1
0

- Update to version 21.1.1

* This release fixes 4 recently reported security vulnerabilities and
    several regressions.
  * In particular, the real physical dimensions are no longer reported
    by the X server anymore as it was deemed to be a too disruptive
    change. X server will continue to report DPI as 96.
- supersedes U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch
- supersedes U_rendercompositeglyphs.patch
- supersedes U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
- supersedes U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
- supersedes U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=812
This commit is contained in:
Stefan Dirsch 2021-12-15 15:51:39 +00:00 committed by Git OBS Bridge
parent 97f1555e30
commit f2bfc1dfc5
9 changed files with 19 additions and 291 deletions

View File

@ -1,32 +0,0 @@
From 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Tue, 14 Dec 2021 15:00:02 +0200
Subject: [PATCH] Xext: Fix out of bounds access in SProcScreenSaverSuspend()
ZDI-CAN-14951, CVE-2021-4010
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
---
Xext/saver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Xext/saver.c b/Xext/saver.c
index 1d7e3cadf..f813ba08d 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
REQUEST(xScreenSaverSuspendReq);
swaps(&stuff->length);
- swapl(&stuff->suspend);
REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
+ swapl(&stuff->suspend);
return ProcScreenSaverSuspend(client);
}
--
2.26.2

View File

@ -1,136 +0,0 @@
From 05b3c681ea2f478c0cb941c2f8279919cf78de6d Mon Sep 17 00:00:00 2001
From: Daniel Strnad <strnadda@gmail.com>
Date: Tue, 19 May 2020 15:52:35 +0200
Subject: [PATCH] hw/xfree86: Propagate physical dimensions from DRM connector
Physical dimmension of display can be obtained not just by configuration or
DDC, but also directly from kernel via drmModeGetConnector(). Until now
xserver silently discarded these values even when no configuration nor EDID
were present and fallbacked to default DPI.
---
hw/xfree86/common/xf86Helper.c | 30 ++++++++++++++++++------------
hw/xfree86/modes/xf86Crtc.c | 6 ++++--
hw/xfree86/modes/xf86RandR12.c | 6 ++++++
3 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/hw/xfree86/common/xf86Helper.c b/hw/xfree86/common/xf86Helper.c
index 0389945a7..d03382d26 100644
--- a/hw/xfree86/common/xf86Helper.c
+++ b/hw/xfree86/common/xf86Helper.c
@@ -55,6 +55,7 @@
#include "xf86Xinput.h"
#include "xf86InPriv.h"
#include "mivalidate.h"
+#include "xf86Crtc.h"
/* For xf86GetClocks */
#if defined(CSRG_BASED) || defined(__GNU__)
@@ -851,8 +852,9 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y)
{
MessageType from = X_DEFAULT;
xf86MonPtr DDC = (xf86MonPtr) (pScrn->monitor->DDC);
- int ddcWidthmm, ddcHeightmm;
+ int probedWidthmm, probedHeightmm;
int widthErr, heightErr;
+ xf86OutputPtr compat = xf86CompatOutput(pScrn);
/* XXX Maybe there is no need for widthmm/heightmm in ScrnInfoRec */
pScrn->widthmm = pScrn->monitor->widthmm;
@@ -862,11 +864,15 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y)
/* DDC gives display size in mm for individual modes,
* but cm for monitor
*/
- ddcWidthmm = DDC->features.hsize * 10; /* 10mm in 1cm */
- ddcHeightmm = DDC->features.vsize * 10; /* 10mm in 1cm */
+ probedWidthmm = DDC->features.hsize * 10; /* 10mm in 1cm */
+ probedHeightmm = DDC->features.vsize * 10; /* 10mm in 1cm */
+ }
+ else if (compat && compat->mm_width > 0 && compat->mm_height > 0) {
+ probedWidthmm = compat->mm_width;
+ probedHeightmm = compat->mm_height;
}
else {
- ddcWidthmm = ddcHeightmm = 0;
+ probedWidthmm = probedHeightmm = 0;
