slackware-current/patches/source/xorg-server-xwayland/CVE-2022-46344.patch

From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 13:26:57 +1000
Subject: [PATCH] Xi: avoid integer truncation in length check of
 ProcXIChangeProperty

This fixes an OOB read and the resulting information disclosure.

Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->num_items value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.

The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->num_items bytes, i.e. 4GB.

The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
so let's fix that too.

CVE-2022-46344, ZDI-CAN 19405

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
---
 Xi/xiproperty.c | 4 ++--
 dix/property.c  | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
index 68c362c62..066ba21fb 100644
--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
     REQUEST(xChangeDevicePropertyReq);
     DeviceIntPtr dev;
     unsigned long len;
-    int totalSize;
+    uint64_t totalSize;
     int rc;
 
     REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
 {
     int rc;
     DeviceIntPtr dev;
-    int totalSize;
+    uint64_t totalSize;
     unsigned long len;
 
     REQUEST(xXIChangePropertyReq);
diff --git a/dix/property.c b/dix/property.c
index 94ef5a0ec..acce94b2c 100644
--- a/dix/property.c
+++ b/dix/property.c
@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
     WindowPtr pWin;
     char format, mode;
     unsigned long len;
-    int sizeInBytes, totalSize, err;
+    int sizeInBytes, err;
+    uint64_t totalSize;
 
     REQUEST(xChangePropertyReq);
 
-- 
GitLab
Wed Dec 14 21:19:34 UTC 2022 patches/packages/mozilla-firefox-102.6.0esr-x86_64-1_slack15.0.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/102.6.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/ https://www.cve.org/CVERecord?id=CVE-2022-46880 https://www.cve.org/CVERecord?id=CVE-2022-46872 https://www.cve.org/CVERecord?id=CVE-2022-46881 https://www.cve.org/CVERecord?id=CVE-2022-46874 https://www.cve.org/CVERecord?id=CVE-2022-46875 https://www.cve.org/CVERecord?id=CVE-2022-46882 https://www.cve.org/CVERecord?id=CVE-2022-46878 (* Security fix ) patches/packages/mozilla-thunderbird-102.6.0-x86_64-1_slack15.0.txz: Upgraded. This release contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.6.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/ https://www.cve.org/CVERecord?id=CVE-2022-46880 https://www.cve.org/CVERecord?id=CVE-2022-46872 https://www.cve.org/CVERecord?id=CVE-2022-46881 https://www.cve.org/CVERecord?id=CVE-2022-46874 https://www.cve.org/CVERecord?id=CVE-2022-46875 https://www.cve.org/CVERecord?id=CVE-2022-46882 https://www.cve.org/CVERecord?id=CVE-2022-46878 ( Security fix ) patches/packages/xorg-server-1.20.14-x86_64-5_slack15.0.txz: Rebuilt. This release fixes 6 recently reported security vulnerabilities in various extensions. For more information, see: https://lists.x.org/archives/xorg-announce/2022-December/003302.html https://www.cve.org/CVERecord?id=CVE-2022-46340 https://www.cve.org/CVERecord?id=CVE-2022-46341 https://www.cve.org/CVERecord?id=CVE-2022-46342 https://www.cve.org/CVERecord?id=CVE-2022-46343 https://www.cve.org/CVERecord?id=CVE-2022-46344 https://www.cve.org/CVERecord?id=CVE-2022-4283 ( Security fix ) patches/packages/xorg-server-xephyr-1.20.14-x86_64-5_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-5_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-5_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-4_slack15.0.txz: Rebuilt. This release fixes 6 recently reported security vulnerabilities in various extensions. For more information, see: https://lists.x.org/archives/xorg-announce/2022-December/003302.html https://www.cve.org/CVERecord?id=CVE-2022-46340 https://www.cve.org/CVERecord?id=CVE-2022-46341 https://www.cve.org/CVERecord?id=CVE-2022-46342 https://www.cve.org/CVERecord?id=CVE-2022-46343 https://www.cve.org/CVERecord?id=CVE-2022-46344 https://www.cve.org/CVERecord?id=CVE-2022-4283 ( Security fix *) 2022-12-14 22:19:34 +01:00			`From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001`
			`From: Peter Hutterer <peter.hutterer@who-t.net>`
			`Date: Tue, 29 Nov 2022 13:26:57 +1000`
			`Subject: [PATCH] Xi: avoid integer truncation in length check of`
			`ProcXIChangeProperty`

			`This fixes an OOB read and the resulting information disclosure.`

			`Length calculation for the request was clipped to a 32-bit integer. With`
			`the correct stuff->num_items value the expected request size was`
			`truncated, passing the REQUEST_FIXED_SIZE check.`

			`The server then proceeded with reading at least stuff->num_items bytes`
			`(depending on stuff->format) from the request and stuffing whatever it`
			`finds into the property. In the process it would also allocate at least`
			`stuff->num_items bytes, i.e. 4GB.`

			`The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,`
			`so let's fix that too.`

			`CVE-2022-46344, ZDI-CAN 19405`

			`This vulnerability was discovered by:`
			`Jan-Niklas Sohn working with Trend Micro Zero Day Initiative`

			`Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>`
			`Acked-by: Olivier Fourdan <ofourdan@redhat.com>`
			`---`
			`Xi/xiproperty.c \| 4 ++--`
			`dix/property.c \| 3 ++-`
			`2 files changed, 4 insertions(+), 3 deletions(-)`

			`diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c`
			`index 68c362c62..066ba21fb 100644`
			`--- a/Xi/xiproperty.c`
			`+++ b/Xi/xiproperty.c`
			`@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)`
			`REQUEST(xChangeDevicePropertyReq);`
			`DeviceIntPtr dev;`
			`unsigned long len;`
			`- int totalSize;`
			`+ uint64_t totalSize;`
			`int rc;`

			`REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);`
			`@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)`
			`{`
			`int rc;`
			`DeviceIntPtr dev;`
			`- int totalSize;`
			`+ uint64_t totalSize;`
			`unsigned long len;`

			`REQUEST(xXIChangePropertyReq);`
			`diff --git a/dix/property.c b/dix/property.c`
			`index 94ef5a0ec..acce94b2c 100644`
			`--- a/dix/property.c`
			`+++ b/dix/property.c`
			`@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)`
			`WindowPtr pWin;`
			`char format, mode;`
			`unsigned long len;`
			`- int sizeInBytes, totalSize, err;`
			`+ int sizeInBytes, err;`
			`+ uint64_t totalSize;`

			`REQUEST(xChangePropertyReq);`

			`--`
			`GitLab`