slackware-current/source/x/x11/patch/xorg-server/xorg-server.CVE-2021-4009.b5196750099ae6ae582e1f46bd0a6dad29550e02.patch

From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Tue, 14 Dec 2021 15:00:01 +0200
Subject: [PATCH] xfixes: Fix out of bounds access in
 *ProcXFixesCreatePointerBarrier()

ZDI-CAN-14950, CVE-2021-4009

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
---
 xfixes/cursor.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index 60580b88f..c5d4554b2 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
 {
     REQUEST(xXFixesCreatePointerBarrierReq);
 
-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
     LEGAL_NEW_RESOURCE(stuff->barrier, client);
 
     return XICreatePointerBarrier(client, stuff);
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
 
     swaps(&stuff->length);
     swaps(&stuff->num_devices);
-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
 
     swapl(&stuff->barrier);
     swapl(&stuff->window);
-- 
GitLab
Wed Dec 15 04:34:02 UTC 2021 a/dialog-1.3_20211214-x86_64-1.txz: Upgraded. a/kernel-generic-5.15.8-x86_64-1.txz: Upgraded. a/kernel-huge-5.15.8-x86_64-1.txz: Upgraded. a/kernel-modules-5.15.8-x86_64-1.txz: Upgraded. a/sysvinit-3.01-x86_64-1.txz: Upgraded. d/kernel-headers-5.15.8-x86-1.txz: Upgraded. d/patchelf-0.14.3-x86_64-1.txz: Upgraded. k/kernel-source-5.15.8-noarch-1.txz: Upgraded. l/oniguruma-6.9.7.1-x86_64-1.txz: Upgraded. l/pipewire-0.3.41-x86_64-1.txz: Upgraded. x/libinput-1.19.3-x86_64-1.txz: Upgraded. x/xorg-server-1.20.13-x86_64-2.txz: Rebuilt. Fixes for multiple input validation failures in X server extensions: render: Fix out of bounds access in SProcRenderCompositeGlyphs() xfixes: Fix out of bounds access in ProcXFixesCreatePointerBarrier() Xext: Fix out of bounds access in SProcScreenSaverSuspend() record: Fix out of bounds access in SwapCreateRegister() For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4008 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4009 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4010 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4011 ( Security fix ) x/xorg-server-xephyr-1.20.13-x86_64-2.txz: Rebuilt. x/xorg-server-xnest-1.20.13-x86_64-2.txz: Rebuilt. x/xorg-server-xvfb-1.20.13-x86_64-2.txz: Rebuilt. x/xorg-server-xwayland-21.1.4-x86_64-1.txz: Upgraded. Fixes for multiple input validation failures in X server extensions: render: Fix out of bounds access in SProcRenderCompositeGlyphs() xfixes: Fix out of bounds access in ProcXFixesCreatePointerBarrier() Xext: Fix out of bounds access in SProcScreenSaverSuspend() record: Fix out of bounds access in SwapCreateRegister() For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4008 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4009 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4010 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4011 (* Security fix ) xap/xsnow-3.4.1-x86_64-1.txz: Upgraded. isolinux/initrd.img: Rebuilt. kernels/: Upgraded. usb-and-pxe-installers/usbboot.img: Rebuilt. 2021-12-15 04:34:02 +00:00			`From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001`
			`From: Povilas Kanapickas <povilas@radix.lt>`
			`Date: Tue, 14 Dec 2021 15:00:01 +0200`
			`Subject: [PATCH] xfixes: Fix out of bounds access in`
			`*ProcXFixesCreatePointerBarrier()`

			`ZDI-CAN-14950, CVE-2021-4009`

			`This vulnerability was discovered and the fix was suggested by:`
			`Jan-Niklas Sohn working with Trend Micro Zero Day Initiative`

			`Signed-off-by: Povilas Kanapickas <povilas@radix.lt>`
			`---`
			`xfixes/cursor.c \| 6 ++++--`
			`1 file changed, 4 insertions(+), 2 deletions(-)`

			`diff --git a/xfixes/cursor.c b/xfixes/cursor.c`
			`index 60580b88f..c5d4554b2 100644`
			`--- a/xfixes/cursor.c`
			`+++ b/xfixes/cursor.c`
			`@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)`
			`{`
			`REQUEST(xXFixesCreatePointerBarrierReq);`

			`- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));`
			`+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,`
			`+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));`
			`LEGAL_NEW_RESOURCE(stuff->barrier, client);`

			`return XICreatePointerBarrier(client, stuff);`
			`@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)`

			`swaps(&stuff->length);`
			`swaps(&stuff->num_devices);`
			`- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));`
			`+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,`
			`+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));`

			`swapl(&stuff->barrier);`
			`swapl(&stuff->window);`
			`--`
			`GitLab`