mirror of
git://slackware.nl/current.git
synced 2025-01-16 15:41:42 +01:00
95fd8ef935
patches/packages/gnutls-3.8.3-x86_64-1_slack15.0.txz: Upgraded.
  This update fixes two medium severity security issues:
  Fix more timing side-channel inside RSA-PSK key exchange.
  Fix assertion failure when verifying a certificate chain with a cycle of
  cross signatures.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-0553
    https://www.cve.org/CVERecord?id=CVE-2024-0567
  (* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-11_slack15.0.txz: Rebuilt.
  This update fixes security issues:
  Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer.
  Reattaching to different master device may lead to out-of-bounds memory access.
  Heap buffer overflow in XISendDeviceHierarchyEvent.
  Heap buffer overflow in DisableDevice.
  SELinux context corruption.
  SELinux unlabeled GLX PBuffer.
  For more information, see:
    https://lists.x.org/archives/xorg/2024-January/061525.html
    https://www.cve.org/CVERecord?id=CVE-2023-6816
    https://www.cve.org/CVERecord?id=CVE-2024-0229
    https://www.cve.org/CVERecord?id=CVE-2024-21885
    https://www.cve.org/CVERecord?id=CVE-2024-21886
    https://www.cve.org/CVERecord?id=CVE-2024-0408
    https://www.cve.org/CVERecord?id=CVE-2024-0409
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-11_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-11_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-11_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-10_slack15.0.txz: Rebuilt.
  This update fixes security issues:
  Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer.
  Reattaching to different master device may lead to out-of-bounds memory access.
  Heap buffer overflow in XISendDeviceHierarchyEvent.
  Heap buffer overflow in DisableDevice.
  SELinux unlabeled GLX PBuffer.
  For more information, see:
    https://lists.x.org/archives/xorg/2024-January/061525.html
    https://www.cve.org/CVERecord?id=CVE-2023-6816
    https://www.cve.org/CVERecord?id=CVE-2024-0229
    https://www.cve.org/CVERecord?id=CVE-2024-21885
    https://www.cve.org/CVERecord?id=CVE-2024-21886
    https://www.cve.org/CVERecord?id=CVE-2024-0408
  (* Security fix *)
60 lines
2 KiB
Diff
From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 6 Dec 2023 12:09:41 +0100
Subject: [PATCH] glx: Call XACE hooks on the GLX buffer

The XSELINUX code will label resources at creation by checking the
access mode. When the access mode is DixCreateAccess, it will call the
function to label the new resource SELinuxLabelResource().

However, GLX buffers do not go through the XACE hooks when created,
hence leaving the resource actually unlabeled.

When, later, the client tries to create another resource using that
drawable (like a GC for example), the XSELINUX code would try to use
the security ID of that object which has never been labeled, get a NULL
pointer and crash when checking whether the requested permissions are
granted for subject security ID.

To avoid the issue, make sure to call the XACE hooks when creating the
GLX buffers.

Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.

CVE-2024-0408

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
---
glx/glxcmds.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index fc26a2e345..1e46d0c723 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -48,6 +48,7 @@
#include "indirect_util.h"
#include "protocol-versions.h"
#include "glxvndabi.h"
+#include "xace.h"
static char GLXServerVendorName[] = "SGI";
@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
if (!pPixmap)
return BadAlloc;
+ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
+ pPixmap, RT_NONE, NULL, DixCreateAccess);
+ if (err != Success) {
+ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
+ return err;
+ }
+
/* Assign the pixmap the same id as the pbuffer and add it as a
* resource so it and the DRI2 drawable will be reclaimed when the
* pbuffer is destroyed. */
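Review bot: In DoCreatePbuffer the XaceHook(XACE_RESOURCE_ACCESS, ..., DixCreateAccess) call is the only one this patch adds (the diffstat shows 8 insertions in glx/glxcmds.c), while the commit message speaks of "GLX buffers" in general; please state in the message whether pbuffers are the only GLX drawable creation path that skips XACE, or cover the others in the same series. The call site would also benefit from a one-line comment saying the hook is there so that XSELINUX labels the pixmap at creation, since nothing next to it explains why a create-access check sits between the allocation and the "Assign the pixmap the same id as the pbuffer" step. The error path correctly destroys pPixmap before returning err, but the declaration of err is outside the visible context, so confirm it is already in scope in this function.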
--
GitLab