Re: [OE-core] [dunfell][PATCH] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553

Steve Sakoman Mon, 31 Oct 2022 14:52:16 -0700

On Sun, Oct 30, 2022 at 3:39 AM Minjae Kim <flower...@gmail.com> wrote:
>
> From: Steve Sakoman <st...@sakoman.com>


This seems to be in error since I didn't author this patch ;-)
>
> <CVE-2022-3550>
> xkb: proof GetCountedString against request length attacks
> pstream-Status: Backport 
> [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]
>
> <CVE-2022-3551>
> xkb: fix some possible memleaks in XkbGetKbdByName
> Upstream-Status: Backport 
> [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
>
> <CVE-2022-3553>
> xquartz: Fix a possible crash when editing the Application
> menu due to mutaing immutable arrays
> Upstream-Status: 
> Backport[https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3]
>
> Signed-off-by:Minjae Kim <flower...@gmail.com>
> ---
>  .../xserver-xorg/CVE-2022-3550.patch          | 34 +++++++++++
>  .../xserver-xorg/CVE-2022-3551.patch          | 60 +++++++++++++++++++
>  .../xserver-xorg/CVE-2022-3553.patch          | 44 ++++++++++++++

All three of the patches are missing the CVE: and UpstreamStatus: tags
as well as your Signed-off-by:

Please submit a V2 with these issues fixed.

Many thanks for your help with CVEs!

