diff --git a/.gitignore b/.gitignore index 212bc42..f1f2e56 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/xwayland-22.1.9.tar.xz +SOURCES/xwayland-23.2.7.tar.xz diff --git a/.xorg-x11-server-Xwayland.metadata b/.xorg-x11-server-Xwayland.metadata index 5df6a9b..8def829 100644 --- a/.xorg-x11-server-Xwayland.metadata +++ b/.xorg-x11-server-Xwayland.metadata @@ -1 +1 @@ -19ccc8ae5920620db725a08ee65d8b64c521d766 SOURCES/xwayland-22.1.9.tar.xz +0dd118bd1d816c0407ab2c67971f70ec55f4b73c SOURCES/xwayland-23.2.7.tar.xz diff --git a/SOURCES/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch b/SOURCES/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch deleted file mode 100644 index 111f095..0000000 --- a/SOURCES/0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 19e9f199950aaa4b9b7696936d1b067475da999c Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Tue, 28 Nov 2023 15:19:04 +1000 -Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons - -button->xkb_acts is supposed to be an array sufficiently large for all -our buttons, not just a single XkbActions struct. Allocating -insufficient memory here means when we memcpy() later in -XkbSetDeviceInfo we write into memory that wasn't ours to begin with, -leading to the usual security ooopsiedaisies. - -CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd) ---- - Xi/exevents.c | 12 ++++++------ - dix/devices.c | 10 ++++++++++ - 2 files changed, 16 insertions(+), 6 deletions(-) - -diff --git a/Xi/exevents.c b/Xi/exevents.c -index dcd4efb3b..54ea11a93 100644 ---- a/Xi/exevents.c -+++ b/Xi/exevents.c -@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) - } - - if (from->button->xkb_acts) { -- if (!to->button->xkb_acts) { -- to->button->xkb_acts = calloc(1, sizeof(XkbAction)); -- if (!to->button->xkb_acts) -- FatalError("[Xi] not enough memory for xkb_acts.\n"); -- } -+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons); -+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts, -+ maxbuttons, -+ sizeof(XkbAction)); -+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction)); - memcpy(to->button->xkb_acts, from->button->xkb_acts, -- sizeof(XkbAction)); -+ from->button->numButtons * sizeof(XkbAction)); - } - else { - free(to->button->xkb_acts); -diff --git a/dix/devices.c b/dix/devices.c -index 7150734a5..20fef1692 100644 ---- a/dix/devices.c -+++ b/dix/devices.c -@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) - - if (master->button && master->button->numButtons != maxbuttons) { - int i; -+ int last_num_buttons = master->button->numButtons; -+ - DeviceChangedEvent event = { - .header = ET_Internal, - .type = ET_DeviceChanged, -@@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave) - }; - - master->button->numButtons = maxbuttons; -+ if (last_num_buttons < maxbuttons) { -+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts, -+ maxbuttons, -+ sizeof(XkbAction)); -+ memset(&master->button->xkb_acts[last_num_buttons], -+ 0, -+ (maxbuttons - last_num_buttons) * sizeof(XkbAction)); -+ } - - memcpy(&event.buttons.names, master->button->labels, maxbuttons * - sizeof(Atom)); --- -2.43.0 - diff --git a/SOURCES/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch b/SOURCES/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch deleted file mode 100644 index f98f71d..0000000 --- a/SOURCES/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 1e8478455458e998dd366d2cd23d2aeab2bdeee5 Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Tue, 3 Oct 2023 11:53:05 +1000 -Subject: [PATCH xserver] Xi/randr: fix handling of PropModeAppend/Prepend - -The handling of appending/prepending properties was incorrect, with at -least two bugs: the property length was set to the length of the new -part only, i.e. appending or prepending N elements to a property with P -existing elements always resulted in the property having N elements -instead of N + P. - -Second, when pre-pending a value to a property, the offset for the old -values was incorrect, leaving the new property with potentially -uninitalized values and/or resulting in OOB memory writes. -For example, prepending a 3 element value to a 5 element property would -result in this 8 value array: - [N, N, N, ?, ?, P, P, P ] P, P - ^OOB write - -The XI2 code is a copy/paste of the RandR code, so the bug exists in -both. - -CVE-2023-5367, ZDI-CAN-22153 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Peter Hutterer -(cherry picked from commit 541ab2ecd41d4d8689e71855d93e492bc554719a) ---- - Xi/xiproperty.c | 4 ++-- - randr/rrproperty.c | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c -index 066ba21fba..d315f04d0e 100644 ---- a/Xi/xiproperty.c -+++ b/Xi/xiproperty.c -@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, - XIDestroyDeviceProperty(prop); - return BadAlloc; - } -- new_value.size = len; -+ new_value.size = total_len; - new_value.type = type; - new_value.format = format; - -@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, - case PropModePrepend: - new_data = new_value.data; - old_data = (void *) (((char *) new_value.data) + -- (prop_value->size * size_in_bytes)); -+ (len * size_in_bytes)); - break; - } - if (new_data) -diff --git a/randr/rrproperty.c b/randr/rrproperty.c -index c2fb9585c6..25469f57b2 100644 ---- a/randr/rrproperty.c -+++ b/randr/rrproperty.c -@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, - RRDestroyOutputProperty(prop); - return BadAlloc; - } -- new_value.size = len; -+ new_value.size = total_len; - new_value.type = type; - new_value.format = format; - -@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, - case PropModePrepend: - new_data = new_value.data; - old_data = (void *) (((char *) new_value.data) + -- (prop_value->size * size_in_bytes)); -+ (len * size_in_bytes)); - break; - } - if (new_data) --- -2.41.0 - diff --git a/SOURCES/0001-dix-allocate-enough-space-for-logical-button-maps.patch b/SOURCES/0001-dix-allocate-enough-space-for-logical-button-maps.patch deleted file mode 100644 index 581756a..0000000 --- a/SOURCES/0001-dix-allocate-enough-space-for-logical-button-maps.patch +++ /dev/null @@ -1,54 +0,0 @@ -From b5cb27032d3e486ba84a491e1420e85171c4c0a3 Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Thu, 14 Dec 2023 11:29:49 +1000 -Subject: [PATCH xserver 1/9] dix: allocate enough space for logical button - maps - -Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for -each logical button currently down. Since buttons can be arbitrarily mapped -to anything up to 255 make sure we have enough bits for the maximum mapping. - -CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -(cherry picked from commit 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3) ---- - Xi/xiquerypointer.c | 3 +-- - dix/enterleave.c | 5 +++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c -index 5b77b1a44..2b05ac5f3 100644 ---- a/Xi/xiquerypointer.c -+++ b/Xi/xiquerypointer.c -@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) - if (pDev->button) { - int i; - -- rep.buttons_len = -- bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); -+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ - rep.length += rep.buttons_len; - buttons = calloc(rep.buttons_len, 4); - if (!buttons) -diff --git a/dix/enterleave.c b/dix/enterleave.c -index 867ec7436..ded8679d7 100644 ---- a/dix/enterleave.c -+++ b/dix/enterleave.c -@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, - - mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); - -- /* XI 2 event */ -- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; -+ /* XI 2 event contains the logical button map - maps are CARD8 -+ * so we need 256 bits for the possibly maximum mapping */ -+ btlen = (mouse->button) ? bits_to_bytes(256) : 0; - btlen = bytes_to_int32(btlen); - len = sizeof(xXIFocusInEvent) + btlen * 4; - --- -2.43.0 - diff --git a/SOURCES/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch b/SOURCES/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch deleted file mode 100644 index 430ead8..0000000 --- a/SOURCES/0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch +++ /dev/null @@ -1,61 +0,0 @@ -From aaf854fb25541380cc38a221c15f0e8372f48872 Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Mon, 27 Nov 2023 16:27:49 +1000 -Subject: [PATCH xserver] randr: avoid integer truncation in length check of - ProcRRChange*Property - -Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty. -See also xserver@8f454b79 where this same bug was fixed for the core -protocol and XI. - -This fixes an OOB read and the resulting information disclosure. - -Length calculation for the request was clipped to a 32-bit integer. With -the correct stuff->nUnits value the expected request size was -truncated, passing the REQUEST_FIXED_SIZE check. - -The server then proceeded with reading at least stuff->num_items bytes -(depending on stuff->format) from the request and stuffing whatever it -finds into the property. In the process it would also allocate at least -stuff->nUnits bytes, i.e. 4GB. - -CVE-2023-6478, ZDI-CAN-22561 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632) ---- - randr/rrproperty.c | 2 +- - randr/rrproviderproperty.