mirror of
git://slackware.nl/current.git
synced 2025-01-03 23:03:22 +01:00
b5eac9957b
patches/packages/mozilla-firefox-102.6.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
https://www.cve.org/CVERecord?id=CVE-2022-46880
https://www.cve.org/CVERecord?id=CVE-2022-46872
https://www.cve.org/CVERecord?id=CVE-2022-46881
https://www.cve.org/CVERecord?id=CVE-2022-46874
https://www.cve.org/CVERecord?id=CVE-2022-46875
https://www.cve.org/CVERecord?id=CVE-2022-46882
https://www.cve.org/CVERecord?id=CVE-2022-46878
(* Security fix *)
patches/packages/mozilla-thunderbird-102.6.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
https://www.cve.org/CVERecord?id=CVE-2022-46880
https://www.cve.org/CVERecord?id=CVE-2022-46872
https://www.cve.org/CVERecord?id=CVE-2022-46881
https://www.cve.org/CVERecord?id=CVE-2022-46874
https://www.cve.org/CVERecord?id=CVE-2022-46875
https://www.cve.org/CVERecord?id=CVE-2022-46882
https://www.cve.org/CVERecord?id=CVE-2022-46878
(* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
This release fixes 6 recently reported security vulnerabilities in
various extensions.
For more information, see:
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
https://www.cve.org/CVERecord?id=CVE-2022-46340
https://www.cve.org/CVERecord?id=CVE-2022-46341
https://www.cve.org/CVERecord?id=CVE-2022-46342
https://www.cve.org/CVERecord?id=CVE-2022-46343
https://www.cve.org/CVERecord?id=CVE-2022-46344
https://www.cve.org/CVERecord?id=CVE-2022-4283
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-4_slack15.0.txz: Rebuilt.
This release fixes 6 recently reported security vulnerabilities in
various extensions.
For more information, see:
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
https://www.cve.org/CVERecord?id=CVE-2022-46340
https://www.cve.org/CVERecord?id=CVE-2022-46341
https://www.cve.org/CVERecord?id=CVE-2022-46342
https://www.cve.org/CVERecord?id=CVE-2022-46343
https://www.cve.org/CVERecord?id=CVE-2022-46344
https://www.cve.org/CVERecord?id=CVE-2022-4283
(* Security fix *)
71 lines
2.1 KiB
Diff
71 lines
2.1 KiB
Diff
From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Tue, 29 Nov 2022 13:26:57 +1000
|
|
Subject: [PATCH] Xi: avoid integer truncation in length check of
|
|
ProcXIChangeProperty
|
|
|
|
This fixes an OOB read and the resulting information disclosure.
|
|
|
|
Length calculation for the request was clipped to a 32-bit integer. With
|
|
the correct stuff->num_items value the expected request size was
|
|
truncated, passing the REQUEST_FIXED_SIZE check.
|
|
|
|
The server then proceeded with reading at least stuff->num_items bytes
|
|
(depending on stuff->format) from the request and stuffing whatever it
|
|
finds into the property. In the process it would also allocate at least
|
|
stuff->num_items bytes, i.e. 4GB.
|
|
|
|
The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
|
|
so let's fix that too.
|
|
|
|
CVE-2022-46344, ZDI-CAN 19405
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
---
|
|
Xi/xiproperty.c | 4 ++--
|
|
dix/property.c | 3 ++-
|
|
2 files changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
|
index 68c362c62..066ba21fb 100644
|
|
--- a/Xi/xiproperty.c
|
|
+++ b/Xi/xiproperty.c
|
|
@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
|
|
REQUEST(xChangeDevicePropertyReq);
|
|
DeviceIntPtr dev;
|
|
unsigned long len;
|
|
- int totalSize;
|
|
+ uint64_t totalSize;
|
|
int rc;
|
|
|
|
REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
|
|
@@ -1130,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
|
|
{
|
|
int rc;
|
|
DeviceIntPtr dev;
|
|
- int totalSize;
|
|
+ uint64_t totalSize;
|
|
unsigned long len;
|
|
|
|
REQUEST(xXIChangePropertyReq);
|
|
diff --git a/dix/property.c b/dix/property.c
|
|
index 94ef5a0ec..acce94b2c 100644
|
|
--- a/dix/property.c
|
|
+++ b/dix/property.c
|
|
@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
|
|
WindowPtr pWin;
|
|
char format, mode;
|
|
unsigned long len;
|
|
- int sizeInBytes, totalSize, err;
|
|
+ int sizeInBytes, err;
|
|
+ uint64_t totalSize;
|
|
|
|
REQUEST(xChangePropertyReq);
|
|
|
|
--
|
|
GitLab
|
|
|