slackware-current/patches/source/xorg-server-xwayland/CVE-2024-0229.03.patch

From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 21 Dec 2023 13:48:10 +1000
Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of
 buttons

There's a racy sequence where a master device may copy the button class
from the slave, without ever initializing numButtons. This leads to a
device with zero buttons but a button class which is invalid.

Let's copy the numButtons value from the source - by definition if we
don't have a button class yet we do not have any other slave devices
with more than this number of buttons anyway.

CVE-2024-0229, ZDI-CAN-22678

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
 Xi/exevents.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Xi/exevents.c b/Xi/exevents.c
index 54ea11a938..e161714682 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
                 to->button = calloc(1, sizeof(ButtonClassRec));
                 if (!to->button)
                     FatalError("[Xi] no memory for class shift.\n");
+                to->button->numButtons = from->button->numButtons;
             }
             else
                 classes->button = NULL;
-- 
GitLab
Tue Jan 16 20:49:28 UTC 2024 patches/packages/gnutls-3.8.3-x86_64-1_slack15.0.txz: Upgraded. This update fixes two medium severity security issues: Fix more timing side-channel inside RSA-PSK key exchange. Fix assertion failure when verifying a certificate chain with a cycle of cross signatures. For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-0553 https://www.cve.org/CVERecord?id=CVE-2024-0567 (* Security fix ) patches/packages/xorg-server-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux context corruption. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 https://www.cve.org/CVERecord?id=CVE-2024-0409 ( Security fix ) patches/packages/xorg-server-xephyr-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-10_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 ( Security fix *) 2024-01-16 20:49:28 +00:00			`From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001`
			`From: Peter Hutterer <peter.hutterer@who-t.net>`
			`Date: Thu, 21 Dec 2023 13:48:10 +1000`
			`Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of`
			`buttons`

			`There's a racy sequence where a master device may copy the button class`
			`from the slave, without ever initializing numButtons. This leads to a`
			`device with zero buttons but a button class which is invalid.`

			`Let's copy the numButtons value from the source - by definition if we`
			`don't have a button class yet we do not have any other slave devices`
			`with more than this number of buttons anyway.`

			`CVE-2024-0229, ZDI-CAN-22678`

			`This vulnerability was discovered by:`
			`Jan-Niklas Sohn working with Trend Micro Zero Day Initiative`
			`---`
			`Xi/exevents.c \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/Xi/exevents.c b/Xi/exevents.c`
			`index 54ea11a938..e161714682 100644`
			`--- a/Xi/exevents.c`
			`+++ b/Xi/exevents.c`
			`@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)`
			`to->button = calloc(1, sizeof(ButtonClassRec));`
			`if (!to->button)`
			`FatalError("[Xi] no memory for class shift.\n");`
			`+ to->button->numButtons = from->button->numButtons;`
			`}`
			`else`
			`classes->button = NULL;`
			`--`
			`GitLab`