Projects
Mega:24.03:SP1:Everything
xorg-x11-server
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 2
View file
_service:tar_scm:xorg-x11-server.spec
Changed
@@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 32 +Release: 34 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -127,6 +127,10 @@ Patch6041: backport-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch Patch6042: backport-dix-Fix-use-after-free-in-input-device-shutdown.patch Patch6043: backport-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch +Patch6044: backport-0001-CVE-2023-5574.patch +Patch6045: backport-0002-CVE-2023-5574.patch +Patch6046: backport-0003-CVE-2023-5574.patch +Patch6047: backport-CVE-2024-9632.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -468,6 +472,15 @@ %{_mandir}/man*/* %changelog +* Mon Nov 04 2024 wangkai <13474090681@163.com> - 1.20.11-34 +- Fix CVE-2024-9632 + +* Thu Oct 24 2024 lingsheng <lingsheng1@h-partners.com> - 1.20.11-33 +- Type:CVE +- CVE:CVE-2023-5574 +- SUG:NA +- DESC:fix CVE-2023-5574 + * Thu May 30 2024 shuaijiakun <shuaijiakun1288@phytium.com.cn> -1.20.11-32 - Type:feature - CVE:NA
View file
_service:tar_scm:backport-0001-CVE-2023-5574.patch
Added
@@ -0,0 +1,109 @@ +From 1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Thu, 12 Oct 2023 12:44:13 +1000 +Subject: PATCH fb: properly wrap/unwrap CloseScreen + +fbCloseScreen assumes that it overrides miCloseScreen (which just +calls FreePixmap(screen->devPrivates)) and emulates that instead of +wrapping it. + +This is a wrong assumption, we may have ShmCloseScreen in the mix too, +resulting in leaks (see below). Fix this by properly setting up the +CloseScreen wrapper. + +This means we no longer need the manual DestroyPixmap call in +vfbCloseScreen, reverting d348ab06aae21c153ecbc3511aeafc8ab66d8303 + +CVE-2023-5574, ZDI-CAN-21213 + +This vulnerability was discovered by: +Sri working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Reviewed-by: Adam Jackson <ajax@redhat.com> +--- + fb/fb.h | 1 + + fb/fbscreen.c | 14 ++++++++++---- + hw/vfb/InitOutput.c | 7 ------- + 3 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/fb/fb.h b/fb/fb.h +index d157b6956d..cd7bd05d21 100644 +--- a/fb/fb.h ++++ b/fb/fb.h +@@ -410,6 +410,7 @@ typedef struct { + #endif + DevPrivateKeyRec gcPrivateKeyRec; + DevPrivateKeyRec winPrivateKeyRec; ++ CloseScreenProcPtr CloseScreen; + } FbScreenPrivRec, *FbScreenPrivPtr; + + #define fbGetScreenPrivate(pScreen) ((FbScreenPrivPtr) \ +diff --git a/fb/fbscreen.c b/fb/fbscreen.c +index 4ab807ab50..c481033f98 100644 +--- a/fb/fbscreen.c ++++ b/fb/fbscreen.c +@@ -29,6 +29,7 @@ + Bool + fbCloseScreen(ScreenPtr pScreen) + { ++ FbScreenPrivPtr screen_priv = fbGetScreenPrivate(pScreen); + int d; + DepthPtr depths = pScreen->allowedDepths; + +@@ -37,9 +38,10 @@ fbCloseScreen(ScreenPtr pScreen) + free(depthsd.vids); + free(depths); + free(pScreen->visuals); +- if (pScreen->devPrivate) +- FreePixmap((PixmapPtr)pScreen->devPrivate); +- return TRUE; ++ ++ pScreen->CloseScreen = screen_priv->CloseScreen; ++ ++ return pScreen->CloseScreen(pScreen); + } + + Bool +@@ -144,6 +146,7 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize, + int dpix, int dpiy, int width, int bpp) + #endif + { ++ FbScreenPrivPtr screen_priv; + VisualPtr visuals; + DepthPtr depths; + int nvisuals; +@@ -177,8 +180,11 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int xsize, int ysize, + rootdepth, ndepths, depths, + defaultVisual, nvisuals, visuals)) + return FALSE; +- /* overwrite miCloseScreen with our own */ ++ ++ screen_priv = fbGetScreenPrivate(pScreen); ++ screen_priv->CloseScreen = pScreen->CloseScreen; + pScreen->CloseScreen = fbCloseScreen; ++ + return TRUE; + } + +diff --git a/hw/vfb/InitOutput.c b/hw/vfb/InitOutput.c +index 48efb61b2f..076fb7defa 100644 +--- a/hw/vfb/InitOutput.c ++++ b/hw/vfb/InitOutput.c +@@ -720,13 +720,6 @@ vfbCloseScreen(ScreenPtr pScreen) + + pScreen->CloseScreen = pvfb->closeScreen; + +- /* +- * fb overwrites miCloseScreen, so do this here +- */ +- if (pScreen->devPrivate) +- (*pScreen->DestroyPixmap) (pScreen->devPrivate); +- pScreen->devPrivate = NULL; +- + return pScreen->CloseScreen(pScreen); + } + +-- +GitLab +
View file
_service:tar_scm:backport-0002-CVE-2023-5574.patch
Added
@@ -0,0 +1,39 @@ +From b6fe3f924aecac6d6e311673511ce61aa2f7a81f Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Thu, 12 Oct 2023 12:42:06 +1000 +Subject: PATCH mi: fix CloseScreen initialization order + +If SHM is enabled it will set the CloseScreen pointer, only to be +overridden by the hardcoded miCloseScreen pointer. Do this the other way +round, miCloseScreen is the bottom of our stack. + +Direct leak of 48 byte(s) in 2 object(s) allocated from: + #0 0x7f5ea3ad8cc7 in calloc (/lib64/libasan.so.8+0xd8cc7) (BuildId: d8f3addefe29e892d775c30eb364afd3c2484ca5)) + #1 0x70adfb in ShmInitScreenPriv ../Xext/shm.c:213 + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Reviewed-by: Adam Jackson <ajax@redhat.com> + +--- + mi/miscrinit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mi/miscrinit.c b/mi/miscrinit.c +index 264622d..907e46a 100644 +--- a/mi/miscrinit.c ++++ b/mi/miscrinit.c +@@ -242,10 +242,10 @@ miScreenInit(ScreenPtr pScreen, void *pbits, /* pointer to screen bits */ + pScreen->numVisuals = numVisuals; + pScreen->visuals = visuals; + if (width) { ++ pScreen->CloseScreen = miCloseScreen; + #ifdef MITSHM + ShmRegisterFbFuncs(pScreen); + #endif +- pScreen->CloseScreen = miCloseScreen; + } + /* else CloseScreen */ + /* QueryBestSize, SaveScreen, GetImage, GetSpans */ +-- +2.27.0 +
View file
_service:tar_scm:backport-0003-CVE-2023-5574.patch
Added
@@ -0,0 +1,50 @@ +From ab2c58ba4719fc31c19c7829b06bdba8a88bd586 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Tue, 24 Oct 2023 12:09:36 +1000 +Subject: PATCH dix: always initialize pScreen->CloseScreen + +CloseScreen is wrapped by the various modules, many of which do not +check if they're the last ones unwrapping. This is fine if the order of +those modules never changes but when it does we might get a NULL-pointer +dereference by some naive code doing a + + pScreen->CloseScreen = priv->CloseScreen; + free(priv); + return (*pScreen->CloseScreen)(pScreen); + +To avoid this set it to a default function that just returns TRUE that's +guaranteed to be the last one. +--- + dix/dispatch.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index eaac39b7c9..cd092fd409 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3890,6 +3890,12 @@ static int indexForScanlinePad65 = { + 3 /* 64 bits per scanline pad unit */ + }; + ++static Bool ++DefaultCloseScreen(ScreenPtr screen) ++{ ++ return TRUE; ++} ++ + /* + grow the array of screenRecs if necessary. + call the device-supplied initialization procedure +@@ -3949,6 +3955,9 @@ static int init_screen(ScreenPtr pScreen, int i, Bool gpu) + PixmapWidthPaddingInfodepth.notPower2 = 0; + } + } ++ ++ pScreen->CloseScreen = DefaultCloseScreen; ++ + return 0; + } + +-- +GitLab +
View file
_service:tar_scm:backport-CVE-2024-9632.patch
Added
@@ -0,0 +1,57 @@ +From 85b776571487f52e756f68a069c768757369bfe3 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb <matthieu@herrb.eu> +Date: Thu, 10 Oct 2024 10:37:28 +0200 +Subject: PATCH xkb: Fix buffer overflow in _XkbSetCompatMap() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +origin: https://gitlab.freedesktop.org/xorg/xserver/-/commit/85b776571487f52e756f68a069c768757369bfe3 + +The _XkbSetCompatMap() function attempts to resize the `sym_interpret` +buffer. + +However, It didn't update its size properly. It updated `num_si` only, +without updating `size_si`. + +This may lead to local privilege escalation if the server is run as root +or remote code execution (e.g. x11 over ssh). + +CVE-2024-9632, ZDI-CAN-24756 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +Tested-by: Peter Hutterer <peter.hutterer@who-t.net> +Reviewed-by: José Expósito <jexposit@redhat.com> +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1733> +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 868d7c1e64..aaf9716b36 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2990,13 +2990,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + +- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { +- compat->num_si = req->firstSI + req->nSI; ++ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { ++ compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +- compat->num_si, ++ compat->size_si, + sizeof(XkbSymInterpretRec)); + if (!compat->sym_interpret) { +- compat->num_si = 0; ++ compat->num_si = compat->size_si = 0; + return BadAlloc; + } + } +-- +GitLab +
View file
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="scm">git</param> <param name="url">git@gitee.com:src-openeuler/xorg-x11-server.git</param> - <param name="revision">openEuler-24.03-LTS-Next</param> + <param name="revision">openEuler-24.03-LTS-SP1</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2