forked from pool/xorg-x11-server
- Update to version 21.1.1
* This release fixes 4 recently reported security vulnerabilities and several regressions. * In particular, the real physical dimensions are no longer reported by the X server anymore as it was deemed to be a too disruptive change. X server will continue to report DPI as 96. - supersedes U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch - supersedes U_rendercompositeglyphs.patch - supersedes U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch - supersedes U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch - supersedes U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=812
This commit is contained in:
parent
97f1555e30
commit
f2bfc1dfc5
@ -1,32 +0,0 @@
|
||||
From 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:02 +0200
|
||||
Subject: [PATCH] Xext: Fix out of bounds access in SProcScreenSaverSuspend()
|
||||
|
||||
ZDI-CAN-14951, CVE-2021-4010
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
---
|
||||
Xext/saver.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Xext/saver.c b/Xext/saver.c
|
||||
index 1d7e3cadf..f813ba08d 100644
|
||||
--- a/Xext/saver.c
|
||||
+++ b/Xext/saver.c
|
||||
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
|
||||
REQUEST(xScreenSaverSuspendReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
- swapl(&stuff->suspend);
|
||||
REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
|
||||
+ swapl(&stuff->suspend);
|
||||
return ProcScreenSaverSuspend(client);
|
||||
}
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,136 +0,0 @@
|
||||
From 05b3c681ea2f478c0cb941c2f8279919cf78de6d Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Strnad <strnadda@gmail.com>
|
||||
Date: Tue, 19 May 2020 15:52:35 +0200
|
||||
Subject: [PATCH] hw/xfree86: Propagate physical dimensions from DRM connector
|
||||
|
||||
Physical dimmension of display can be obtained not just by configuration or
|
||||
DDC, but also directly from kernel via drmModeGetConnector(). Until now
|
||||
xserver silently discarded these values even when no configuration nor EDID
|
||||
were present and fallbacked to default DPI.
|
||||
---
|
||||
hw/xfree86/common/xf86Helper.c | 30 ++++++++++++++++++------------
|
||||
hw/xfree86/modes/xf86Crtc.c | 6 ++++--
|
||||
hw/xfree86/modes/xf86RandR12.c | 6 ++++++
|
||||
3 files changed, 28 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/hw/xfree86/common/xf86Helper.c b/hw/xfree86/common/xf86Helper.c
|
||||
index 0389945a7..d03382d26 100644
|
||||
--- a/hw/xfree86/common/xf86Helper.c
|
||||
+++ b/hw/xfree86/common/xf86Helper.c
|
||||
@@ -55,6 +55,7 @@
|
||||
#include "xf86Xinput.h"
|
||||
#include "xf86InPriv.h"
|
||||
#include "mivalidate.h"
|
||||
+#include "xf86Crtc.h"
|
||||
|
||||
/* For xf86GetClocks */
|
||||
#if defined(CSRG_BASED) || defined(__GNU__)
|
||||
@@ -851,8 +852,9 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y)
|
||||
{
|
||||
MessageType from = X_DEFAULT;
|
||||
xf86MonPtr DDC = (xf86MonPtr) (pScrn->monitor->DDC);
|
||||
- int ddcWidthmm, ddcHeightmm;
|
||||
+ int probedWidthmm, probedHeightmm;
|
||||
int widthErr, heightErr;
|
||||
+ xf86OutputPtr compat = xf86CompatOutput(pScrn);
|
||||
|
||||
/* XXX Maybe there is no need for widthmm/heightmm in ScrnInfoRec */
|
||||
pScrn->widthmm = pScrn->monitor->widthmm;
|
||||
@@ -862,11 +864,15 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y)
|
||||
/* DDC gives display size in mm for individual modes,
|
||||
* but cm for monitor
|
||||
*/
|
||||
- ddcWidthmm = DDC->features.hsize * 10; /* 10mm in 1cm */
|
||||
- ddcHeightmm = DDC->features.vsize * 10; /* 10mm in 1cm */
|
||||
+ probedWidthmm = DDC->features.hsize * 10; /* 10mm in 1cm */
|
||||
+ probedHeightmm = DDC->features.vsize * 10; /* 10mm in 1cm */
|
||||
+ }
|
||||
+ else if (compat && compat->mm_width > 0 && compat->mm_height > 0) {
|
||||
+ probedWidthmm = compat->mm_width;
|
||||
+ probedHeightmm = compat->mm_height;
|
||||
}
|
||||
else {
|
||||
- ddcWidthmm = ddcHeightmm = 0;
|
||||
+ probedWidthmm = probedHeightmm = 0;
|
||||
}
|
||||
|
||||
if (monitorResolution > 0) {
|
||||
@@ -892,15 +898,15 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y)
|
||||
pScrn->widthmm, pScrn->heightmm);
|
||||
|
||||
/* Warn if config and probe disagree about display size */
|
||||
- if (ddcWidthmm && ddcHeightmm) {
|
||||
+ if (probedWidthmm && probedHeightmm) {