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/randr/rrproperty.c b/randr/rrproperty.c -index 25469f57b..c4fef8a1f 100644 ---- a/randr/rrproperty.c -+++ b/randr/rrproperty.c -@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client) - char format, mode; - unsigned long len; - int sizeInBytes; -- int totalSize; -+ uint64_t totalSize; - int err; - - REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq); -diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c -index b79c17f9b..90c5a9a93 100644 ---- a/randr/rrproviderproperty.c -+++ b/randr/rrproviderproperty.c -@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client) - char format, mode; - unsigned long len; - int sizeInBytes; -- int totalSize; -+ uint64_t totalSize; - int err; - - REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq); --- -2.43.0 - diff --git a/SOURCES/0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch b/SOURCES/0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch deleted file mode 100644 index b108272..0000000 --- a/SOURCES/0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 9105be1c51d6973dc8d7806108349bc152029ec5 Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Mon, 18 Dec 2023 14:27:50 +1000 -Subject: [PATCH xserver 2/9] dix: Allocate sufficient xEvents for our - DeviceStateNotify - -If a device has both a button class and a key class and numButtons is -zero, we can get an OOB write due to event under-allocation. - -This function seems to assume a device has either keys or buttons, not -both. It has two virtually identical code paths, both of which assume -they're applying to the first event in the sequence. - -A device with both a key and button class triggered a logic bug - only -one xEvent was allocated but the deviceStateNotify pointer was pushed on -once per type. So effectively this logic code: - - int count = 1; - if (button && nbuttons > 32) count++; - if (key && nbuttons > 0) count++; - if (key && nkeys > 32) count++; // this is basically always true - // count is at 2 for our keys + zero button device - - ev = alloc(count * sizeof(xEvent)); - FixDeviceStateNotify(ev); - if (button) - FixDeviceStateNotify(ev++); - if (key) - FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here - -If the device has more than 3 valuators, the OOB is pushed back - we're -off by one so it will happen when the last deviceValuator event is -written instead. - -Fix this by allocating the maximum number of events we may allocate. -Note that the current behavior is not protocol-correct anyway, this -patch fixes only the allocation issue. - -Note that this issue does not trigger if the device has at least one -button. While the server does not prevent a button class with zero -buttons, it is very unlikely. - -CVE-2024-0229, ZDI-CAN-22678 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -(cherry picked from commit ece23be888a93b741aa1209d1dbf64636109d6a5) ---- - dix/enterleave.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/dix/enterleave.c b/dix/enterleave.c -index ded8679d7..17964b00a 100644 ---- a/dix/enterleave.c -+++ b/dix/enterleave.c -@@ -675,7 +675,8 @@ static void - DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) - { - int evcount = 1; -- deviceStateNotify *ev, *sev; -+ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; -+ deviceStateNotify *ev; - deviceKeyStateNotify *kev; - deviceButtonStateNotify *bev; - -@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) - } - } - -- sev = ev = xallocarray(evcount, sizeof(xEvent)); -+ ev = sev; - FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); - - if (b != NULL) { -@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) - - DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, - DeviceStateNotifyMask, NullGrab); -- free(sev); - } - - void --- -2.43.0 - diff --git a/SOURCES/0003-dix-fix-DeviceStateNotify-event-calculation.patch b/SOURCES/0003-dix-fix-DeviceStateNotify-event-calculation.patch deleted file mode 100644 index add5867..0000000 --- a/SOURCES/0003-dix-fix-DeviceStateNotify-event-calculation.patch +++ /dev/null @@ -1,219 +0,0 @@ -From ee5377d94ea587f584adbc9ab8372b3842cfa149 Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Mon, 18 Dec 2023 12:26:20 +1000 -Subject: [PATCH xserver 3/9] dix: fix DeviceStateNotify event calculation - -The previous code only made sense if one considers buttons and keys to -be mutually exclusive on a device. That is not necessarily true, causing -a number of issues. - -This function allocates and fills in the number of xEvents we need to -send the device state down the wire. This is split across multiple -32-byte devices including one deviceStateNotify event and optional -deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple) -deviceValuator events. - -The previous behavior would instead compose a sequence -of [state, buttonstate, state, keystate, valuator...]