Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions

Resolves: RHEL-18414 Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty Resolves: RHEL-18426
2023-12-18 08:11:40 +01:00 · 2023-12-18 08:11:40 +01:00 · 49fe969620
commit 49fe969620
parent 71f9cb9382
2 changed files with 115 additions and 1 deletions
--- a/tigervnc.spec
+++ b/tigervnc.spec
@ -5,7 +5,7 @@

 Name:           tigervnc
 Version:        1.13.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        A TigerVNC remote display system

 %global _hardened_build 1
@ -33,6 +33,9 @@ Patch100:       tigervnc-xserver120.patch
 # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
 Patch101:       0001-rpath-hack.patch

+# Xorg backports
+Patch300:       xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch
+
 BuildRequires:  make
 BuildRequires:  gcc-c++
 BuildRequires:  gettext
@ -181,6 +184,7 @@ for all in `find . -type f -perm -001`; do
 done
 %patch100 -p1 -b .xserver120-rebased
 %patch101 -p1 -b .rpath
+%patch300 -p1 -b .xorg-rename-boolean-config-value-field-from-bool-to-boolean
 popd

 %patch1 -p1 -b .use-gnome-as-default-session
@ -370,6 +374,12 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

 %changelog
+* Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5
+- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
+  Resolves: RHEL-18414
+- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
+  Resolves: RHEL-18426
+
 * Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4
 - Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow
  Resolves: RHEL-15237
--- a/xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch
+++ b/xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch
@ -0,0 +1,104 @@
+From 454b3a826edb5fc6d0fea3a9cfd1a5e8fc568747 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 22 Jul 2019 13:51:06 -0400
+Subject: [PATCH] hw: Rename boolean config value field from bool to boolean
+
+"bool" conflicts with C++ (meh) and stdbool.h (ngh alright fine). This
+is a driver-visible change and will likely break the build for mach64,
+but it can be fixed by simply using xf86ReturnOptValBool like every
+other driver.
+
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+---
+ hw/xfree86/common/xf86Opt.h    |  2 +-
+ hw/xfree86/common/xf86Option.c | 10 +++++-----
+ hw/xwin/winconfig.c            | 22 +++++++++++-----------
+ hw/xwin/winconfig.h            |  2 +-
+ 4 files changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/hw/xfree86/common/xf86Opt.h b/hw/xfree86/common/xf86Opt.h
+index 3be2a0fc7e..3046fbd417 100644
+--- a/hw/xfree86/common/xf86Opt.h
+++ b/hw/xfree86/common/xf86Opt.h
+@@ -41,7 +41,7 @@ typedef union {
+     unsigned long num;
+     const char *str;
+     double realnum;
+-    Bool bool;
+    Bool boolean;
+     OptFrequency freq;
+ } ValueUnion;
+
+diff --git a/hw/xwin/winconfig.c b/hw/xwin/winconfig.c
+index 31894d2fb0..646d690062 100644
+--- a/hw/xwin/winconfig.c
+++ b/hw/xwin/winconfig.c
+@@ -623,7 +623,7 @@ winSetBoolOption(void *optlist, const char *name, int deflt)
+     o.name = name;
+     o.type = OPTV_BOOLEAN;
+     if (ParseOptionValue(-1, optlist, &o))
+-        deflt = o.value.bool;
+        deflt = o.value.boolean;
+     return deflt;
+ }
+
+@@ -918,7 +918,7 @@ ParseOptionValue(int scrnIndex, void *options, OptionInfoPtr p)
+         }
+         if ((s = winFindOptionValue(options, newn)) != NULL) {
+             if (GetBoolValue(&opt, s)) {
+-                p->value.bool = !opt.value.bool;
+                p->value.boolean = !opt.value.boolean;
+                 p->found = TRUE;
+             }
+             else {
+@@ -968,25 +968,25 @@ static Bool
+ GetBoolValue(OptionInfoPtr p, const char *s)
+ {
+     if (*s == 0) {
+-        p->value.bool = TRUE;
+        p->value.boolean = TRUE;
+     }
+     else {
+         if (winNameCompare(s, "1") == 0)
+-            p->value.bool = TRUE;
+            p->value.boolean = TRUE;
+         else if (winNameCompare(s, "on") == 0)
+-            p->value.bool = TRUE;
+            p->value.boolean = TRUE;
+         else if (winNameCompare(s, "true") == 0)
+-            p->value.bool = TRUE;
+            p->value.boolean = TRUE;
+         else if (winNameCompare(s, "yes") == 0)
+-            p->value.bool = TRUE;
+            p->value.boolean = TRUE;
+         else if (winNameCompare(s, "0") == 0)
+-            p->value.bool = FALSE;
+            p->value.boolean = FALSE;
+         else if (winNameCompare(s, "off") == 0)
+-            p->value.bool = FALSE;
+            p->value.boolean = FALSE;
+         else if (winNameCompare(s, "false") == 0)
+-            p->value.bool = FALSE;
+            p->value.boolean = FALSE;
+         else if (winNameCompare(s, "no") == 0)
+-            p->value.bool = FALSE;
+            p->value.boolean = FALSE;
+     }
+     return TRUE;
+ }
+diff --git a/hw/xwin/winconfig.h b/hw/xwin/winconfig.h
+index f079368c7c..bd1f596509 100644
+--- a/hw/xwin/winconfig.h
+++ b/hw/xwin/winconfig.h
+@@ -199,7 +199,7 @@ typedef union {
+     unsigned long num;
+     char *str;
+     double realnum;
+-    Bool bool;
+    Bool boolean;
+     OptFrequency freq;
+ } ValueUnion;
+
+--
+GitLab
+