From 867dc4e0a186cd3ab422d5c3bd830c73497e53b3 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Wed, 5 Jul 2023 14:08:59 +0200
Subject: [PATCH] CVE fix for: CVE-2023-3138 Resolve: rhbz#2213762
---
 ...unds-checks-for-extension-request-ev.patch | 108 ++++++++++++++++++
 libX11.spec | 9 +-
 2 files changed, 116 insertions(+), 1 deletion(-)
 create mode 100644 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
diff --git a/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch b/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
new file mode 100644
index 0000000..014bdc0
--- /dev/null
+++ b/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
@@ -0,0 +1,108 @@
+From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: [PATCH libX11] InitExt.c: Add bounds checks for extension request,
+ event, & error codes
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK
+Signed-off-by: Alan Coopersmith
+---
+ src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f15..afc00a6b 100644
+--- a/src/InitExt.c
++++ b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+ #include
+ #include
+
++/* The X11 protocol spec reserves events 64 through 127 for extensions */
++#ifndef LastExtensionEvent
++#define LastExtensionEvent 127
++#endif
++
++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
++#ifndef LastExtensionRequest
++#define FirstExtensionRequest 128
++#define LastExtensionRequest 255
++#endif
++
++
+ /*
+ * This routine is used to link a extension in so it will be called
+ * at appropriate times.
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+ WireToEventType proc) /* routine to call when converting event */
+ {
+ register WireToEventType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (WireToEventType)_XUnknownWireEvent;
++ }
+ if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->event_vec[event_number];
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+ )
+ {
+ WireToEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (WireToEventCookieType)_XUnknownWireEventCookie;
++ }
+ if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+ )
+ {
+ CopyEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (CopyEventCookieType)_XUnknownCopyEventCookie;
++ }
+ if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+ EventToWireType proc) /* routine to call when converting event */
+ {
+ register EventToWireType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (EventToWireType)_XUnknownNativeEvent;
++ }
+ if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@
WireToErrorType XESetWireToError(
+ WireToErrorType proc) /* routine to call when converting error */
+ {
+ register WireToErrorType oldproc = NULL;
++ if (error_number < 0 ||
++ error_number > LastExtensionError) {
++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
++ error_number);
++ return (WireToErrorType)_XDefaultWireError;
++ }
+ if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
+ LockDisplay (dpy);
+ if (!dpy->error_vec) {
+--
+2.41.0
+
diff --git a/libX11.spec b/libX11.spec
index ced136f..5dd0676 100644
--- a/libX11.spec
+++ b/libX11.spec
@@ -5,7 +5,7 @@ Summary: Core X11 protocol client library
 Name: libX11
 Version: 1.6.8
-Release: 5%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
+Release: 6%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
 License: MIT
 Group: System Environment/Libraries
 URL: http://www.x.org
@@ -25,6 +25,8 @@ Patch4: 0001-Fix-poll_for_response-race-condition.patch
 # CVE-2020-14363
 Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch
 Patch6: CVE-2021-31535.patch
+# CVE-2023-3138
+Patch7: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
 BuildRequires: xorg-x11-util-macros >= 1.11
 BuildRequires: pkgconfig(xproto) >= 7.0.15
@@ -70,6 +72,7 @@ libX11/libxcb interoperability library
 %patch4 -p1 -b .race
 %patch5 -p1 -b .fix-an-integer-overflow-in-init_om
 %patch6 -p1 -b .cve-2021-31535
+%patch7 -p1 -b .cve-2023-3138
 %build
 autoreconf -v --install --force
@@ -134,6 +137,10 @@ make %{?_smp_mflags} check
 %{_mandir}/man5/*.5*
 %changelog
+* Wed Jul 05 2023 Olivier Fourdan - 1.6.8-6
+- CVE fix for: CVE-2023-3138
+ Resolve: rhbz#2213762
+
 * Thu Aug 12 2021 Adam Jackson - 1.6.8-5
 - Fix CVE-2021-31535 (#1962439)
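Review bot: In the InitExt.c patch this commit adds, the guards in XESetWireToEvent and XESetEventToWire accept every `event_number` from 0 to `LastExtensionEvent`, while the comment added next to the macro says extensions own only events 64 through 127. The check keeps the store inside `dpy->event_vec` and `dpy->wire_vec`, which is the out-of-bounds write the commit message describes, but a server-supplied value below 64 would still replace the converter for a core event. Whether any caller legitimately registers for core event numbers is not visible in these hunks, so I would at least record the intent with `/* lower bound is 0, not 64: this only guards the array index */`, or tighten the test to `event_number < 64` if no such caller exists. Both function bodies continue outside their hunks.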