mirror of
git://slackware.nl/current.git
synced 2024-12-29 10:25:00 +01:00
b5eac9957b
patches/packages/mozilla-firefox-102.6.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
https://www.cve.org/CVERecord?id=CVE-2022-46880
https://www.cve.org/CVERecord?id=CVE-2022-46872
https://www.cve.org/CVERecord?id=CVE-2022-46881
https://www.cve.org/CVERecord?id=CVE-2022-46874
https://www.cve.org/CVERecord?id=CVE-2022-46875
https://www.cve.org/CVERecord?id=CVE-2022-46882
https://www.cve.org/CVERecord?id=CVE-2022-46878
(* Security fix *)
patches/packages/mozilla-thunderbird-102.6.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
https://www.cve.org/CVERecord?id=CVE-2022-46880
https://www.cve.org/CVERecord?id=CVE-2022-46872
https://www.cve.org/CVERecord?id=CVE-2022-46881
https://www.cve.org/CVERecord?id=CVE-2022-46874
https://www.cve.org/CVERecord?id=CVE-2022-46875
https://www.cve.org/CVERecord?id=CVE-2022-46882
https://www.cve.org/CVERecord?id=CVE-2022-46878
(* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
This release fixes 6 recently reported security vulnerabilities in
various extensions.
For more information, see:
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
https://www.cve.org/CVERecord?id=CVE-2022-46340
https://www.cve.org/CVERecord?id=CVE-2022-46341
https://www.cve.org/CVERecord?id=CVE-2022-46342
https://www.cve.org/CVERecord?id=CVE-2022-46343
https://www.cve.org/CVERecord?id=CVE-2022-46344
https://www.cve.org/CVERecord?id=CVE-2022-4283
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-4_slack15.0.txz: Rebuilt.
This release fixes 6 recently reported security vulnerabilities in
various extensions.
For more information, see:
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
https://www.cve.org/CVERecord?id=CVE-2022-46340
https://www.cve.org/CVERecord?id=CVE-2022-46341
https://www.cve.org/CVERecord?id=CVE-2022-46342
https://www.cve.org/CVERecord?id=CVE-2022-46343
https://www.cve.org/CVERecord?id=CVE-2022-46344
https://www.cve.org/CVERecord?id=CVE-2022-4283
(* Security fix *)
82 lines
3 KiB
Diff
82 lines
3 KiB
Diff
From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Tue, 29 Nov 2022 13:55:32 +1000
|
|
Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
|
|
|
|
The XKB protocol effectively prevents us from ever using keycodes above
|
|
255. For buttons it's theoretically possible but realistically too niche
|
|
to worry about. For all other passive grabs, the detail must be zero
|
|
anyway.
|
|
|
|
This fixes an OOB write:
|
|
|
|
ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
|
|
temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
|
|
For matching existing grabs, DeleteDetailFromMask is called with the
|
|
stuff->detail value. This function creates a new mask with the one bit
|
|
representing stuff->detail cleared.
|
|
|
|
However, the array size for the new mask is 8 * sizeof(CARD32) bits,
|
|
thus any detail above 255 results in an OOB array write.
|
|
|
|
CVE-2022-46341, ZDI-CAN 19381
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
---
|
|
Xi/xipassivegrab.c | 22 ++++++++++++++--------
|
|
1 file changed, 14 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
|
|
index 2769fb7c9..c9ac2f855 100644
|
|
--- a/Xi/xipassivegrab.c
|
|
+++ b/Xi/xipassivegrab.c
|
|
@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
|
|
return BadValue;
|
|
}
|
|
|
|
+ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
|
|
+ * implement this. Just return an error for all keycodes that
|
|
+ * cannot work anyway, same for buttons > 255. */
|
|
+ if (stuff->detail > 255)
|
|
+ return XIAlreadyGrabbed;
|
|
+
|
|
if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
|
|
stuff->mask_len * 4) != Success)
|
|
return BadValue;
|
|
@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
|
|
¶m, XI2, &mask);
|
|
break;
|
|
case XIGrabtypeKeycode:
|
|
- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
|
|
- * implement this. Just return an error for all keycodes that
|
|
- * cannot work anyway */
|
|
- if (stuff->detail > 255)
|
|
- status = XIAlreadyGrabbed;
|
|
- else
|
|
- status = GrabKey(client, dev, mod_dev, stuff->detail,
|
|
- ¶m, XI2, &mask);
|
|
+ status = GrabKey(client, dev, mod_dev, stuff->detail,
|
|
+ ¶m, XI2, &mask);
|
|
break;
|
|
case XIGrabtypeEnter:
|
|
case XIGrabtypeFocusIn:
|
|
@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
|
|
return BadValue;
|
|
}
|
|
|
|
+ /* We don't allow passive grabs for details > 255 anyway */
|
|
+ if (stuff->detail > 255) {
|
|
+ client->errorValue = stuff->detail;
|
|
+ return BadValue;
|
|
+ }
|
|
+
|
|
rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
|
|
if (rc != Success)
|
|
return rc;
|
|
--
|
|
GitLab
|
|
|