diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2024-01-25 12:35:06 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-01-31 03:51:10 -1000 |
commit | 4bda99df75e25df5ba6dccbd6df9ab3f089bb134 (patch) | |
tree | c880e7a1452ded8ad8fefe6bd97c65614377dd97 | |
parent | 70de5ee7d1203779901b54d29fc7a1ee39a55ad3 (diff) | |
download | poky-4bda99df75e25df5ba6dccbd6df9ab3f089bb134.tar.gz |
xserver-xorg: Multiple CVE fixes
Fix below CVE's
CVE-2023-6816
CVE-2024-0229
CVE-2024-21885
CVE-2024-21886
CVE-2024-0408
CVE-2024-0409
(From OE-Core rev: 14ffb41e7a49a4c0076db9ec4449a97c0f143b67)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
11 files changed, 813 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch new file mode 100644 index 0000000000..0bfff268e7 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 14 Dec 2023 11:29:49 +1000 | ||
4 | Subject: [PATCH] dix: allocate enough space for logical button maps | ||
5 | |||
6 | Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for | ||
7 | each logical button currently down. Since buttons can be arbitrarily mapped | ||
8 | to anything up to 255 make sure we have enough bits for the maximum mapping. | ||
9 | |||
10 | CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 | ||
11 | |||
12 | This vulnerability was discovered by: | ||
13 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
14 | |||
15 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3] | ||
16 | CVE: CVE-2023-6816 | ||
17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
18 | --- | ||
19 | Xi/xiquerypointer.c | 3 +-- | ||
20 | dix/enterleave.c | 5 +++-- | ||
21 | 2 files changed, 4 insertions(+), 4 deletions(-) | ||
22 | |||
23 | diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c | ||
24 | index 5b77b1a444..2b05ac5f39 100644 | ||
25 | --- a/Xi/xiquerypointer.c | ||
26 | +++ b/Xi/xiquerypointer.c | ||
27 | @@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) | ||
28 | if (pDev->button) { | ||
29 | int i; | ||
30 | |||
31 | - rep.buttons_len = | ||
32 | - bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); | ||
33 | + rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ | ||
34 | rep.length += rep.buttons_len; | ||
35 | buttons = calloc(rep.buttons_len, 4); | ||
36 | if (!buttons) | ||
37 | diff --git a/dix/enterleave.c b/dix/enterleave.c | ||
38 | index 867ec74363..ded8679d76 100644 | ||
39 | --- a/dix/enterleave.c | ||
40 | +++ b/dix/enterleave.c | ||
41 | @@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, | ||
42 | |||
43 | mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); | ||
44 | |||
45 | - /* XI 2 event */ | ||
46 | - btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; | ||
47 | + /* XI 2 event contains the logical button map - maps are CARD8 | ||
48 | + * so we need 256 bits for the possibly maximum mapping */ | ||
49 | + btlen = (mouse->button) ? bits_to_bytes(256) : 0; | ||
50 | btlen = bytes_to_int32(btlen); | ||
51 | len = sizeof(xXIFocusInEvent) + btlen * 4; | ||
52 | |||
53 | -- | ||
54 | GitLab | ||
55 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch new file mode 100644 index 0000000000..80ebc64e59 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch | |||
@@ -0,0 +1,87 @@ | |||
1 | From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Mon, 18 Dec 2023 14:27:50 +1000 | ||
4 | Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify | ||
5 | |||
6 | If a device has both a button class and a key class and numButtons is | ||
7 | zero, we can get an OOB write due to event under-allocation. | ||
8 | |||
9 | This function seems to assume a device has either keys or buttons, not | ||
10 | both. It has two virtually identical code paths, both of which assume | ||
11 | they're applying to the first event in the sequence. | ||
12 | |||
13 | A device with both a key and button class triggered a logic bug - only | ||
14 | one xEvent was allocated but the deviceStateNotify pointer was pushed on | ||
15 | once per type. So effectively this logic code: | ||
16 | |||
17 | int count = 1; | ||
18 | if (button && nbuttons > 32) count++; | ||
19 | if (key && nbuttons > 0) count++; | ||
20 | if (key && nkeys > 32) count++; // this is basically always true | ||
21 | // count is at 2 for our keys + zero button device | ||
22 | |||
23 | ev = alloc(count * sizeof(xEvent)); | ||
