Drop patches that are already part of xorg-x11-server

Resolves: RHEL-30755 Resolves: RHEL-30767 Resolves: RHEL-30761
2024-04-15 08:44:59 +02:00 · 2024-04-15 08:44:59 +02:00 · a6399b88df
commit a6399b88df
parent ea7d05a241
6 changed files with 9 additions and 294 deletions
--- a/tigervnc.spec
+++ b/tigervnc.spec
@ -5,7 +5,7 @@

 Name:           tigervnc
 Version:        1.13.1
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        A TigerVNC remote display system

 %global _hardened_build 1
@ -39,14 +39,7 @@ Patch100:       tigervnc-xserver120.patch
 Patch101:       0001-rpath-hack.patch

 # XServer patches
-# CVE-2024-0229
-# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1251
-Patch200:       xorg-CVE-2024-0229-followup.patch
-Patch201:       xorg-CVE-2024-31080.patch
-Patch202:       xorg-CVE-2024-31081.patch
-Patch203:       xorg-CVE-2024-31082.patch
-Patch204:       xorg-CVE-2024-31083.patch
-Patch205:       xorg-CVE-2024-31083-followup.patch
+Patch200:       xorg-CVE-2024-31083-followup.patch

 BuildRequires:  make
 BuildRequires:  gcc-c++
@ -194,12 +187,7 @@ for all in `find . -type f -perm -001`; do
 done
 %patch100 -p1 -b .xserver120-rebased
 %patch101 -p1 -b .rpath
-%patch200 -p1 -b .xorg-CVE-2024-0229-followup
-%patch201 -p1 -b .xorg-CVE-2024-31080.patch
-%patch202 -p1 -b .xorg-CVE-2024-31081.patch
-%patch203 -p1 -b .xorg-CVE-2024-31082.patch
-%patch204 -p1 -b .xorg-CVE-2024-31083.patch
-%patch205 -p1 -b .xorg-CVE-2024-31083-followup
+%patch200 -p1 -b .xorg-CVE-2024-31083-followup
 popd

 %patch1 -p1 -b .use-gnome-as-default-session
@ -366,6 +354,12 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