|
||||
if (pScrn->widthmm > 0) {
|
||||
- widthErr = abs(ddcWidthmm - pScrn->widthmm);
|
||||
+ widthErr = abs(probedWidthmm - pScrn->widthmm);
|
||||
}
|
||||
else {
|
||||
widthErr = 0;
|
||||
}
|
||||
if (pScrn->heightmm > 0) {
|
||||
- heightErr = abs(ddcHeightmm - pScrn->heightmm);
|
||||
+ heightErr = abs(probedHeightmm - pScrn->heightmm);
|
||||
}
|
||||
else {
|
||||
heightErr = 0;
|
||||
@@ -909,17 +915,17 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y)
|
||||
/* Should include config file name for monitor here */
|
||||
xf86DrvMsg(pScrn->scrnIndex, X_WARNING,
|
||||
"Probed monitor is %dx%d mm, using Displaysize %dx%d mm\n",
|
||||
- ddcWidthmm, ddcHeightmm, pScrn->widthmm,
|
||||
+ probedWidthmm, probedHeightmm, pScrn->widthmm,
|
||||
pScrn->heightmm);
|
||||
}
|
||||
}
|
||||
}
|
||||
- else if (ddcWidthmm && ddcHeightmm) {
|
||||
+ else if (probedWidthmm && probedHeightmm) {
|
||||
from = X_PROBED;
|
||||
xf86DrvMsg(pScrn->scrnIndex, from, "Display dimensions: (%d, %d) mm\n",
|
||||
- ddcWidthmm, ddcHeightmm);
|
||||
- pScrn->widthmm = ddcWidthmm;
|
||||
- pScrn->heightmm = ddcHeightmm;
|
||||
+ probedWidthmm, probedHeightmm);
|
||||
+ pScrn->widthmm = probedWidthmm;
|
||||
+ pScrn->heightmm = probedHeightmm;
|
||||
if (pScrn->widthmm > 0) {
|
||||
pScrn->xDpi =
|
||||
(int) ((double) pScrn->virtualX * MMPERINCH / pScrn->widthmm);
|
||||
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
|
||||
index c6e89e66f..202791774 100644
|
||||
--- a/hw/xfree86/modes/xf86Crtc.c
|
||||
+++ b/hw/xfree86/modes/xf86Crtc.c
|
||||
@@ -3256,8 +3256,10 @@ xf86OutputSetEDID(xf86OutputPtr output, xf86MonPtr edid_mon)
|
||||
free(output->MonInfo);
|
||||
|
||||
output->MonInfo = edid_mon;
|
||||
- output->mm_width = 0;
|
||||
- output->mm_height = 0;
|
||||
+ if (edid_mon) {
|
||||
+ output->mm_width = 0;
|
||||
+ output->mm_height = 0;
|
||||
+ }
|
||||
|
||||
if (debug_modes) {
|
||||
xf86DrvMsg(scrn->scrnIndex, X_INFO, "EDID for output %s\n",
|
||||
diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
|
||||
index 50cbd043e..d4651f4e8 100644
|
||||
--- a/hw/xfree86/modes/xf86RandR12.c
|
||||
+++ b/hw/xfree86/modes/xf86RandR12.c
|
||||
@@ -806,6 +806,12 @@ xf86RandR12CreateScreenResources(ScreenPtr pScreen)
|
||||
mmWidth = output->conf_monitor->mon_width;
|
||||
mmHeight = output->conf_monitor->mon_height;
|
||||
}
|
||||
+ else if (output &&
|
||||
+ (output->mm_width > 0 &&
|
||||
+ output->mm_height > 0)) {
|
||||
+ mmWidth = output->mm_width;
|
||||
+ mmHeight = output->mm_height;
|
||||
+ }
|
||||
else {
|
||||
/*
|
||||
* Otherwise, just set the screen to DEFAULT_DPI
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,33 +0,0 @@
|
||||
From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:00 +0200
|
||||
Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister()
|
||||
|
||||
ZDI-CAN-14952, CVE-2021-4011
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
---
|
||||
record/record.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/record/record.c b/record/record.c
|
||||
index be154525d..e123867a7 100644
|
||||
--- a/record/record.c
|
||||
+++ b/record/record.c
|
||||
@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
|
||||
swapl(pClientID);
|
||||
}
|
||||
if (stuff->nRanges >
|
||||
- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
||||
- - stuff->nClients)
|
||||
+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
||||
+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
|
||||
return BadLength;
|
||||
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
|
||||
return Success;
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,29 +0,0 @@
|
||||
--- a/render/render.c
|
||||
+++ a/render/render.c
|
||||
@@ -2309,6 +2309,8 @@ SProcRenderCompositeGlyphs(ClientPtr client)
|
||||
|
||||
i = elt->len;
|
||||
if (i == 0xff) {
|
||||
+ if (buffer + 4 >= end)
|
||||
+ return BadLength;
|
||||
swapl((int *) buffer);
|
||||
buffer += 4;
|
||||
}
|
||||
@@ -2320,12 +2322,16 @@ SProcRenderCompositeGlyphs(ClientPtr client)
|
||||
break;
|
||||
case 2:
|
||||
while (i--) {
|
||||
+ if (buffer + 2 >= end)
|
||||
+ return BadLength;
|
||||
swaps((short *) buffer);
|
||||
buffer += 2;
|
||||
}
|
||||
break;
|
||||
case 4:
|
||||
while (i--) {
|
||||
+ if (buffer + 4 >= end)
|
||||
+ return BadLength;
|
||||
swapl((int *) buffer);
|
||||
buffer += 4;
|
||||
}
|
||||
|
@ -1,43 +0,0 @@