}
if (monitorResolution > 0) {
@@ -892,15 +898,15 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y)
pScrn->widthmm, pScrn->heightmm);
/* Warn if config and probe disagree about display size */
- if (ddcWidthmm && ddcHeightmm) {
+ if (probedWidthmm && probedHeightmm) {
if (pScrn->widthmm > 0) {
- widthErr = abs(ddcWidthmm - pScrn->widthmm);
+ widthErr = abs(probedWidthmm - pScrn->widthmm);
}
else {
widthErr = 0;
}
if (pScrn->heightmm > 0) {
- heightErr = abs(ddcHeightmm - pScrn->heightmm);
+ heightErr = abs(probedHeightmm - pScrn->heightmm);
}
else {
heightErr = 0;
@@ -909,17 +915,17 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int y)
/* Should include config file name for monitor here */
xf86DrvMsg(pScrn->scrnIndex, X_WARNING,
"Probed monitor is %dx%d mm, using Displaysize %dx%d mm\n",
- ddcWidthmm, ddcHeightmm, pScrn->widthmm,
+ probedWidthmm, probedHeightmm, pScrn->widthmm,
pScrn->heightmm);
}
}
}
- else if (ddcWidthmm && ddcHeightmm) {
+ else if (probedWidthmm && probedHeightmm) {
from = X_PROBED;
xf86DrvMsg(pScrn->scrnIndex, from, "Display dimensions: (%d, %d) mm\n",
- ddcWidthmm, ddcHeightmm);
- pScrn->widthmm = ddcWidthmm;
- pScrn->heightmm = ddcHeightmm;
+ probedWidthmm, probedHeightmm);
+ pScrn->widthmm = probedWidthmm;
+ pScrn->heightmm = probedHeightmm;
if (pScrn->widthmm > 0) {
pScrn->xDpi =
(int) ((double) pScrn->virtualX * MMPERINCH / pScrn->widthmm);
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index c6e89e66f..202791774 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -3256,8 +3256,10 @@ xf86OutputSetEDID(xf86OutputPtr output, xf86MonPtr edid_mon)
free(output->MonInfo);
output->MonInfo = edid_mon;
- output->mm_width = 0;
- output->mm_height = 0;
+ if (edid_mon) {
+ output->mm_width = 0;
+ output->mm_height = 0;
+ }
if (debug_modes) {
xf86DrvMsg(scrn->scrnIndex, X_INFO, "EDID for output %s\n",
diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
index 50cbd043e..d4651f4e8 100644
--- a/hw/xfree86/modes/xf86RandR12.c
+++ b/hw/xfree86/modes/xf86RandR12.c
@@ -806,6 +806,12 @@ xf86RandR12CreateScreenResources(ScreenPtr pScreen)
mmWidth = output->conf_monitor->mon_width;
mmHeight = output->conf_monitor->mon_height;
}
+ else if (output &&
+ (output->mm_width > 0 &&
+ output->mm_height > 0)) {
+ mmWidth = output->mm_width;
+ mmHeight = output->mm_height;
+ }
else {
/*
* Otherwise, just set the screen to DEFAULT_DPI
--
2.26.2

View File

@ -1,33 +0,0 @@
From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Tue, 14 Dec 2021 15:00:00 +0200
Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister()
ZDI-CAN-14952, CVE-2021-4011
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
---
record/record.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/record/record.c b/record/record.c
index be154525d..e123867a7 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
swapl(pClientID);
}
if (stuff->nRanges >
- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- - stuff->nClients)
+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
return Success;
--
2.26.2

View File

@ -1,29 +0,0 @@
--- a/render/render.c
+++ a/render/render.c
@@ -2309,6 +2309,8 @@ SProcRenderCompositeGlyphs(ClientPtr client)
i = elt->len;
if (i == 0xff) {
+ if (buffer + 4 >= end)
+ return BadLength;
swapl((int *) buffer);
buffer += 4;
}
@@ -2320,12 +2322,16 @@ SProcRenderCompositeGlyphs(ClientPtr client)
break;
case 2:
while (i--) {
+ if (buffer + 2 >= end)
+ return BadLength;
swaps((short *) buffer);
buffer += 2;
}
break;
case 4:
while (i--) {
+ if (buffer + 4 >= end)
+ return BadLength;
swapl((int *) buffer);
buffer += 4;
}