 %changelog
+* Mon Apr 15 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
+- Drop patches that are already part of xorg-x11-server
+  Resolves: RHEL-30755
+  Resolves: RHEL-30767
+  Resolves: RHEL-30761
+
 * Thu Apr 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9
 - Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
  Resolves: RHEL-30755
--- a/xorg-CVE-2024-0229-followup.patch
+++ b/xorg-CVE-2024-0229-followup.patch
@ -1,32 +0,0 @@
-From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Mon, 22 Jan 2024 14:22:12 +1000
-Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
- event
-
-Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
---
- dix/enterleave.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/dix/enterleave.c b/dix/enterleave.c
-index 7b7ba1098b..c1e6ac600e 100644
--- a/dix/enterleave.c
-+++ b/dix/enterleave.c
-@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
-     ev->first_valuator = first;
-     switch (ev->num_valuators) {
-     case 6:
-        ev->valuator2 = v->axisVal[first + 5];
-+        ev->valuator5 = v->axisVal[first + 5];
-     case 5:
-        ev->valuator2 = v->axisVal[first + 4];
-+        ev->valuator4 = v->axisVal[first + 4];
-     case 4:
-        ev->valuator2 = v->axisVal[first + 3];
-+        ev->valuator3 = v->axisVal[first + 3];
-     case 3:
-         ev->valuator2 = v->axisVal[first + 2];
-     case 2:
--
-GitLab
--- a/xorg-CVE-2024-31080.patch
+++ b/xorg-CVE-2024-31080.patch
@ -1,45 +0,0 @@
-From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 22 Mar 2024 18:51:45 -0700
-Subject: [PATCH 1/4] Xi: ProcXIGetSelectedEvents needs to use unswapped length
- to send reply
-
-CVE-2024-31080
-
-Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
-Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
---
- Xi/xiselectev.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
-index edcb8a0d3..ac1494987 100644
--- a/Xi/xiselectev.c
-+++ b/Xi/xiselectev.c
-@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
-     InputClientsPtr others = NULL;
-     xXIEventMask *evmask = NULL;
-     DeviceIntPtr dev;
-+    uint32_t length;
- 
-     REQUEST(xXIGetSelectedEventsReq);
-     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
-@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
-         }
-     }
- 
-+    /* save the value before SRepXIGetSelectedEvents swaps it */
-+    length = reply.length;
-     WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
- 
-     if (reply.num_masks)
-        WriteToClient(client, reply.length * 4, buffer);
-+        WriteToClient(client, length * 4, buffer);
- 
-     free(buffer);
-     return Success;
-- 
-2.44.0
-
--- a/xorg-CVE-2024-31081.patch
+++ b/xorg-CVE-2024-31081.patch
@ -1,43 +0,0 @@
-From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 22 Mar 2024 18:56:27 -0700
-Subject: [PATCH 2/4] Xi: ProcXIPassiveGrabDevice needs to use unswapped length
- to send reply
-
-CVE-2024-31081
-
-Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
---
- Xi/xipassivegrab.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
-index c9ac2f855..896233bec 100644
--- a/Xi/xipassivegrab.c
-+++ b/Xi/xipassivegrab.c
-@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
-     GrabParameters param;
-     void *tmp;
-     int mask_len;
-+    uint32_t length;
- 
-     REQUEST(xXIPassiveGrabDeviceReq);
-     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
-@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
-         }
-     }
- 
-+    /* save the value before SRepXIPassiveGrabDevice swaps it */
-+    length = rep.length;
-     WriteReplyToClient(client, sizeof(rep), &rep);
-     if (rep.num_modifiers)
-        WriteToClient(client, rep.length * 4, modifiers_failed);
-+        WriteToClient(client, length * 4, modifiers_failed);
- 
-  out:
-     free(modifiers_failed);
-- 
-2.44.0
-
--- a/xorg-CVE-2024-31082.patch
+++ b/xorg-CVE-2024-31082.patch
@ -1,47 +0,0 @@
-From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 22 Mar 2024 19:07:34 -0700
-Subject: [PATCH 3/4] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
- length to send reply
-
-CVE-2024-31082
-
-Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
---
- hw/xquartz/xpr/appledri.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
-index 77574655b..40422b61a 100644
--- a/hw/xquartz/xpr/appledri.c
-+++ b/hw/xquartz/xpr/appledri.c
-@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
-     xAppleDRICreatePixmapReply rep;
-     int width, height, pitch, bpp;
-     void *ptr;
-+    CARD32 stringLength;
- 
-     REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
- 
-@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
-     if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
-         ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
- 
-+    stringLength = rep.stringLength;  /* save unswapped value */
-     if (client->swapped) {
-         swaps(&rep.sequenceNumber);
-         swapl(&rep.length);
-@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
-     }
- 
-     WriteToClient(client, sizeof(rep), &rep);
-    WriteToClient(client, rep.stringLength, path);
-+    WriteToClient(client, stringLength, path);
- 
-     return Success;
- }
-- 
-2.44.0
-
--- a/xorg-CVE-2024-31083.patch
+++ b/xorg-CVE-2024-31083.patch
@ -1,112 +0,0 @@
-From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 30 Jan 2024 13:13:35 +1000
-Subject: [PATCH 4/4] render: fix refcounting of glyphs during
- ProcRenderAddGlyphs
-
-Previously, AllocateGlyph would return a new glyph with refcount=0 and a
-re-used glyph would end up not changing the refcount at all. The
-resulting glyph_new array would thus have multiple entries pointing to
-the same non-refcounted glyphs.
-
-AddGlyph may free a glyph, resulting in a UAF when the same glyph
-pointer is then later used.
-
-Fix this by returning a refcount of 1 for a new glyph and always
-incrementing the refcount for a re-used glyph, followed by dropping that
-refcount back down again when we're done with it.
-
-CVE-2024-31083, ZDI-CAN-22880
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
---
- render/glyph.c         |  5 +++--
- render/glyphstr_priv.h |  1 +
- render/render.c        | 15 +++++++++++----
- 3 files changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/render/glyph.c b/render/glyph.c
-index 850ea8440..13991f8a1 100644
--- a/render/glyph.c
-+++ b/render/glyph.c
-@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
-     }
- }
- 
-static void
-+void
- FreeGlyph(GlyphPtr glyph, int format)
- {
-     CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
-+    BUG_RETURN(glyph->refcnt == 0);
-     if (--glyph->refcnt == 0) {
-         GlyphRefPtr gr;
-         int i;
-@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
-     glyph = (GlyphPtr) malloc(size);
-     if (!glyph)
-         return 0;
-    glyph->refcnt = 0;
-+    glyph->refcnt = 1;
-     glyph->size = size + sizeof(xGlyphInfo);
-     glyph->info = *gi;
-     dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
-diff --git a/render/glyphstr.h b/render/glyphstr.h
-index 2f51bd244..3b1d806d1 100644
--- a/render/glyphstr.h
-+++ b/render/glyphstr.h
-@@ -108,6 +108,7 @@ extern Bool
- extern GlyphPtr FindGlyph(GlyphSetPtr glyphSet, Glyph id);
- 
- extern GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format);
-+extern void FreeGlyph(GlyphPtr glyph, int format);
- 
- extern Bool
-  ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change);
-diff --git a/render/render.c b/render/render.c
-index 29c5055c6..fe5e37dd9 100644
--- a/render/render.c
-+++ b/render/render.c
-@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
- 
-         if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
-             glyph_new->found = TRUE;
-+            ++glyph_new->glyph->refcnt;
-         }
-         else {
-             GlyphPtr glyph;
-@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
-         err = BadAlloc;
-         goto bail;
-     }
-    for (i = 0; i < nglyphs; i++)
-+    for (i = 0; i < nglyphs; i++) {
-         AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
-+        FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
-+    }
- 
-     if (glyphsBase != glyphsLocal)
-         free(glyphsBase);
-@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
-         FreePicture((void *) pSrc, 0);
-     if (pSrcPix)
-         FreeScratchPixmapHeader(pSrcPix);
-    for (i = 0; i < nglyphs; i++)
-        if (glyphs[i].glyph && !glyphs[i].found)
-            free(glyphs[i].glyph);
-+    for (i = 0; i < nglyphs; i++) {
-+        if (glyphs[i].glyph) {
-+            --glyphs[i].glyph->refcnt;
-+            if (!glyphs[i].found)
-+                free(glyphs[i].glyph);
-+        }
-+    }
-     if (glyphsBase != glyphsLocal)
-         free(glyphsBase);
-     return err;
-- 
-2.44.0
-