mirror of
git://slackware.nl/current.git
synced 2024-12-31 10:28:29 +01:00
b5eac9957b
patches/packages/mozilla-firefox-102.6.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
https://www.cve.org/CVERecord?id=CVE-2022-46880
https://www.cve.org/CVERecord?id=CVE-2022-46872
https://www.cve.org/CVERecord?id=CVE-2022-46881
https://www.cve.org/CVERecord?id=CVE-2022-46874
https://www.cve.org/CVERecord?id=CVE-2022-46875
https://www.cve.org/CVERecord?id=CVE-2022-46882
https://www.cve.org/CVERecord?id=CVE-2022-46878
(* Security fix *)
patches/packages/mozilla-thunderbird-102.6.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
https://www.cve.org/CVERecord?id=CVE-2022-46880
https://www.cve.org/CVERecord?id=CVE-2022-46872
https://www.cve.org/CVERecord?id=CVE-2022-46881
https://www.cve.org/CVERecord?id=CVE-2022-46874
https://www.cve.org/CVERecord?id=CVE-2022-46875
https://www.cve.org/CVERecord?id=CVE-2022-46882
https://www.cve.org/CVERecord?id=CVE-2022-46878
(* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
This release fixes 6 recently reported security vulnerabilities in
various extensions.
For more information, see:
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
https://www.cve.org/CVERecord?id=CVE-2022-46340
https://www.cve.org/CVERecord?id=CVE-2022-46341
https://www.cve.org/CVERecord?id=CVE-2022-46342
https://www.cve.org/CVERecord?id=CVE-2022-46343
https://www.cve.org/CVERecord?id=CVE-2022-46344
https://www.cve.org/CVERecord?id=CVE-2022-4283
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-4_slack15.0.txz: Rebuilt.
This release fixes 6 recently reported security vulnerabilities in
various extensions.
For more information, see:
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
https://www.cve.org/CVERecord?id=CVE-2022-46340
https://www.cve.org/CVERecord?id=CVE-2022-46341
https://www.cve.org/CVERecord?id=CVE-2022-46342
https://www.cve.org/CVERecord?id=CVE-2022-46343
https://www.cve.org/CVERecord?id=CVE-2022-46344
https://www.cve.org/CVERecord?id=CVE-2022-4283
(* Security fix *)
74 lines
2.9 KiB
Diff
74 lines
2.9 KiB
Diff
From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Wed, 30 Nov 2022 11:20:40 +1000
|
|
Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
|
|
client
|
|
|
|
This fixes a use-after-free bug:
|
|
|
|
When a client first calls XvdiSelectVideoNotify() on a drawable with a
|
|
TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
|
|
is added twice to the resources:
|
|
- as the drawable's XvRTVideoNotifyList. This happens only once per
|
|
drawable, subsequent calls append to this list.
|
|
- as the client's XvRTVideoNotify. This happens for every client.
|
|
|
|
The struct keeps the ClientPtr around once it has been added for a
|
|
client. The idea, presumably, is that if the client disconnects we can remove
|
|
all structs from the drawable's list that match the client (by resetting
|
|
the ClientPtr to NULL), but if the drawable is destroyed we can remove
|
|
and free the whole list.
|
|
|
|
However, if the same client then calls XvdiSelectVideoNotify() on the
|
|
same drawable with a FALSE onoff argument, only the ClientPtr on the
|
|
existing struct was set to NULL. The struct itself remained in the
|
|
client's resources.
|
|
|
|
If the drawable is now destroyed, the resource system invokes
|
|
XvdiDestroyVideoNotifyList which frees the whole list for this drawable
|
|
- including our struct. This function however does not free the resource
|
|
for the client since our ClientPtr is NULL.
|
|
|
|
Later, when the client is destroyed and the resource system invokes
|
|
XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
|
|
a struct that has been freed previously. This is generally frowned upon.
|
|
|
|
Fix this by calling FreeResource() on the second call instead of merely
|
|
setting the ClientPtr to NULL. This removes the struct from the client
|
|
resources (but not from the list), ensuring that it won't be accessed
|
|
again when the client quits.
|
|
|
|
Note that the assignment tpn->client = NULL; is superfluous since the
|
|
XvdiDestroyVideoNotify function will do this anyway. But it's left for
|
|
clarity and to match a similar invocation in XvdiSelectPortNotify.
|
|
|
|
CVE-2022-46342, ZDI-CAN 19400
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
---
|
|
Xext/xvmain.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/Xext/xvmain.c b/Xext/xvmain.c
|
|
index f62747193..2a08f8744 100644
|
|
--- a/Xext/xvmain.c
|
|
+++ b/Xext/xvmain.c
|
|
@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
|
|
tpn = pn;
|
|
while (tpn) {
|
|
if (tpn->client == client) {
|
|
- if (!onoff)
|
|
+ if (!onoff) {
|
|
tpn->client = NULL;
|
|
+ FreeResource(tpn->id, XvRTVideoNotify);
|
|
+ }
|
|
return Success;
|
|
}
|
|
if (!tpn->client)
|
|
--
|
|
GitLab
|
|
|