From c88593e07dcdaae526de35cb6a34ffc50d3ba7b9 Mon Sep 17 00:00:00 2001
From: Yaakov Selkowitz
Date: Tue, 30 Jan 2024 19:44:53 -0500
Subject: [PATCH] Apply all CVE patches to RHEL builds

Patch 3801 is specific to Fedora, but all the other patches, even those that are newer, should be applied both to Fedora and RHEL (or, possibly in the future, EPEL) builds.
---
 xorg-x11-server.spec | 58 +++++++++++++++++++++++---------------------
 1 file changed, 30 insertions(+), 28 deletions(-)
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index d0b2d47..7efa161 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -143,38 +143,40 @@ Patch125: xorg-x11-server-fb-access-wrapper.patch
 # https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1057
 Patch126: 0001-present-Send-a-PresentConfigureNotify-event-for-dest.patch
+# CVE-2023-5367
+Patch1010: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+# CVE-2023-5380
+Patch1011: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
+# CVE-2023-6377
+Patch1012: 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+# CVE-2023-6478
+Patch1013: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+# CVE-2023-6816
+Patch1014: 0001-dix-allocate-enough-space-for-logical-button-maps.patch
+# CVE-2024-0229
+Patch1015: 0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch
+Patch1016: 0003-dix-fix-DeviceStateNotify-event-calculation.patch
+Patch1017: 0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch
+# CVE-2024-21885
+Patch1018: 0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch
+# CVE-2024-21886
+Patch1019: 0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch
+Patch1020: 0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch
+# CVE-2024-0408
+Patch1021: 0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch
+# CVE-2024-0409
+Patch1022: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch
+# Related to CVE-2024-21886
+Patch1023: 0001-dix-Fix-use-after-free-in-input-device-shutdown.patch
+# Fix compilation error on i686
+Patch1024: 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch
+
+## Add new patches above; Fedora-specific patches below
+
 # Only on F38 and later (patch number starts at 3801, see autopatch below)
 # Upstream commits 73d6e88, f69280dd and 4127776, minus the xwayland.pc.in change
 Patch3801: 0001-Disallow-byte-swapped-clients-by-default.patch
-# CVE-2023-5367
-Patch3810: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
-# CVE-2023-5380
-Patch3811: 0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
-# CVE-2023-6377
-Patch3812: 0001-Xi-allocate-enough-XkbActions-for-our-buttons.patch
-# CVE-2023-6478
-Patch3813: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
-# CVE-2023-6816
-Patch3814: 0001-dix-allocate-enough-space-for-logical-button-maps.patch
-# CVE-2024-0229
-Patch3815: 0002-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch
-Patch3816: 0003-dix-fix-DeviceStateNotify-event-calculation.patch
-Patch3817: 0004-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch
-# CVE-2024-21885
-Patch3818: 0005-Xi-flush-hierarchy-events-after-adding-removing-mast.patch
-# CVE-2024-21886
-Patch3819: 0006-Xi-do-not-keep-linked-list-pointer-during-recursion.patch
-Patch3820: 0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch
-# CVE-2024-0408
-Patch3821: 0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch
-# CVE-2024-0409
-Patch3822: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch
-# Related to CVE-2024-21886
-Patch3823: 0001-dix-Fix-use-after-free-in-input-device-shutdown.patch
-# Fix compilation error on i686
-Patch3824: 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch
-
 BuildRequires: make
 BuildRequires: systemtap-sdt-devel
 BuildRequires: git-core
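Review bot: The new divider `## Add new patches above; Fedora-specific patches below` does not say which patch numbers are applied on every build, and that numeric boundary is what decides whether a CVE fix reaches RHEL. The existing comment puts the start of the Fedora-only range at 3801 and points to an autopatch call that lies outside this hunk, so the divider could state the rule itself, for example `## Patches numbered below 3801 apply to all builds; add new CVE patches above this line`. The diffstat shows no other change, so it is worth confirming that the autopatch range in %prep already covers 1010–1024 unconditionally. Because the CVE patches now presumably precede Patch3801 in application order, a test build on both Fedora and RHEL would confirm they still apply cleanly.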