24 | FixDeviceStateNotify(ev); | ||
25 | if (button) | ||
26 | FixDeviceStateNotify(ev++); | ||
27 | if (key) | ||
28 | FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here | ||
29 | |||
30 | If the device has more than 3 valuators, the OOB is pushed back - we're | ||
31 | off by one so it will happen when the last deviceValuator event is | ||
32 | written instead. | ||
33 | |||
34 | Fix this by allocating the maximum number of events we may allocate. | ||
35 | Note that the current behavior is not protocol-correct anyway, this | ||
36 | patch fixes only the allocation issue. | ||
37 | |||
38 | Note that this issue does not trigger if the device has at least one | ||
39 | button. While the server does not prevent a button class with zero | ||
40 | buttons, it is very unlikely. | ||
41 | |||
42 | CVE-2024-0229, ZDI-CAN-22678 | ||
43 | |||
44 | This vulnerability was discovered by: | ||
45 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
46 | |||
47 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5] | ||
48 | CVE: CVE-2024-0229 | ||
49 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
50 | --- | ||
51 | dix/enterleave.c | 6 +++--- | ||
52 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
53 | |||
54 | diff --git a/dix/enterleave.c b/dix/enterleave.c | ||
55 | index ded8679d76..17964b00a4 100644 | ||
56 | --- a/dix/enterleave.c | ||
57 | +++ b/dix/enterleave.c | ||
58 | @@ -675,7 +675,8 @@ static void | ||
59 | DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) | ||
60 | { | ||
61 | int evcount = 1; | ||
62 | - deviceStateNotify *ev, *sev; | ||
63 | + deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; | ||
64 | + deviceStateNotify *ev; | ||
65 | deviceKeyStateNotify *kev; | ||
66 | deviceButtonStateNotify *bev; | ||
67 | |||
68 | @@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) | ||
69 | } | ||
70 | } | ||
71 | |||
72 | - sev = ev = xallocarray(evcount, sizeof(xEvent)); | ||
73 | + ev = sev; | ||
74 | FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); | ||
75 | |||
76 | if (b != NULL) { | ||
77 | @@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) | ||
78 | |||
79 | DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, | ||
80 | DeviceStateNotifyMask, NullGrab); | ||
81 | - free(sev); | ||
82 | } | ||
83 | |||
84 | void | ||
85 | -- | ||
86 | GitLab | ||
87 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch new file mode 100644 index 0000000000..65df74376b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch | |||
@@ -0,0 +1,221 @@ | |||
1 | From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Mon, 18 Dec 2023 12:26:20 +1000 | ||
4 | Subject: [PATCH] dix: fix DeviceStateNotify event calculation | ||
5 | |||
6 | The previous code only made sense if one considers buttons and keys to | ||
7 | be mutually exclusive on a device. That is not necessarily true, causing | ||
8 | a number of issues. | ||
9 | |||
10 | This function allocates and fills in the number of xEvents we need to | ||
11 | send the device state down the wire. This is split across multiple | ||
12 | 32-byte devices including one deviceStateNotify event and optional | ||
13 | deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple) | ||
14 | deviceValuator events. | ||
15 | |||
16 | The previous behavior would instead compose a sequence | ||
17 | of [state, buttonstate, state, keystate, valuator...]. This is not | ||
18 | protocol correct, and on top of that made the code extremely convoluted. | ||
19 | |||
20 | Fix this by streamlining: add both button and key into the deviceStateNotify | ||
21 | and then append the key state and button state, followed by the | ||
22 | valuators. Finally, the deviceValuator events contain up to 6 valuators | ||
23 | per event but we only ever sent through 3 at a time. Let's double that | ||
24 | troughput. | ||
25 | |||
26 | CVE-2024-0229, ZDI-CAN-22678 | ||
27 | |||
28 | This vulnerability was discovered by: | ||
29 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
30 | |||
31 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5] | ||
32 | CVE: CVE-2024-0229 | ||
33 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
34 | --- | ||
35 | dix/enterleave.c | 121 ++++++++++++++++++++--------------------------- | ||
