items bytes
-(depending on stuff->format) from the request and stuffing whatever it
-finds into the property. In the process it would also allocate at least
-stuff->num_items bytes, i.e. 4GB.
-
-The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
-so let's fix that too.
-
-ZDI-CAN 19405
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Peter Hutterer
----
- Xi/xiproperty.c | 4 ++--
- dix/property.c | 3 ++-
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
-index 68c362c628..066ba21fba 100644
---- a/Xi/xiproperty.c
-+++ b/Xi/xiproperty.c
-@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
- REQUEST(xChangeDevicePropertyReq);
- DeviceIntPtr dev;
- unsigned long len;
-- int totalSize;
-+ uint64_t totalSize;
- int rc;
-
- REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
-@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
- {
- int rc;
- DeviceIntPtr dev;
-- int totalSize;
-+ uint64_t totalSize;
- unsigned long len;
-
- REQUEST(xXIChangePropertyReq);
-diff --git a/dix/property.c b/dix/property.c
-index 94ef5a0ec0..acce94b2c6 100644
---- a/dix/property.c
-+++ b/dix/property.c
-@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
- WindowPtr pWin;
- char format, mode;
- unsigned long len;
-- int sizeInBytes, totalSize, err;
-+ int sizeInBytes, err;
-+ uint64_t totalSize;
-
- REQUEST(xChangePropertyReq);
-
---
-2.38.1
-
diff --git a/U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch b/U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch
deleted file mode 100644
index 59d0b4b..0000000
--- a/U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 9dc018a5a1a183e0a2cb945572454779b499430c Mon Sep 17 00:00:00 2001
-From: Peter Hutterer
-Date: Tue, 29 Nov 2022 13:55:32 +1000
-Subject: [PATCH xserver 4/6] Xi: disallow passive grabs with a detail > 255
-
-The XKB protocol effectively prevents us from ever using keycodes above
-255. For buttons it's theoretically possible but realistically too niche
-to worry about. For all other passive grabs, the detail must be zero
-anyway.
-
-This fixes an OOB write:
-
-ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
-temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
-For matching existing grabs, DeleteDetailFromMask is called with the
-stuff->detail value. This function creates a new mask with the one bit
-representing stuff->detail cleared.
-
-However, the array size for the new mask is 8 * sizeof(CARD32) bits,
-thus any detail above 255 results in an OOB array write.
-
-ZDI-CAN 19381
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Peter Hutterer
----
- Xi/xipassivegrab.c | 22 ++++++++++++++--------
- 1 file changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
-index 2769fb7c94..c9ac2f8553 100644
---- a/Xi/xipassivegrab.c
-+++ b/Xi/xipassivegrab.c
-@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
- return BadValue;
- }
-
-+ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
-+ * implement this. Just return an error for all keycodes that
-+ * cannot work anyway, same for buttons > 255. */
-+ if (stuff->detail > 255)
-+ return XIAlreadyGrabbed;
-+
- if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
- stuff->mask_len * 4) != Success)
- return BadValue;
-@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
- ¶m, XI2, &mask);
- break;
- case XIGrabtypeKeycode:
-- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
-- * implement this. Just return an error for all keycodes that
-- * cannot work anyway */
-- if (stuff->detail > 255)
-- status = XIAlreadyGrabbed;
-- else
-- status = GrabKey(client, dev, mod_dev, stuff->detail,
-- ¶m, XI2, &mask);
-+ status = GrabKey(client, dev, mod_dev, stuff->detail,
-+ ¶m, XI2, &mask);
- break;
- case XIGrabtypeEnter:
- case XIGrabtypeFocusIn:
-@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
- return BadValue;
- }
-
-+ /* We don't allow passive grabs for details > 255 anyway */
-+ if (stuff->detail > 255) {
-+ client->errorValue = stuff->detail;
-+ return BadValue;
-+ }
-+
- rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
- if (rc != Success)
- return rc;
---
-2.38.1
-
diff --git a/U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch b/U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch
deleted file mode 100644
index 5fb3eda..0000000
--- a/U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 06eb55528bb62f7418f740152642f2066d593bbf Mon Sep 17 00:00:00 2001
-From: Peter Hutterer
-Date: Tue, 29 Nov 2022 14:53:07 +1000
-Subject: [PATCH xserver 5/6] Xext: free the screen saver resource when
- replacing it
-
-This fixes a use-after-free bug:
-
-When a client first calls ScreenSaverSetAttributes(), a struct
-ScreenSaverAttrRec is allocated and added to the client's
-resources.
-
-When the same client calls ScreenSaverSetAttributes() again, a new
-struct ScreenSaverAttrRec is allocated, replacing the old struct. The
-old struct was freed but not removed from the clients resources.
-
-Later, when the client is destroyed the resource system invokes
-ScreenSaverFreeAttr and attempts to clean up the already freed struct.
-
-Fix this by letting the resource system free the old attrs instead.
-
-ZDI-CAN 19404
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Peter Hutterer
----
- Xext/saver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Xext/saver.c b/Xext/saver.c
-index f813ba08d1..fd6153c313 100644
---- a/Xext/saver.c
-+++ b/Xext/saver.c
-@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
- pVlist++;
- }
- if (pPriv->attr)
-- FreeScreenAttr(pPriv->attr);
-+ FreeResource(pPriv->attr->resource, AttrType);
- pPriv->attr = pAttr;
- pAttr->resource = FakeClientID(client->index);
- if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
---
-2.38.1
-
diff --git a/U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch b/U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch
deleted file mode 100644
index cc3e9e4..0000000
--- a/U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 4ca304326d3b222a446aca82ec3c28ee8adf8446 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer
-Date: Wed, 30 Nov 2022 11:20:40 +1000
-Subject: [PATCH xserver 6/6] Xext: free the XvRTVideoNotify when turning off
- from the same client
-
-This fixes a use-after-free bug:
-
-When a client first calls XvdiSelectVideoNotify() on a drawable with a
-TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
-is added twice to the resources:
- - as the drawable's XvRTVideoNotifyList. This happens only once per
- drawable, subsequent calls append to this list.
- - as the client's XvRTVideoNotify. This happens for every client.
-
-The struct keeps the ClientPtr around once it has been added for a
-client. The idea, presumably, is that if the client disconnects we can remove
-all structs from the drawable's list that match the client (by resetting
-the ClientPtr to NULL), but if the drawable is destroyed we can remove
-and free the whole list.
-
-However, if the same client then calls XvdiSelectVideoNotify() on the
-same drawable with a FALSE onoff argument, only the ClientPtr on the
-existing struct was set to NULL. The struct itself remained in the
-client's resources.
-
-If the drawable is now destroyed, the resource system invokes
-XvdiDestroyVideoNotifyList which frees the whole list for this drawable
-- including our struct. This function however does not free the resource
-for the client since our ClientPtr is NULL.
-
-Later, when the client is destroyed and the resource system invokes
-XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
-a struct that has been freed previously. This is generally frowned upon.
-
-Fix this by calling FreeResource() on the second call instead of merely
-setting the ClientPtr to NULL. This removes the struct from the client
-resources (but not from the list), ensuring that it won't be accessed
-again when the client quits.
-
-Note that the assignment tpn->client = NULL; is superfluous since the
-XvdiDestroyVideoNotify function will do this anyway. But it's left for
-clarity and to match a similar invocation in XvdiSelectPortNotify.
-
-ZDI-CAN 19400
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Peter Hutterer
----
- Xext/xvmain.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/Xext/xvmain.c b/Xext/xvmain.c
-index f627471938..2a08f8744a 100644
---- a/Xext/xvmain.c
-+++ b/Xext/xvmain.c
-@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
- tpn = pn;
- while (tpn) {
- if (tpn->client == client) {
-- if (!onoff)
-+ if (!onoff) {
- tpn->client = NULL;
-+ FreeResource(tpn->id, XvRTVideoNotify);
-+ }
- return Success;
- }
- if (!tpn->client)
---
-2.38.1
-
diff --git a/U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch b/U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
deleted file mode 100644
index 02d96f7..0000000
--- a/U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 79916ec4eed724b481d24d97686d3ed05a939859 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer
-Date: Mon, 5 Dec 2022 15:55:54 +1000
-Subject: [PATCH xserver] xkb: reset the radio_groups pointer to NULL after
- freeing it
-
-Unlike other elements of the keymap, this pointer was freed but not
-reset. On a subsequent XkbGetKbdByName request, the server may access
-already freed memory.
-
-ZDI-CAN-19530
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Peter Hutterer
----
- xkb/xkbUtils.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
-index dd089c2046..3f5791a183 100644
---- a/xkb/xkbUtils.c
-+++ b/xkb/xkbUtils.c
-@@ -1326,6 +1326,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
- }
- else {
- free(dst->names->radio_groups);
-+ dst->names->radio_groups = NULL;
- }
- dst->names->num_rg = src->names->num_rg;
-
---
-2.38.1
-
diff --git a/U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
deleted file mode 100644
index fb7816b..0000000
--- a/U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer
-Date: Wed, 13 Jul 2022 11:23:09 +1000
-Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
-
-GetComponentByName returns an allocated string, so let's free that if we
-fail somewhere.
-
-Signed-off-by: Peter Hutterer
----
- xkb/xkb.c | 26 ++++++++++++++++++++------
- 1 file changed, 20 insertions(+), 6 deletions(-)
-
-Index: xorg-server-21.1.4/xkb/xkb.c
-===================================================================
---- xorg-server-21.1.4.orig/xkb/xkb.c
-+++ xorg-server-21.1.4/xkb/xkb.c
-@@ -5940,18 +5940,32 @@ ProcXkbGetKbdByName(ClientPtr client)
- xkb = dev->key->xkbInfo->desc;
- status = Success;
- str = (unsigned char *) &stuff[1];
-- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
-- return BadMatch;
-+ {
-+ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
-+ if (keymap) {
-+ free(keymap);
-+ return BadMatch;
-+ }
-+ }
- names.keycodes = GetComponentSpec(&str, TRUE, &status);
- names.types = GetComponentSpec(&str, TRUE, &status);
- names.compat = GetComponentSpec(&str, TRUE, &status);
- names.symbols = GetComponentSpec(&str, TRUE, &status);
- names.geometry = GetComponentSpec(&str, TRUE, &status);
-- if (status != Success)
-+ if (status == Success) {
-+ len = str - ((unsigned char *) stuff);
-+ if ((XkbPaddedSize(len) / 4) != stuff->length)
-+ status = BadLength;
-+ }
-+
-+ if (status != Success) {
-+ free(names.keycodes);
-+ free(names.types);
-+ free(names.compat);
-+ free(names.symbols);
-+ free(names.geometry);
- return status;
-- len = str - ((unsigned char *) stuff);
-- if ((XkbPaddedSize(len) / 4) != stuff->length)
-- return BadLength;
-+ }
-
- CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
- CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
diff --git a/U_xkb-proof-GetCountedString-against-request-length-at.patch b/U_xkb-proof-GetCountedString-against-request-length-at.patch deleted file mode 100644 index e28a6bb..0000000 --- a/U_xkb-proof-GetCountedString-against-request-length-at.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Tue, 5 Jul 2022 12:06:20 +1000 -Subject: [PATCH] xkb: proof GetCountedString against request length attacks - -GetCountedString did a check for the whole string to be within the -request buffer but not for the initial 2 bytes that contain the length -field. A swapped client could send a malformed request to trigger a -swaps() on those bytes, writing into random memory. - -Signed-off-by: Peter Hutterer ---- - xkb/xkb.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/xkb/xkb.c b/xkb/xkb.c -index f42f59ef3..1841cff26 100644 ---- a/xkb/xkb.c -+++ b/xkb/xkb.c -@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) - CARD16 len; - - wire = *wire_inout; -+ -+ if (client->req_len < -+ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) -+ return BadValue; -+ - len = *(CARD16 *) wire; - if (client->swapped) { - swaps(&len); --- -2.35.3 - diff --git a/_service b/_service index 3883664..a0597dd 100644 --- a/_service +++ b/_service @@ -2,7 +2,7 @@ https://gitlab.freedesktop.org/xorg/xserver.git git - bc111a2e + xorg-server-21.1.6 @PARENT_TAG@ xorgserver(.*) enable diff --git a/_servicedata b/_servicedata index a779754..bd0d02a 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://gitlab.freedesktop.org/xorg/xserver.git - bc111a2e67e16d4e6d4f3196ab86c22c1e278c45 \ No newline at end of file + 59b6fc88ed9f4b22397a568c2483e4c558856ffa \ No newline at end of file diff --git a/xorg-server-21.1.4.tar.xz b/xorg-server-21.1.4.tar.xz deleted file mode 100644 index c07a9f0..0000000 --- a/xorg-server-21.1.4.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587 -size 4940176 diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes index f94e224..56be4e0 100644 --- a/xorg-x11-server.changes +++ b/xorg-x11-server.changes 
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Mon Dec 19 19:54:11 UTC 2022 - dmueller@suse.com + +- Update to version xorg-server-21.1.6: + * xserver 21.1.6 + * Xext: fix invalid event type mask in XTestSwapFakeInput + * xkb: fix some possible memleaks in XkbGetKbdByName + * xkb: proof GetCountedString against request length attacks + * xquartz: Fix some formatting + * XQuartz: stub: Call LSOpenApplication instead of fork()/exec() +- drop the following upstream patches: + U_xkb-proof-GetCountedString-against-request-length-at.patch + U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch + +------------------------------------------------------------------- +Sat Dec 17 17:40:15 UTC 2022 - Dirk Müller + +- Update to version xorg-server-21.1.5: + * xkb: reset the radio_groups pointer to NULL after freeing it + * Xi: avoid integer truncation in length check of ProcXIChangeProperty + * Xi: return an error from XI property changes if verification failed + * Xext: free the screen saver resource when replacing it + * Xext: free the XvRTVideoNotify when turning off from the same client + * Xi: disallow passive grabs with a detail > 255 + * Xtest: disallow GenericEvents in XTestSwapFakeInput + * meson: Don't build COMPOSITE for XQuartz + * xquartz: Move default applications list outside of the main executable + * xquartz: Remove unused macro (X11LIBDIR) +- drop the following upstream patches: + U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch + U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch + U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch + U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch + U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch + U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch + U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch + ------------------------------------------------------------------- Tue Dec 6 
14:26:07 UTC 2022 - Stefan Dirsch diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index e0ce34d..c904f6f 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -36,16 +36,14 @@ %endif Name: xorg-x11-server -Version: 21.1.4 +Version: 21.1.6 Release: 0 URL: http://xorg.freedesktop.org/ -BuildRoot: %{_tmppath}/%{name}-%{version}-build - Summary: X # Source URL: http://xorg.freedesktop.org/archive/individual/xserver/ License: MIT Group: System/X11/Servers/XF86_4 -Source0: xorg-server-%{version}.tar.xz +Source0: xserver-xorg-server-%{version}.tar.xz Source1: sysconfig.displaymanager.template Source2: README.updates Source3: xorgcfg.tar.bz2 @@ -246,17 +244,6 @@ Patch1940: U_xephyr-Don-t-check-for-SeatId-anymore.patch Patch1960: u_sync-pci-ids-with-Mesa.patch -Patch1204412: U_xkb-proof-GetCountedString-against-request-length-at.patch -Patch1204416: U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch - -Patch1205874: U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch -Patch1205875: U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch -Patch1205876: U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch -Patch1205877: U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch -Patch1205878: U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch -Patch1205879: U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch -Patch1206017: U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch - %description This package contains the X.Org Server. @@ -362,7 +349,7 @@ Group: Development/Sources This package contains patched sources of X.Org Server. %prep -%setup -q -n xorg-server-%{version} -a3 +%setup -q -n xserver-xorg-server-%{version} -a3 # Early verification if the ABI Defines are correct. Let's not waste build cycles if the Provides are wrong at the end. sh %{SOURCE92} --verify . %{SOURCE91} 
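Review bot: The `# Source URL:` comment kept as context in the first spec hunk still points at the upstream release archive (`http://xorg.freedesktop.org/archive/individual/xserver/`), while the new `Source0: xserver-xorg-server-%{version}.tar.xz` no longer follows the `xorg-server-%{version}.tar.xz` naming the old line used. Judging by the `_service` and `_servicedata` hunks in this commit, the archive now appears to be produced from the git checkout rather than downloaded from that directory, so someone auditing the tarball's provenance is sent to the wrong place. I would replace the comment with something like `# Source0 is generated by _service from https://gitlab.freedesktop.org/xorg/xserver.git; the resolved commit is recorded in _servicedata`. Because `_service` now names the tag `xorg-server-21.1.6` instead of a commit id, the full hash in `_servicedata` is the value to compare against upstream when verifying the archive.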
@@ -414,15 +401,6 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch1930 -p1 %patch1940 -p1 %patch1960 -p1 -%patch1204412 -p1 -%patch1204416 -p1 -%patch1205874 -p1 -%patch1205875 -p1 -%patch1205876 -p1 -%patch1205877 -p1 -%patch1205878 -p1 -%patch1205879 -p1 -%patch1206017 -p1 %build # We have some -z now related errors during X default startup (boo#1197994): diff --git a/xserver-xorg-server-21.1.6.tar.xz b/xserver-xorg-server-21.1.6.tar.xz new file mode 100644 index 0000000..2580b14 --- /dev/null +++ b/xserver-xorg-server-21.1.6.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a06a5c27d9ec99ee9673d9f173e2d8dc36ded69817c8cd4395b9de22375fcf2f +size 2929780