On 7/15/23 00:13, Steve Sakoman wrote:
This is being handled with a stable branch version bump which is in
the current test queue: "libx11: upgrade 1.8.5 -> 1.8.6"
OK. Thanks.
Kai
Steve
On Fri, Jul 14, 2023 at 5:05 AM Kai Kang <kai.k...@eng.windriver.com> wrote:
From: Kai Kang <kai.k...@windriver.com>
CVE: CVE-2023-3138
Backport patch to fix CVE-2023-3138 for libx11.
Signed-off-by: Kai Kang <kai.k...@windriver.com>
---
.../xorg-lib/libx11/CVE-2023-3138.patch | 113 ++++++++++++++++++
.../recipes-graphics/xorg-lib/libx11_1.8.5.bb | 4 +-
2 files changed, 116 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
new file mode 100644
index 0000000000..0d9397dd95
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
@@ -0,0 +1,113 @@
+From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersm...@oracle.com>
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
+ error codes
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK <gjd...@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
+
+CVE: CVE-2023-3138
+Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654]
+
+Signed-off-by: Kai Kang <kai.k...@windriver.com>
+---
+ src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f15..afc00a6b 100644
+--- a/src/InitExt.c
++++ b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+ #include <X11/Xos.h>
+ #include <stdio.h>
+
++/* The X11 protocol spec reserves events 64 through 127 for extensions */
++#ifndef LastExtensionEvent
++#define LastExtensionEvent 127
++#endif
++
++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
++#ifndef LastExtensionRequest
++#define FirstExtensionRequest 128
++#define LastExtensionRequest 255
++#endif
++
++
+ /*
+ * This routine is used to link a extension in so it will be called
+ * at appropriate times.
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+ WireToEventType proc) /* routine to call when converting event */
+ {
+ register WireToEventType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (WireToEventType)_XUnknownWireEvent;
++ }
+ if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->event_vec[event_number];
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+ )
+ {
+ WireToEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (WireToEventCookieType)_XUnknownWireEventCookie;
++ }
+ if (proc == NULL) proc =
(WireToEventCookieType)_XUnknownWireEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+ )
+ {
+ CopyEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (CopyEventCookieType)_XUnknownCopyEventCookie;
++ }
+ if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+ EventToWireType proc) /* routine to call when converting event */
+ {
+ register EventToWireType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (EventToWireType)_XUnknownNativeEvent;
++ }
+ if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
+ WireToErrorType proc) /* routine to call when converting error */
+ {
+ register WireToErrorType oldproc = NULL;
++ if (error_number < 0 ||
++ error_number > LastExtensionError) {
++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
++ error_number);
++ return (WireToErrorType)_XDefaultWireError;
++ }
+ if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
+ LockDisplay (dpy);
+ if (!dpy->error_vec) {
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb
b/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb
index cf2e29471a..028a757d39 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.8.5.bb
@@ -22,7 +22,9 @@ PE = "1"
XORG_PN = "libX11"
-SRC_URI += "file://disable_tests.patch"
+SRC_URI += "file://disable_tests.patch \
+ file://CVE-2023-3138.patch \
+ "
SRC_URI[sha256sum] =
"e362c6f03c793171becd1ce2078c64789504c7d7ff48ee40a76ff76b59f6b561"
--
2.34.1
--
Kai Kang
Wind River Linux
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184424):
https://lists.openembedded.org/g/openembedded-core/message/184424
Mute This Topic: https://lists.openembedded.org/mt/100142997/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-