import CS libX11-1.7.0-9.el9

2024-03-28 10:40:46 +00:00 · 2024-03-28 10:40:46 +00:00 · f19eb5aa50
commit f19eb5aa50
parent 1e3aed9340
6 changed files with 261 additions and 1 deletions
--- a/SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
+++ b/SOURCES/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
@ -0,0 +1,58 @@
 From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sun, 17 Sep 2023 14:19:40 -0700
 Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in
 _XkbReadKeySyms()
 Make sure we allocate enough memory in the first place, and
 also handle error returns from _XkbReadBufferCopyKeySyms() when
 it detects out-of-bounds issues.
 Reported-by: Gregory James DUCK <gjduck@gmail.com>
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/xkb/XKBGetMap.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
 diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
 index 2891d21e..31199e4a 100644
 --- a/src/xkb/XKBGetMap.c
 +++ b/src/xkb/XKBGetMap.c
@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
             if (offset + newMap->nSyms >= map->size_syms) {
                 register int sz;
 -                sz = map->size_syms + 128;
 +                sz = offset + newMap->nSyms;
 +                sz = ((sz + (unsigned) 128) / 128) * 128;
                 _XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
                 if (map->syms == NULL) {
                     map->size_syms = 0;
@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
                 map->size_syms = sz;
             }
             if (newMap->nSyms > 0) {
 -                _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
 -                                          newMap->nSyms);
 +                if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
 +                                              newMap->nSyms) == 0)
 +                    return BadLength;
                 offset += newMap->nSyms;
             }
             else {
@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
             newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
             if (newSyms == NULL)
                 return BadAlloc;
 -            if (newMap->nSyms > 0)
 -                _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
 +            if (newMap->nSyms > 0) {
 +                if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
 +                    return BadLength;
 +            }
             else
                 newSyms[0] = NoSymbol;
             oldMap->kt_index[0] = newMap->ktIndex[0];
 -- 
 2.41.0
--- a/SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
+++ b/SOURCES/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
@ -0,0 +1,37 @@
 From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Thu, 7 Sep 2023 15:54:30 -0700
 Subject: [PATCH 1/3] CVE-2023-43786: stack exhaustion from infinite recursion
 in PutSubImage()
 When splitting a single line of pixels into chunks to send to the
 X server, be sure to take into account the number of bits per pixel,
 so we don't just loop forever trying to send more pixels than fit in
 the given request size and not breaking them down into a small enough
 chunk to fix.
 Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/PutImage.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/src/PutImage.c b/src/PutImage.c
 index 857ee916..a6db7b42 100644
 --- a/src/PutImage.c
 +++ b/src/PutImage.c
@@ -914,8 +914,9 @@ PutSubImage (
 		    req_width, req_height - SubImageHeight,
 		    dest_bits_per_pixel, dest_scanline_pad);
     } else {
 -	int SubImageWidth = (((Available << 3) / dest_scanline_pad)
 -				* dest_scanline_pad) - left_pad;
 +	int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
 +                              * dest_scanline_pad) - left_pad)
 +                              / dest_bits_per_pixel;
 	PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
 		    (unsigned int) SubImageWidth, 1,
 -- 
 2.41.0
--- a/SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
+++ b/SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
@ -0,0 +1,59 @@
 From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
 From: Yair Mizrahi <yairm@jfrog.com>
 Date: Thu, 7 Sep 2023 16:15:32 -0700
 Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to
 a heap overflow
 When the format is `Pixmap` it calculates the size of the image data as:
    ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
 There is no validation on the `width` of the image, and so this
 calculation exceeds the capacity of a 4-byte integer, causing an overflow.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/ImUtil.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
 diff --git a/src/ImUtil.c b/src/ImUtil.c
 index 36f08a03..fbfad33e 100644
 --- a/src/ImUtil.c
 +++ b/src/ImUtil.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
 #include <X11/Xlibint.h>
 #include <X11/Xutil.h>
 #include <stdio.h>
 +#include <limits.h>
 #include "ImUtil.h"
 static int _XDestroyImage(XImage *);
@@ -361,13 +362,22 @@ XImage *XCreateImage (
 	/*
 	 * compute per line accelerator.
