import CS libX11-1.7.0-9.el9

This commit is contained in:
eabdullin 2024-03-28 10:40:46 +00:00
parent 1e3aed9340
commit f19eb5aa50
6 changed files with 261 additions and 1 deletions

View File

@ -0,0 +1,58 @@
From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 17 Sep 2023 14:19:40 -0700
Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in
_XkbReadKeySyms()
Make sure we allocate enough memory in the first place, and
also handle error returns from _XkbReadBufferCopyKeySyms() when
it detects out-of-bounds issues.
Reported-by: Gregory James DUCK <gjduck@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/xkb/XKBGetMap.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index 2891d21e..31199e4a 100644
--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
if (offset + newMap->nSyms >= map->size_syms) {
register int sz;
- sz = map->size_syms + 128;
+ sz = offset + newMap->nSyms;
+ sz = ((sz + (unsigned) 128) / 128) * 128;
_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
if (map->syms == NULL) {
map->size_syms = 0;
@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
map->size_syms = sz;
}
if (newMap->nSyms > 0) {
- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
- newMap->nSyms);
+ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+ newMap->nSyms) == 0)
+ return BadLength;
offset += newMap->nSyms;
}
else {
@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
if (newSyms == NULL)
return BadAlloc;
- if (newMap->nSyms > 0)
- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
+ if (newMap->nSyms > 0) {
+ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
+ return BadLength;
+ }
else
newSyms[0] = NoSymbol;
oldMap->kt_index[0] = newMap->ktIndex[0];
--
2.41.0

View File

@ -0,0 +1,37 @@
From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu, 7 Sep 2023 15:54:30 -0700
Subject: [PATCH 1/3] CVE-2023-43786: stack exhaustion from infinite recursion
in PutSubImage()
When splitting a single line of pixels into chunks to send to the
X server, be sure to take into account the number of bits per pixel,
so we don't just loop forever trying to send more pixels than fit in
the given request size and not breaking them down into a small enough
chunk to fix.
Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/PutImage.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/PutImage.c b/src/PutImage.c
index 857ee916..a6db7b42 100644
--- a/src/PutImage.c
+++ b/src/PutImage.c
@@ -914,8 +914,9 @@ PutSubImage (
req_width, req_height - SubImageHeight,
dest_bits_per_pixel, dest_scanline_pad);
} else {
- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
- * dest_scanline_pad) - left_pad;
+ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
+ * dest_scanline_pad) - left_pad)
+ / dest_bits_per_pixel;
PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
(unsigned int) SubImageWidth, 1,
--
2.41.0

View File

@ -0,0 +1,59 @@
From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
From: Yair Mizrahi <yairm@jfrog.com>
Date: Thu, 7 Sep 2023 16:15:32 -0700
Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to
a heap overflow
When the format is `Pixmap` it calculates the size of the image data as:
ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
There is no validation on the `width` of the image, and so this
calculation exceeds the capacity of a 4-byte integer, causing an overflow.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/ImUtil.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/ImUtil.c b/src/ImUtil.c
index 36f08a03..fbfad33e 100644
--- a/src/ImUtil.c
+++ b/src/ImUtil.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
#include <X11/Xlibint.h>
#include <X11/Xutil.h>
#include <stdio.h>
+#include <limits.h>
#include "ImUtil.h"
static int _XDestroyImage(XImage *);
@@ -361,13 +362,22 @@ XImage *XCreateImage (
/*
* compute per line accelerator.
*/
- {
- if (format == ZPixmap)
+ if (format == ZPixmap) {
+ if ((INT_MAX / bits_per_pixel) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
min_bytes_per_line =
- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
- else
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+ } else {
+ if ((INT_MAX - offset) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
min_bytes_per_line =
- ROUNDUP((width + offset), image->bitmap_pad);
+ ROUNDUP((width + offset), image->bitmap_pad);
}
if (image_bytes_per_line == 0) {
image->bytes_per_line = min_bytes_per_line;
--
2.41.0

View File

@ -0,0 +1,41 @@
From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu, 7 Sep 2023 15:55:04 -0700
Subject: [PATCH 2/3] XPutImage: clip images to maximum height & width allowed
by protocol
The PutImage request specifies height & width of the image as CARD16
(unsigned 16-bit integer), same as the maximum dimensions of an X11
Drawable, which the image is being copied to.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/PutImage.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/PutImage.c b/src/PutImage.c
index a6db7b42..ba411e36 100644
--- a/src/PutImage.c
+++ b/src/PutImage.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
#include "Xlibint.h"
#include "Xutil.h"
#include <stdio.h>
+#include <limits.h>
#include "Cr.h"
#include "ImUtil.h"
#include "reallocarray.h"
@@ -962,6 +963,10 @@ XPutImage (
height = image->height - req_yoffset;
if ((width <= 0) || (height <= 0))
return 0;
+ if (width > USHRT_MAX)
+ width = USHRT_MAX;
+ if (height > USHRT_MAX)
+ height = USHRT_MAX;
if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
dest_bits_per_pixel = 1;
--
2.41.0

View File

@ -0,0 +1,47 @@
From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu, 7 Sep 2023 16:12:27 -0700
Subject: [PATCH 3/3] XCreatePixmap: trigger BadValue error for out-of-range
dimensions
The CreatePixmap request specifies height & width of the image as CARD16
(unsigned 16-bit integer), so if either is larger than that, set it to 0
so the X server returns a BadValue error as the protocol requires.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/CrPixmap.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/CrPixmap.c b/src/CrPixmap.c
index cdf31207..3cb2ca6d 100644
--- a/src/CrPixmap.c
+++ b/src/CrPixmap.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
#ifdef USE_DYNAMIC_XCURSOR
void
@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
Pixmap pid;
register xCreatePixmapReq *req;
+ /*
+ * Force a BadValue X Error if the requested dimensions are larger
+ * than the X11 protocol has room for, since that's how callers expect
+ * to get notified of errors.
+ */
+ if (width > USHRT_MAX)
+ width = 0;
+ if (height > USHRT_MAX)
+ height = 0;
+
LockDisplay(dpy);
GetReq(CreatePixmap, req);
req->drawable = d;
--
2.41.0

View File

@ -5,7 +5,7 @@
Summary: Core X11 protocol client library
Name: libX11
Version: 1.7.0
Release: 8%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
Release: 9%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
License: MIT
URL: http://www.x.org
@ -22,6 +22,17 @@ Patch3: 0001-makekeys-handle-the-new-_EVDEVK-xorgproto-symbols.patch
# CVE-2023-3138
Patch4: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
# CVE-2023-43785
Patch5: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
# CVE-2023-43786
Patch6: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
Patch7: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
Patch8: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
# CVE-2023-43787
Patch9: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
BuildRequires: make
BuildRequires: xorg-x11-util-macros >= 1.11
BuildRequires: pkgconfig(xproto) >= 7.0.15
@ -124,6 +135,13 @@ make %{?_smp_mflags} check
%{_mandir}/man5/*.5*
%changelog
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 1.7.0-9
- Fix CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
- Fix CVE-2023-43786: stack exhaustion from infinite recursion in
PutSubImage()
- Fix CVE-2023-43787: integer overflow in XCreateImage() leading to
a heap overflow
* Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.7.0-8
- CVE fix for: CVE-2023-3138
Resolve: rhbz#2213763