xorg-x11-server-Xwayland/0003-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
Olivier Fourdan 5937c4b23f CVE fixes
CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31083

Resolves: https://issues.redhat.com/browse/RHEL-30753
Resolves: https://issues.redhat.com/browse/RHEL-30759
Resolves: https://issues.redhat.com/browse/RHEL-30765
2024-04-09 15:28:43 +02:00


From 672b26d1f8e1cbe67d289786e3ce887988052b64 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 22 Mar 2024 18:56:27 -0700
Subject: [PATCH xserver 3/4] Xi: ProcXIPassiveGrabDevice needs to use
unswapped length to send reply
CVE-2024-31081
Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 3e77295f888c67fc7645db5d0c00926a29ffecee)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1464>
---
Xi/xipassivegrab.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index c9ac2f855..896233bec 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
GrabParameters param;
void *tmp;
int mask_len;
+ uint32_t length;
REQUEST(xXIPassiveGrabDeviceReq);
REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
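Review bot: The new `uint32_t length;` declaration sits directly below `int mask_len;`, and neither its name nor a comment says which length it holds or in what unit. Later in the patch it is multiplied by 4 to form the byte count passed to WriteToClient, so it is the reply length in 4-byte units. A more specific name such as `reply_length`, or a short comment at the declaration, would keep it from being confused with `mask_len`.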
@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
}
}
+ /* save the value before SRepXIPassiveGrabDevice swaps it */
+ length = rep.length;
WriteReplyToClient(client, sizeof(rep), &rep);
if (rep.num_modifiers)
- WriteToClient(client, rep.length * 4, modifiers_failed);
+ WriteToClient(client, length * 4, modifiers_failed);
out:
free(modifiers_failed);
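Review bot: The `if (rep.num_modifiers)` test kept just after WriteReplyToClient still reads `rep` after the point where, per the new comment, SRepXIPassiveGrabDevice has swapped the struct in place. A zero/non-zero test gives the same answer on a byte-swapped value, so the result is correct, but it is the same read-after-swap pattern this hunk removes for `rep.length`. Consider saving `num_modifiers` next to `length` before the reply is written, or extending the comment to say that no field of `rep` may be used after WriteReplyToClient, so the ordering dependency is visible to whoever edits this code next.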
--
2.44.0