 	 */
 -	{
 -	if (format == ZPixmap)
 +	if (format == ZPixmap) {
 +	    if ((INT_MAX / bits_per_pixel) < width) {
 +		Xfree(image);
 +		return NULL;
 +	    }
 +
 	    min_bytes_per_line =
 -	       ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
 -	else
 +		ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
 +	} else {
 +	    if ((INT_MAX - offset) < width) {
 +		Xfree(image);
 +		return NULL;
 +	    }
 +
 	    min_bytes_per_line =
 -	        ROUNDUP((width + offset), image->bitmap_pad);
 +		ROUNDUP((width + offset), image->bitmap_pad);
 	}
 	if (image_bytes_per_line == 0) {
 	    image->bytes_per_line = min_bytes_per_line;
 -- 
 2.41.0
--- a/SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
+++ b/SOURCES/0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
@ -0,0 +1,41 @@
 From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Thu, 7 Sep 2023 15:55:04 -0700
 Subject: [PATCH 2/3] XPutImage: clip images to maximum height & width allowed
 by protocol
 The PutImage request specifies height & width of the image as CARD16
 (unsigned 16-bit integer), same as the maximum dimensions of an X11
 Drawable, which the image is being copied to.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/PutImage.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/src/PutImage.c b/src/PutImage.c
 index a6db7b42..ba411e36 100644
 --- a/src/PutImage.c
 +++ b/src/PutImage.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
 #include "Xlibint.h"
 #include "Xutil.h"
 #include <stdio.h>
 +#include <limits.h>
 #include "Cr.h"
 #include "ImUtil.h"
 #include "reallocarray.h"
@@ -962,6 +963,10 @@ XPutImage (
 	height = image->height - req_yoffset;
     if ((width <= 0) || (height <= 0))
 	return 0;
 +    if (width > USHRT_MAX)
 +        width = USHRT_MAX;
 +    if (height > USHRT_MAX)
 +        height = USHRT_MAX;
     if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
 	dest_bits_per_pixel = 1;
 -- 
 2.41.0
--- a/SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
+++ b/SOURCES/0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
@ -0,0 +1,47 @@
 From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Thu, 7 Sep 2023 16:12:27 -0700
 Subject: [PATCH 3/3] XCreatePixmap: trigger BadValue error for out-of-range
 dimensions
 The CreatePixmap request specifies height & width of the image as CARD16
 (unsigned 16-bit integer), so if either is larger than that, set it to 0
 so the X server returns a BadValue error as the protocol requires.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/CrPixmap.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
 diff --git a/src/CrPixmap.c b/src/CrPixmap.c
 index cdf31207..3cb2ca6d 100644
 --- a/src/CrPixmap.c
 +++ b/src/CrPixmap.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
 #include <config.h>
 #endif
 #include "Xlibint.h"
 +#include <limits.h>
 #ifdef USE_DYNAMIC_XCURSOR
 void
@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
     Pixmap pid;
     register xCreatePixmapReq *req;
 +    /*
 +     * Force a BadValue X Error if the requested dimensions are larger
 +     * than the X11 protocol has room for, since that's how callers expect
 +     * to get notified of errors.
 +     */
 +    if (width > USHRT_MAX)
 +        width = 0;
 +    if (height > USHRT_MAX)
 +        height = 0;
 +
     LockDisplay(dpy);
     GetReq(CreatePixmap, req);
     req->drawable = d;
 -- 
 2.41.0
--- a/SPECS/libX11.spec
+++ b/SPECS/libX11.spec
@ -5,7 +5,7 @@
 Summary: Core X11 protocol client library
 Name: libX11
 Version: 1.7.0
-Release: 8%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
+Release: 9%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
 License: MIT
 URL: http://www.x.org
@ -22,6 +22,17 @@ Patch3: 0001-makekeys-handle-the-new-_EVDEVK-xorgproto-symbols.patch
 # CVE-2023-3138
 Patch4: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
 # CVE-2023-43785
 Patch5: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
 # CVE-2023-43786
 Patch6: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
 Patch7: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
 Patch8: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
 # CVE-2023-43787
 Patch9: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
 BuildRequires: make
 BuildRequires: xorg-x11-util-macros >= 1.11
 BuildRequires: pkgconfig(xproto) >= 7.0.15
@ -124,6 +135,13 @@ make %{?_smp_mflags} check
 %{_mandir}/man5/*.5*
 %changelog
 * Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 1.7.0-9
 - Fix CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
 - Fix CVE-2023-43786: stack exhaustion from infinite recursion in
  PutSubImage()
 - Fix CVE-2023-43787: integer overflow in XCreateImage() leading to
  a heap overflow
 * Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.7.0-8
 - CVE fix for: CVE-2023-3138
  Resolve: rhbz#2213763