CVE fix for: CVE-2023-3138
Resolve: rhbz#2213762
This commit is contained in:
parent
d46c4edf48
commit
867dc4e0a1
108
0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
Normal file
108
0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
Normal file
@ -0,0 +1,108 @@
|
|||||||
|
From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||||
|
Date: Sat, 10 Jun 2023 16:30:07 -0700
|
||||||
|
Subject: [PATCH libX11] InitExt.c: Add bounds checks for extension request,
|
||||||
|
event, & error codes
|
||||||
|
|
||||||
|
Fixes CVE-2023-3138: X servers could return values from XQueryExtension
|
||||||
|
that would cause Xlib to write entries out-of-bounds of the arrays to
|
||||||
|
store them, though this would only overwrite other parts of the Display
|
||||||
|
struct, not outside the bounds allocated for that structure.
|
||||||
|
|
||||||
|
Reported-by: Gregory James DUCK <gjduck@gmail.com>
|
||||||
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||||
|
---
|
||||||
|
src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 42 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/InitExt.c b/src/InitExt.c
|
||||||
|
index 4de46f15..afc00a6b 100644
|
||||||
|
--- a/src/InitExt.c
|
||||||
|
+++ b/src/InitExt.c
|
||||||
|
@@ -33,6 +33,18 @@ from The Open Group.
|
||||||
|
#include <X11/Xos.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
+/* The X11 protocol spec reserves events 64 through 127 for extensions */
|
||||||
|
+#ifndef LastExtensionEvent
|
||||||
|
+#define LastExtensionEvent 127
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+/* The X11 protocol spec reserves requests 128 through 255 for extensions */
|
||||||
|
+#ifndef LastExtensionRequest
|
||||||
|
+#define FirstExtensionRequest 128
|
||||||
|
+#define LastExtensionRequest 255
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* This routine is used to link a extension in so it will be called
|
||||||
|
* at appropriate times.
|
||||||
|
@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
|
||||||
|
WireToEventType proc) /* routine to call when converting event */
|
||||||
|
{
|
||||||
|
register WireToEventType oldproc;
|
||||||
|
+ if (event_number < 0 ||
|
||||||
|
+ event_number > LastExtensionEvent) {
|
||||||
|
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
|
||||||
|
+ event_number);
|
||||||
|
+ return (WireToEventType)_XUnknownWireEvent;
|
||||||
|
+ }
|
||||||
|
if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
|
||||||
|
LockDisplay (dpy);
|
||||||
|
oldproc = dpy->event_vec[event_number];
|
||||||
|
@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
|
||||||
|
)
|
||||||
|
{
|
||||||
|
WireToEventCookieType oldproc;
|
||||||
|
+ if (extension < FirstExtensionRequest ||
|
||||||
|
+ extension > LastExtensionRequest) {
|
||||||
|
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
|
||||||
|
+ extension);
|
||||||
|
+ return (WireToEventCookieType)_XUnknownWireEventCookie;
|
||||||
|
+ }
|
||||||
|
if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
|
||||||
|
LockDisplay (dpy);
|
||||||
|
oldproc = dpy->generic_event_vec[extension & 0x7F];
|
||||||
|
@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
|
||||||
|
)
|
||||||
|
{
|
||||||
|
CopyEventCookieType oldproc;
|
||||||
|
+ if (extension < FirstExtensionRequest ||
|
||||||
|
+ extension > LastExtensionRequest) {
|
||||||
|
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
|
||||||
|
+ extension);
|
||||||
|
+ return (CopyEventCookieType)_XUnknownCopyEventCookie;
|
||||||
|
+ }
|
||||||
|
if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
|
||||||
|
LockDisplay (dpy);
|
||||||
|
oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
|
||||||
|
@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
|
||||||
|
EventToWireType proc) /* routine to call when converting event */
|
||||||
|
{
|
||||||
|
register EventToWireType oldproc;
|
||||||
|
+ if (event_number < 0 ||
|
||||||
|
+ event_number > LastExtensionEvent) {
|
||||||
|
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
|
||||||
|
+ event_number);
|
||||||
|
+ return (EventToWireType)_XUnknownNativeEvent;
|
||||||
|
+ }
|
||||||
|
if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
|
||||||
|
LockDisplay (dpy);
|
||||||
|
oldproc = dpy->wire_vec[event_number];
|
||||||
|
@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
|
||||||
|
WireToErrorType proc) /* routine to call when converting error */
|
||||||
|
{
|
||||||
|
register WireToErrorType oldproc = NULL;
|
||||||
|
+ if (error_number < 0 ||
|
||||||
|
+ error_number > LastExtensionError) {
|
||||||
|
+ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
|
||||||
|
+ error_number);
|
||||||
|
+ return (WireToErrorType)_XDefaultWireError;
|
||||||
|
+ }
|
||||||
|
if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
|
||||||
|
LockDisplay (dpy);
|
||||||
|
if (!dpy->error_vec) {
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -5,7 +5,7 @@
|
|||||||
Summary: Core X11 protocol client library
|
Summary: Core X11 protocol client library
|
||||||
Name: libX11
|
Name: libX11
|
||||||
Version: 1.6.8
|
Version: 1.6.8
|
||||||
Release: 5%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
|
Release: 6%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
URL: http://www.x.org
|
URL: http://www.x.org
|
||||||
@ -25,6 +25,8 @@ Patch4: 0001-Fix-poll_for_response-race-condition.patch
|
|||||||
# CVE-2020-14363
|
# CVE-2020-14363
|
||||||
Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch
|
Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch
|
||||||
Patch6: CVE-2021-31535.patch
|
Patch6: CVE-2021-31535.patch
|
||||||
|
# CVE-2023-3138
|
||||||
|
Patch7: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
|
||||||
|
|
||||||
BuildRequires: xorg-x11-util-macros >= 1.11
|
BuildRequires: xorg-x11-util-macros >= 1.11
|
||||||
BuildRequires: pkgconfig(xproto) >= 7.0.15
|
BuildRequires: pkgconfig(xproto) >= 7.0.15
|
||||||
@ -70,6 +72,7 @@ libX11/libxcb interoperability library
|
|||||||
%patch4 -p1 -b .race
|
%patch4 -p1 -b .race
|
||||||
%patch5 -p1 -b .fix-an-integer-overflow-in-init_om
|
%patch5 -p1 -b .fix-an-integer-overflow-in-init_om
|
||||||
%patch6 -p1 -b .cve-2021-31535
|
%patch6 -p1 -b .cve-2021-31535
|
||||||
|
%patch7 -p1 -b .cve-2023-3138
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -v --install --force
|
autoreconf -v --install --force
|
||||||
@ -134,6 +137,10 @@ make %{?_smp_mflags} check
|
|||||||
%{_mandir}/man5/*.5*
|
%{_mandir}/man5/*.5*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-6
|
||||||
|
- CVE fix for: CVE-2023-3138
|
||||||
|
Resolve: rhbz#2213762
|
||||||
|
|
||||||
* Thu Aug 12 2021 Adam Jackson <ajax@redhat.com> - 1.6.8-5
|
* Thu Aug 12 2021 Adam Jackson <ajax@redhat.com> - 1.6.8-5
|
||||||
- Fix CVE-2021-31535 (#1962439)
|
- Fix CVE-2021-31535 (#1962439)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user