rpms/xorg-x11-server-Xwayland
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2022-3550, CVE-2022-3551

Browse Source 
Resolves: rhbz#2140769, rhbz#2140771
This commit is contained in:
Olivier Fourdan 2022-11-14 11:25:31 +01:00
parent b4e11c3ee0
commit eeffd3c535
3 changed files with 103 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch Normal file
View File

@ -0,0 +1,59 @@
From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 13 Jul 2022 11:23:09 +1000
Subject: [PATCH xserver] xkb: fix some possible memleaks in XkbGetKbdByName
GetComponentByName returns an allocated string, so let's free that if we
fail somewhere.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
xkb/xkb.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 4692895db..b79a269e3 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
xkb = dev->key->xkbInfo->desc;
status = Success;
str = (unsigned char *) &stuff[1];
- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
- return BadMatch;
+ {
+ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
+ if (keymap) {
+ free(keymap);
+ return BadMatch;
+ }
+ }
names.keycodes = GetComponentSpec(&str, TRUE, &status);
names.types = GetComponentSpec(&str, TRUE, &status);
names.compat = GetComponentSpec(&str, TRUE, &status);
names.symbols = GetComponentSpec(&str, TRUE, &status);
names.geometry = GetComponentSpec(&str, TRUE, &status);
- if (status != Success)
+ if (status == Success) {
+ len = str - ((unsigned char *) stuff);
+ if ((XkbPaddedSize(len) / 4) != stuff->length)
+ status = BadLength;
+ }
+
+ if (status != Success) {
+ free(names.keycodes);
+ free(names.types);
+ free(names.compat);
+ free(names.symbols);
+ free(names.geometry);
return status;
- len = str - ((unsigned char *) stuff);
- if ((XkbPaddedSize(len) / 4) != stuff->length)
- return BadLength;
+ }
CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
--
2.38.1

35
0001-xkb-proof-GetCountedString-against-request-length-at.patch Normal file
View File

@ -0,0 +1,35 @@
From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 5 Jul 2022 12:06:20 +1000
Subject: [PATCH xserver] xkb: proof GetCountedString against request length
attacks
GetCountedString did a check for the whole string to be within the
request buffer but not for the initial 2 bytes that contain the length
field. A swapped client could send a malformed request to trigger a
swaps() on those bytes, writing into random memory.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
xkb/xkb.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index f42f59ef3..1841cff26 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
CARD16 len;
wire = *wire_inout;
+
+ if (client->req_len <
+ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
+ return BadValue;
+
len = *(CARD16 *) wire;
if (client->swapped) {
swaps(&len);
--
2.38.1

10
xorg-x11-server-Xwayland.spec
View File

@ -9,7 +9,7 @@
Summary: Xwayland Summary: Xwayland
Name: xorg-x11-server-Xwayland Name: xorg-x11-server-Xwayland
Version: 21.1.3 Version: 21.1.3
Release: 3%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist} Release: 4%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
URL: http://www.x.org URL: http://www.x.org
%if 0%{?gitdate} %if 0%{?gitdate}
@ -35,6 +35,10 @@ Patch10004: 0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
Patch10005: 0001-xkb-switch-to-array-index-loops-to-moving-pointers.patch Patch10005: 0001-xkb-switch-to-array-index-loops-to-moving-pointers.patch
Patch10006: 0002-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch Patch10006: 0002-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch
Patch10007: 0003-xkb-add-request-length-validation-for-XkbSetGeometry.patch Patch10007: 0003-xkb-add-request-length-validation-for-XkbSetGeometry.patch
# CVE-2022-3550
Patch10008: 0001-xkb-proof-GetCountedString-against-request-length-at.patch
# CVE-2022-3551
Patch10009: 0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
License: MIT License: MIT
@ -141,6 +145,10 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb
%{_libdir}/pkgconfig/xwayland.pc %{_libdir}/pkgconfig/xwayland.pc
%changelog %changelog
* Mon Nov 14 2022 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-4
- Fix CVE-2022-3550, CVE-2022-3551
Resolves: rhbz#2140769, rhbz#2140771
* Fri Jul 29 2022 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-3 * Fri Jul 29 2022 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-3
- CVE fix for: CVE-2022-2319/ZDI-CAN-16062, CVE-2022-2320/ZDI-CAN-16070 - CVE fix for: CVE-2022-2319/ZDI-CAN-16062, CVE-2022-2320/ZDI-CAN-16070
Resolves: rhbz#2110440, rhbz#2110433 Resolves: rhbz#2110440, rhbz#2110433