CVE fix for: CVE-2023-5367
Resolves: https://issues.redhat.com/browse/RHEL-13430
This commit is contained in:
José Expósito
parent
324c7d6071
commit
d0ad6c3e40
80
0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
Normal file
80
0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
From a31ba141824a7649e11f0ef7673718ce559d6337 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||||
|
Date: Tue, 3 Oct 2023 11:53:05 +1000
|
||||||
|
Subject: [PATCH xserver 1/4] Xi/randr: fix handling of PropModeAppend/Prepend
|
||||||
|
|
||||||
|
The handling of appending/prepending properties was incorrect, with at
|
||||||
|
least two bugs: the property length was set to the length of the new
|
||||||
|
part only, i.e. appending or prepending N elements to a property with P
|
||||||
|
existing elements always resulted in the property having N elements
|
||||||
|
instead of N + P.
|
||||||
|
|
||||||
|
Second, when pre-pending a value to a property, the offset for the old
|
||||||
|
values was incorrect, leaving the new property with potentially
|
||||||
|
uninitalized values and/or resulting in OOB memory writes.
|
||||||
|
For example, prepending a 3 element value to a 5 element property would
|
||||||
|
result in this 8 value array:
|
||||||
|
[N, N, N, ?, ?, P, P, P ] P, P
|
||||||
|
^OOB write
|
||||||
|
|
||||||
|
The XI2 code is a copy/paste of the RandR code, so the bug exists in
|
||||||
|
both.
|
||||||
|
|
||||||
|
CVE-2023-5367, ZDI-CAN-22153
|
||||||
|
|
||||||
|
This vulnerability was discovered by:
|
||||||
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||||
|
|
||||||
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||||
|
---
|
||||||
|
Xi/xiproperty.c | 4 ++--
|
||||||
|
randr/rrproperty.c | 4 ++--
|
||||||
|
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
||||||
|
index 6ec419e870..563c4f31a5 100644
|
||||||
|
--- a/Xi/xiproperty.c
|
||||||
|
+++ b/Xi/xiproperty.c
|
||||||
|
@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
|
||||||
|
XIDestroyDeviceProperty(prop);
|
||||||
|
return BadAlloc;
|
||||||
|
}
|
||||||
|
- new_value.size = len;
|
||||||
|
+ new_value.size = total_len;
|
||||||
|
new_value.type = type;
|
||||||
|
new_value.format = format;
|
||||||
|
|
||||||
|
@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
|
||||||
|
case PropModePrepend:
|
||||||
|
new_data = new_value.data;
|
||||||
|
old_data = (void *) (((char *) new_value.data) +
|
||||||
|
- (prop_value->size * size_in_bytes));
|
||||||
|
+ (len * size_in_bytes));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
if (new_data)
|
||||||
|
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
||||||
|
index c2fb9585c6..25469f57b2 100644
|
||||||
|
--- a/randr/rrproperty.c
|
||||||
|
+++ b/randr/rrproperty.c
|
||||||
|
@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
|
||||||
|
RRDestroyOutputProperty(prop);
|
||||||
|
return BadAlloc;
|
||||||
|
}
|
||||||
|
- new_value.size = len;
|
||||||
|
+ new_value.size = total_len;
|
||||||
|
new_value.type = type;
|
||||||
|
new_value.format = format;
|
||||||
|
|
||||||
|
@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
|
||||||
|
case PropModePrepend:
|
||||||
|
new_data = new_value.data;
|
||||||
|
old_data = (void *) (((char *) new_value.data) +
|
||||||
|
- (prop_value->size * size_in_bytes));
|
||||||
|
+ (len * size_in_bytes));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
if (new_data)
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
||||||
@ -42,7 +42,7 @@
|
|||||||
Summary: X.Org X11 X server
|
Summary: X.Org X11 X server
|
||||||
Name: xorg-x11-server
|
Name: xorg-x11-server
|
||||||
Version: 1.20.11
|
Version: 1.20.11
|
||||||
Release: 19%{?gitdate:.%{gitdate}}%{?dist}
|
Release: 20%{?gitdate:.%{gitdate}}%{?dist}
|
||||||
URL: http://www.x.org
|
URL: http://www.x.org
|
||||||
License: MIT
|
License: MIT
|
||||||
|
|
||||||
@ -157,6 +157,8 @@ Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch
|
|||||||
Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
|
Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
|
||||||
# CVE-2023-1393
|
# CVE-2023-1393
|
||||||
Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch
|
Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch
|
||||||
|
# CVE-2023-5367
|
||||||
|
Patch10028: 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: systemtap-sdt-devel
|
BuildRequires: systemtap-sdt-devel
|
||||||
@ -566,6 +568,10 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Oct 25 2023 José Expósito <jexposit@redhat.com> - 1.20.11-20
|
||||||
|
- CVE fix for: CVE-2023-5367
|
||||||
|
Resolves: https://issues.redhat.com/browse/RHEL-13430
|
||||||
|
|
||||||
* Tue Jun 6 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-19
|
* Tue Jun 6 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-19
|
||||||
- Backport fix for a deadlock with DRI3
|
- Backport fix for a deadlock with DRI3
|
||||||
Resolves: rhbz#2192550
|
Resolves: rhbz#2192550
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user