From e6480d962889c5dfec84095b37099d73c9b72a8d Mon Sep 17 00:00:00 2001
From: Adam Jackson
Date: Fri, 31 Jul 2020 11:39:27 -0400
Subject: [PATCH] Fix information disclosure bug in pixmap allocation (CVE-2020-14347)
---
0001-fix-for-ZDI-11426.patch | 33 +++++++++++++++++++++++++++++++++
xorg-x11-server.spec | 6 +++++-
2 files changed, 38 insertions(+), 1 deletion(-)
create mode 100644 0001-fix-for-ZDI-11426.patch
diff --git a/0001-fix-for-ZDI-11426.patch b/0001-fix-for-ZDI-11426.patch
new file mode 100644
index 0000000..9857e0d
--- /dev/null
+++ b/0001-fix-for-ZDI-11426.patch
@@ -0,0 +1,33 @@
+From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb
+Date: Sat, 25 Jul 2020 19:33:50 +0200
+Subject: [PATCH xserver] fix for ZDI-11426
+
+Avoid leaking un-initalized memory to clients by zeroing the
+whole pixmap on initial allocation.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb
+Reviewed-by: Alan Coopersmith
+---
+ dix/pixmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dix/pixmap.c b/dix/pixmap.c
+index 1186d7dbbf..5a0146bbb6 100644
+--- a/dix/pixmap.c
++++ b/dix/pixmap.c
+@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
+ if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
+ return NullPixmap;
+
+- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
++ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
+ if (!pPixmap)
+ return NullPixmap;
+
+--
+2.23.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index cc5953a..095a8d6 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -46,7 +46,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.8 -Release: 2%{?gitdate:.%{gitdate}}%{?dist} +Release: 3%{?gitdate:.%{gitdate}}%{?dist} URL: http://www.x.org License: MIT
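Review bot: The `calloc` line in the dix/pixmap.c hunk carries no comment recording why the zeroing is security-relevant, so a later performance cleanup could switch it back to `malloc` and reintroduce the disclosure. I would add above the allocation `/* calloc, not malloc: pixmap memory can be read back by clients, so it must never hold stale heap contents (CVE-2020-14347) */`. The overflow guard just above also relies on the implicit conversion of the `int pixDataSize` parameter to `size_t`. A negative value appears to end in a rejected or failed allocation rather than a short one, but an explicit `if (pixDataSize < 0) return NullPixmap;` would make that intent visible. AllocatePixmap starts and ends outside the hunk, so whether any other path that allocates pixmap storage also zeroes it cannot be confirmed from here.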
@@ -95,6 +95,7 @@ Patch6: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch # Backports from current stable "server-1.20-branch": # Backports from "master" upstream: +Patch100: 0001-fix-for-ZDI-11426.patch # Backported Xwayland randr resolution change emulation support Patch501: 0001-dix-Add-GetCurrentClient-helper.patch
@@ -546,6 +547,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog +* Fri Jul 31 2020 Adam Jackson - 1.20.8-3 +- Fix information disclosure bug in pixmap allocation (CVE-2020-14347) + * Wed Jul 29 2020 Fedora Release Engineering - 1.20.8-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild