mirror of
git://slackware.nl/current.git
synced 2024-12-29 10:25:00 +01:00
95fd8ef935
patches/packages/gnutls-3.8.3-x86_64-1_slack15.0.txz: Upgraded. This update fixes two medium severity security issues: Fix more timing side-channel inside RSA-PSK key exchange. Fix assertion failure when verifying a certificate chain with a cycle of cross signatures. For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-0553 https://www.cve.org/CVERecord?id=CVE-2024-0567 (* Security fix *) patches/packages/xorg-server-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux context corruption. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 https://www.cve.org/CVERecord?id=CVE-2024-0409 (* Security fix *) patches/packages/xorg-server-xephyr-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-10_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 (* Security fix *)
109 lines
3.4 KiB
Diff
109 lines
3.4 KiB
Diff
From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Thu, 4 Jan 2024 10:01:24 +1000
|
|
Subject: [PATCH] Xi: flush hierarchy events after adding/removing master
|
|
devices
|
|
|
|
The `XISendDeviceHierarchyEvent()` function allocates space to store up
|
|
to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
|
|
|
|
If a device with a given ID was removed and a new device with the same
|
|
ID added both in the same operation, the single device ID will lead to
|
|
two info structures being written to `info`.
|
|
|
|
Since this case can occur for every device ID at once, a total of two
|
|
times `MAXDEVICES` info structures might be written to the allocation.
|
|
|
|
To avoid it, once one add/remove master is processed, send out the
|
|
device hierarchy event for the current state and continue. That event
|
|
thus only ever has exactly one of either added/removed in it (and
|
|
optionally slave attached/detached).
|
|
|
|
CVE-2024-21885, ZDI-CAN-22744
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
---
|
|
Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
|
|
1 file changed, 22 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
|
|
index d2d985848d..72d00451e3 100644
|
|
--- a/Xi/xichangehierarchy.c
|
|
+++ b/Xi/xichangehierarchy.c
|
|
@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
size_t len; /* length of data remaining in request */
|
|
int rc = Success;
|
|
int flags[MAXDEVICES] = { 0 };
|
|
+ enum {
|
|
+ NO_CHANGE,
|
|
+ FLUSH,
|
|
+ CHANGED,
|
|
+ } changes = NO_CHANGE;
|
|
|
|
REQUEST(xXIChangeHierarchyReq);
|
|
REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
|
|
@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
rc = add_master(client, c, flags);
|
|
if (rc != Success)
|
|
goto unwind;
|
|
- }
|
|
+ changes = FLUSH;
|
|
break;
|
|
+ }
|
|
case XIRemoveMaster:
|
|
{
|
|
xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
|
|
@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
rc = remove_master(client, r, flags);
|
|
if (rc != Success)
|
|
goto unwind;
|
|
- }
|
|
+ changes = FLUSH;
|
|
break;
|
|
+ }
|
|
case XIDetachSlave:
|
|
{
|
|
xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
|
|
@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
rc = detach_slave(client, c, flags);
|
|
if (rc != Success)
|
|
goto unwind;
|
|
- }
|
|
+ changes = CHANGED;
|
|
break;
|
|
+ }
|
|
case XIAttachSlave:
|
|
{
|
|
xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
|
|
@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
rc = attach_slave(client, c, flags);
|
|
if (rc != Success)
|
|
goto unwind;
|
|
+ changes = CHANGED;
|
|
+ break;
|
|
}
|
|
+ default:
|
|
break;
|
|
}
|
|
|
|
+ if (changes == FLUSH) {
|
|
+ XISendDeviceHierarchyEvent(flags);
|
|
+ memset(flags, 0, sizeof(flags));
|
|
+ changes = NO_CHANGE;
|
|
+ }
|
|
+
|
|
len -= any->length * 4;
|
|
any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
|
|
}
|
|
|
|
unwind:
|
|
-
|
|
- XISendDeviceHierarchyEvent(flags);
|
|
+ if (changes != NO_CHANGE)
|
|
+ XISendDeviceHierarchyEvent(flags);
|
|
return rc;
|
|
}
|
|
--
|
|
GitLab
|
|
|