Hello community,

here is the log from the commit of package xorg-x11-server for openSUSE:Factory 
checked in at 2023-12-14 22:02:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xorg-x11-server (Old)
 and      /work/SRC/openSUSE:Factory/.xorg-x11-server.new.25432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "xorg-x11-server"

Thu Dec 14 22:02:29 2023 rev:421 rq:1132834 version:21.1.9

Changes:
--------
--- /work/SRC/openSUSE:Factory/xorg-x11-server/xorg-x11-server.changes  
2023-10-25 18:02:53.746590489 +0200
+++ 
/work/SRC/openSUSE:Factory/.xorg-x11-server.new.25432/xorg-x11-server.changes   
    2023-12-14 22:02:32.422768468 +0100
@@ -1,0 +2,11 @@
+Mon Dec  4 18:49:47 UTC 2023 - Stefan Dirsch <sndir...@suse.com>
+
+- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+  * Out-of-bounds memory write in XKB button actions (CVE-2023-6377, 
+    ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765)
+- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+  * Out-of-bounds memory read in RRChangeOutputProperty and
+    RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561,
+    bsc#1217766)
+
+-------------------------------------------------------------------

New:
----
  U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
  U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xorg-x11-server.spec ++++++
--- /var/tmp/diff_new_pack.xni97z/_old  2023-12-14 22:02:34.206832817 +0100
+++ /var/tmp/diff_new_pack.xni97z/_new  2023-12-14 22:02:34.210832961 +0100
@@ -243,6 +243,9 @@
 
 Patch1960:      u_sync-pci-ids-with-Mesa.patch
 
+Patch1217765:   
U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch
+Patch1217766:   
U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
+
 %description
 This package contains the X.Org Server.
 
@@ -401,6 +404,9 @@
 %patch1940 -p1
 %patch1960 -p1
 
+%patch1217765 -p1
+%patch1217766 -p1
+
 %build
 # We have some -z now related errors during X default startup (boo#1197994):
 # - when loading modesetting: gbm_bo_get_plane_count

++++++ U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch ++++++
>From 924fbcb74ae5434afa7ce4603cd85ebcbdcccad5 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutte...@who-t.net>
Date: Tue, 28 Nov 2023 15:19:04 +1000
Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons

button->xkb_acts is supposed to be an array sufficiently large for all
our buttons, not just a single XkbActions struct. Allocating
insufficient memory here means when we memcpy() later in
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
leading to the usual security ooopsiedaisies.

CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
 Xi/exevents.c | 12 ++++++------
 dix/devices.c | 10 ++++++++++
 2 files changed, 16 insertions(+), 6 deletions(-)
--- a/Xi/exevents.c     
+++ a/Xi/exevents.c     
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
         }
 
         if (from->button->xkb_acts) {
-            if (!to->button->xkb_acts) {
-                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
-                if (!to->button->xkb_acts)
-                    FatalError("[Xi] not enough memory for xkb_acts.\n");
-            }
+            size_t maxbuttons = max(to->button->numButtons, 
from->button->numButtons);
+            to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+                                                   maxbuttons,
+                                                   sizeof(XkbAction));
+            memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
             memcpy(to->button->xkb_acts, from->button->xkb_acts,
-                   sizeof(XkbAction));
+                   from->button->numButtons * sizeof(XkbAction));
         }
         else {
             free(to->button->xkb_acts);
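Review bot: The resized xkb_acts is sized for max(to, from) buttons, but nothing on the new side says why the larger of the two is needed, so the invariant this commit establishes (one XkbAction per button, per the commit message) is easy to break on the next edit; a comment above the xnfreallocarray call would pin it: `/* xkb_acts holds one XkbAction per button; size for the larger device so the copy below and the later memcpy in XkbSetDeviceInfo stay in bounds */`. Zeroing the whole array before copying from->button->numButtons entries leaves the tail as zeros rather than stale heap, which matters because to->button->xkb_acts may previously have been a smaller block or NULL. The xnf* allocators abort on failure, so dropping the explicit FatalError check is consistent. DeepCopyPointerClasses starts and ends outside the hunk.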
--- a/dix/devices.c     
+++ a/dix/devices.c     
@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
 
     if (master->button && master->button->numButtons != maxbuttons) {
         int i;
+        int last_num_buttons = master->button->numButtons;
+
         DeviceChangedEvent event = {
             .header = ET_Internal,
             .type = ET_DeviceChanged,
@@ -2540,6 +2542,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
         };
 
         master->button->numButtons = maxbuttons;
+        if (last_num_buttons < maxbuttons) {
+            master->button->xkb_acts = 
xnfreallocarray(master->button->xkb_acts,
+                                                       maxbuttons,
+                                                       sizeof(XkbAction));
+            memset(&master->button->xkb_acts[last_num_buttons],
+                   0,
+                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+        }
 
         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
                sizeof(Atom));
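Review bot: The memset only zeroes entries [last_num_buttons, maxbuttons), which assumes the first last_num_buttons entries already held valid data; if master->button->xkb_acts can still be NULL at this point (I believe it is allocated lazily elsewhere, please confirm), xnfreallocarray behaves like malloc and those leading entries are left as uninitialized heap. Record whether an array existed before growing it, `int keep = master->button->xkb_acts ? last_num_buttons : 0;`, and zero from there: `memset(&master->button->xkb_acts[keep], 0, (maxbuttons - keep) * sizeof(XkbAction));`. The shrink case leaves the existing, larger allocation in place; a one-line comment saying so would keep a later reader from treating it as an oversight. RecalculateMasterButtons starts and ends outside the hunk.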
-- 

++++++ U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch 
++++++
>From bd59316fe54b2bcad94c883e81fe7cae2a90cdd6 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutte...@who-t.net>
Date: Mon, 27 Nov 2023 16:27:49 +1000
Subject: [PATCH xserver] randr: avoid integer truncation in length check of
 ProcRRChange*Property

Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
See also xserver@8f454b79 where this same bug was fixed for the core
protocol and XI.

This fixes an OOB read and the resulting information disclosure.

Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.

The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.

CVE-2023-XXXXX, ZDI-CAN-22561

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
 randr/rrproperty.c         | 2 +-
 randr/rrproviderproperty.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/randr/rrproperty.c b/randr/rrproperty.c
index 25469f57b2..c4fef8a1f6 100644
--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
     char format, mode;
     unsigned long len;
     int sizeInBytes;
-    int totalSize;
+    uint64_t totalSize;
     int err;
 
     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
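Review bot: Widening totalSize to uint64_t only helps if the product assigned to it is computed in 64 bits; len is declared unsigned long and sizeInBytes int on the lines above, and an expression of the form `len * sizeInBytes` (it sits outside the hunk, so this is inferred) is evaluated in unsigned long and widened only afterwards, which on a target with 32-bit unsigned long truncates before the REQUEST_FIXED_SIZE comparison exactly as before. Force the width at the operand instead, `totalSize = (uint64_t) len * sizeInBytes;`, or declare len as uint64_t as well. The same applies to the identical hunk in randr/rrproviderproperty.c. ProcRRChangeOutputProperty continues outside the hunk.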
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index b79c17f9bf..90c5a9a933 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
     char format, mode;
     unsigned long len;
     int sizeInBytes;
-    int totalSize;
+    uint64_t totalSize;
     int err;
 
     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
-- 
2.43.0