. This is not -protocol correct, and on top of that made the code extremely convoluted. - -Fix this by streamlining: add both button and key into the deviceStateNotify -and then append the key state and button state, followed by the -valuators. Finally, the deviceValuator events contain up to 6 valuators -per event but we only ever sent through 3 at a time. Let's double that -troughput. - -CVE-2024-0229, ZDI-CAN-22678 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -(cherry picked from commit 219c54b8a3337456ce5270ded6a67bcde53553d5) ---- - dix/enterleave.c | 121 ++++++++++++++++++++--------------------------- - 1 file changed, 52 insertions(+), 69 deletions(-) - -diff --git a/dix/enterleave.c b/dix/enterleave.c -index 17964b00a..7b7ba1098 100644 ---- a/dix/enterleave.c -+++ b/dix/enterleave.c -@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, - - ev->type = DeviceValuator; - ev->deviceid = dev->id; -- ev->num_valuators = nval < 3 ? nval : 3; -+ ev->num_valuators = nval < 6 ? nval : 6; - ev->first_valuator = first; - switch (ev->num_valuators) { -+ case 6: -+ ev->valuator2 = v->axisVal[first + 5]; -+ case 5: -+ ev->valuator2 = v->axisVal[first + 4]; -+ case 4: -+ ev->valuator2 = v->axisVal[first + 3]; - case 3: - ev->valuator2 = v->axisVal[first + 2]; - case 2: -@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, - ev->valuator0 = v->axisVal[first]; - break; - } -- first += ev->num_valuators; - } - - static void -@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, - ev->num_buttons = b->numButtons; - memcpy((char *) ev->buttons, (char *) b->down, 4); - } -- else if (k) { -+ if (k) { - ev->classes_reported |= (1 << KeyClass); - ev->num_keys = k->xkbInfo->desc->max_key_code - - k->xkbInfo->desc->min_key_code; -@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, - } - } - -- -+/** -+ * The device state notify event is split across multiple 32-byte events. -+ * The first one contains the first 32 button state bits, the first 32 -+ * key state bits, and the first 3 valuator values. -+ * -+ * If a device has more than that, the server sends out: -+ * - one deviceButtonStateNotify for buttons 32 and above -+ * - one deviceKeyStateNotify for keys 32 and above -+ * - one deviceValuator event per 6 valuators above valuator 4 -+ * -+ * All events but the last one have the deviceid binary ORed with MORE_EVENTS, -+ */ - static void - DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) - { -+ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify -+ * and one deviceValuator for each 6 valuators */ -+ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6]; - int evcount = 1; -- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; -- deviceStateNotify *ev; -- deviceKeyStateNotify *kev; -- deviceButtonStateNotify *bev; -+ deviceStateNotify *ev = sev; - - KeyClassPtr k; - ButtonClassPtr b; -@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) - - if ((b = dev->button) != NULL) { - nbuttons = b->numButtons; -- if (nbuttons > 32) -+ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */ - evcount++; - } - if ((k = dev->key) != NULL) { - nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code; -- if (nkeys > 32) -+ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */ - evcount++; -- if (nbuttons > 0) { -- evcount++; -- } - } - if ((v = dev->valuator) != NULL) { - nval = v->numAxes; -- -- if (nval > 3) -- evcount++; -- if (nval > 6) { -- if (!(k && b)) -- evcount++; -- if (nval > 9) -- evcount += ((nval - 7) / 3); -- } -+ /* first three are encoded in deviceStateNotify, then -+ * it's 6 per deviceValuator event */ -+ evcount += ((nval - 3) + 6)/6; - } - -- ev = sev; -- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); -- -- if (b != NULL) { -- FixDeviceStateNotify(dev, ev++, NULL, b, v, first); -- first += 3; -- nval -= 3; -- if (nbuttons > 32) { -- (ev - 1)->deviceid |= MORE_EVENTS; -- bev = (deviceButtonStateNotify *) ev++; -- bev->type = DeviceButtonStateNotify; -- bev->deviceid = dev->id; -- memcpy((char *) &bev->buttons[4], (char *) &b->down[4], -- DOWN_LENGTH - 4); -- } -- if (nval > 0) { -- (ev - 1)->deviceid |= MORE_EVENTS; -- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); -- first += 3; -- nval -= 3; -- } -+ BUG_RETURN(evcount <= ARRAY_SIZE(sev)); -+ -+ FixDeviceStateNotify(dev, ev, k, b, v, first); -+ -+ if (b != NULL && nbuttons > 32) { -+ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev; -+ (ev - 1)->deviceid |= MORE_EVENTS; -+ bev->type = DeviceButtonStateNotify; -+ bev->deviceid = dev->id; -+ memcpy((char *) &bev->buttons[4], (char *) &b->down[4], -+ DOWN_LENGTH - 4); - } - -- if (k != NULL) { -- FixDeviceStateNotify(dev, ev++, k, NULL, v, first); -- first += 3; -- nval -= 3; -- if (nkeys > 32) { -- (ev - 1)->deviceid |= MORE_EVENTS; -- kev = (deviceKeyStateNotify *) ev++; -- kev->type = DeviceKeyStateNotify; -- kev->deviceid = dev->id; -- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); -- } -- if (nval > 0) { -- (ev - 1)->deviceid |= MORE_EVENTS; -- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); -- first += 3; -- nval -= 3; -- } -+ if (k != NULL && nkeys > 32) { -+ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev; -+ (ev - 1)->deviceid |= MORE_EVENTS; -+ kev->type = DeviceKeyStateNotify; -+ kev->deviceid = dev->id; -+ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); - } - -+ first = 3; -+ nval -= 3; - while (nval > 0) { -- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first); -- first += 3; -- nval -= 3; -- if (nval > 0) { -- (ev - 1)->deviceid |= MORE_EVENTS; -- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); -- first += 3; -- nval -= 3; -- } -+ ev->deviceid |= MORE_EVENTS; -+ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first); -+ first += 6; -+ nval -= 6; - } - - DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, --- -2.43.0 - diff --git a/SOURCES/0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch b/SOURCES/0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch deleted file mode 100644 index 3f13a70..0000000 --- a/SOURCES/0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 1c22e4a35e71d98a082ad2f8f7bc778a8859e18d Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Thu, 21 Dec 2023 13:48:10 +1000 -Subject: [PATCH xserver 4/9] Xi: when creating a new ButtonClass, set the - number of buttons - -There's a racy sequence where a master device may copy the button class -from the slave, without ever initializing numButtons. This leads to a -device with zero buttons but a button class which is invalid. - -Let's copy the numButtons value from the source - by definition if we -don't have a button class yet we do not have any other slave devices -with more than this number of buttons anyway. - -CVE-2024-0229, ZDI-CAN-22678 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -(cherry picked from commit df3c65706eb169d5938df0052059f3e0d5981b74) ---- - Xi/exevents.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/Xi/exevents.c b/Xi/exevents.c -index 54ea11a93..e16171468 100644 ---- a/Xi/exevents.c -+++ b/Xi/exevents.c -@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) - to->button = calloc(1, sizeof(ButtonClassRec)); - if (!to->button) - FatalError("[Xi] no memory for class shift.\n"); -+ to->button->numButtons = from->button->numButtons; - } - else - classes->button = NULL; --- -2.43.0 - diff --git a/SOURCES/0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch b/SOURCES/0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch deleted file mode 100644 index c760402..0000000 --- a/SOURCES/0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 7efd09cdb13ae1a4100f68a11947afe581fa1ee8 Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Thu, 4 Jan 2024 10:01:24 +1000 -Subject: [PATCH xserver 5/9] Xi: flush hierarchy events after adding/removing - master devices - -The `XISendDeviceHierarchyEvent()` function allocates space to store up -to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`. - -If a device with a given ID was removed and a new device with the same -ID added both in the same operation, the single device ID will lead to -two info structures being written to `info`. - -Since this case can occur for every device ID at once, a total of two -times `MAXDEVICES` info structures might be written to the allocation. - -To avoid it, once one add/remove master is processed, send out the -device hierarchy event for the current state and continue. That event -thus only ever has exactly one of either added/removed in it (and -optionally slave attached/detached). - -CVE-2024-21885, ZDI-CAN-22744 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -(cherry picked from commit 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1) ---- - Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++----- - 1 file changed, 22 insertions(+), 5 deletions(-) - -diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c -index d2d985848..72d00451e 100644 ---- a/Xi/xichangehierarchy.c -+++ b/Xi/xichangehierarchy.c -@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client) - size_t len; /* length of data remaining in request */ - int rc = Success; - int flags[MAXDEVICES] = { 0 }; -+ enum { -+ NO_CHANGE, -+ FLUSH, -+ CHANGED, -+ } changes = NO_CHANGE; - - REQUEST(xXIChangeHierarchyReq); - REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq); -@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client) - rc = add_master(client, c, flags); - if (rc != Success) - goto unwind; -- } -+ changes = FLUSH; - break; -+ } - case XIRemoveMaster: - { - xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; -@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client) - rc = remove_master(client, r, flags); - if (rc != Success) - goto unwind; -- } -+ changes = FLUSH; - break; -+ } - case XIDetachSlave: - { - xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; -@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client) - rc = detach_slave(client, c, flags); - if (rc != Success) - goto unwind; -- } -+ changes = CHANGED; - break; -+ } - case XIAttachSlave: - { - xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; -@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client) - rc = attach_slave(client, c, flags); - if (rc != Success) - goto unwind; -+ changes = CHANGED; -+ break; - } -+ default: - break; - } - -+ if (changes == FLUSH) { -+ XISendDeviceHierarchyEvent(flags); -+ memset(flags, 0, sizeof(flags)); -+ changes = NO_CHANGE; -+ } -+ - len -= any->length * 4; - any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); - } - - unwind: -- -- XISendDeviceHierarchyEvent(flags); -+ if (changes != NO_CHANGE) -+ XISendDeviceHierarchyEvent(flags); - return rc; - } --- -2.43.0 - diff --git a/SOURCES/0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch b/SOURCES/0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch deleted file mode 100644 index 04ac195..0000000 --- a/SOURCES/0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 01cd3a72858ccc1afb0b42ace92263f2912619a3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= -Date: Fri, 22 Dec 2023 18:28:31 +0100 -Subject: [PATCH xserver 6/9] Xi: do not keep linked list pointer during - recursion - -The `DisableDevice()` function is called whenever an enabled device -is disabled and it moves the device from the `inputInfo.devices` linked -list to the `inputInfo.off_devices` linked list. - -However, its link/unlink operation has an issue during the recursive -call to `DisableDevice()` due to the `prev` pointer pointing to a -removed device. - -This issue leads to a length mismatch between the total number of -devices and the number of device in the list, leading to a heap -overflow and, possibly, to local privilege escalation. - -Simplify the code that checked whether the device passed to -`DisableDevice()` was in `inputInfo.devices` or not and find the -previous device after the recursion. - -CVE-2024-21886, ZDI-CAN-22840 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -(cherry picked from commit bc1fdbe46559dd947674375946bbef54dd0ce36b) ---- - dix/devices.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/dix/devices.c b/dix/devices.c -index 8fe4a341c..f3db37203 100644 ---- a/dix/devices.c -+++ b/dix/devices.c -@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) - { - DeviceIntPtr *prev, other; - BOOL enabled; -+ BOOL dev_in_devices_list = FALSE; - int flags[MAXDEVICES] = { 0 }; - - if (!dev->enabled) - return TRUE; - -- for (prev = &inputInfo.devices; -- *prev && (*prev != dev); prev = &(*prev)->next); -- if (*prev != dev) -+ for (other = inputInfo.devices; other; other = other->next) { -+ if (other == dev) { -+ dev_in_devices_list = TRUE; -+ break; -+ } -+ } -+ -+ if (!dev_in_devices_list) - return FALSE; - - TouchEndPhysicallyActiveTouches(dev); -@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) - LeaveWindow(dev); - SetFocusOut(dev); - -+ for (prev = &inputInfo.devices; -+ *prev && (*prev != dev); prev = &(*prev)->next); -+ - *prev = dev->next; - dev->next = inputInfo.off_devices; - inputInfo.off_devices = dev; --- -2.43.0 - diff --git a/SOURCES/0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch b/SOURCES/0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch deleted file mode 100644 index 7db7dbd..0000000 --- a/SOURCES/0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 42f8d1828b4fc1e0b8165a767a0b74edcdbf3806 Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Fri, 5 Jan 2024 09:40:27 +1000 -Subject: [PATCH xserver 7/9] dix: when disabling a master, float disabled - slaved devices too - -Disabling a master device floats all slave devices but we didn't do this -to already-disabled slave devices. As a result those devices kept their -reference to the master device resulting in access to already freed -memory if the master device was removed before the corresponding slave -device. - -And to match this behavior, also forcibly reset that pointer during -CloseDownDevices(). - -Related to CVE-2024-21886, ZDI-CAN-22840 - -(cherry picked from commit 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8) ---- - dix/devices.