Fix for CVE-2023-5367

Rebuild
Related: rhbz#2158761
2023-10-28 05:19:52 +00:00 · 2023-04-25 13:30:26 +02:00
3 changed files with 92 additions and 1 deletions
--- a/.xorg-x11-server-Xwayland.metadata
+++ b/.xorg-x11-server-Xwayland.metadata
@ -0,0 +1 @@
+19ccc8ae5920620db725a08ee65d8b64c521d766 xwayland-22.1.9.tar.xz
--- a/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+++ b/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
@ -0,0 +1,81 @@
+From 1e8478455458e998dd366d2cd23d2aeab2bdeee5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH xserver] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+  [N, N, N, ?, ?, P, P, P ] P, P
+                            ^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 541ab2ecd41d4d8689e71855d93e492bc554719a)
+---
+ Xi/xiproperty.c    | 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+                 XIDestroyDeviceProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
+        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
+                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+                 RRDestroyOutputProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
+        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
+                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+-- 
+2.41.0
+
--- a/xorg-x11-server-Xwayland.spec
+++ b/xorg-x11-server-Xwayland.spec
@ -9,7 +9,7 @@
 Summary:   Xwayland
 Name:      xorg-x11-server-Xwayland
 Version:   22.1.9
-Release:   1%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
+Release:   3%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}

 URL:       http://www.x.org
 %if 0%{?gitdate}
@ -18,6 +18,9 @@ Source0:   https://gitlab.freedesktop.org/xorg/%{pkgname}/-/archive/%{commit}/%{
 Source0:   https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz
 %endif

+# Fix for CVE-2023-5367
+Patch1:   0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+
 License:   MIT

 Requires: xorg-x11-server-common
@ -123,6 +126,12 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb
 %{_libdir}/pkgconfig/xwayland.pc

 %changelog
+* Wed Oct 25 2023 Olivier Fourdan <ofourdan@redhat.com> - 22.1.9-3
+- Fix for CVE-2023-5367
+
+* Tue Apr 25 2023 Olivier Fourdan <ofourdan@redhat.com> - 22.1.9-2
+- Rebuild (#2158761)
+
 * Mon Apr  3 2023 Olivier Fourdan <ofourdan@redhat.com> - 22.1.9-1
 - xwayland 22.1.9 (#2158761)
Author	SHA1	Message	Date
Olivier Fourdan	5493f74cb3	Fix for CVE-2023-5367	2023-10-28 05:19:52 +00:00
Olivier Fourdan	9725fe50d9	Rebuild Related: rhbz#2158761	2023-04-25 13:30:26 +02:00
				`@ -0,0 +1 @@`
				`19ccc8ae5920620db725a08ee65d8b64c521d766 xwayland-22.1.9.tar.xz`