slackware-current/patches/source/xorg-server-xwayland/CVE-2024-0408.patch

From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 6 Dec 2023 12:09:41 +0100
Subject: [PATCH] glx: Call XACE hooks on the GLX buffer

The XSELINUX code will label resources at creation by checking the
access mode. When the access mode is DixCreateAccess, it will call the
function to label the new resource SELinuxLabelResource().

However, GLX buffers do not go through the XACE hooks when created,
hence leaving the resource actually unlabeled.

When, later, the client tries to create another resource using that
drawable (like a GC for example), the XSELINUX code would try to use
the security ID of that object which has never been labeled, get a NULL
pointer and crash when checking whether the requested permissions are
granted for subject security ID.

To avoid the issue, make sure to call the XACE hooks when creating the
GLX buffers.

Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.

CVE-2024-0408

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 glx/glxcmds.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index fc26a2e345..1e46d0c723 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -48,6 +48,7 @@
 #include "indirect_util.h"
 #include "protocol-versions.h"
 #include "glxvndabi.h"
+#include "xace.h"
 
 static char GLXServerVendorName[] = "SGI";
 
@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
     if (!pPixmap)
         return BadAlloc;
 
+    err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
+                   pPixmap, RT_NONE, NULL, DixCreateAccess);
+    if (err != Success) {
+        (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
+        return err;
+    }
+
     /* Assign the pixmap the same id as the pbuffer and add it as a
      * resource so it and the DRI2 drawable will be reclaimed when the
      * pbuffer is destroyed. */
-- 
GitLab
Tue Jan 16 20:49:28 UTC 2024 patches/packages/gnutls-3.8.3-x86_64-1_slack15.0.txz: Upgraded. This update fixes two medium severity security issues: Fix more timing side-channel inside RSA-PSK key exchange. Fix assertion failure when verifying a certificate chain with a cycle of cross signatures. For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-0553 https://www.cve.org/CVERecord?id=CVE-2024-0567 (* Security fix ) patches/packages/xorg-server-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux context corruption. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 https://www.cve.org/CVERecord?id=CVE-2024-0409 ( Security fix ) patches/packages/xorg-server-xephyr-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-10_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 ( Security fix *) 2024-01-16 21:49:28 +01:00			`From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001`
			`From: Olivier Fourdan <ofourdan@redhat.com>`
			`Date: Wed, 6 Dec 2023 12:09:41 +0100`
			`Subject: [PATCH] glx: Call XACE hooks on the GLX buffer`

			`The XSELINUX code will label resources at creation by checking the`
			`access mode. When the access mode is DixCreateAccess, it will call the`
			`function to label the new resource SELinuxLabelResource().`

			`However, GLX buffers do not go through the XACE hooks when created,`
			`hence leaving the resource actually unlabeled.`

			`When, later, the client tries to create another resource using that`
			`drawable (like a GC for example), the XSELINUX code would try to use`
			`the security ID of that object which has never been labeled, get a NULL`
			`pointer and crash when checking whether the requested permissions are`
			`granted for subject security ID.`

			`To avoid the issue, make sure to call the XACE hooks when creating the`
			`GLX buffers.`

			`Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.`

			`CVE-2024-0408`

			`Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>`
			`Acked-by: Peter Hutterer <peter.hutterer@who-t.net>`
			`---`
			`glx/glxcmds.c \| 8 ++++++++`
			`1 file changed, 8 insertions(+)`

			`diff --git a/glx/glxcmds.c b/glx/glxcmds.c`
			`index fc26a2e345..1e46d0c723 100644`
			`--- a/glx/glxcmds.c`
			`+++ b/glx/glxcmds.c`
			`@@ -48,6 +48,7 @@`
			`#include "indirect_util.h"`
			`#include "protocol-versions.h"`
			`#include "glxvndabi.h"`
			`+#include "xace.h"`

			`static char GLXServerVendorName[] = "SGI";`

			`@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,`
			`if (!pPixmap)`
			`return BadAlloc;`

			`+ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,`
			`+ pPixmap, RT_NONE, NULL, DixCreateAccess);`
			`+ if (err != Success) {`
			`+ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);`
			`+ return err;`
			`+ }`
			`+`
			`/* Assign the pixmap the same id as the pbuffer and add it as a`
			`* resource so it and the DRI2 drawable will be reclaimed when the`
			`* pbuffer is destroyed. */`
			`--`
			`GitLab`