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/dix/devices.c b/dix/devices.c -index f3db37203..95190b5b7 100644 ---- a/dix/devices.c -+++ b/dix/devices.c -@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) - flags[other->id] |= XISlaveDetached; - } - } -+ -+ for (other = inputInfo.off_devices; other; other = other->next) { -+ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) { -+ AttachDevice(NULL, other, NULL); -+ flags[other->id] |= XISlaveDetached; -+ } -+ } - } - else { - for (other = inputInfo.devices; other; other = other->next) { -@@ -1080,6 +1087,11 @@ CloseDownDevices(void) - dev->master = NULL; - } - -+ for (dev = inputInfo.off_devices; dev; dev = dev->next) { -+ if (!IsMaster(dev) && !IsFloating(dev)) -+ dev->master = NULL; -+ } -+ - CloseDeviceList(&inputInfo.devices); - CloseDeviceList(&inputInfo.off_devices); - --- -2.43.0 - diff --git a/SOURCES/0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch b/SOURCES/0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch deleted file mode 100644 index 4071d27..0000000 --- a/SOURCES/0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 4093057b98bc5a178f130c9ba6b0b28385e24ae5 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Wed, 6 Dec 2023 12:09:41 +0100 -Subject: [PATCH xserver 8/9] glx: Call XACE hooks on the GLX buffer - -The XSELINUX code will label resources at creation by checking the -access mode. When the access mode is DixCreateAccess, it will call the -function to label the new resource SELinuxLabelResource(). - -However, GLX buffers do not go through the XACE hooks when created, -hence leaving the resource actually unlabeled. - -When, later, the client tries to create another resource using that -drawable (like a GC for example), the XSELINUX code would try to use -the security ID of that object which has never been labeled, get a NULL -pointer and crash when checking whether the requested permissions are -granted for subject security ID. - -To avoid the issue, make sure to call the XACE hooks when creating the -GLX buffers. - -Credit goes to Donn Seeley for providing the patch. - -CVE-2024-0408 - -Signed-off-by: Olivier Fourdan -Acked-by: Peter Hutterer -(cherry picked from commit e5e8586a12a3ec915673edffa10dc8fe5e15dac3) ---- - glx/glxcmds.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/glx/glxcmds.c b/glx/glxcmds.c -index fc26a2e34..1e46d0c72 100644 ---- a/glx/glxcmds.c -+++ b/glx/glxcmds.c -@@ -48,6 +48,7 @@ - #include "indirect_util.h" - #include "protocol-versions.h" - #include "glxvndabi.h" -+#include "xace.h" - - static char GLXServerVendorName[] = "SGI"; - -@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, - if (!pPixmap) - return BadAlloc; - -+ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP, -+ pPixmap, RT_NONE, NULL, DixCreateAccess); -+ if (err != Success) { -+ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap); -+ return err; -+ } -+ - /* Assign the pixmap the same id as the pbuffer and add it as a - * resource so it and the DRI2 drawable will be reclaimed when the - * pbuffer is destroyed. */ --- -2.43.0 - diff --git a/SOURCES/0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch b/SOURCES/0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch deleted file mode 100644 index e69f70a..0000000 --- a/SOURCES/0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 51be9e767a02cdc6a524dc895dcc81abb689d50b Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Wed, 6 Dec 2023 11:51:56 +0100 -Subject: [PATCH xserver 9/9] ephyr,xwayland: Use the proper private key for - cursor - -The cursor in DIX is actually split in two parts, the cursor itself and -the cursor bits, each with their own devPrivates. - -The cursor itself includes the cursor bits, meaning that the cursor bits -devPrivates in within structure of the cursor. - -Both Xephyr and Xwayland were using the private key for the cursor bits -to store the data for the cursor, and when using XSELINUX which comes -with its own special devPrivates, the data stored in that cursor bits' -devPrivates would interfere with the XSELINUX devPrivates data and the -SELINUX security ID would point to some other unrelated data, causing a -crash in the XSELINUX code when trying to (re)use the security ID. - -CVE-2024-0409 - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer -(cherry picked from commit 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7) ---- - hw/xwayland/xwayland-cursor.