36 | 1 file changed, 52 insertions(+), 69 deletions(-) | ||
37 | |||
38 | diff --git a/dix/enterleave.c b/dix/enterleave.c | ||
39 | index 17964b00a4..7b7ba1098b 100644 | ||
40 | --- a/dix/enterleave.c | ||
41 | +++ b/dix/enterleave.c | ||
42 | @@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, | ||
43 | |||
44 | ev->type = DeviceValuator; | ||
45 | ev->deviceid = dev->id; | ||
46 | - ev->num_valuators = nval < 3 ? nval : 3; | ||
47 | + ev->num_valuators = nval < 6 ? nval : 6; | ||
48 | ev->first_valuator = first; | ||
49 | switch (ev->num_valuators) { | ||
50 | + case 6: | ||
51 | + ev->valuator2 = v->axisVal[first + 5]; | ||
52 | + case 5: | ||
53 | + ev->valuator2 = v->axisVal[first + 4]; | ||
54 | + case 4: | ||
55 | + ev->valuator2 = v->axisVal[first + 3]; | ||
56 | case 3: | ||
57 | ev->valuator2 = v->axisVal[first + 2]; | ||
58 | case 2: | ||
59 | @@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, | ||
60 | ev->valuator0 = v->axisVal[first]; | ||
61 | break; | ||
62 | } | ||
63 | - first += ev->num_valuators; | ||
64 | } | ||
65 | |||
66 | static void | ||
67 | @@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, | ||
68 | ev->num_buttons = b->numButtons; | ||
69 | memcpy((char *) ev->buttons, (char *) b->down, 4); | ||
70 | } | ||
71 | - else if (k) { | ||
72 | + if (k) { | ||
73 | ev->classes_reported |= (1 << KeyClass); | ||
74 | ev->num_keys = k->xkbInfo->desc->max_key_code - | ||
75 | k->xkbInfo->desc->min_key_code; | ||
76 | @@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, | ||
77 | } | ||
78 | } | ||
79 | |||
80 | - | ||
81 | +/** | ||
82 | + * The device state notify event is split across multiple 32-byte events. | ||
83 | + * The first one contains the first 32 button state bits, the first 32 | ||
84 | + * key state bits, and the first 3 valuator values. | ||
85 | + * | ||
86 | + * If a device has more than that, the server sends out: | ||
87 | + * - one deviceButtonStateNotify for buttons 32 and above | ||
88 | + * - one deviceKeyStateNotify for keys 32 and above | ||
89 | + * - one deviceValuator event per 6 valuators above valuator 4 | ||
90 | + * | ||
91 | + * All events but the last one have the deviceid binary ORed with MORE_EVENTS, | ||
92 | + */ | ||
93 | static void | ||
94 | DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) | ||
95 | { | ||
96 | + /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify | ||
97 | + * and one deviceValuator for each 6 valuators */ | ||
98 | + deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6]; | ||
99 | int evcount = 1; | ||
100 | - deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; | ||
101 | - deviceStateNotify *ev; | ||
102 | - deviceKeyStateNotify *kev; | ||
103 | - deviceButtonStateNotify *bev; | ||
104 | + deviceStateNotify *ev = sev; | ||
105 | |||
106 | KeyClassPtr k; | ||
107 | ButtonClassPtr b; | ||
108 | @@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) | ||
109 | |||
110 | if ((b = dev->button) != NULL) { | ||
111 | nbuttons = b->numButtons; | ||
112 | - if (nbuttons > 32) | ||
113 | + if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */ | ||
114 | evcount++; | ||
115 | } | ||
116 | if ((k = dev->key) != NULL) { | ||
117 | nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code; | ||
118 | - if (nkeys > 32) | ||
119 | + if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */ | ||
120 | evcount++; | ||
121 | - if (nbuttons > 0) { | ||
122 | - evcount++; | ||
123 | - } | ||
124 | } | ||
125 | if ((v = dev->valuator) != NULL) { | ||
126 | nval = v->numAxes; | ||
127 | - | ||
128 | - if (nval > 3) | ||
129 | - evcount++; | ||
130 | - if (nval > 6) { | ||
131 | - if (!(k && b)) | ||
132 | - evcount++; | ||
133 | - if (nval > 9) | ||
134 | - evcount += ((nval - 7) / 3); | ||
135 | - } | ||
136 | + /* first three are encoded in deviceStateNotify, then | ||
137 | + * it's 6 per deviceValuator event */ | ||
138 | + evcount += ((nval - 3) + 6)/6; | ||
139 | } | ||
140 | |||
141 | - ev = sev; | ||
142 | - FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); | ||
143 | - | ||
144 | - if (b != NULL) { | ||
145 | - FixDeviceStateNotify(dev, ev++, NULL, b, v, first); | ||
146 | - first += 3; | ||
147 | - nval -= 3; | ||
148 | - if (nbuttons > 32) { | ||
149 | - (ev - 1)->deviceid |= MORE_EVENTS; | ||
150 | - bev = (deviceButtonStateNotify *) ev++; | ||
