From 58a82a56c1370b5098791887fd5a6343b90907b0 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 5 Nov 2024 09:06:01 +0000 Subject: [PATCH] import from CS git xorg-x11-server-1.20.11-25.el8 --- .gitignore | 2 +- ...-buffer-overflow-in-_XkbSetCompatMap.patch | 54 +++++++++++++++++++ SPECS/xorg-x11-server.spec | 7 ++- 3 files changed, 61 insertions(+), 2 deletions(-) create mode 100644 SOURCES/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch diff --git a/.gitignore b/.gitignore index a362ca6..7f0de93 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/xorg-server-1.20.11.tar.bz2 +SOURCES/xorg-server-1.20.11.tar.bz2 \ No newline at end of file diff --git a/SOURCES/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch b/SOURCES/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch new file mode 100644 index 0000000..2db1508 --- /dev/null +++ b/SOURCES/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch @@ -0,0 +1,54 @@ +From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 10 Oct 2024 10:37:28 +0200 +Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The _XkbSetCompatMap() function attempts to resize the `sym_interpret` +buffer. + +However, It didn't update its size properly. It updated `num_si` only, +without updating `size_si`. + +This may lead to local privilege escalation if the server is run as root +or remote code execution (e.g. x11 over ssh). + +CVE-2024-9632, ZDI-CAN-24756 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Reviewed-by: Peter Hutterer +Tested-by: Peter Hutterer +Reviewed-by: José Expósito +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f203270d5..70e8279aa 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + +- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { +- compat->num_si = req->firstSI + req->nSI; ++ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { ++ compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +- compat->num_si, ++ compat->size_si, + sizeof(XkbSymInterpretRec)); + if (!compat->sym_interpret) { +- compat->num_si = 0; ++ compat->num_si = compat->size_si = 0; + return BadAlloc; + } + } +-- +2.46.2 + diff --git a/SPECS/xorg-x11-server.spec b/SPECS/xorg-x11-server.spec index f0e5256..6e250d3 100644 --- a/SPECS/xorg-x11-server.spec +++ b/SPECS/xorg-x11-server.spec @@ -46,7 +46,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.11 -Release: 24%{?gitdate:.%{gitdate}}%{?dist} +Release: 25%{?gitdate:.%{gitdate}}%{?dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -188,6 +188,8 @@ Patch10047: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch # CVE-2024-31083 Patch10048: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch Patch10049: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch +# CVE-2024-9632 +Patch10050: 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch BuildRequires: make BuildRequires: systemtap-sdt-devel @@ -616,6 +618,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog +* Tue Oct 29 2024 José Expósito - 1.20.11-25 +- CVE fix for CVE-2024-9632 + * Wed Apr 10 2024 José Expósito - 1.20.11-24 - Fix regression caused by the fix for CVE-2024-31083