Fix CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, CVE-2021-4011
Resolves: rhbz#2030160 Resolves: rhbz#2030170 Resolves: rhbz#2030174 Resolves: rhbz#2030179
							parent
							
								
									da8b560041
								
							
						
					
					
						commit
						7f4f9d8e78
					
				| @ -0,0 +1,35 @@ | |||||||
|  | From acc50e6097d51fec0c6c34d84c35018a50c52d5a Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Povilas Kanapickas <povilas@radix.lt> | ||||||
|  | Date: Tue, 14 Dec 2021 15:00:00 +0200 | ||||||
|  | Subject: [PATCH xserver 1/4] record: Fix out of bounds access in | ||||||
|  |  SwapCreateRegister() | ||||||
|  | 
 | ||||||
|  | ZDI-CAN-14952, CVE-2021-4011 | ||||||
|  | 
 | ||||||
|  | This vulnerability was discovered and the fix was suggested by: | ||||||
|  | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||||||
|  | 
 | ||||||
|  | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||||||
|  | (cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768) | ||||||
|  | ---
 | ||||||
|  |  record/record.c | 4 ++-- | ||||||
|  |  1 file changed, 2 insertions(+), 2 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/record/record.c b/record/record.c
 | ||||||
|  | index 05d751ac2..a8aec23bd 100644
 | ||||||
|  | --- a/record/record.c
 | ||||||
|  | +++ b/record/record.c
 | ||||||
|  | @@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
 | ||||||
|  |          swapl(pClientID); | ||||||
|  |      } | ||||||
|  |      if (stuff->nRanges > | ||||||
|  | -        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
 | ||||||
|  | -        - stuff->nClients)
 | ||||||
|  | +        (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
 | ||||||
|  | +        - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
 | ||||||
|  |          return BadLength; | ||||||
|  |      RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); | ||||||
|  |      return Success; | ||||||
|  | -- 
 | ||||||
|  | 2.33.1 | ||||||
|  | 
 | ||||||
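Review bot: The corrected bound in SwapCreateRegister() depends on the subtraction `client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients`, which is only safe if `stuff->nClients` has already been checked against the remaining request length. If those operands are unsigned, as their use suggests, a larger `nClients` would wrap the result and let any `nRanges` pass. That earlier check is presumably part of the code that ends just above the hunk (the `swapl(pClientID)` loop), but it is not visible here. It is worth confirming and then recording next to the condition, for example `/* all terms are in 4-byte words; nClients was bounded above, so this cannot wrap */`. The function body starts outside the hunk.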
| @ -0,0 +1,44 @@ | |||||||
|  | From 6bb8aeb30a2686facc48733016caade97ece10ad Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Povilas Kanapickas <povilas@radix.lt> | ||||||
|  | Date: Tue, 14 Dec 2021 15:00:01 +0200 | ||||||
|  | Subject: [PATCH xserver 2/4] xfixes: Fix out of bounds access in | ||||||
|  |  *ProcXFixesCreatePointerBarrier() | ||||||
|  | 
 | ||||||
|  | ZDI-CAN-14950, CVE-2021-4009 | ||||||
|  | 
 | ||||||
|  | This vulnerability was discovered and the fix was suggested by: | ||||||
|  | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||||||
|  | 
 | ||||||
|  | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||||||
|  | (cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02) | ||||||
|  | ---
 | ||||||
|  |  xfixes/cursor.c | 6 ++++-- | ||||||
|  |  1 file changed, 4 insertions(+), 2 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/xfixes/cursor.c b/xfixes/cursor.c
 | ||||||
|  | index d4b68f3af..5f531a89a 100644
 | ||||||
|  | --- a/xfixes/cursor.c
 | ||||||
|  | +++ b/xfixes/cursor.c
 | ||||||
|  | @@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
 | ||||||
|  |  { | ||||||
|  |      REQUEST(xXFixesCreatePointerBarrierReq); | ||||||
|  |   | ||||||
|  | -    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
 | ||||||
|  | +    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
 | ||||||
|  | +                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
 | ||||||
|  |      LEGAL_NEW_RESOURCE(stuff->barrier, client); | ||||||
|  |   | ||||||
|  |      return XICreatePointerBarrier(client, stuff); | ||||||
|  | @@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
 | ||||||
|  |   | ||||||
|  |      swaps(&stuff->length); | ||||||
|  |      swaps(&stuff->num_devices); | ||||||
|  | -    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
 | ||||||
|  | +    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
 | ||||||
|  | +                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
 | ||||||
|  |   | ||||||
|  |      swapl(&stuff->barrier); | ||||||
|  |      swapl(&stuff->window); | ||||||
|  | -- 
 | ||||||
|  | 2.33.1 | ||||||
|  | 
 | ||||||
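Review bot: In SProcXFixesCreatePointerBarrier() `swaps(&stuff->num_devices)` still runs before the `REQUEST_FIXED_SIZE` check that this patch corrects. The field is therefore byte-swapped in place before anything visible in the hunk has confirmed that the request is long enough to contain it. Patch 3/4 of this series fixes exactly that ordering in SProcScreenSaverSuspend(). The lines above `swaps(&stuff->length)` are outside the hunk, so check that a `REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);` precedes the swaps, and add one if it does not.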
| @ -0,0 +1,34 @@ | |||||||
|  | From 67425fcab50ef24a5617e109897f38876dd81277 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Povilas Kanapickas <povilas@radix.lt> | ||||||
|  | Date: Tue, 14 Dec 2021 15:00:02 +0200 | ||||||
|  | Subject: [PATCH xserver 3/4] Xext: Fix out of bounds access in | ||||||
|  |  SProcScreenSaverSuspend() | ||||||
|  | 
 | ||||||
|  | ZDI-CAN-14951, CVE-2021-4010 | ||||||
|  | 
 | ||||||
|  | This vulnerability was discovered and the fix was suggested by: | ||||||
|  | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||||||
|  | 
 | ||||||
|  | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||||||
|  | (cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21) | ||||||
|  | ---
 | ||||||
|  |  Xext/saver.c | 2 +- | ||||||
|  |  1 file changed, 1 insertion(+), 1 deletion(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/Xext/saver.c b/Xext/saver.c
 | ||||||
|  | index c27a66c80..c23907dbb 100644
 | ||||||
|  | --- a/Xext/saver.c
 | ||||||
|  | +++ b/Xext/saver.c
 | ||||||
|  | @@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
 | ||||||
|  |      REQUEST(xScreenSaverSuspendReq); | ||||||
|  |   | ||||||
|  |      swaps(&stuff->length); | ||||||
|  | -    swapl(&stuff->suspend);
 | ||||||
|  |      REQUEST_SIZE_MATCH(xScreenSaverSuspendReq); | ||||||
|  | +    swapl(&stuff->suspend);
 | ||||||
|  |      return ProcScreenSaverSuspend(client); | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -- 
 | ||||||
|  | 2.33.1 | ||||||
|  | 
 | ||||||
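Review bot: Nothing in SProcScreenSaverSuspend() records why `swapl(&stuff->suspend)` now has to follow `REQUEST_SIZE_MATCH`, and the old order is easy to reintroduce in a later cleanup. A one-line comment above the check would pin it, for example `/* validate the request length before swapping any field beyond the header */`. `swaps(&stuff->length)` can stay first because it only touches the length field of the request header, which every dispatched request is expected to carry.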
| @ -0,0 +1,53 @@ | |||||||
|  | From 35b4681c79480d980bd8dcba390146aad7817c47 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Povilas Kanapickas <povilas@radix.lt> | ||||||
|  | Date: Tue, 14 Dec 2021 15:00:03 +0200 | ||||||
|  | Subject: [PATCH xserver 4/4] render: Fix out of bounds access in | ||||||
|  |  SProcRenderCompositeGlyphs() | ||||||
|  | 
 | ||||||
|  | ZDI-CAN-14192, CVE-2021-4008 | ||||||
|  | 
 | ||||||
|  | This vulnerability was discovered and the fix was suggested by: | ||||||
|  | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||||||
|  | 
 | ||||||
|  | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||||||
|  | (cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60) | ||||||
|  | ---
 | ||||||
|  |  render/render.c | 9 +++++++++ | ||||||
|  |  1 file changed, 9 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/render/render.c b/render/render.c
 | ||||||
|  | index c376090ca..456f156d4 100644
 | ||||||
|  | --- a/render/render.c
 | ||||||
|  | +++ b/render/render.c
 | ||||||
|  | @@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
 | ||||||
|  |   | ||||||
|  |          i = elt->len; | ||||||
|  |          if (i == 0xff) { | ||||||
|  | +            if (buffer + 4 > end) {
 | ||||||
|  | +                return BadLength;
 | ||||||
|  | +            }
 | ||||||
|  |              swapl((int *) buffer); | ||||||
|  |              buffer += 4; | ||||||
|  |          } | ||||||
|  | @@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
 | ||||||
|  |                  buffer += i; | ||||||
|  |                  break; | ||||||
|  |              case 2: | ||||||
|  | +                if (buffer + i * 2 > end) {
 | ||||||
|  | +                    return BadLength;
 | ||||||
|  | +                }
 | ||||||
|  |                  while (i--) { | ||||||
|  |                      swaps((short *) buffer); | ||||||
|  |                      buffer += 2; | ||||||
|  |                  } | ||||||
|  |                  break; | ||||||
|  |              case 4: | ||||||
|  | +                if (buffer + i * 4 > end) {
 | ||||||
|  | +                    return BadLength;
 | ||||||
|  | +                }
 | ||||||
|  |                  while (i--) { | ||||||
|  |                      swapl((int *) buffer); | ||||||
|  |                      buffer += 4; | ||||||
|  | -- 
 | ||||||
|  | 2.33.1 | ||||||
|  | 
 | ||||||
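Review bot: The three new guards in SProcRenderCompositeGlyphs() test `buffer + 4 > end`, `buffer + i * 2 > end` and `buffer + i * 4 > end`, which form the advanced pointer before comparing it. When the request is short, that pointer lies beyond one past the end of the request buffer, which C leaves undefined, so the check relies on the compiler not exploiting that. Comparing against the remaining length avoids the problem, e.g. `if (i * 2 > (char *) end - (char *) buffer) return BadLength;`, and likewise for the other two. The declarations of `buffer`, `end` and `i` are outside the hunks, so the casts and the signedness of `i` need to be checked against them.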
| @ -42,7 +42,7 @@ | |||||||
| Summary:   X.Org X11 X server | Summary:   X.Org X11 X server | ||||||
| Name:      xorg-x11-server | Name:      xorg-x11-server | ||||||
| Version:   1.20.11 | Version:   1.20.11 | ||||||
| Release:   6%{?gitdate:.%{gitdate}}%{?dist} | Release:   7%{?gitdate:.%{gitdate}}%{?dist} | ||||||
| URL:       http://www.x.org | URL:       http://www.x.org | ||||||
| License:   MIT | License:   MIT | ||||||
| 
 | 
 | ||||||
| @ -110,6 +110,15 @@ Patch110: 0010-modesetting-Fix-build-with-glamor-disabled.patch | |||||||
| # Because we still use automake | # Because we still use automake | ||||||
| Patch111: 0011-modesetting-set-gbm-as-dependency-for-autotools.patch | Patch111: 0011-modesetting-set-gbm-as-dependency-for-autotools.patch | ||||||
| 
 | 
 | ||||||
|  | # CVE-2021-4011 | ||||||
|  | Patch10009: 0001-record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch | ||||||
|  | # CVE-2021-4009 | ||||||
|  | Patch10010: 0002-xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch | ||||||
|  | # CVE-2021-4010 | ||||||
|  | Patch10011: 0003-Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch | ||||||
|  | # CVE-2021-4008 | ||||||
|  | Patch10012: 0004-render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch | ||||||
|  | 
 | ||||||
| 
 | 
 | ||||||
| BuildRequires: make | BuildRequires: make | ||||||
| BuildRequires: systemtap-sdt-devel | BuildRequires: systemtap-sdt-devel | ||||||
| @ -520,6 +529,10 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete | |||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Thu Jan  6 2022 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-7 | ||||||
|  | - CVE fix for: CVE-2021-4008 (#2030160), CVE-2021-4009 (#2030170), | ||||||
|  |   CVE-2021-4010 (#2030174), CVE-2021-4011 (#2030179) | ||||||
|  | 
 | ||||||
| * Tue Nov 23 2021 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-6 | * Tue Nov 23 2021 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-6 | ||||||
| - Restore hardened builds | - Restore hardened builds | ||||||
|   Resolves: #2024556 |   Resolves: #2024556 | ||||||
|  | |||||||