151 | - bev->type = DeviceButtonStateNotify; | ||
152 | - bev->deviceid = dev->id; | ||
153 | - memcpy((char *) &bev->buttons[4], (char *) &b->down[4], | ||
154 | - DOWN_LENGTH - 4); | ||
155 | - } | ||
156 | - if (nval > 0) { | ||
157 | - (ev - 1)->deviceid |= MORE_EVENTS; | ||
158 | - FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); | ||
159 | - first += 3; | ||
160 | - nval -= 3; | ||
161 | - } | ||
162 | + BUG_RETURN(evcount <= ARRAY_SIZE(sev)); | ||
163 | + | ||
164 | + FixDeviceStateNotify(dev, ev, k, b, v, first); | ||
165 | + | ||
166 | + if (b != NULL && nbuttons > 32) { | ||
167 | + deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev; | ||
168 | + (ev - 1)->deviceid |= MORE_EVENTS; | ||
169 | + bev->type = DeviceButtonStateNotify; | ||
170 | + bev->deviceid = dev->id; | ||
171 | + memcpy((char *) &bev->buttons[4], (char *) &b->down[4], | ||
172 | + DOWN_LENGTH - 4); | ||
173 | } | ||
174 | |||
175 | - if (k != NULL) { | ||
176 | - FixDeviceStateNotify(dev, ev++, k, NULL, v, first); | ||
177 | - first += 3; | ||
178 | - nval -= 3; | ||
179 | - if (nkeys > 32) { | ||
180 | - (ev - 1)->deviceid |= MORE_EVENTS; | ||
181 | - kev = (deviceKeyStateNotify *) ev++; | ||
182 | - kev->type = DeviceKeyStateNotify; | ||
183 | - kev->deviceid = dev->id; | ||
184 | - memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); | ||
185 | - } | ||
186 | - if (nval > 0) { | ||
187 | - (ev - 1)->deviceid |= MORE_EVENTS; | ||
188 | - FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); | ||
189 | - first += 3; | ||
190 | - nval -= 3; | ||
191 | - } | ||
192 | + if (k != NULL && nkeys > 32) { | ||
193 | + deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev; | ||
194 | + (ev - 1)->deviceid |= MORE_EVENTS; | ||
195 | + kev->type = DeviceKeyStateNotify; | ||
196 | + kev->deviceid = dev->id; | ||
197 | + memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); | ||
198 | } | ||
199 | |||
200 | + first = 3; | ||
201 | + nval -= 3; | ||
202 | while (nval > 0) { | ||
203 | - FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first); | ||
204 | - first += 3; | ||
205 | - nval -= 3; | ||
206 | - if (nval > 0) { | ||
207 | - (ev - 1)->deviceid |= MORE_EVENTS; | ||
208 | - FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); | ||
209 | - first += 3; | ||
210 | - nval -= 3; | ||
211 | - } | ||
212 | + ev->deviceid |= MORE_EVENTS; | ||
213 | + FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first); | ||
214 | + first += 6; | ||
215 | + nval -= 6; | ||
216 | } | ||
217 | |||
218 | DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, | ||
219 | -- | ||
220 | GitLab | ||
221 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch new file mode 100644 index 0000000000..742c122fa8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 21 Dec 2023 13:48:10 +1000 | ||
4 | Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of | ||
5 | buttons | ||
6 | |||
7 | There's a racy sequence where a master device may copy the button class | ||
8 | from the slave, without ever initializing numButtons. This leads to a | ||
9 | device with zero buttons but a button class which is invalid. | ||
10 | |||
11 | Let's copy the numButtons value from the source - by definition if we | ||
12 | don't have a button class yet we do not have any other slave devices | ||
13 | with more than this number of buttons anyway. | ||
14 | |||
15 | CVE-2024-0229, ZDI-CAN-22678 | ||
16 | |||
17 | This vulnerability was discovered by: | ||
18 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
19 | |||
20 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74] | ||
21 | CVE: CVE-2024-0229 | ||
22 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
23 | --- | ||
24 | Xi/exevents.c | 1 + | ||
25 | 1 file changed, 1 insertion(+) | ||
26 | |||
27 | diff --git a/Xi/exevents.c b/Xi/exevents.c | ||
28 | index 54ea11a938..e161714682 100644 | ||
29 | --- a/Xi/exevents.c | ||
30 | +++ b/Xi/exevents.c | ||
31 | @@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) | ||
32 | to->button = calloc(1, sizeof(ButtonClassRec)); | ||
33 | if (!to->button) | ||
34 | FatalError("[Xi] no memory for class shift.\n"); | ||
35 | + to->button->numButtons = from->button->numButtons; | ||
36 | } | ||
37 | else | ||
38 | classes->button = NULL; | ||