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c -index e3c1aaa50..bd94b0cfb 100644 ---- a/hw/xwayland/xwayland-cursor.c -+++ b/hw/xwayland/xwayland-cursor.c -@@ -431,7 +431,7 @@ static miPointerScreenFuncRec xwl_pointer_screen_funcs = { - Bool - xwl_screen_init_cursor(struct xwl_screen *xwl_screen) - { -- if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR_BITS, 0)) -+ if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR, 0)) - return FALSE; - - return miPointerInitialize(xwl_screen->screen, --- -2.43.0 - diff --git a/SPECS/xorg-x11-server-Xwayland.spec b/SPECS/xorg-x11-server-Xwayland.spec index 8472ac0..30908e1 100644 --- a/SPECS/xorg-x11-server-Xwayland.spec +++ b/SPECS/xorg-x11-server-Xwayland.spec @@ -8,8 +8,8 @@ Summary: Xwayland Name: xorg-x11-server-Xwayland -Version: 22.1.9 -Release: 5%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist} +Version: 23.2.7 +Release: 1%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist} URL: http://www.x.org %if 0%{?gitdate} @@ -18,45 +18,26 @@ Source0: https://gitlab.freedesktop.org/xorg/%{pkgname}/-/archive/%{commit}/%{ Source0: https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz %endif -# Fix for CVE-2023-5367 -Patch1: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch -# Fix for CVE-2023-6478 -Patch2: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch -# Fix for CVE-2023-6377 -Patch3: 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch -# Fix for CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 -Patch4: 0001-dix-allocate-enough-space-for-logical-button-maps.patch -# Fix for CVE-2024-0229, ZDI-CAN-22678 -Patch5: 0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch -Patch6: 0003-dix-fix-DeviceStateNotify-event-calculation.patch -Patch7: 0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch -# Fix for CVE-2024-21885, ZDI-CAN-22744 -Patch8: 0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch -# Fix for CVE-2024-21886, ZDI-CAN-22840 -Patch9: 0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch -Patch10: 0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch -# Fix for CVE-2024-0408 -Patch11: 0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch -# Fix for CVE-2024-0409 -Patch12: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch - License: MIT Requires: xorg-x11-server-common Requires: libEGL +Requires: libepoxy >= 1.5.5 BuildRequires: gcc BuildRequires: git-core BuildRequires: meson BuildRequires: wayland-devel -BuildRequires: pkgconfig(wayland-client) >= 1.18.0 -BuildRequires: pkgconfig(wayland-protocols) +BuildRequires: desktop-file-utils + +BuildRequires: pkgconfig(wayland-client) >= 1.21.0 +BuildRequires: pkgconfig(wayland-protocols) >= 1.30 BuildRequires: pkgconfig(wayland-eglstream-protocols) -BuildRequires: pkgconfig(epoxy) +BuildRequires: pkgconfig(epoxy) >= 1.5.5 BuildRequires: pkgconfig(fontenc) -BuildRequires: pkgconfig(libdrm) >= 2.4.0 +BuildRequires: pkgconfig(libdrm) >= 2.4.89 BuildRequires: pkgconfig(libssl) BuildRequires: pkgconfig(libtirpc) BuildRequires: pkgconfig(pixman-1) @@ -79,7 +60,8 @@ BuildRequires: pkgconfig(xtrans) >= 1.3.2 BuildRequires: pkgconfig(xtst) BuildRequires: pkgconfig(xv) BuildRequires: pkgconfig(libxcvt) -BuildRequires: xorg-x11-proto-devel >= 7.7-10 +BuildRequires: pkgconfig(libdecor-0) >= 0.1.1 +BuildRequires: xorg-x11-proto-devel >= 2023.2-1 BuildRequires: mesa-libGL-devel >= 9.2 BuildRequires: mesa-libEGL-devel @@ -107,6 +89,7 @@ Xwayland is an X server for running X clients under Wayland. %package devel Summary: Development package Requires: pkgconfig +Requires: %{name}%{?_isa} = %{version}-%{release} %description devel The development package provides the developmental files which are @@ -121,6 +104,7 @@ necessary for developing Wayland compositors using Xwayland. -Ddefault_font_path=%{default_font_path} \ -Dbuilder_string="Build ID: %{name} %{version}-%{release}" \ -Dxkb_output_dir=%{_localstatedir}/lib/xkb \ + -Dserverconfigdir=%{_datadir}/xwayland \ -Dxcsecurity=true \ -Dglamor=true \ -Ddri3=true @@ -137,14 +121,29 @@ rm -Rf $RPM_BUILD_ROOT%{_includedir}/xorg rm -Rf $RPM_BUILD_ROOT%{_datadir}/aclocal rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb +%check +desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop + %files +%dir %{_datadir}/xwayland %{_bindir}/Xwayland %{_mandir}/man1/Xwayland.1* +%{_datadir}/applications/org.freedesktop.Xwayland.desktop +%{_datadir}/xwayland/protocol.txt %files devel %{_libdir}/pkgconfig/xwayland.pc %changelog +* Thu May 16 2024 Olivier Fourdan - 23.2.7-1 +- xwayland 23.2.7 - (RHEL-29912) + +* Thu Apr 4 2024 Olivier Fourdan - 21.1.9-7 +- CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31083 + +* Wed Mar 13 2024 Olivier Fourdan - 21.1.9-6 + New build to add xorg-x11-server-Xwayland-devel (RHEL-25083) + * Tue Jan 16 2024 Olivier Fourdan - 21.1.9-5 Fix for CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886, CVE-2024-0408, CVE-2024-0409