import CS libX11-1.7.0-9.el9
This commit is contained in:
parent
1e3aed9340
commit
f19eb5aa50
@ -0,0 +1,58 @@
|
||||
From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sun, 17 Sep 2023 14:19:40 -0700
|
||||
Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in
|
||||
_XkbReadKeySyms()
|
||||
|
||||
Make sure we allocate enough memory in the first place, and
|
||||
also handle error returns from _XkbReadBufferCopyKeySyms() when
|
||||
it detects out-of-bounds issues.
|
||||
|
||||
Reported-by: Gregory James DUCK <gjduck@gmail.com>
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/xkb/XKBGetMap.c | 14 +++++++++-----
|
||||
1 file changed, 9 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
|
||||
index 2891d21e..31199e4a 100644
|
||||
--- a/src/xkb/XKBGetMap.c
|
||||
+++ b/src/xkb/XKBGetMap.c
|
||||
@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
||||
if (offset + newMap->nSyms >= map->size_syms) {
|
||||
register int sz;
|
||||
|
||||
- sz = map->size_syms + 128;
|
||||
+ sz = offset + newMap->nSyms;
|
||||
+ sz = ((sz + (unsigned) 128) / 128) * 128;
|
||||
_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
|
||||
if (map->syms == NULL) {
|
||||
map->size_syms = 0;
|
||||
@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
||||
map->size_syms = sz;
|
||||
}
|
||||
if (newMap->nSyms > 0) {
|
||||
- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
|
||||
- newMap->nSyms);
|
||||
+ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
|
||||
+ newMap->nSyms) == 0)
|
||||
+ return BadLength;
|
||||
offset += newMap->nSyms;
|
||||
}
|
||||
else {
|
||||
@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
||||
newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
|
||||
if (newSyms == NULL)
|
||||
return BadAlloc;
|
||||
- if (newMap->nSyms > 0)
|
||||
- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
|
||||
+ if (newMap->nSyms > 0) {
|
||||
+ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
|
||||
+ return BadLength;
|
||||
+ }
|
||||
else
|
||||
newSyms[0] = NoSymbol;
|
||||
oldMap->kt_index[0] = newMap->ktIndex[0];
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,37 @@
|
||||
From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Thu, 7 Sep 2023 15:54:30 -0700
|
||||
Subject: [PATCH 1/3] CVE-2023-43786: stack exhaustion from infinite recursion
|
||||
in PutSubImage()
|
||||
|
||||
When splitting a single line of pixels into chunks to send to the
|
||||
X server, be sure to take into account the number of bits per pixel,
|
||||
so we don't just loop forever trying to send more pixels than fit in
|
||||
the given request size and not breaking them down into a small enough
|
||||
chunk to fix.
|
||||
|
||||
Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/PutImage.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/PutImage.c b/src/PutImage.c
|
||||
index 857ee916..a6db7b42 100644
|
||||
--- a/src/PutImage.c
|
||||
+++ b/src/PutImage.c
|
||||
@@ -914,8 +914,9 @@ PutSubImage (
|
||||
req_width, req_height - SubImageHeight,
|
||||
dest_bits_per_pixel, dest_scanline_pad);
|
||||
} else {
|
||||
- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
|
||||
- * dest_scanline_pad) - left_pad;
|
||||
+ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
|
||||
+ * dest_scanline_pad) - left_pad)
|
||||
+ / dest_bits_per_pixel;
|
||||
|
||||
PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
|
||||
(unsigned int) SubImageWidth, 1,
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,59 @@
|
||||
From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
|
||||
From: Yair Mizrahi <yairm@jfrog.com>
|
||||
Date: Thu, 7 Sep 2023 16:15:32 -0700
|
||||
Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to
|
||||
a heap overflow
|
||||
|
||||
When the format is `Pixmap` it calculates the size of the image data as:
|
||||
ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
|
||||
There is no validation on the `width` of the image, and so this
|
||||
calculation exceeds the capacity of a 4-byte integer, causing an overflow.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/ImUtil.c | 20 +++++++++++++++-----
|
||||
1 file changed, 15 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/ImUtil.c b/src/ImUtil.c
|
||||
index 36f08a03..fbfad33e 100644
|
||||
--- a/src/ImUtil.c
|
||||
+++ b/src/ImUtil.c
|
||||
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#include <X11/Xlibint.h>
|
||||
#include <X11/Xutil.h>
|
||||
#include <stdio.h>
|
||||
+#include <limits.h>
|
||||
#include "ImUtil.h"
|
||||
|
||||
static int _XDestroyImage(XImage *);
|
||||
@@ -361,13 +362,22 @@ XImage *XCreateImage (
|
||||
/*
|
||||
* compute per line accelerator.