39 | -- | ||
40 | GitLab | ||
41 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch new file mode 100644 index 0000000000..d1a6214793 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 21 Dec 2023 14:10:11 +1000 | ||
4 | Subject: [PATCH] Xi: require a pointer and keyboard device for | ||
5 | XIAttachToMaster | ||
6 | |||
7 | If we remove a master device and specify which other master devices | ||
8 | attached slaves should be returned to, enforce that those two are | ||
9 | indeeed a pointer and a keyboard. | ||
10 | |||
11 | Otherwise we can try to attach the keyboards to pointers and vice versa, | ||
12 | leading to possible crashes later. | ||
13 | |||
14 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe] | ||
15 | CVE: CVE-2024-0229 | ||
16 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
17 | --- | ||
18 | Xi/xichangehierarchy.c | 4 ++-- | ||
19 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
20 | |||
21 | diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c | ||
22 | index 504defe566..d2d985848d 100644 | ||
23 | --- a/Xi/xichangehierarchy.c | ||
24 | +++ b/Xi/xichangehierarchy.c | ||
25 | @@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES]) | ||
26 | if (rc != Success) | ||
27 | goto unwind; | ||
28 | |||
29 | - if (!IsMaster(newptr)) { | ||
30 | + if (!IsMaster(newptr) || !IsPointerDevice(newptr)) { | ||
31 | client->errorValue = r->return_pointer; | ||
32 | rc = BadDevice; | ||
33 | goto unwind; | ||
34 | @@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES]) | ||
35 | if (rc != Success) | ||
36 | goto unwind; | ||
37 | |||
38 | - if (!IsMaster(newkeybd)) { | ||
39 | + if (!IsMaster(newkeybd) || !IsKeyboardDevice(newkeybd)) { | ||
40 | client->errorValue = r->return_keyboard; | ||
41 | rc = BadDevice; | ||
42 | goto unwind; | ||
43 | -- | ||
44 | GitLab | ||
45 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch new file mode 100644 index 0000000000..c8f75d8a7e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Olivier Fourdan <ofourdan@redhat.com> | ||
3 | Date: Wed, 6 Dec 2023 12:09:41 +0100 | ||
4 | Subject: [PATCH] glx: Call XACE hooks on the GLX buffer | ||
5 | |||
6 | The XSELINUX code will label resources at creation by checking the | ||
7 | access mode. When the access mode is DixCreateAccess, it will call the | ||
8 | function to label the new resource SELinuxLabelResource(). | ||
9 | |||
10 | However, GLX buffers do not go through the XACE hooks when created, | ||
11 | hence leaving the resource actually unlabeled. | ||
12 | |||
13 | When, later, the client tries to create another resource using that | ||
14 | drawable (like a GC for example), the XSELINUX code would try to use | ||
15 | the security ID of that object which has never been labeled, get a NULL | ||
16 | pointer and crash when checking whether the requested permissions are | ||
17 | granted for subject security ID. | ||
18 | |||
19 | To avoid the issue, make sure to call the XACE hooks when creating the | ||
20 | GLX buffers. | ||
21 | |||
22 | Credit goes to Donn Seeley <donn@xmission.com> for providing the patch. | ||
23 | |||
24 | CVE-2024-0408 | ||
25 | |||
26 | Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> | ||
27 | Acked-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
28 | |||
29 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e5e8586a12a3ec915673edffa10dc8fe5e15dac3] | ||
30 | CVE: CVE-2024-0408 | ||
31 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
32 | --- | ||
33 | glx/glxcmds.c | 8 ++++++++ | ||
34 | 1 file changed, 8 insertions(+) | ||
35 | |||
36 | diff --git a/glx/glxcmds.c b/glx/glxcmds.c | ||
37 | index fc26a2e345..1e46d0c723 100644 | ||
38 | --- a/glx/glxcmds.c | ||
39 | +++ b/glx/glxcmds.c | ||
40 | @@ -48,6 +48,7 @@ | ||
41 | #include "indirect_util.h" | ||
42 | #include "protocol-versions.h" | ||
43 | #include "glxvndabi.h" | ||
44 | +#include "xace.h" | ||
45 | |||
46 | static char GLXServerVendorName[] = "SGI"; | ||
47 | |||
48 | @@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, | ||
49 | if (!pPixmap) | ||
50 | return BadAlloc; | ||
51 | |||
52 | + err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP, | ||
53 | + pPixmap, RT_NONE, NULL, DixCreateAccess); | ||
54 | + if (err != Success) { | ||
55 | + (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap); | ||