|
||||
From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Tue, 14 Dec 2021 15:00:01 +0200
|
||||
Subject: [PATCH] xfixes: Fix out of bounds access in
|
||||
*ProcXFixesCreatePointerBarrier()
|
||||
|
||||
ZDI-CAN-14950, CVE-2021-4009
|
||||
|
||||
This vulnerability was discovered and the fix was suggested by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
---
|
||||
xfixes/cursor.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
|
||||
index 60580b88f..c5d4554b2 100644
|
||||
--- a/xfixes/cursor.c
|
||||
+++ b/xfixes/cursor.c
|
||||
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
|
||||
{
|
||||
REQUEST(xXFixesCreatePointerBarrierReq);
|
||||
|
||||
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
||||
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
||||
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
||||
LEGAL_NEW_RESOURCE(stuff->barrier, client);
|
||||
|
||||
return XICreatePointerBarrier(client, stuff);
|
||||
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
|
||||
|
||||
swaps(&stuff->length);
|
||||
swaps(&stuff->num_devices);
|
||||
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
||||
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
||||
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
||||
|
||||
swapl(&stuff->barrier);
|
||||
swapl(&stuff->window);
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:782e7fef2ca0c7cbe60a937b8bf42dac69c904fb841950fd0363e1c2346ea755
|
||||
size 4958508
|
3
xorg-server-21.1.2.tar.xz
Normal file
3
xorg-server-21.1.2.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:c20bf46a9fe8e74bf4e75430637e58d49a02d806609dc161462bceb1ef7e8db0
|
||||
size 4967784
|
@ -1,3 +1,18 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 15 15:08:07 UTC 2021 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
- Update to version 21.1.1
|
||||
* This release fixes 4 recently reported security vulnerabilities and
|
||||
several regressions.
|
||||
* In particular, the real physical dimensions are no longer reported
|
||||
by the X server anymore as it was deemed to be a too disruptive
|
||||
change. X server will continue to report DPI as 96.
|
||||
- supersedes U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch
|
||||
- supersedes U_rendercompositeglyphs.patch
|
||||
- supersedes U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
|
||||
- supersedes U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
|
||||
- supersedes U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 14 20:21:19 UTC 2021 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
|
@ -36,7 +36,7 @@
|
||||
%endif
|
||||
|
||||
Name: xorg-x11-server
|
||||
Version: 21.1.1
|
||||
Version: 21.1.2
|
||||
Release: 0
|
||||
URL: http://xorg.freedesktop.org/
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
@ -199,7 +199,6 @@ Patch1: N_default-module-path.diff
|
||||
Patch2: N_zap_warning_xserver.diff
|
||||
Patch3: N_driver-autoconfig.diff
|
||||
Patch4: N_fix_fglrx_screendepth_issue.patch
|
||||
Patch5: U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch
|
||||
Patch6: N_fix-dpi-values.diff
|
||||
Patch7: N_Install-Avoid-failure-on-wrapper-installation.patch
|
||||
Patch8: u_xorg-wrapper-Drop-supplemental-group-IDs.patch
|
||||
@ -241,12 +240,6 @@ Patch1910: u_modesetting-Fix-dirty-updates-for-sw-rotation.patch
|
||||
|
||||
Patch1920: u_xf86-Accept-devices-with-the-hyperv_drm-driver.patch
|
||||
|
||||
Patch1193030: U_rendercompositeglyphs.patch
|
||||
|
||||
Patch1190487: U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
|
||||
Patch1190488: U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
|
||||
Patch1190489: U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
|
||||
|
||||
%description
|
||||
This package contains the X.Org Server.
|
||||
|
||||
@ -362,8 +355,6 @@ sh %{SOURCE92} --verify . %{SOURCE91}
|
||||
%patch2 -p1
|
||||
%patch3 -p0
|
||||
%patch4 -p0
|
||||
# back to 96 dpi fix
|
||||
%patch5 -p1 -R
|
||||
%patch6 -p0
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
@ -402,11 +393,6 @@ sh %{SOURCE92} --verify . %{SOURCE91}
|
||||
%patch1900 -p1
|
||||
%patch1910 -p1
|
||||
%patch1920 -p1
|
||||
%patch1193030 -p1
|
||||
|
||||
%patch1190487 -p1
|
||||
%patch1190488 -p1
|
||||
%patch1190489 -p1
|
||||
|
||||
%build
|
||||
%global _lto_cflags %{?_lto_cflags} -ffat-lto-objects
|
||||
|
Loading…
Reference in New Issue
Block a user