|
||||
*/
|
||||
- {
|
||||
- if (format == ZPixmap)
|
||||
+ if (format == ZPixmap) {
|
||||
+ if ((INT_MAX / bits_per_pixel) < width) {
|
||||
+ Xfree(image);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
min_bytes_per_line =
|
||||
- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
|
||||
- else
|
||||
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
|
||||
+ } else {
|
||||
+ if ((INT_MAX - offset) < width) {
|
||||
+ Xfree(image);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
min_bytes_per_line =
|
||||
- ROUNDUP((width + offset), image->bitmap_pad);
|
||||
+ ROUNDUP((width + offset), image->bitmap_pad);
|
||||
}
|
||||
if (image_bytes_per_line == 0) {
|
||||
image->bytes_per_line = min_bytes_per_line;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,41 @@
|
||||
From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Thu, 7 Sep 2023 15:55:04 -0700
|
||||
Subject: [PATCH 2/3] XPutImage: clip images to maximum height & width allowed
|
||||
by protocol
|
||||
|
||||
The PutImage request specifies height & width of the image as CARD16
|
||||
(unsigned 16-bit integer), same as the maximum dimensions of an X11
|
||||
Drawable, which the image is being copied to.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/PutImage.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/PutImage.c b/src/PutImage.c
|
||||
index a6db7b42..ba411e36 100644
|
||||
--- a/src/PutImage.c
|
||||
+++ b/src/PutImage.c
|
||||
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#include "Xlibint.h"
|
||||
#include "Xutil.h"
|
||||
#include <stdio.h>
|
||||
+#include <limits.h>
|
||||
#include "Cr.h"
|
||||
#include "ImUtil.h"
|
||||
#include "reallocarray.h"
|
||||
@@ -962,6 +963,10 @@ XPutImage (
|
||||
height = image->height - req_yoffset;
|
||||
if ((width <= 0) || (height <= 0))
|
||||
return 0;
|
||||
+ if (width > USHRT_MAX)
|
||||
+ width = USHRT_MAX;
|
||||
+ if (height > USHRT_MAX)
|
||||
+ height = USHRT_MAX;
|
||||
|
||||
if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
|
||||
dest_bits_per_pixel = 1;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,47 @@
|
||||
From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Thu, 7 Sep 2023 16:12:27 -0700
|
||||
Subject: [PATCH 3/3] XCreatePixmap: trigger BadValue error for out-of-range
|
||||
dimensions
|
||||
|
||||
The CreatePixmap request specifies height & width of the image as CARD16
|
||||
(unsigned 16-bit integer), so if either is larger than that, set it to 0
|
||||
so the X server returns a BadValue error as the protocol requires.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/CrPixmap.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/src/CrPixmap.c b/src/CrPixmap.c
|
||||
index cdf31207..3cb2ca6d 100644
|
||||
--- a/src/CrPixmap.c
|
||||
+++ b/src/CrPixmap.c
|
||||
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#include <config.h>
|
||||
#endif
|
||||
#include "Xlibint.h"
|
||||
+#include <limits.h>
|
||||
|
||||
#ifdef USE_DYNAMIC_XCURSOR
|
||||
void
|
||||
@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
|
||||
Pixmap pid;
|
||||
register xCreatePixmapReq *req;
|
||||
|
||||
+ /*
|
||||
+ * Force a BadValue X Error if the requested dimensions are larger
|
||||
+ * than the X11 protocol has room for, since that's how callers expect
|
||||
+ * to get notified of errors.
|
||||
+ */
|
||||
+ if (width > USHRT_MAX)
|
||||
+ width = 0;
|
||||
+ if (height > USHRT_MAX)
|
||||
+ height = 0;
|
||||
+
|
||||
LockDisplay(dpy);
|
||||
GetReq(CreatePixmap, req);
|
||||
req->drawable = d;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -5,7 +5,7 @@
|
||||
Summary: Core X11 protocol client library
|
||||
Name: libX11
|
||||
Version: 1.7.0
|
||||
Release: 8%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
|
||||
Release: 9%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
|
||||
License: MIT
|
||||
URL: http://www.x.org
|
||||
|
||||
@ -22,6 +22,17 @@ Patch3: 0001-makekeys-handle-the-new-_EVDEVK-xorgproto-symbols.patch
|
||||
# CVE-2023-3138
|
||||
Patch4: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
|
||||
|
||||
# CVE-2023-43785
|
||||
Patch5: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
|
||||
|
||||
# CVE-2023-43786
|
||||
Patch6: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
|
||||
Patch7: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
|
||||
Patch8: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
|
||||
|
||||
# CVE-2023-43787
|
||||
Patch9: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: xorg-x11-util-macros >= 1.11
|
||||
BuildRequires: pkgconfig(xproto) >= 7.0.15
|
||||
@ -124,6 +135,13 @@ make %{?_smp_mflags} check
|
||||
%{_mandir}/man5/*.5*
|
||||
|
||||
%changelog
|
||||
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 1.7.0-9
|
||||
- Fix CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
|
||||
- Fix CVE-2023-43786: stack exhaustion from infinite recursion in
|
||||
PutSubImage()
|
||||
- Fix CVE-2023-43787: integer overflow in XCreateImage() leading to
|
||||
a heap overflow
|
||||
|
||||
* Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.7.0-8
|
||||
- CVE fix for: CVE-2023-3138
|
||||
Resolve: rhbz#2213763
|
||||
|
Loading…
Reference in New Issue
Block a user