slackware-current/patches/source/xorg-server-xwayland/CVE-2022-46343.patch

From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 29 Nov 2022 14:53:07 +1000
Subject: [PATCH] Xext: free the screen saver resource when replacing it

This fixes a use-after-free bug:

When a client first calls ScreenSaverSetAttributes(), a struct
ScreenSaverAttrRec is allocated and added to the client's
resources.

When the same client calls ScreenSaverSetAttributes() again, a new
struct ScreenSaverAttrRec is allocated, replacing the old struct. The
old struct was freed but not removed from the clients resources.

Later, when the client is destroyed the resource system invokes
ScreenSaverFreeAttr and attempts to clean up the already freed struct.

Fix this by letting the resource system free the old attrs instead.

CVE-2022-46343, ZDI-CAN 19404

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
---
 Xext/saver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Xext/saver.c b/Xext/saver.c
index f813ba08d..fd6153c31 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
         pVlist++;
     }
     if (pPriv->attr)
-        FreeScreenAttr(pPriv->attr);
+        FreeResource(pPriv->attr->resource, AttrType);
     pPriv->attr = pAttr;
     pAttr->resource = FakeClientID(client->index);
     if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
-- 
GitLab
Wed Dec 14 21:19:34 UTC 2022 patches/packages/mozilla-firefox-102.6.0esr-x86_64-1_slack15.0.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/102.6.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/ https://www.cve.org/CVERecord?id=CVE-2022-46880 https://www.cve.org/CVERecord?id=CVE-2022-46872 https://www.cve.org/CVERecord?id=CVE-2022-46881 https://www.cve.org/CVERecord?id=CVE-2022-46874 https://www.cve.org/CVERecord?id=CVE-2022-46875 https://www.cve.org/CVERecord?id=CVE-2022-46882 https://www.cve.org/CVERecord?id=CVE-2022-46878 (* Security fix ) patches/packages/mozilla-thunderbird-102.6.0-x86_64-1_slack15.0.txz: Upgraded. This release contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.6.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/ https://www.cve.org/CVERecord?id=CVE-2022-46880 https://www.cve.org/CVERecord?id=CVE-2022-46872 https://www.cve.org/CVERecord?id=CVE-2022-46881 https://www.cve.org/CVERecord?id=CVE-2022-46874 https://www.cve.org/CVERecord?id=CVE-2022-46875 https://www.cve.org/CVERecord?id=CVE-2022-46882 https://www.cve.org/CVERecord?id=CVE-2022-46878 ( Security fix ) patches/packages/xorg-server-1.20.14-x86_64-5_slack15.0.txz: Rebuilt. This release fixes 6 recently reported security vulnerabilities in various extensions. For more information, see: https://lists.x.org/archives/xorg-announce/2022-December/003302.html https://www.cve.org/CVERecord?id=CVE-2022-46340 https://www.cve.org/CVERecord?id=CVE-2022-46341 https://www.cve.org/CVERecord?id=CVE-2022-46342 https://www.cve.org/CVERecord?id=CVE-2022-46343 https://www.cve.org/CVERecord?id=CVE-2022-46344 https://www.cve.org/CVERecord?id=CVE-2022-4283 ( Security fix ) patches/packages/xorg-server-xephyr-1.20.14-x86_64-5_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-5_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-5_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-4_slack15.0.txz: Rebuilt. This release fixes 6 recently reported security vulnerabilities in various extensions. For more information, see: https://lists.x.org/archives/xorg-announce/2022-December/003302.html https://www.cve.org/CVERecord?id=CVE-2022-46340 https://www.cve.org/CVERecord?id=CVE-2022-46341 https://www.cve.org/CVERecord?id=CVE-2022-46342 https://www.cve.org/CVERecord?id=CVE-2022-46343 https://www.cve.org/CVERecord?id=CVE-2022-46344 https://www.cve.org/CVERecord?id=CVE-2022-4283 ( Security fix *) 2022-12-14 22:19:34 +01:00			`From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001`
			`From: Peter Hutterer <peter.hutterer@who-t.net>`
			`Date: Tue, 29 Nov 2022 14:53:07 +1000`
			`Subject: [PATCH] Xext: free the screen saver resource when replacing it`

			`This fixes a use-after-free bug:`

			`When a client first calls ScreenSaverSetAttributes(), a struct`
			`ScreenSaverAttrRec is allocated and added to the client's`
			`resources.`

			`When the same client calls ScreenSaverSetAttributes() again, a new`
			`struct ScreenSaverAttrRec is allocated, replacing the old struct. The`
			`old struct was freed but not removed from the clients resources.`

			`Later, when the client is destroyed the resource system invokes`
			`ScreenSaverFreeAttr and attempts to clean up the already freed struct.`

			`Fix this by letting the resource system free the old attrs instead.`

			`CVE-2022-46343, ZDI-CAN 19404`

			`This vulnerability was discovered by:`
			`Jan-Niklas Sohn working with Trend Micro Zero Day Initiative`

			`Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>`
			`Acked-by: Olivier Fourdan <ofourdan@redhat.com>`
			`---`
			`Xext/saver.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/Xext/saver.c b/Xext/saver.c`
			`index f813ba08d..fd6153c31 100644`
			`--- a/Xext/saver.c`
			`+++ b/Xext/saver.c`
			`@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)`
			`pVlist++;`
			`}`
			`if (pPriv->attr)`
			`- FreeScreenAttr(pPriv->attr);`
			`+ FreeResource(pPriv->attr->resource, AttrType);`
			`pPriv->attr = pAttr;`
			`pAttr->resource = FakeClientID(client->index);`
			`if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))`
			`--`
			`GitLab`