Projects
openEuler:24.03:SP1:Everything:64G
xorg-x11-server
_service:tar_scm:backport-CVE-2024-9632.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-CVE-2024-9632.patch of Package xorg-x11-server
From 85b776571487f52e756f68a069c768757369bfe3 Mon Sep 17 00:00:00 2001 From: Matthieu Herrb <matthieu@herrb.eu> Date: Thu, 10 Oct 2024 10:37:28 +0200 Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit origin: https://gitlab.freedesktop.org/xorg/xserver/-/commit/85b776571487f52e756f68a069c768757369bfe3 The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer. However, It didn't update its size properly. It updated `num_si` only, without updating `size_si`. This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh). CVE-2024-9632, ZDI-CAN-24756 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Tested-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: José Expósito <jexposit@redhat.com> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1733> --- xkb/xkb.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/xkb/xkb.c b/xkb/xkb.c index 868d7c1e64..aaf9716b36 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c @@ -2990,13 +2990,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, XkbSymInterpretPtr sym; unsigned int skipped = 0; - if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { - compat->num_si = req->firstSI + req->nSI; + if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { + compat->num_si = compat->size_si = req->firstSI + req->nSI; compat->sym_interpret = reallocarray(compat->sym_interpret, - compat->num_si, + compat->size_si, sizeof(XkbSymInterpretRec)); if (!compat->sym_interpret) { - compat->num_si = 0; + compat->num_si = compat->size_si = 0; return BadAlloc; } } -- GitLab
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2