56 | + return err; | ||
57 | + } | ||
58 | + | ||
59 | /* Assign the pixmap the same id as the pbuffer and add it as a | ||
60 | * resource so it and the DRI2 drawable will be reclaimed when the | ||
61 | * pbuffer is destroyed. */ | ||
62 | -- | ||
63 | GitLab | ||
64 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch new file mode 100644 index 0000000000..9763e0b562 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Olivier Fourdan <ofourdan@redhat.com> | ||
3 | Date: Wed, 6 Dec 2023 11:51:56 +0100 | ||
4 | Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor | ||
5 | |||
6 | The cursor in DIX is actually split in two parts, the cursor itself and | ||
7 | the cursor bits, each with their own devPrivates. | ||
8 | |||
9 | The cursor itself includes the cursor bits, meaning that the cursor bits | ||
10 | devPrivates in within structure of the cursor. | ||
11 | |||
12 | Both Xephyr and Xwayland were using the private key for the cursor bits | ||
13 | to store the data for the cursor, and when using XSELINUX which comes | ||
14 | with its own special devPrivates, the data stored in that cursor bits' | ||
15 | devPrivates would interfere with the XSELINUX devPrivates data and the | ||
16 | SELINUX security ID would point to some other unrelated data, causing a | ||
17 | crash in the XSELINUX code when trying to (re)use the security ID. | ||
18 | |||
19 | CVE-2024-0409 | ||
20 | |||
21 | Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> | ||
22 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
23 | |||
24 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7] | ||
25 | CVE: CVE-2024-0409 | ||
26 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
27 | --- | ||
28 | hw/kdrive/ephyr/ephyrcursor.c | 2 +- | ||
29 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
30 | |||
31 | diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c | ||
32 | index f991899..3f192d0 100644 | ||
33 | --- a/hw/kdrive/ephyr/ephyrcursor.c | ||
34 | +++ b/hw/kdrive/ephyr/ephyrcursor.c | ||
35 | @@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = { | ||
36 | Bool | ||
37 | ephyrCursorInit(ScreenPtr screen) | ||
38 | { | ||
39 | - if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS, | ||
40 | + if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR, | ||
41 | sizeof(ephyrCursorRec))) | ||
42 | return FALSE; | ||
43 | |||
44 | -- | ||
45 | 2.25.1 | ||
46 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch new file mode 100644 index 0000000000..7c8fbcc3ec --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch | |||
@@ -0,0 +1,113 @@ | |||
1 | From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 4 Jan 2024 10:01:24 +1000 | ||
4 | Subject: [PATCH] Xi: flush hierarchy events after adding/removing master | ||
5 | devices | ||
6 | |||
7 | The `XISendDeviceHierarchyEvent()` function allocates space to store up | ||
8 | to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`. | ||
9 | |||
10 | If a device with a given ID was removed and a new device with the same | ||
11 | ID added both in the same operation, the single device ID will lead to | ||
12 | two info structures being written to `info`. | ||
13 | |||
14 | Since this case can occur for every device ID at once, a total of two | ||
15 | times `MAXDEVICES` info structures might be written to the allocation. | ||
16 | |||
17 | To avoid it, once one add/remove master is processed, send out the | ||
18 | device hierarchy event for the current state and continue. That event | ||
19 | thus only ever has exactly one of either added/removed in it (and | ||
20 | optionally slave attached/detached). | ||
21 | |||
22 | CVE-2024-21885, ZDI-CAN-22744 | ||
23 | |||
24 | This vulnerability was discovered by: | ||
25 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
26 | |||
27 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1] | ||
28 | CVE: CVE-2024-21885 | ||
29 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
30 | --- | ||
31 | Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++----- | ||
32 | 1 file changed, 22 insertions(+), 5 deletions(-) | ||
33 | |||
34 | diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c | ||
35 | index d2d985848d..72d00451e3 100644 | ||
36 | --- a/Xi/xichangehierarchy.c | ||
37 | +++ b/Xi/xichangehierarchy.c | ||
