mirror of
git://slackware.nl/current.git
synced 2025-01-22 07:27:59 +01:00
4e88327303
extra/tigervnc/tigervnc-1.12.0-x86_64-5_slack15.0.txz: Rebuilt. Recompiled against xorg-server-1.20.14, including the latest patches for several security issues. Thanks to marav. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-6377 https://www.cve.org/CVERecord?id=CVE-2023-6478 https://www.cve.org/CVERecord?id=CVE-2023-6816 https://www.cve.org/CVERecord?id=CVE-2024-0229 https://www.cve.org/CVERecord?id=CVE-2024-0408 https://www.cve.org/CVERecord?id=CVE-2024-0409 https://www.cve.org/CVERecord?id=CVE-2024-21885 https://www.cve.org/CVERecord?id=CVE-2024-21886 https://www.cve.org/CVERecord?id=CVE-2024-21886 (* Security fix *)
75 lines
3 KiB
Diff
75 lines
3 KiB
Diff
From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Tue, 28 Nov 2023 15:19:04 +1000
|
|
Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
|
|
|
|
button->xkb_acts is supposed to be an array sufficiently large for all
|
|
our buttons, not just a single XkbActions struct. Allocating
|
|
insufficient memory here means when we memcpy() later in
|
|
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
|
|
leading to the usual security ooopsiedaisies.
|
|
|
|
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
---
|
|
Xi/exevents.c | 12 ++++++------
|
|
dix/devices.c | 10 ++++++++++
|
|
2 files changed, 16 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/Xi/exevents.c b/Xi/exevents.c
|
|
index dcd4efb3bc..54ea11a938 100644
|
|
--- a/Xi/exevents.c
|
|
+++ b/Xi/exevents.c
|
|
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
|
|
}
|
|
|
|
if (from->button->xkb_acts) {
|
|
- if (!to->button->xkb_acts) {
|
|
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
|
|
- if (!to->button->xkb_acts)
|
|
- FatalError("[Xi] not enough memory for xkb_acts.\n");
|
|
- }
|
|
+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
|
|
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
|
|
+ maxbuttons,
|
|
+ sizeof(XkbAction));
|
|
+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
|
|
memcpy(to->button->xkb_acts, from->button->xkb_acts,
|
|
- sizeof(XkbAction));
|
|
+ from->button->numButtons * sizeof(XkbAction));
|
|
}
|
|
else {
|
|
free(to->button->xkb_acts);
|
|
diff --git a/dix/devices.c b/dix/devices.c
|
|
index b063128df0..3f3224d626 100644
|
|
--- a/dix/devices.c
|
|
+++ b/dix/devices.c
|
|
@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
|
|
|
if (master->button && master->button->numButtons != maxbuttons) {
|
|
int i;
|
|
+ int last_num_buttons = master->button->numButtons;
|
|
+
|
|
DeviceChangedEvent event = {
|
|
.header = ET_Internal,
|
|
.type = ET_DeviceChanged,
|
|
@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
|
};
|
|
|
|
master->button->numButtons = maxbuttons;
|
|
+ if (last_num_buttons < maxbuttons) {
|
|
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
|
|
+ maxbuttons,
|
|
+ sizeof(XkbAction));
|
|
+ memset(&master->button->xkb_acts[last_num_buttons],
|
|
+ 0,
|
|
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
|
|
+ }
|
|
|
|
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
|
|
sizeof(Atom));
|
|
--
|
|
GitLab
|
|
|