Fix use after free related to CVE-2024-21886 Resolves: RHEL-20389

Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
Resolves: RHEL-20389 Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent Resolves: RHEL-20383 Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access Resolves: RHEL-20533 Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer Resolves: RHEL-21213
2024-02-08 04:59:25 +00:00 · 2024-01-22 10:28:43 +01:00
2 changed files with 43 additions and 1 deletions
--- a/tigervnc.spec
+++ b/tigervnc.spec
@ -5,7 +5,7 @@

 Name:           tigervnc
 Version:        1.13.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        A TigerVNC remote display system

 %global _hardened_build 1
@ -37,6 +37,11 @@ Patch100:       tigervnc-xserver120.patch
 # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
 Patch101:       0001-rpath-hack.patch

+# XServer patches
+# CVE-2024-0229
+# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1251
+Patch200:       xorg-CVE-2024-0229-followup.patch
+
 BuildRequires:  make
 BuildRequires:  gcc-c++
 BuildRequires:  gettext
@ -185,6 +190,7 @@ for all in `find . -type f -perm -001`; do
 done
 %patch100 -p1 -b .xserver120-rebased
 %patch101 -p1 -b .rpath
+%patch200 -p1 -b .xorg-CVE-2024-0229-followup
 popd

 %patch1 -p1 -b .use-gnome-as-default-session
@ -378,6 +384,10 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

 %changelog
+* Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
+- Fix copy/paste error in the DeviceStateNotify
+  Resolves: RHEL-20533
+
 * Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
 - Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
  Resolves: RHEL-20389
--- a/xorg-CVE-2024-0229-followup.patch
+++ b/xorg-CVE-2024-0229-followup.patch
@ -0,0 +1,32 @@
+From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 22 Jan 2024 14:22:12 +1000
+Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
+ event
+
+Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 7b7ba1098b..c1e6ac600e 100644
+--- a/dix/enterleave.c
+++ b/dix/enterleave.c
+@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+     ev->first_valuator = first;
+     switch (ev->num_valuators) {
+     case 6:
+-        ev->valuator2 = v->axisVal[first + 5];
+        ev->valuator5 = v->axisVal[first + 5];
+     case 5:
+-        ev->valuator2 = v->axisVal[first + 4];
+        ev->valuator4 = v->axisVal[first + 4];
+     case 4:
+-        ev->valuator2 = v->axisVal[first + 3];
+        ev->valuator3 = v->axisVal[first + 3];
+     case 3:
+         ev->valuator2 = v->axisVal[first + 2];
+     case 2:
+--
+GitLab