Steve

>  .../xorg-xserver/xserver-xorg_1.20.14.bb      |  3 +
>  4 files changed, 141 insertions(+)
>  create mode 100644 
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
>  create mode 100644 
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
>  create mode 100644 
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
>
> diff --git 
> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch 
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
> new file mode 100644
> index 0000000000..c1241f6ac5
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
> @@ -0,0 +1,34 @@
> +From 27963f7eb6d986f20c88daa40af39834ee9cf9ec Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutte...@who-t.net>
> +Date: Sun, 30 Oct 2022 13:02:46 +0000
> +Subject: [PATCH] xkb: proof GetCountedString against request length attacks
> +
> +GetCountedString did a check for the whole string to be within the
> +request buffer but not for the initial 2 bytes that contain the length
> +field. A swapped client could send a malformed request to trigger a
> +swaps() on those bytes, writing into random memory.
> +
> +Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net>
> +---
> + xkb/xkb.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/xkb/xkb.c b/xkb/xkb.c
> +index 68c59df..c9726bc 100644
> +--- a/xkb/xkb.c
> ++++ b/xkb/xkb.c
> +@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr 
> client, char **str)
> +     CARD16 len;
> +
> +     wire = *wire_inout;
> ++
> ++    if (client->req_len <
> ++        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
> ++        return BadValue;
> ++
> +     len = *(CARD16 *) wire;
> +     if (client->swapped) {
> +         swaps(&len);
> +--
> +2.17.1
> +
> diff --git 
> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch 
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
> new file mode 100644
> index 0000000000..365b11ea1c
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
> @@ -0,0 +1,60 @@
> +From a13cd058d30f30537f7e68b934238fab20f6d55a Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer <peter.hutte...@who-t.net>
> +Date: Sun, 30 Oct 2022 13:09:00 +0000
> +Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
> +
> +GetComponentByName returns an allocated string, so let's free that if we
> +fail somewhere.
> +
> +Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net>
> +---
> + xkb/xkb.c | 27 ++++++++++++++++++++-------
> + 1 file changed, 20 insertions(+), 7 deletions(-)
> +
> +diff --git a/xkb/xkb.c b/xkb/xkb.c
> +index c9726bc..072c138 100644
> +--- a/xkb/xkb.c
> ++++ b/xkb/xkb.c
> +@@ -5908,19 +5908,32 @@ ProcXkbGetKbdByName(ClientPtr client)
> +     xkb = dev->key->xkbInfo->desc;
> +     status = Success;
> +     str = (unsigned char *) &stuff[1];
> +-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
> +-        return BadMatch;
> ++    {
> ++        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, 
> unsupported */
> ++        if (keymap) {
> ++            free(keymap);
> ++            return BadMatch;
> ++        }
> ++    }
> +     names.keycodes = GetComponentSpec(&str, TRUE, &status);
> +     names.types = GetComponentSpec(&str, TRUE, &status);
> +     names.compat = GetComponentSpec(&str, TRUE, &status);
> +     names.symbols = GetComponentSpec(&str, TRUE, &status);
> +     names.geometry = GetComponentSpec(&str, TRUE, &status);
> +-    if (status != Success)
> +-        return status;
> +-    len = str - ((unsigned char *) stuff);
> +-    if ((XkbPaddedSize(len) / 4) != stuff->length)
> +-        return BadLength;
> ++    if (status == Success) {
> ++        len = str - ((unsigned char *) stuff);
> ++        if ((XkbPaddedSize(len) / 4) != stuff->length)
> ++            status = BadLength;
> ++    }
> +
> ++    if (status != Success) {
> ++        free(names.keycodes);
> ++        free(names.types);
> ++        free(names.compat);
> ++        free(names.symbols);
> ++        free(names.geometry);
> ++         return status;
> ++    }
> +     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
> +     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
> +
> +--
> +2.17.1
> +
> diff --git 
> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch 
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
> new file mode 100644
> index 0000000000..3026225129
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
> @@ -0,0 +1,44 @@
> +From d3de2d4ea02c5898ea7af93a68933bb1059b4f0d Mon Sep 17 00:00:00 2001
> +From: Jeremy Huddleston Sequoia <jerem...@apple.com>
> +Date: Sun, 30 Oct 2022 13:13:41 +0000
> +Subject: [PATCH] xquartz: Fix a possible crash when editing the Application
> + menu due to mutaing immutable arrays
> +
> +Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: 
> mutating method sent to immutable object
> +
> +Application Specific Backtrace 0:
> +0   CoreFoundation                      0x00007ff80d2c5e9b 
> __exceptionPreprocess + 242
> +1   libobjc.A.dylib                     0x00007ff80d027e48 
> objc_exception_throw + 48
> +2   CoreFoundation                      0x00007ff80d38167b 
> _CFThrowFormattedException + 194
> +3   CoreFoundation                      0x00007ff80d382a25 -[__NSCFArray 
> removeObjectAtIndex:].cold.1 + 0
> +4   CoreFoundation                      0x00007ff80d2e6c0b -[__NSCFArray 
> replaceObjectAtIndex:withObject:] + 119
> +5   X11.bin                             0x00000001003180f9 -[X11Controller 
> tableView:setObjectValue:forTableColumn:row:] + 169
> +
> +Fixes: https://github.com/XQuartz/XQuartz/issues/267
> +Signed-off-by: Jeremy Huddleston Sequoia <jerem...@apple.com>
> +---
> + hw/xquartz/X11Controller.m | 8 +++++---
> + 1 file changed, 5 insertions(+), 3 deletions(-)
> +
> +diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
> +index 3efda50..4e9a5c9 100644
> +--- a/hw/xquartz/X11Controller.m
> ++++ b/hw/xquartz/X11Controller.m
> +@@ -467,9 +467,11 @@ extern char *bundle_id_prefix;
> +     self.table_apps = table_apps;
> +
> +     NSArray * const apps = self.apps;
> +-    if (apps != nil)
> +-        [table_apps addObjectsFromArray:apps];
> +-
> ++    if (apps != nil) {
> ++        for (NSArray <NSString *> * row in apps) {
> ++            [table_apps addObject:row.mutableCopy];
> ++        }
> ++    }
> +     columns = [apps_table tableColumns];
> +     [[columns objectAtIndex:0] setIdentifier:@"0"];
> +     [[columns objectAtIndex:1] setIdentifier:@"1"];
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb 
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
> index d176f390a4..4f5528f78b 100644
> --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
> @@ -5,6 +5,9 @@ SRC_URI += 
> "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
>             file://0001-test-xtest-Initialize-array-with-braces.patch \
>             file://sdksyms-no-build-path.patch \
>             file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
> +           file://CVE-2022-3550.patch \
> +           file://CVE-2022-3551.patch \
> +           file://CVE-2022-3553.patch \
>             "
>  SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
>  SRC_URI[sha256sum] = 
> "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
> --
> 2.17.1
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#172341): 
https://lists.openembedded.org/g/openembedded-core/message/172341
Mute This Topic: https://lists.openembedded.org/mt/94664474/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [dunfell][PATCH] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553

Reply via email to