View File

@ -1,43 +0,0 @@
From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Tue, 14 Dec 2021 15:00:01 +0200
Subject: [PATCH] xfixes: Fix out of bounds access in
*ProcXFixesCreatePointerBarrier()
ZDI-CAN-14950, CVE-2021-4009
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
---
xfixes/cursor.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index 60580b88f..c5d4554b2 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
{
REQUEST(xXFixesCreatePointerBarrierReq);
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
LEGAL_NEW_RESOURCE(stuff->barrier, client);
return XICreatePointerBarrier(client, stuff);
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
swaps(&stuff->length);
swaps(&stuff->num_devices);
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
swapl(&stuff->barrier);
swapl(&stuff->window);
--
2.26.2

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:782e7fef2ca0c7cbe60a937b8bf42dac69c904fb841950fd0363e1c2346ea755
size 4958508

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c20bf46a9fe8e74bf4e75430637e58d49a02d806609dc161462bceb1ef7e8db0
size 4967784

View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Wed Dec 15 15:08:07 UTC 2021 - Stefan Dirsch <sndirsch@suse.com>
- Update to version 21.1.1
* This release fixes 4 recently reported security vulnerabilities and
several regressions.
* In particular, the real physical dimensions are no longer reported
by the X server anymore as it was deemed to be a too disruptive
change. X server will continue to report DPI as 96.
- supersedes U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch
- supersedes U_rendercompositeglyphs.patch
- supersedes U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
- supersedes U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
- supersedes U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Dec 14 20:21:19 UTC 2021 - Stefan Dirsch <sndirsch@suse.com> Tue Dec 14 20:21:19 UTC 2021 - Stefan Dirsch <sndirsch@suse.com>

View File

@ -36,7 +36,7 @@
%endif %endif
Name: xorg-x11-server Name: xorg-x11-server
Version: 21.1.1 Version: 21.1.2
Release: 0 Release: 0
URL: http://xorg.freedesktop.org/ URL: http://xorg.freedesktop.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -199,7 +199,6 @@ Patch1: N_default-module-path.diff
Patch2: N_zap_warning_xserver.diff Patch2: N_zap_warning_xserver.diff
Patch3: N_driver-autoconfig.diff Patch3: N_driver-autoconfig.diff
Patch4: N_fix_fglrx_screendepth_issue.patch Patch4: N_fix_fglrx_screendepth_issue.patch
Patch5: U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch
Patch6: N_fix-dpi-values.diff Patch6: N_fix-dpi-values.diff
Patch7: N_Install-Avoid-failure-on-wrapper-installation.patch Patch7: N_Install-Avoid-failure-on-wrapper-installation.patch
Patch8: u_xorg-wrapper-Drop-supplemental-group-IDs.patch Patch8: u_xorg-wrapper-Drop-supplemental-group-IDs.patch
@ -241,12 +240,6 @@ Patch1910: u_modesetting-Fix-dirty-updates-for-sw-rotation.patch
Patch1920: u_xf86-Accept-devices-with-the-hyperv_drm-driver.patch Patch1920: u_xf86-Accept-devices-with-the-hyperv_drm-driver.patch
Patch1193030: U_rendercompositeglyphs.patch
Patch1190487: U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
Patch1190488: U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
Patch1190489: U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
%description %description
This package contains the X.Org Server. This package contains the X.Org Server.
@ -362,8 +355,6 @@ sh %{SOURCE92} --verify . %{SOURCE91}
%patch2 -p1 %patch2 -p1
%patch3 -p0 %patch3 -p0
%patch4 -p0 %patch4 -p0
# back to 96 dpi fix
%patch5 -p1 -R
%patch6 -p0 %patch6 -p0
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
@ -402,11 +393,6 @@ sh %{SOURCE92} --verify . %{SOURCE91}
%patch1900 -p1 %patch1900 -p1
%patch1910 -p1 %patch1910 -p1
%patch1920 -p1 %patch1920 -p1
%patch1193030 -p1
%patch1190487 -p1
%patch1190488 -p1
%patch1190489 -p1
%build %build
%global _lto_cflags %{?_lto_cflags} -ffat-lto-objects %global _lto_cflags %{?_lto_cflags} -ffat-lto-objects