mirror of
git://slackware.nl/current.git
synced 2024-12-31 10:28:29 +01:00
823a8c2cb7
patches/packages/libxml2-2.12.3-x86_64-1_slack15.0.txz: Upgraded.
This update addresses regressions when building against libxml2 that were
due to header file refactoring.
patches/packages/xorg-server-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
This update fixes two security issues:
Out-of-bounds memory write in XKB button actions.
Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty.
For more information, see:
https://lists.x.org/archives/xorg/2023-December/061517.html
https://www.cve.org/CVERecord?id=CVE-2023-6377
https://www.cve.org/CVERecord?id=CVE-2023-6478
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-9_slack15.0.txz: Rebuilt.
This update fixes two security issues:
Out-of-bounds memory write in XKB button actions.
Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty.
For more information, see:
https://lists.x.org/archives/xorg/2023-December/061517.html
https://www.cve.org/CVERecord?id=CVE-2023-6377
https://www.cve.org/CVERecord?id=CVE-2023-6478
(* Security fix *)
59 lines
1.9 KiB
Diff
59 lines
1.9 KiB
Diff
From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Mon, 27 Nov 2023 16:27:49 +1000
|
|
Subject: [PATCH] randr: avoid integer truncation in length check of
|
|
ProcRRChange*Property
|
|
|
|
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
|
|
See also xserver@8f454b79 where this same bug was fixed for the core
|
|
protocol and XI.
|
|
|
|
This fixes an OOB read and the resulting information disclosure.
|
|
|
|
Length calculation for the request was clipped to a 32-bit integer. With
|
|
the correct stuff->nUnits value the expected request size was
|
|
truncated, passing the REQUEST_FIXED_SIZE check.
|
|
|
|
The server then proceeded with reading at least stuff->num_items bytes
|
|
(depending on stuff->format) from the request and stuffing whatever it
|
|
finds into the property. In the process it would also allocate at least
|
|
stuff->nUnits bytes, i.e. 4GB.
|
|
|
|
CVE-2023-6478, ZDI-CAN-22561
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
---
|
|
randr/rrproperty.c | 2 +-
|
|
randr/rrproviderproperty.c | 2 +-
|
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
|
index 25469f57b2..c4fef8a1f6 100644
|
|
--- a/randr/rrproperty.c
|
|
+++ b/randr/rrproperty.c
|
|
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
|
|
char format, mode;
|
|
unsigned long len;
|
|
int sizeInBytes;
|
|
- int totalSize;
|
|
+ uint64_t totalSize;
|
|
int err;
|
|
|
|
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
|
|
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
|
|
index b79c17f9bf..90c5a9a933 100644
|
|
--- a/randr/rrproviderproperty.c
|
|
+++ b/randr/rrproviderproperty.c
|
|
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
|
|
char format, mode;
|
|
unsigned long len;
|
|
int sizeInBytes;
|
|
- int totalSize;
|
|
+ uint64_t totalSize;
|
|
int err;
|
|
|
|
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
|
|
--
|
|
GitLab
|
|
|