38 | @@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
39 | size_t len; /* length of data remaining in request */ | ||
40 | int rc = Success; | ||
41 | int flags[MAXDEVICES] = { 0 }; | ||
42 | + enum { | ||
43 | + NO_CHANGE, | ||
44 | + FLUSH, | ||
45 | + CHANGED, | ||
46 | + } changes = NO_CHANGE; | ||
47 | |||
48 | REQUEST(xXIChangeHierarchyReq); | ||
49 | REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq); | ||
50 | @@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
51 | rc = add_master(client, c, flags); | ||
52 | if (rc != Success) | ||
53 | goto unwind; | ||
54 | - } | ||
55 | + changes = FLUSH; | ||
56 | break; | ||
57 | + } | ||
58 | case XIRemoveMaster: | ||
59 | { | ||
60 | xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; | ||
61 | @@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
62 | rc = remove_master(client, r, flags); | ||
63 | if (rc != Success) | ||
64 | goto unwind; | ||
65 | - } | ||
66 | + changes = FLUSH; | ||
67 | break; | ||
68 | + } | ||
69 | case XIDetachSlave: | ||
70 | { | ||
71 | xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; | ||
72 | @@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
73 | rc = detach_slave(client, c, flags); | ||
74 | if (rc != Success) | ||
75 | goto unwind; | ||
76 | - } | ||
77 | + changes = CHANGED; | ||
78 | break; | ||
79 | + } | ||
80 | case XIAttachSlave: | ||
81 | { | ||
82 | xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; | ||
83 | @@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client) | ||
84 | rc = attach_slave(client, c, flags); | ||
85 | if (rc != Success) | ||
86 | goto unwind; | ||
87 | + changes = CHANGED; | ||
88 | + break; | ||
89 | } | ||
90 | + default: | ||
91 | break; | ||
92 | } | ||
93 | |||
94 | + if (changes == FLUSH) { | ||
95 | + XISendDeviceHierarchyEvent(flags); | ||
96 | + memset(flags, 0, sizeof(flags)); | ||
97 | + changes = NO_CHANGE; | ||
98 | + } | ||
99 | + | ||
100 | len -= any->length * 4; | ||
101 | any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); | ||
102 | } | ||
103 | |||
104 | unwind: | ||
105 | - | ||
106 | - XISendDeviceHierarchyEvent(flags); | ||
107 | + if (changes != NO_CHANGE) | ||
108 | + XISendDeviceHierarchyEvent(flags); | ||
109 | return rc; | ||
110 | } | ||
111 | -- | ||
112 | GitLab | ||
113 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch new file mode 100644 index 0000000000..1e1c782963 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch | |||
@@ -0,0 +1,74 @@ | |||
1 | From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com> | ||
3 | Date: Fri, 22 Dec 2023 18:28:31 +0100 | ||
4 | Subject: [PATCH] Xi: do not keep linked list pointer during recursion | ||
5 | |||
6 | The `DisableDevice()` function is called whenever an enabled device | ||
7 | is disabled and it moves the device from the `inputInfo.devices` linked | ||
8 | list to the `inputInfo.off_devices` linked list. | ||
9 | |||
10 | However, its link/unlink operation has an issue during the recursive | ||
11 | call to `DisableDevice()` due to the `prev` pointer pointing to a | ||
12 | removed device. | ||
13 | |||
14 | This issue leads to a length mismatch between the total number of | ||
15 | devices and the number of device in the list, leading to a heap | ||
16 | overflow and, possibly, to local privilege escalation. | ||
17 | |||
18 | Simplify the code that checked whether the device passed to | ||
19 | `DisableDevice()` was in `inputInfo.devices` or not and find the | ||
20 | previous device after the recursion. | ||
21 | |||
22 | CVE-2024-21886, ZDI-CAN-22840 | ||
23 | |||
24 | This vulnerability was discovered by: | ||
25 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
26 | |||
27 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b] | ||
28 | CVE: CVE-2024-21886 | ||
29 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
30 | --- | ||
31 | dix/devices.c | 15 ++++++++++++--- | ||
32 | 1 file changed, 12 insertions(+), 3 deletions(-) | ||
33 | |||
34 | diff --git a/dix/devices.c b/dix/devices.c | ||
35 | index dca98c8d1b..389d28a23c 100644 | ||
36 | --- a/dix/devices.c | ||
37 | +++ b/dix/devices.c | ||
38 | @@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) | ||
39 | { | ||
40 | DeviceIntPtr *prev, other; | ||
41 | BOOL enabled; | ||
