mirror of
git://slackware.nl/current.git
synced 2025-01-16 15:41:42 +01:00
95fd8ef935
patches/packages/gnutls-3.8.3-x86_64-1_slack15.0.txz: Upgraded. This update fixes two medium severity security issues: Fix more timing side-channel inside RSA-PSK key exchange. Fix assertion failure when verifying a certificate chain with a cycle of cross signatures. For more information, see: https://www.cve.org/CVERecord?id=CVE-2024-0553 https://www.cve.org/CVERecord?id=CVE-2024-0567 (* Security fix *) patches/packages/xorg-server-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux context corruption. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 https://www.cve.org/CVERecord?id=CVE-2024-0409 (* Security fix *) patches/packages/xorg-server-xephyr-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-11_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-10_slack15.0.txz: Rebuilt. This update fixes security issues: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. Reattaching to different master device may lead to out-of-bounds memory access. Heap buffer overflow in XISendDeviceHierarchyEvent. Heap buffer overflow in DisableDevice. SELinux unlabeled GLX PBuffer. For more information, see: https://lists.x.org/archives/xorg/2024-January/061525.html https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-0408 (* Security fix *)
83 lines
2.8 KiB
Diff
83 lines
2.8 KiB
Diff
From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Mon, 18 Dec 2023 14:27:50 +1000
|
|
Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify
|
|
|
|
If a device has both a button class and a key class and numButtons is
|
|
zero, we can get an OOB write due to event under-allocation.
|
|
|
|
This function seems to assume a device has either keys or buttons, not
|
|
both. It has two virtually identical code paths, both of which assume
|
|
they're applying to the first event in the sequence.
|
|
|
|
A device with both a key and button class triggered a logic bug - only
|
|
one xEvent was allocated but the deviceStateNotify pointer was pushed on
|
|
once per type. So effectively this logic code:
|
|
|
|
int count = 1;
|
|
if (button && nbuttons > 32) count++;
|
|
if (key && nbuttons > 0) count++;
|
|
if (key && nkeys > 32) count++; // this is basically always true
|
|
// count is at 2 for our keys + zero button device
|
|
|
|
ev = alloc(count * sizeof(xEvent));
|
|
FixDeviceStateNotify(ev);
|
|
if (button)
|
|
FixDeviceStateNotify(ev++);
|
|
if (key)
|
|
FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
|
|
|
|
If the device has more than 3 valuators, the OOB is pushed back - we're
|
|
off by one so it will happen when the last deviceValuator event is
|
|
written instead.
|
|
|
|
Fix this by allocating the maximum number of events we may allocate.
|
|
Note that the current behavior is not protocol-correct anyway, this
|
|
patch fixes only the allocation issue.
|
|
|
|
Note that this issue does not trigger if the device has at least one
|
|
button. While the server does not prevent a button class with zero
|
|
buttons, it is very unlikely.
|
|
|
|
CVE-2024-0229, ZDI-CAN-22678
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
---
|
|
dix/enterleave.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
|
index ded8679d76..17964b00a4 100644
|
|
--- a/dix/enterleave.c
|
|
+++ b/dix/enterleave.c
|
|
@@ -675,7 +675,8 @@ static void
|
|
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
|
{
|
|
int evcount = 1;
|
|
- deviceStateNotify *ev, *sev;
|
|
+ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
|
|
+ deviceStateNotify *ev;
|
|
deviceKeyStateNotify *kev;
|
|
deviceButtonStateNotify *bev;
|
|
|
|
@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
|
}
|
|
}
|
|
|
|
- sev = ev = xallocarray(evcount, sizeof(xEvent));
|
|
+ ev = sev;
|
|
FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
|
|
|
|
if (b != NULL) {
|
|
@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
|
|
|
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
|
|
DeviceStateNotifyMask, NullGrab);
|
|
- free(sev);
|
|
}
|
|
|
|
void
|
|
--
|
|
GitLab
|
|
|