slackware-current/patches/source/xorg-server-xwayland/CVE-2024-21886.02.patch

From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri, 5 Jan 2024 09:40:27 +1000
Subject: [PATCH] dix: when disabling a master, float disabled slaved devices
 too

Disabling a master device floats all slave devices but we didn't do this
to already-disabled slave devices. As a result those devices kept their
reference to the master device resulting in access to already freed
memory if the master device was removed before the corresponding slave
device.

And to match this behavior, also forcibly reset that pointer during
CloseDownDevices().

Related to CVE-2024-21886, ZDI-CAN-22840
---
 dix/devices.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/dix/devices.c b/dix/devices.c
index 389d28a23c..84a6406d13 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
                 flags[other->id] |= XISlaveDetached;
             }
         }
+
+        for (other = inputInfo.off_devices; other; other = other->next) {
+            if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
+                AttachDevice(NULL, other, NULL);
+                flags[other->id] |= XISlaveDetached;
+            }
+        }
     }
     else {
         for (other = inputInfo.devices; other; other = other->next) {
@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
             dev->master = NULL;
     }
 
+    for (dev = inputInfo.off_devices; dev; dev = dev->next) {
+        if (!IsMaster(dev) && !IsFloating(dev))
+            dev->master = NULL;
+    }
+
     CloseDeviceList(&inputInfo.devices);
     CloseDeviceList(&inputInfo.off_devices);
 
-- 
GitLab
Tue Jan 16 20:49:28 UTC 2024 patches/packages/gnutls-3.8.3-x86_64-1_slack15.0.txz: Upgraded. This update fixes two medium severity security issues: Fix more timing side-channel inside RSA-PSK key exchange. Fix assertion failure when verifying a certificate chain with a cycle of cross signatures. For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-0553 https://www.cve.org/CVERecord?id=CVE-2024-0567 (* Security fix ) patches/packages/xorg-server-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux context corruption. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 https://www.cve.org/CVERecord?id=CVE-2024-0409 ( Security fix ) patches/packages/xorg-server-xephyr-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-10_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 ( Security fix *) 2024-01-16 20:49:28 +00:00			`From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001`
			`From: Peter Hutterer <peter.hutterer@who-t.net>`
			`Date: Fri, 5 Jan 2024 09:40:27 +1000`
			`Subject: [PATCH] dix: when disabling a master, float disabled slaved devices`
			`too`

			`Disabling a master device floats all slave devices but we didn't do this`
			`to already-disabled slave devices. As a result those devices kept their`
			`reference to the master device resulting in access to already freed`
			`memory if the master device was removed before the corresponding slave`
			`device.`

			`And to match this behavior, also forcibly reset that pointer during`
			`CloseDownDevices().`

			`Related to CVE-2024-21886, ZDI-CAN-22840`
			`---`
			`dix/devices.c \| 12 ++++++++++++`
			`1 file changed, 12 insertions(+)`

			`diff --git a/dix/devices.c b/dix/devices.c`
			`index 389d28a23c..84a6406d13 100644`
			`--- a/dix/devices.c`
			`+++ b/dix/devices.c`
			`@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)`
			`flags[other->id] \|= XISlaveDetached;`
			`}`
			`}`
			`+`
			`+ for (other = inputInfo.off_devices; other; other = other->next) {`
			`+ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {`
			`+ AttachDevice(NULL, other, NULL);`
			`+ flags[other->id] \|= XISlaveDetached;`
			`+ }`
			`+ }`
			`}`
			`else {`
			`for (other = inputInfo.devices; other; other = other->next) {`
			`@@ -1088,6 +1095,11 @@ CloseDownDevices(void)`
			`dev->master = NULL;`
			`}`

			`+ for (dev = inputInfo.off_devices; dev; dev = dev->next) {`
			`+ if (!IsMaster(dev) && !IsFloating(dev))`
			`+ dev->master = NULL;`
			`+ }`
			`+`
			`CloseDeviceList(&inputInfo.devices);`
			`CloseDeviceList(&inputInfo.off_devices);`

			`--`
			`GitLab`