import CS libX11-1.6.8-6.el8

2023-09-27 13:11:21 +00:00 · 2023-09-27 13:11:21 +00:00 · 876641c52a
commit 876641c52a
parent d6560d1921
2 changed files with 116 additions and 1 deletions
--- a/SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
+++ b/SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
@ -0,0 +1,108 @@
+From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: [PATCH libX11] InitExt.c: Add bounds checks for extension request,
+ event, & error codes
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f15..afc00a6b 100644
+--- a/src/InitExt.c
+++ b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+ #include <X11/Xos.h>
+ #include <stdio.h>
+ 
+/* The X11 protocol spec reserves events 64 through 127 for extensions */
+#ifndef LastExtensionEvent
+#define LastExtensionEvent 127
+#endif
+
+/* The X11 protocol spec reserves requests 128 through 255 for extensions */
+#ifndef LastExtensionRequest
+#define FirstExtensionRequest 128
+#define LastExtensionRequest 255
+#endif
+
+
+ /*
+  * This routine is used to link a extension in so it will be called
+  * at appropriate times.
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+ 	WireToEventType proc)	/* routine to call when converting event */
+ {
+ 	register WireToEventType oldproc;
+	if (event_number < 0 ||
+	    event_number > LastExtensionEvent) {
+	    fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
+		    event_number);
+	    return (WireToEventType)_XUnknownWireEvent;
+	}
+ 	if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+ 	LockDisplay (dpy);
+ 	oldproc = dpy->event_vec[event_number];
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+     )
+ {
+ 	WireToEventCookieType oldproc;
+	if (extension < FirstExtensionRequest ||
+	    extension > LastExtensionRequest) {
+	    fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
+		    extension);
+	    return (WireToEventCookieType)_XUnknownWireEventCookie;
+	}
+ 	if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
+ 	LockDisplay (dpy);
+ 	oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+     )
+ {
+ 	CopyEventCookieType oldproc;
+	if (extension < FirstExtensionRequest ||
+	    extension > LastExtensionRequest) {
+	    fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
+		    extension);
+	    return (CopyEventCookieType)_XUnknownCopyEventCookie;
+	}
+ 	if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+ 	LockDisplay (dpy);
+ 	oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+ 	EventToWireType proc)	/* routine to call when converting event */
+ {
+ 	register EventToWireType oldproc;
+	if (event_number < 0 ||
+	    event_number > LastExtensionEvent) {
+	    fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
+		    event_number);
+	    return (EventToWireType)_XUnknownNativeEvent;
+	}
+ 	if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+ 	LockDisplay (dpy);
+ 	oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
+ 	WireToErrorType proc)	/* routine to call when converting error */
+ {
+ 	register WireToErrorType oldproc = NULL;
+	if (error_number < 0 ||
+	    error_number > LastExtensionError) {
+	   fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
+		    error_number);
+	   return (WireToErrorType)_XDefaultWireError;
+	}
+ 	if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
+ 	LockDisplay (dpy);
+ 	if (!dpy->error_vec) {
+-- 
+2.41.0
+
--- a/SPECS/libX11.spec
+++ b/SPECS/libX11.spec
@ -5,7 +5,7 @@
 Summary: Core X11 protocol client library
 Name: libX11
 Version: 1.6.8
-Release: 5%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
+Release: 6%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
 License: MIT
 Group: System Environment/Libraries
 URL: http://www.x.org
@ -25,6 +25,8 @@ Patch4: 0001-Fix-poll_for_response-race-condition.patch
 # CVE-2020-14363
 Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch
 Patch6: CVE-2021-31535.patch
+# CVE-2023-3138
+Patch7: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch

 BuildRequires: xorg-x11-util-macros >= 1.11
 BuildRequires: pkgconfig(xproto) >= 7.0.15
@ -70,6 +72,7 @@ libX11/libxcb interoperability library
 %patch4 -p1 -b .race
 %patch5 -p1 -b .fix-an-integer-overflow-in-init_om
 %patch6 -p1 -b .cve-2021-31535
+%patch7 -p1 -b .cve-2023-3138

 %build
 autoreconf -v --install --force
@ -134,6 +137,10 @@ make %{?_smp_mflags} check
 %{_mandir}/man5/*.5*

 %changelog
+* Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-6
+- CVE fix for: CVE-2023-3138
+  Resolve: rhbz#2213762
+
 * Thu Aug 12 2021 Adam Jackson <ajax@redhat.com> - 1.6.8-5
 - Fix CVE-2021-31535 (#1962439)