From f2bfc1dfc50b3ff5c3edd1dc6d0398b1b7b510ba7358e4ede2b337e780cf9794 Mon Sep 17 00:00:00 2001 From: Stefan Dirsch Date: Wed, 15 Dec 2021 15:51:39 +0000 Subject: [PATCH] - Update to version 21.1.1 * This release fixes 4 recently reported security vulnerabilities and several regressions. * In particular, the real physical dimensions are no longer reported by the X server anymore as it was deemed to be a too disruptive change. X server will continue to report DPI as 96. - supersedes U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch - supersedes U_rendercompositeglyphs.patch - supersedes U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch - supersedes U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch - supersedes U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=812 --- ...bounds-access-in-SProcScreenSaverSus.patch | 32 ----- ...gate-physical-dimensions-from-DRM-co.patch | 136 ------------------ ...f-bounds-access-in-SwapCreateRegiste.patch | 33 ----- U_rendercompositeglyphs.patch | 29 ---- ...f-bounds-access-in-ProcXFixesCreateP.patch | 43 ------ xorg-server-21.1.1.tar.xz | 3 - xorg-server-21.1.2.tar.xz | 3 + xorg-x11-server.changes | 15 ++ xorg-x11-server.spec | 16 +-- 9 files changed, 19 insertions(+), 291 deletions(-) delete mode 100644 U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch delete mode 100644 U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch delete mode 100644 U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch delete mode 100644 U_rendercompositeglyphs.patch delete mode 100644 U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch delete mode 100644 xorg-server-21.1.1.tar.xz create mode 100644 xorg-server-21.1.2.tar.xz 
diff --git a/U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch b/U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch deleted file mode 100644 index 33205f7..0000000 --- a/U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 Mon Sep 17 00:00:00 2001 -From: Povilas Kanapickas -Date: Tue, 14 Dec 2021 15:00:02 +0200 -Subject: [PATCH] Xext: Fix out of bounds access in SProcScreenSaverSuspend() - -ZDI-CAN-14951, CVE-2021-4010 - -This vulnerability was discovered and the fix was suggested by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Povilas Kanapickas ---- - Xext/saver.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Xext/saver.c b/Xext/saver.c -index 1d7e3cadf..f813ba08d 100644 ---- a/Xext/saver.c -+++ b/Xext/saver.c -@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client) - REQUEST(xScreenSaverSuspendReq); - - swaps(&stuff->length); -- swapl(&stuff->suspend); - REQUEST_SIZE_MATCH(xScreenSaverSuspendReq); -+ swapl(&stuff->suspend); - return ProcScreenSaverSuspend(client); - } - --- -2.26.2 - diff --git a/U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch b/U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch deleted file mode 100644 index bbaa418..0000000 --- a/U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From 05b3c681ea2f478c0cb941c2f8279919cf78de6d Mon Sep 17 00:00:00 2001 -From: Daniel Strnad -Date: Tue, 19 May 2020 15:52:35 +0200 -Subject: [PATCH] hw/xfree86: Propagate physical dimensions from DRM connector - -Physical dimmension of display can be obtained not just by configuration or -DDC, but also directly from kernel via drmModeGetConnector(). Until now -xserver silently discarded these values even when no configuration nor EDID -were present and fallbacked to default DPI. ---- - hw/xfree86/common/xf86Helper.c | 30 ++++++++++++++++++------------ - hw/xfree86/modes/xf86Crtc.c | 6 ++++-- - hw/xfree86/modes/xf86RandR12.c | 6 ++++++ - 3 files changed, 28 insertions(+), 14 deletions(-) - -diff --git a/hw/xfree86/common/xf86Helper.c b/hw/xfree86/common/xf86Helper.c -index 0389945a7..d03382d26 100644 ---- a/hw/xfree86/common/xf86Helper.c -+++ b/hw/xfree86/common/xf86Helper.c -@@ -55,6 +55,7 @@ - #include "xf86Xinput.h" - #include "xf86InPriv.h" - #include "mivalidate.h" -+#include "xf86Crtc.h" - - /* For xf86GetClocks */ - #if defined(CSRG_BASED) || defined(__GNU__) -@@ -851,8 +852,9 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y) - { - MessageType from = X_DEFAULT; - xf86MonPtr DDC = (xf86MonPtr) (pScrn->monitor->DDC); -- int ddcWidthmm, ddcHeightmm; -+ int probedWidthmm, probedHeightmm; - int widthErr, heightErr; -+ xf86OutputPtr compat = xf86CompatOutput(pScrn); - - /* XXX Maybe there is no need for widthmm/heightmm in ScrnInfoRec */ - pScrn->widthmm = pScrn->monitor->widthmm; -@@ -862,11 +864,15 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y) - /* DDC gives display size in mm for individual modes, - * but cm for monitor - */ -- ddcWidthmm = DDC->features.hsize * 10; /* 10mm in 1cm */ -- ddcHeightmm = DDC->features.vsize * 10; /* 10mm in 1cm */ -+ probedWidthmm = DDC->features.hsize * 10; /* 10mm in 1cm */ -+ probedHeightmm = DDC->features.vsize * 10; /* 10mm in 1cm */ -+ } -+ else if (compat && compat->mm_width > 0 && compat->mm_height > 0) { -+ 
probedWidthmm = compat->mm_width; -+ probedHeightmm = compat->mm_height; - } - else { -- ddcWidthmm = ddcHeightmm = 0; -+ probedWidthmm = probedHeightmm = 0; - } - - if (monitorResolution > 0) { -@@ -892,15 +898,15 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y) - pScrn->widthmm, pScrn->heightmm); - - /* Warn if config and probe disagree about display size */ -- if (ddcWidthmm && ddcHeightmm) { -+ if (probedWidthmm && probedHeightmm) { - if (pScrn->widthmm > 0) { -- widthErr = abs(ddcWidthmm - pScrn->widthmm); -+ widthErr = abs(probedWidthmm - pScrn->widthmm); - } - else { - widthErr = 0; - } - if (pScrn->heightmm > 0) { -- heightErr = abs(ddcHeightmm - pScrn->heightmm); -+ heightErr = abs(probedHeightmm - pScrn->heightmm); - } - else { - heightErr = 0; -@@ -909,17 +915,17 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y) - /* Should include config file name for monitor here */ - xf86DrvMsg(pScrn->scrnIndex, X_WARNING, - "Probed monitor is %dx%d mm, using Displaysize %dx%d mm\n", -- ddcWidthmm, ddcHeightmm, pScrn->widthmm, -+ probedWidthmm, probedHeightmm, pScrn->widthmm, - pScrn->heightmm); - } - } - } -- else if (ddcWidthmm && ddcHeightmm) { -+ else if (probedWidthmm && probedHeightmm) { - from = X_PROBED; - xf86DrvMsg(pScrn->scrnIndex, from, "Display dimensions: (%d, %d) mm\n", -- ddcWidthmm, ddcHeightmm); -- pScrn->widthmm = ddcWidthmm; -- pScrn->heightmm = ddcHeightmm; -+ probedWidthmm, probedHeightmm); -+ pScrn->widthmm = probedWidthmm; -+ pScrn->heightmm = probedHeightmm; - if (pScrn->widthmm > 0) { - pScrn->xDpi = - (int) ((double) pScrn->virtualX * MMPERINCH / pScrn->widthmm); -diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c -index c6e89e66f..202791774 100644 ---- a/hw/xfree86/modes/xf86Crtc.c -+++ b/hw/xfree86/modes/xf86Crtc.c -@@ -3256,8 +3256,10 @@ xf86OutputSetEDID(xf86OutputPtr output, xf86MonPtr edid_mon) - free(output->MonInfo); - - output->MonInfo = edid_mon; -- output->mm_width = 0; -- output->mm_height = 0; -+ if (edid_mon) { 
-+ output->mm_width = 0; -+ output->mm_height = 0; -+ } - - if (debug_modes) { - xf86DrvMsg(scrn->scrnIndex, X_INFO, "EDID for output %s\n", -diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c -index 50cbd043e..d4651f4e8 100644 ---- a/hw/xfree86/modes/xf86RandR12.c -+++ b/hw/xfree86/modes/xf86RandR12.c -@@ -806,6 +806,12 @@ xf86RandR12CreateScreenResources(ScreenPtr pScreen) - mmWidth = output->conf_monitor->mon_width; - mmHeight = output->conf_monitor->mon_height; - } -+ else if (output && -+ (output->mm_width > 0 && -+ output->mm_height > 0)) { -+ mmWidth = output->mm_width; -+ mmHeight = output->mm_height; -+ } - else { - /* - * Otherwise, just set the screen to DEFAULT_DPI --- -2.26.2 - diff --git a/U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch b/U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch deleted file mode 100644 index d4d03be..0000000 --- a/U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001 -From: Povilas Kanapickas -Date: Tue, 14 Dec 2021 15:00:00 +0200 -Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister() - -ZDI-CAN-14952, CVE-2021-4011 - -This vulnerability was discovered and the fix was suggested by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Povilas Kanapickas ---- - record/record.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/record/record.c b/record/record.c -index be154525d..e123867a7 100644 ---- a/record/record.c -+++ b/record/record.c -@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) - swapl(pClientID); - } - if (stuff->nRanges > -- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) -- - stuff->nClients) -+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) -+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange)) - return BadLength; - RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); - return Success; --- -2.26.2 - diff --git a/U_rendercompositeglyphs.patch b/U_rendercompositeglyphs.patch deleted file mode 100644 index 7e59fa2..0000000 --- a/U_rendercompositeglyphs.patch +++ /dev/null @@ -1,29 +0,0 @@ ---- a/render/render.c -+++ a/render/render.c -@@ -2309,6 +2309,8 @@ SProcRenderCompositeGlyphs(ClientPtr client) - - i = elt->len; - if (i == 0xff) { -+ if (buffer + 4 >= end) -+ return BadLength; - swapl((int *) buffer); - buffer += 4; - } -@@ -2320,12 +2322,16 @@ SProcRenderCompositeGlyphs(ClientPtr client) - break; - case 2: - while (i--) { -+ if (buffer + 2 >= end) -+ return BadLength; - swaps((short *) buffer); - buffer += 2; - } - break; - case 4: - while (i--) { -+ if (buffer + 4 >= end) -+ return BadLength; - swapl((int *) buffer); - buffer += 4; - } - 
diff --git a/U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch b/U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch deleted file mode 100644 index eb188ed..0000000 --- a/U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch +++ /dev/null @@ -1,43 +0,0 @@ -From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001 -From: Povilas Kanapickas -Date: Tue, 14 Dec 2021 15:00:01 +0200 -Subject: [PATCH] xfixes: Fix out of bounds access in - *ProcXFixesCreatePointerBarrier() - -ZDI-CAN-14950, CVE-2021-4009 - -This vulnerability was discovered and the fix was suggested by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Povilas Kanapickas ---- - xfixes/cursor.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/xfixes/cursor.c b/xfixes/cursor.c -index 60580b88f..c5d4554b2 100644 ---- a/xfixes/cursor.c -+++ b/xfixes/cursor.c -@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client) - { - REQUEST(xXFixesCreatePointerBarrierReq); - -- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); -+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, -+ pad_to_int32(stuff->num_devices * sizeof(CARD16))); - LEGAL_NEW_RESOURCE(stuff->barrier, client); - - return XICreatePointerBarrier(client, stuff); -@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) - - swaps(&stuff->length); - swaps(&stuff->num_devices); -- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); -+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, -+ pad_to_int32(stuff->num_devices * sizeof(CARD16))); - - swapl(&stuff->barrier); - swapl(&stuff->window); --- -2.26.2 - diff --git a/xorg-server-21.1.1.tar.xz b/xorg-server-21.1.1.tar.xz deleted file mode 100644 index f8c7dbb..0000000 --- a/xorg-server-21.1.1.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:782e7fef2ca0c7cbe60a937b8bf42dac69c904fb841950fd0363e1c2346ea755 -size 4958508 diff --git a/xorg-server-21.1.2.tar.xz b/xorg-server-21.1.2.tar.xz new file mode 100644 index 0000000..28c64cd --- /dev/null +++ b/xorg-server-21.1.2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c20bf46a9fe8e74bf4e75430637e58d49a02d806609dc161462bceb1ef7e8db0 +size 4967784 diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes index 8a7ebe0..fd77b44 100644 --- a/xorg-x11-server.changes +++ b/xorg-x11-server.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Wed Dec 15 15:08:07 UTC 2021 - Stefan Dirsch + +- Update to version 21.1.1 + * This release fixes 4 recently reported security vulnerabilities and + several regressions. + * In particular, the real physical dimensions are no longer reported + by the X server anymore as it was deemed to be a too disruptive + change. X server will continue to report DPI as 96. +- supersedes U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch +- supersedes U_rendercompositeglyphs.patch +- supersedes U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch +- supersedes U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch +- supersedes U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch + ------------------------------------------------------------------- Tue Dec 14 20:21:19 UTC 2021 - Stefan Dirsch diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 54ecc99..a11fccc 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -36,7 +36,7 @@ %endif Name: xorg-x11-server -Version: 21.1.1 +Version: 21.1.2 Release: 0 URL: http://xorg.freedesktop.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -199,7 +199,6 @@ Patch1: N_default-module-path.diff Patch2: N_zap_warning_xserver.diff Patch3: N_driver-autoconfig.diff Patch4: N_fix_fglrx_screendepth_issue.patch -Patch5: U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch Patch6: N_fix-dpi-values.diff Patch7: N_Install-Avoid-failure-on-wrapper-installation.patch Patch8: u_xorg-wrapper-Drop-supplemental-group-IDs.patch @@ -241,12 +240,6 @@ Patch1910: u_modesetting-Fix-dirty-updates-for-sw-rotation.patch Patch1920: u_xf86-Accept-devices-with-the-hyperv_drm-driver.patch -Patch1193030: U_rendercompositeglyphs.patch - -Patch1190487: U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch -Patch1190488: U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch -Patch1190489: U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch - %description This package contains the X.Org Server. @@ -362,8 +355,6 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch2 -p1 %patch3 -p0 %patch4 -p0 -# back to 96 dpi fix -%patch5 -p1 -R %patch6 -p0 %patch7 -p1 %patch8 -p1 @@ -402,11 +393,6 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch1900 -p1 %patch1910 -p1 %patch1920 -p1 -%patch1193030 -p1 - -%patch1190487 -p1 -%patch1190488 -p1 -%patch1190489 -p1 %build %global _lto_cflags %{?_lto_cflags} -ffat-lto-objects
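Review bot: Dropping `%patch1193030`, `%patch1190487`, `%patch1190488` and `%patch1190489` in the last hunk of xorg-x11-server.spec (and the matching `Patch…:` lines in the `@@ -241` hunk) leaves the four out-of-bounds fixes covered only by the new tarball, and the record of that is inaccurate. Whether xorg-server-21.1.2.tar.xz contains all four is presumably true but cannot be confirmed from this page, so a build-time or review check that the guarded code is present upstream would be worth noting. The .changes entry and the commit subject say `- Update to version 21.1.1`, while the spec sets `Version: 21.1.2` and the source is the 21.1.2 tarball; I would change that line to `- Update to version 21.1.2`. The entry also lists the superseded patches by file name only. Adding the identifiers shown in the deleted patch headers (CVE-2021-4009, CVE-2021-4010, CVE-2021-4011; U_rendercompositeglyphs.patch carries no identifier in its file) would let security tracking tie the fixes to this update.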