Miroirs/slackware-current
1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2025-01-03 23:03:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
slackware-current/patches/source/xorg-server-xwayland/CVE-2023-6377.patch
Patrick J Volkerding 823a8c2cb7 Wed Dec 13 22:01:34 UTC 2023 
patches/packages/libxml2-2.12.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update addresses regressions when building against libxml2 that were
  due to header file refactoring.
patches/packages/xorg-server-1.20.14-x86_64-10_slack15.0.txz:  Rebuilt.
  This update fixes two security issues:
  Out-of-bounds memory write in XKB button actions.
  Out-of-bounds memory read in RRChangeOutputProperty and
  RRChangeProviderProperty.
  For more information, see:
    https://lists.x.org/archives/xorg/2023-December/061517.html
    https://www.cve.org/CVERecord?id=CVE-2023-6377
    https://www.cve.org/CVERecord?id=CVE-2023-6478
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-10_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-10_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-10_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-9_slack15.0.txz:  Rebuilt.
  This update fixes two security issues:
  Out-of-bounds memory write in XKB button actions.
  Out-of-bounds memory read in RRChangeOutputProperty and
  RRChangeProviderProperty.
  For more information, see:
    https://lists.x.org/archives/xorg/2023-December/061517.html
    https://www.cve.org/CVERecord?id=CVE-2023-6377
    https://www.cve.org/CVERecord?id=CVE-2023-6478
  (* Security fix *)
2023-12-14 13:39:45 +01:00

75 lines
3 KiB
Diff
Raw Blame History

From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 28 Nov 2023 15:19:04 +1000
Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
button->xkb_acts is supposed to be an array sufficiently large for all
our buttons, not just a single XkbActions struct. Allocating
insufficient memory here means when we memcpy() later in
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
leading to the usual security ooopsiedaisies.
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
Xi/exevents.c | 12 ++++++------
dix/devices.c | 10 ++++++++++
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index dcd4efb3bc..54ea11a938 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
}
if (from->button->xkb_acts) {
- if (!to->button->xkb_acts) {
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
- if (!to->button->xkb_acts)
- FatalError("[Xi] not enough memory for xkb_acts.\n");
- }
+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+ maxbuttons,
+ sizeof(XkbAction));
+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
memcpy(to->button->xkb_acts, from->button->xkb_acts,
- sizeof(XkbAction));
+ from->button->numButtons * sizeof(XkbAction));
}
else {
free(to->button->xkb_acts);
diff --git a/dix/devices.c b/dix/devices.c
index b063128df0..3f3224d626 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
if (master->button && master->button->numButtons != maxbuttons) {
int i;
+ int last_num_buttons = master->button->numButtons;
+
DeviceChangedEvent event = {
.header = ET_Internal,
.type = ET_DeviceChanged,
@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
};
master->button->numButtons = maxbuttons;
+ if (last_num_buttons < maxbuttons) {
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
+ maxbuttons,
+ sizeof(XkbAction));
+ memset(&master->button->xkb_acts[last_num_buttons],
+ 0,
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+ }
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
sizeof(Atom));
--
GitLab
Reference in a new issue View git blame Copy permalink