Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package xorg-x11-server for openSUSE:Factory 
checked in at 2022-07-13 14:31:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xorg-x11-server (Old)
 and      /work/SRC/openSUSE:Factory/.xorg-x11-server.new.1523 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "xorg-x11-server"

Wed Jul 13 14:31:53 2022 rev:408 rq:988635 version:21.1.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/xorg-x11-server/xorg-x11-server.changes  
2022-05-12 22:58:01.416608559 +0200
+++ 
/work/SRC/openSUSE:Factory/.xorg-x11-server.new.1523/xorg-x11-server.changes    
    2022-07-13 14:32:04.829264603 +0200
@@ -1,0 +2,11 @@
+Wed Jul  6 12:21:11 UTC 2022 - Stefan Dirsch <[email protected]>
+
+- U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch
+  * Out-Of-Bounds Access in CheckSetDeviceIndicators()
+    (CVE-2022-2320, ZDI-CAN-16070, bsc#1194181)
+- U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch,
+  U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch
+  * Out-Of-Bounds Access in _CheckSetSections() 
+    (CVE-2022-2319, ZDI-CAN-16062, bsc#1194179)
+
+-------------------------------------------------------------------

New:
----
  U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch
  U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch
  U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xorg-x11-server.spec ++++++
--- /var/tmp/diff_new_pack.1jxjvX/_old  2022-07-13 14:32:07.413267938 +0200
+++ /var/tmp/diff_new_pack.1jxjvX/_new  2022-07-13 14:32:07.413267938 +0200
@@ -249,6 +249,12 @@
 
 Patch1960:      u_sync-pci-ids-with-Mesa-22.0.0.patch
 
+#CVE-2022-2320, ZDI-CAN-16070, bsc#1194181
+Patch2001:      
U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch
+#CVE-2022-2319, ZDI-CAN-16062, bsc#1194179
+Patch2101:      U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch
+Patch2102:      
U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch
+
 %description
 This package contains the X.Org Server.
 
@@ -407,6 +413,9 @@
 %patch1940 -p1
 %patch1950 -p1
 %patch1960 -p1
+%patch2001 -p1
+%patch2101 -p1
+%patch2102 -p1
 
 %build
 # We have some -z now related errors during X default startup (boo#1197994):

++++++ U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch ++++++
>From 04a2689e96b42330718517b2a3950aa2bb1ca017 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <[email protected]>
Date: Mon, 4 Jul 2022 09:42:53 +1000
Subject: [PATCH] xkb: rename xkb.h to xkb-procs.h

This header merely defines the various protocol request handlers, so
let's rename it to something less generic and remove its include from
all the files that don't actually need it (which is almost all of them).

Signed-off-by: Peter Hutterer <[email protected]>
Reviewed-by: Olivier Fourdan <[email protected]>
---
 test/test_xkb.c            | 1 -
 xkb/ddxLoad.c              | 1 -
 xkb/{xkb.h => xkb-procs.h} | 0
 xkb/xkb.c                  | 2 +-
 xkb/xkbActions.c           | 1 -
 xkb/xkbEvents.c            | 1 -
 xkb/xkbInit.c              | 1 -
 xkb/xkbLEDs.c              | 1 -
 xkb/xkbSwap.c              | 2 +-
 xkb/xkbUtils.c             | 1 -
 xkb/xkbfmisc.c             | 1 -
 11 files changed, 2 insertions(+), 10 deletions(-)
 rename xkb/{xkb.h => xkb-procs.h} (100%)

diff --git a/test/test_xkb.c b/test/test_xkb.c
index f81a7ed65..a13107390 100644
--- a/test/test_xkb.c
+++ b/test/test_xkb.c
@@ -48,7 +48,6 @@
 #include "../xkb/xkbgeom.h"
 #include <X11/extensions/XKMformat.h>
 #include "xkbfile.h"
-#include "../xkb/xkb.h"
 #include <assert.h>
 
 #include "tests-common.h"
diff --git a/xkb/ddxLoad.c b/xkb/ddxLoad.c
index f9b7b06d9..2d203ce11 100644
--- a/xkb/ddxLoad.c
+++ b/xkb/ddxLoad.c
@@ -43,7 +43,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #define        XKBSRV_NEED_FILE_FUNCS
 #include <xkbsrv.h>
 #include <X11/extensions/XI.h>
-#include "xkb.h"
 
 #define        PRE_ERROR_MSG "\"The XKEYBOARD keymap compiler (xkbcomp) 
reports:\""
 #define        ERROR_PREFIX    "\"> \""
diff --git a/xkb/xkb.h b/xkb/xkb-procs.h
similarity index 100%
rename from xkb/xkb.h
rename to xkb/xkb-procs.h
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 820cd7166..21c046913 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -38,7 +38,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include "extnsionst.h"
 #include "extinit.h"
 #include "xace.h"
-#include "xkb.h"
+#include "xkb-procs.h"
 #include "protocol-versions.h"
 
 #include <X11/extensions/XI.h>
diff --git a/xkb/xkbActions.c b/xkb/xkbActions.c
index db29091e7..5e9a6b6d6 100644
--- a/xkb/xkbActions.c
+++ b/xkb/xkbActions.c
@@ -38,7 +38,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include "exevents.h"
 #include "eventstr.h"
 #include <xkbsrv.h>
-#include "xkb.h"
 #include <ctype.h>
 #include "mi.h"
 #include "mipointer.h"
diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
index 0bbd66186..f8f65d4a7 100644
--- a/xkb/xkbEvents.c
+++ b/xkb/xkbEvents.c
@@ -39,7 +39,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include "exglobals.h"
 #include "windowstr.h"
 #include <xkbsrv.h>
-#include "xkb.h"
 
 /***====================================================================***/
 
diff --git a/xkb/xkbInit.c b/xkb/xkbInit.c
index 4108e1b26..de1dd3fe3 100644
--- a/xkb/xkbInit.c
+++ b/xkb/xkbInit.c
@@ -49,7 +49,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include "xkbgeom.h"
 #include <X11/extensions/XKMformat.h>
 #include "xkbfile.h"
-#include "xkb.h"
 
 #define        CREATE_ATOM(s)  MakeAtom(s,sizeof(s)-1,1)
 
diff --git a/xkb/xkbLEDs.c b/xkb/xkbLEDs.c
index 5792d9fb7..d4690dad9 100644
--- a/xkb/xkbLEDs.c
+++ b/xkb/xkbLEDs.c
@@ -38,7 +38,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 #include <X11/extensions/XI.h>
 #include <xkbsrv.h>
-#include "xkb.h"
 
 /***====================================================================***/
 
diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
index 50cabb90e..efbdb81c1 100644
--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
@@ -36,7 +36,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <xkbsrv.h>
 #include "xkbstr.h"
 #include "extnsionst.h"
-#include "xkb.h"
+#include "xkb-procs.h"
 
         /*
          * REQUEST SWAPPING
diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
index 8975ade8d..dd089c204 100644
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -67,7 +67,6 @@ DEALINGS IN THE SOFTWARE.
 #define        XKBSRV_NEED_FILE_FUNCS
 #include <xkbsrv.h>
 #include "xkbgeom.h"
-#include "xkb.h"
 
 /***====================================================================***/
 
diff --git a/xkb/xkbfmisc.c b/xkb/xkbfmisc.c
index 2ecdcd555..fc9197f2d 100644
--- a/xkb/xkbfmisc.c
+++ b/xkb/xkbfmisc.c
@@ -46,7 +46,6 @@
 #define XKBSRV_NEED_FILE_FUNCS 1
 #include <xkbsrv.h>
 #include "xkbgeom.h"
-#include "xkb.h"
 
 unsigned
 _XkbKSCheckCase(KeySym ks)
-- 
GitLab


++++++ 
U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch 
++++++
@@ -, +, @@ 
---
 xkb/xkb.c | 43 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 5 deletions(-)
Index: xorg-server-21.1.3/xkb/xkb.c
===================================================================
--- xorg-server-21.1.3.orig/xkb/xkb.c
+++ xorg-server-21.1.3/xkb/xkb.c
@@ -5157,7 +5157,7 @@ _GetCountedString(char **wire_inout, Cli
 }
 
 static Status
-_CheckSetDoodad(char **wire_inout,
+_CheckSetDoodad(char **wire_inout, xkbSetGeometryReq *req,
                 XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
 {
     char *wire;
@@ -5168,6 +5168,9 @@ _CheckSetDoodad(char **wire_inout,
     Status status;
 
     dWire = (xkbDoodadWireDesc *) (*wire_inout);
+    if (!_XkbCheckRequestBounds(client, req, dWire, dWire + 1))
+        return BadLength;
+
     any = dWire->any;
     wire = (char *) &dWire[1];
     if (client->swapped) {
@@ -5270,7 +5273,7 @@ _CheckSetDoodad(char **wire_inout,
 }
 
 static Status
-_CheckSetOverlay(char **wire_inout,
+_CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req,
                  XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
 {
     register int r;
@@ -5281,6 +5284,9 @@ _CheckSetOverlay(char **wire_inout,
 
     wire = *wire_inout;
     olWire = (xkbOverlayWireDesc *) wire;
+    if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
+        return BadLength;
+
     if (client->swapped) {
         swapl(&olWire->name);
     }
@@ -5292,6 +5298,9 @@ _CheckSetOverlay(char **wire_inout,
         xkbOverlayKeyWireDesc *kWire;
         XkbOverlayRowPtr row;
 
+        if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
+            return BadLength;
+
         if (rWire->rowUnder > section->num_rows) {
             client->errorValue = _XkbErrCode4(0x20, r, section->num_rows,
                                               rWire->rowUnder);
@@ -5300,6 +5309,9 @@ _CheckSetOverlay(char **wire_inout,
         row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys);
         kWire = (xkbOverlayKeyWireDesc *) &rWire[1];
         for (k = 0; k < rWire->nKeys; k++, kWire++) {
+            if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
+                return BadLength;
+
             if (XkbAddGeomOverlayKey(ol, row,
                                      (char *) kWire->over,
                                      (char *) kWire->under) == NULL) {
@@ -5333,6 +5345,9 @@ _CheckSetSections(XkbGeometryPtr geom,
         register int r;
         xkbRowWireDesc *rWire;
 
+        if (!_XkbCheckRequestBounds(client, req, sWire, sWire + 1))
+            return BadLength;
+
         if (client->swapped) {
             swapl(&sWire->name);
             swaps(&sWire->top);
@@ -5358,6 +5373,9 @@ _CheckSetSections(XkbGeometryPtr geom,
             XkbRowPtr row;
             xkbKeyWireDesc *kWire;
 
+            if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
+                return BadLength;
+
             if (client->swapped) {
                 swaps(&rWire->top);
                 swaps(&rWire->left);
@@ -5372,6 +5390,9 @@ _CheckSetSections(XkbGeometryPtr geom,
             for (k = 0; k < rWire->nKeys; k++) {
                 XkbKeyPtr key;
 
+                if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
+                    return BadLength;
+
                 key = XkbAddGeomKey(row);
                 if (!key)
                     return BadAlloc;
@@ -5397,7 +5418,7 @@ _CheckSetSections(XkbGeometryPtr geom,
             register int d;
 
             for (d = 0; d < sWire->nDoodads; d++) {
-                status = _CheckSetDoodad(&wire, geom, section, client);
+                status = _CheckSetDoodad(&wire, req, geom, section, client);
                 if (status != Success)
                     return status;
             }
@@ -5406,7 +5427,7 @@ _CheckSetSections(XkbGeometryPtr geom,
             register int o;
 
             for (o = 0; o < sWire->nOverlays; o++) {
-                status = _CheckSetOverlay(&wire, geom, section, client);
+                status = _CheckSetOverlay(&wire, req, geom, section, client);
                 if (status != Success)
                     return status;
             }
@@ -5440,6 +5461,9 @@ _CheckSetShapes(XkbGeometryPtr geom,
             xkbOutlineWireDesc *olWire;
             XkbOutlinePtr ol;
 
+            if (!_XkbCheckRequestBounds(client, req, shapeWire, shapeWire + 1))
+                return BadLength;
+
             shape =
                 XkbAddGeomShape(geom, shapeWire->name, shapeWire->nOutlines);
             if (!shape)
@@ -5450,12 +5474,18 @@ _CheckSetShapes(XkbGeometryPtr geom,
                 XkbPointPtr pt;
                 xkbPointWireDesc *ptWire;
 
+                if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
+                    return BadLength;
+
                 ol = XkbAddGeomOutline(shape, olWire->nPoints);
                 if (!ol)
                     return BadAlloc;
                 ol->corner_radius = olWire->cornerRadius;
                 ptWire = (xkbPointWireDesc *) &olWire[1];
                 for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++) {
+                    if (!_XkbCheckRequestBounds(client, req, ptWire, ptWire + 
1))
+                        return BadLength;
+
                     pt->x = ptWire[p].x;
                     pt->y = ptWire[p].y;
                     if (client->swapped) {
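Review bot: The bounds check added in the point loop of _CheckSetShapes always tests `ptWire` to `ptWire + 1`, but the loop reads `ptWire[p]` and nothing visible in the hunk advances `ptWire`. As written, only the first point of each outline is validated against the request length; later points are read without a check. The check should follow the index: `if (!_XkbCheckRequestBounds(client, req, &ptWire[p], &ptWire[p + 1]))`. The key loop in _CheckSetSections (the `kWire, kWire + 1` check) has a loop header that does not advance `kWire` either, so if its body, which lies outside that hunk, indexes `kWire[k]`, it needs the same change. The loop body here continues past the end of this hunk.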
@@ -5561,12 +5591,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
         return status;
 
     for (i = 0; i < req->nDoodads; i++) {
-        status = _CheckSetDoodad(&wire, geom, NULL, client);
+        status = _CheckSetDoodad(&wire, req, geom, NULL, client);
         if (status != Success)
             return status;
     }
 
     for (i = 0; i < req->nKeyAliases; i++) {
+        if (!_XkbCheckRequestBounds(client, req, wire, wire + 
XkbKeyNameLength))
+                return BadLength;
+
         if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL)
             return BadAlloc;
         wire += 2 * XkbKeyNameLength;
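Review bot: The key-alias check validates only `wire` to `wire + XkbKeyNameLength`, yet the next line passes both `wire` and `&wire[XkbKeyNameLength]` to XkbAddGeomKeyAlias and the loop steps by `2 * XkbKeyNameLength`. Assuming XkbAddGeomKeyAlias reads XkbKeyNameLength bytes from each argument, the second name of every pair is not covered by the length check. Checking the whole pair closes the gap: `if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 * XkbKeyNameLength))`. The `return BadLength;` under the new check is also indented one level deeper than the surrounding code. _CheckSetGeom starts and ends outside this hunk.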

++++++ 
U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch 
++++++
Index: xorg-server-21.1.3/xkb/xkb.c
===================================================================
--- xorg-server-21.1.3.orig/xkb/xkb.c
+++ xorg-server-21.1.3/xkb/xkb.c
@@ -6551,7 +6551,8 @@ ProcXkbGetDeviceInfo(ClientPtr client)
 static char *
 CheckSetDeviceIndicators(char *wire,
                          DeviceIntPtr dev,
-                         int num, int *status_rtrn, ClientPtr client)
+                         int num, int *status_rtrn, ClientPtr client,
+                         xkbSetDeviceInfoReq * stuff)
 {
     xkbDeviceLedsWireDesc *ledWire;
     int i;
@@ -6559,6 +6560,11 @@ CheckSetDeviceIndicators(char *wire,
 
     ledWire = (xkbDeviceLedsWireDesc *) wire;
     for (i = 0; i < num; i++) {
+        if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
+            *status_rtrn = BadLength;
+            return (char *) ledWire;
+        }
+
         if (client->swapped) {
             swaps(&ledWire->ledClass);
             swaps(&ledWire->ledID);
@@ -6586,6 +6592,11 @@ CheckSetDeviceIndicators(char *wire,
             atomWire = (CARD32 *) &ledWire[1];
             if (nNames > 0) {
                 for (n = 0; n < nNames; n++) {
+                    if (!_XkbCheckRequestBounds(client, stuff, atomWire, 
atomWire + 1)) {
+                        *status_rtrn = BadLength;
+                        return (char *) atomWire;
+                    }
+
                     if (client->swapped) {
                         swapl(atomWire);
                     }
@@ -6597,6 +6608,10 @@ CheckSetDeviceIndicators(char *wire,
             mapWire = (xkbIndicatorMapWireDesc *) atomWire;
             if (nMaps > 0) {
                 for (n = 0; n < nMaps; n++) {
+                    if (!_XkbCheckRequestBounds(client, stuff, mapWire, 
mapWire + 1)) {
+                        *status_rtrn = BadLength;
+                        return (char *) mapWire;
+                    }
                     if (client->swapped) {
                         swaps(&mapWire->virtualMods);
                         swapl(&mapWire->ctrls);
@@ -6648,11 +6663,6 @@ SetDeviceIndicators(char *wire,
         xkbIndicatorMapWireDesc *mapWire;
         XkbSrvLedInfoPtr sli;
 
-        if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
-            *status_rtrn = BadLength;
-            return (char *) ledWire;
-        }
-
         namec = mapc = statec = 0;
         sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
                                 XkbXI_IndicatorMapsMask);
@@ -6671,10 +6681,6 @@ SetDeviceIndicators(char *wire,
             memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
             for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
                 if (ledWire->namesPresent & bit) {
-                    if (!_XkbCheckRequestBounds(client, stuff, atomWire, 
atomWire + 1)) {
-                        *status_rtrn = BadLength;
-                        return (char *) atomWire;
-                    }
                     sli->names[n] = (Atom) *atomWire;
                     if (sli->names[n] == None)
                         ledWire->namesPresent &= ~bit;
@@ -6692,10 +6698,6 @@ SetDeviceIndicators(char *wire,
         if (ledWire->mapsPresent) {
             for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
                 if (ledWire->mapsPresent & bit) {
-                    if (!_XkbCheckRequestBounds(client, stuff, mapWire, 
mapWire + 1)) {
-                        *status_rtrn = BadLength;
-                        return (char *) mapWire;
-                    }
                     sli->maps[n].flags = mapWire->flags;
                     sli->maps[n].which_groups = mapWire->whichGroups;
                     sli->maps[n].groups = mapWire->groups;
@@ -6731,13 +6733,17 @@ SetDeviceIndicators(char *wire,
 }
 
 static int
-_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
+_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
                   xkbSetDeviceInfoReq * stuff)
 {
     char *wire;
 
     wire = (char *) &stuff[1];
     if (stuff->change & XkbXI_ButtonActionsMask) {
+        int sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
+        if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
+            return BadLength;
+
         if (!dev->button) {
             client->errorValue = _XkbErrCode2(XkbErr_BadClass, ButtonClass);
             return XkbKeyboardErrorCode;
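Review bot: Nothing in the code records the call ordering that this patch makes load-bearing. The later hunks delete every `_XkbCheckRequestBounds` call from SetDeviceIndicators and from the function now named `_XkbSetDeviceInfo`, so both are memory-safe only when `_XkbSetDeviceInfoCheck` has already accepted the same request. A short comment above `_XkbSetDeviceInfoCheck` would state this, e.g. `/* Validates all wire lengths; must succeed before _XkbSetDeviceInfo() runs on the same request. */`. The renamed signature also leaves the continuation line `xkbSetDeviceInfoReq * stuff)` aligned to the old, shorter name. The function body continues outside this hunk.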
@@ -6748,13 +6754,13 @@ _XkbSetDeviceInfo(ClientPtr client, Devi
                              dev->button->numButtons);
             return BadMatch;
         }
-        wire += (stuff->nBtns * SIZEOF(xkbActionWireDesc));
+        wire += sz;
     }
     if (stuff->change & XkbXI_IndicatorsMask) {
         int status = Success;
 
         wire = CheckSetDeviceIndicators(wire, dev, stuff->nDeviceLedFBs,
-                                        &status, client);
+                                        &status, client, stuff);
         if (status != Success)
             return status;
     }
@@ -6765,8 +6771,8 @@ _XkbSetDeviceInfo(ClientPtr client, Devi
 }
 
 static int
-_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
-                       xkbSetDeviceInfoReq * stuff)
+_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
+                  xkbSetDeviceInfoReq * stuff)
 {
     char *wire;
     xkbExtensionDeviceNotify ed;
@@ -6790,8 +6796,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
         if (stuff->firstBtn + stuff->nBtns > nBtns)
             return BadValue;
         sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
-        if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
-            return BadLength;
         memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
         wire += sz;
         ed.reason |= XkbXI_ButtonActionsMask;
