mirror of
git://slackware.nl/current.git
synced 2025-01-03 23:03:22 +01:00
95fd8ef935
patches/packages/gnutls-3.8.3-x86_64-1_slack15.0.txz: Upgraded. This update fixes two medium severity security issues: Fix more timing side-channel inside RSA-PSK key exchange. Fix assertion failure when verifying a certificate chain with a cycle of cross signatures. For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-0553 https://www.cve.org/CVERecord?id=CVE-2024-0567 (* Security fix *) patches/packages/xorg-server-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux context corruption. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 https://www.cve.org/CVERecord?id=CVE-2024-0409 (* Security fix *) patches/packages/xorg-server-xephyr-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-10_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 (* Security fix *)
70 lines
2.2 KiB
Diff
70 lines
2.2 KiB
Diff
From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
|
Date: Fri, 22 Dec 2023 18:28:31 +0100
|
|
Subject: [PATCH] Xi: do not keep linked list pointer during recursion
|
|
|
|
The `DisableDevice()` function is called whenever an enabled device
|
|
is disabled and it moves the device from the `inputInfo.devices` linked
|
|
list to the `inputInfo.off_devices` linked list.
|
|
|
|
However, its link/unlink operation has an issue during the recursive
|
|
call to `DisableDevice()` due to the `prev` pointer pointing to a
|
|
removed device.
|
|
|
|
This issue leads to a length mismatch between the total number of
|
|
devices and the number of device in the list, leading to a heap
|
|
overflow and, possibly, to local privilege escalation.
|
|
|
|
Simplify the code that checked whether the device passed to
|
|
`DisableDevice()` was in `inputInfo.devices` or not and find the
|
|
previous device after the recursion.
|
|
|
|
CVE-2024-21886, ZDI-CAN-22840
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
---
|
|
dix/devices.c | 15 ++++++++++++---
|
|
1 file changed, 12 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/dix/devices.c b/dix/devices.c
|
|
index dca98c8d1b..389d28a23c 100644
|
|
--- a/dix/devices.c
|
|
+++ b/dix/devices.c
|
|
@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
|
{
|
|
DeviceIntPtr *prev, other;
|
|
BOOL enabled;
|
|
+ BOOL dev_in_devices_list = FALSE;
|
|
int flags[MAXDEVICES] = { 0 };
|
|
|
|
if (!dev->enabled)
|
|
return TRUE;
|
|
|
|
- for (prev = &inputInfo.devices;
|
|
- *prev && (*prev != dev); prev = &(*prev)->next);
|
|
- if (*prev != dev)
|
|
+ for (other = inputInfo.devices; other; other = other->next) {
|
|
+ if (other == dev) {
|
|
+ dev_in_devices_list = TRUE;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (!dev_in_devices_list)
|
|
return FALSE;
|
|
|
|
TouchEndPhysicallyActiveTouches(dev);
|
|
@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
|
LeaveWindow(dev);
|
|
SetFocusOut(dev);
|
|
|
|
+ for (prev = &inputInfo.devices;
|
|
+ *prev && (*prev != dev); prev = &(*prev)->next);
|
|
+
|
|
*prev = dev->next;
|
|
dev->next = inputInfo.off_devices;
|
|
inputInfo.off_devices = dev;
|
|
--
|
|
GitLab
|
|
|