From 620a2751aff5cedbd01f711b86efd5090d7eebcc Mon Sep 17 00:00:00 2001 From: Jan Grulich Date: Wed, 7 Feb 2024 12:49:00 +0100 Subject: [PATCH] Fix use after free related to CVE-2024-21886 Resolves: RHEL-20388 Fix copy/paste error in the DeviceStateNotify Resolves: RHEL-20530 --- tigervnc.spec | 12 ++++++++++-- xorg-CVE-2024-0229-followup.patch | 32 +++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 xorg-CVE-2024-0229-followup.patch diff --git a/tigervnc.spec b/tigervnc.spec index d8e8451..df0d991 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -5,7 +5,7 @@ Name: tigervnc Version: 1.13.1 -Release: 7%{?dist} +Release: 8%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -38,7 +38,10 @@ Patch100: tigervnc-xserver120.patch # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start Patch101: 0001-rpath-hack.patch -# Upstreamable patches +# XServer patches +# CVE-2024-0229 +# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1251 +Patch200: xorg-CVE-2024-0229-followup.patch BuildRequires: make BuildRequires: gcc-c++ @@ -186,6 +189,7 @@ for all in `find . -type f -perm -001`; do done %patch100 -p1 -b .xserver120-rebased %patch101 -p1 -b .rpath +%patch200 -p1 -b .xorg-CVE-2024-0229-followup popd %patch1 -p1 -b .use-gnome-as-default-session @@ -352,6 +356,10 @@ fi %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog +* Wed Feb 07 2024 Jan Grulich - 1.13.1-8 +- Fix copy/paste error in the DeviceStateNotify + Resolves: RHEL-20530 + * Mon Jan 22 2024 Jan Grulich - 1.13.1-7 - Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice Resolves: RHEL-20388 diff --git a/xorg-CVE-2024-0229-followup.patch b/xorg-CVE-2024-0229-followup.patch new file mode 100644 index 0000000..9ea651b --- /dev/null +++ b/xorg-CVE-2024-0229-followup.patch @@ -0,0 +1,32 @@ +From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 22 Jan 2024 14:22:12 +1000 +Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify + event + +Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5 +--- + dix/enterleave.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 7b7ba1098b..c1e6ac600e 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + ev->first_valuator = first; + switch (ev->num_valuators) { + case 6: +- ev->valuator2 = v->axisVal[first + 5]; ++ ev->valuator5 = v->axisVal[first + 5]; + case 5: +- ev->valuator2 = v->axisVal[first + 4]; ++ ev->valuator4 = v->axisVal[first + 4]; + case 4: +- ev->valuator2 = v->axisVal[first + 3]; ++ ev->valuator3 = v->axisVal[first + 3]; + case 3: + ev->valuator2 = v->axisVal[first + 2]; + case 2: +-- +GitLab