42 | + BOOL dev_in_devices_list = FALSE; | ||
43 | int flags[MAXDEVICES] = { 0 }; | ||
44 | |||
45 | if (!dev->enabled) | ||
46 | return TRUE; | ||
47 | |||
48 | - for (prev = &inputInfo.devices; | ||
49 | - *prev && (*prev != dev); prev = &(*prev)->next); | ||
50 | - if (*prev != dev) | ||
51 | + for (other = inputInfo.devices; other; other = other->next) { | ||
52 | + if (other == dev) { | ||
53 | + dev_in_devices_list = TRUE; | ||
54 | + break; | ||
55 | + } | ||
56 | + } | ||
57 | + | ||
58 | + if (!dev_in_devices_list) | ||
59 | return FALSE; | ||
60 | |||
61 | TouchEndPhysicallyActiveTouches(dev); | ||
62 | @@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) | ||
63 | LeaveWindow(dev); | ||
64 | SetFocusOut(dev); | ||
65 | |||
66 | + for (prev = &inputInfo.devices; | ||
67 | + *prev && (*prev != dev); prev = &(*prev)->next); | ||
68 | + | ||
69 | *prev = dev->next; | ||
70 | dev->next = inputInfo.off_devices; | ||
71 | inputInfo.off_devices = dev; | ||
72 | -- | ||
73 | GitLab | ||
74 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch new file mode 100644 index 0000000000..af607df4f0 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Fri, 5 Jan 2024 09:40:27 +1000 | ||
4 | Subject: [PATCH] dix: when disabling a master, float disabled slaved devices | ||
5 | too | ||
6 | |||
7 | Disabling a master device floats all slave devices but we didn't do this | ||
8 | to already-disabled slave devices. As a result those devices kept their | ||
9 | reference to the master device resulting in access to already freed | ||
10 | memory if the master device was removed before the corresponding slave | ||
11 | device. | ||
12 | |||
13 | And to match this behavior, also forcibly reset that pointer during | ||
14 | CloseDownDevices(). | ||
15 | |||
16 | Related to CVE-2024-21886, ZDI-CAN-22840 | ||
17 | |||
18 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8] | ||
19 | CVE: CVE-2024-21886 | ||
20 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
21 | --- | ||
22 | dix/devices.c | 12 ++++++++++++ | ||
23 | 1 file changed, 12 insertions(+) | ||
24 | |||
25 | diff --git a/dix/devices.c b/dix/devices.c | ||
26 | index 389d28a23c..84a6406d13 100644 | ||
27 | --- a/dix/devices.c | ||
28 | +++ b/dix/devices.c | ||
29 | @@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) | ||
30 | flags[other->id] |= XISlaveDetached; | ||
31 | } | ||
32 | } | ||
33 | + | ||
34 | + for (other = inputInfo.off_devices; other; other = other->next) { | ||
35 | + if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) { | ||
36 | + AttachDevice(NULL, other, NULL); | ||
37 | + flags[other->id] |= XISlaveDetached; | ||
38 | + } | ||
39 | + } | ||
40 | } | ||
41 | else { | ||
42 | for (other = inputInfo.devices; other; other = other->next) { | ||
43 | @@ -1088,6 +1095,11 @@ CloseDownDevices(void) | ||
44 | dev->master = NULL; | ||
45 | } | ||
46 | |||
47 | + for (dev = inputInfo.off_devices; dev; dev = dev->next) { | ||
48 | + if (!IsMaster(dev) && !IsFloating(dev)) | ||
49 | + dev->master = NULL; | ||
50 | + } | ||
51 | + | ||
52 | CloseDeviceList(&inputInfo.devices); | ||
53 | CloseDeviceList(&inputInfo.off_devices); | ||
54 | |||
55 | -- | ||
56 | GitLab | ||
57 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index 4fdf3a0ec3..d6c6c5bd45 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb | |||
@@ -20,6 +20,16 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat | |||
20 | file://CVE-2023-5380.patch \ | 20 | file://CVE-2023-5380.patch \ |
21 | file://CVE-2023-6377.patch \ | 21 | file://CVE-2023-6377.patch \ |
22 | file://CVE-2023-6478.patch \ | 22 | file://CVE-2023-6478.patch \ |
23 | file://CVE-2023-6816.patch \ | ||
24 | file://CVE-2024-0229-1.patch \ | ||
25 | file://CVE-2024-0229-2.patch \ | ||
26 | file://CVE-2024-0229-3.patch \ | ||
27 | file://CVE-2024-0229-4.patch \ | ||
28 | file://CVE-2024-21885.patch \ | ||
29 | file://CVE-2024-21886-1.patch \ | ||
30 | file://CVE-2024-21886-2.patch \ | ||
31 | file://CVE-2024-0408.patch \ | ||
32 | file://CVE-2024-0409.patch \ | ||
23 | " | 33 | " |
24 | SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" | 34 | SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" |
25 | SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" | 35 | SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" |