From f253e3a542205193ffcb2ac5f661999411543e80 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Tue, 7 Feb 2023 15:51:17 +0100
Subject: [PATCH] Fix CVE-2023-0494
Resolves: rhbz#2166974
---
...-use-after-free-in-DeepCopyPointerCl.patch | 36 +++++++++++++++++++
xorg-x11-server-Xwayland.spec | 7 +++-
2 files changed, 42 insertions(+), 1 deletion(-)
create mode 100644 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
diff --git a/0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch b/0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
new file mode 100644
index 0000000..595f75e
--- /dev/null
+++ b/0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
@@ -0,0 +1,36 @@
+From 8660dd164882ce5fc1f274427e2ff3dc020d6273 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Wed, 25 Jan 2023 11:41:40 +1000
+Subject: [PATCH xserver] Xi: fix potential use-after-free in
+ DeepCopyPointerClasses
+
+CVE-2023-0494, ZDI-CAN-19596
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer
+(cherry picked from commit 0ba6d8c37071131a49790243cdac55392ecf71ec)
+---
+ Xi/exevents.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 217baa956..dcd4efb3b 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+ sizeof(XkbAction));
+ }
+- else
++ else {
+ free(to->button->xkb_acts);
++ to->button->xkb_acts = NULL;
++ }
+
+ memcpy(to->button->labels, from->button->labels,
+ from->button->numButtons * sizeof(Atom));
+--
+2.39.1
+
diff --git a/xorg-x11-server-Xwayland.spec b/xorg-x11-server-Xwayland.spec
index 763e807..8a37113 100644
--- a/xorg-x11-server-Xwayland.spec
+++ b/xorg-x11-server-Xwayland.spec
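Review bot: In the embedded Xi/exevents.c hunk, the context just above the fixed `else` branch copies only `sizeof(XkbAction)` bytes into `to->button->xkb_acts`, while the `labels` copy two lines below scales by `from->button->numButtons`; if `xkb_acts` is meant to hold one action per button, that copy (and presumably the allocation, which is outside the hunk) is sized for a single entry. The added `to->button->xkb_acts = NULL;` closes the stale-pointer path, but the element count should be checked in the same pass, because DeepCopyPointerClasses starts and continues outside this hunk. If the array is per-button, the allocation and the copy must change together to a size such as `from->button->numButtons * sizeof(XkbAction)`; widening the copy alone would write past a one-element buffer. A short comment on the reset, e.g. `/* freed above: clear so a later copy re-allocates instead of reusing it */`, would also record why the line exists for the next backport.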
@@ -9,7 +9,7 @@ Summary: Xwayland Name: xorg-x11-server-Xwayland Version: 21.1.3 -Release: 6%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist} +Release: 7%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist} URL: http://www.x.org %if 0%{?gitdate} @@ -55,6 +55,8 @@ Patch10015: 0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch Patch10016: 0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch # Follow-up to CVE-2022-46340 Patch10017: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch +# CVE-2023-0494 +Patch10018: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch License: MIT @@ -161,6 +163,9 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb %{_libdir}/pkgconfig/xwayland.pc %changelog +* Tue Feb 7 2023 Olivier Fourdan - 21.1.3-7 +- Fix CVE-2023-0494 (#2166974) + * Mon Dec 19 2022 Peter Hutterer - 21.1.3-6 - Follow-up fix for CVE-2022-46340 (#2151778)