diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2024-04-10 06:19:31 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-04-19 04:50:38 -0700 |
commit | 0603438c81bc53a807ed85ebe1538f52a7b78887 (patch) | |
tree | cc1ae4b444d54831a9ba89fb45fdd886127f1648 | |
parent | a095c9e6a349ecf5e73e74d05cb6a815877155bf (diff) | |
download | poky-0603438c81bc53a807ed85ebe1538f52a7b78887.tar.gz |
xserver-xorg: Fix for CVE-2024-31080 and CVE-2024-31081
Upstream-Status: Backport from
https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b
& https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee
(From OE-Core rev: 223950f9c748f89ee1b2a9df9cd77a0099e74581)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch new file mode 100644 index 0000000000..40296903cd --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
3 | Date: Fri, 22 Mar 2024 18:51:45 -0700 | ||
4 | Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to | ||
5 | send reply | ||
6 | |||
7 | CVE-2024-31080 | ||
8 | |||
9 | Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762 | ||
10 | Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.") | ||
11 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
12 | Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463> | ||
13 | |||
14 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b] | ||
15 | CVE: CVE-2024-31080 | ||
16 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
17 | --- | ||
18 | Xi/xiselectev.c | 5 ++++- | ||
19 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c | ||
22 | index edcb8a0d36..ac14949871 100644 | ||
23 | --- a/Xi/xiselectev.c | ||
24 | +++ b/Xi/xiselectev.c | ||
25 | @@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client) | ||
26 | InputClientsPtr others = NULL; | ||
27 | xXIEventMask *evmask = NULL; | ||
28 | DeviceIntPtr dev; | ||
29 | + uint32_t length; | ||
30 | |||
31 | REQUEST(xXIGetSelectedEventsReq); | ||
32 | REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); | ||
33 | @@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client) | ||
34 | } | ||
35 | } | ||
36 | |||
37 | + /* save the value before SRepXIGetSelectedEvents swaps it */ | ||
38 | + length = reply.length; | ||
39 | WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); | ||
40 | |||
41 | if (reply.num_masks) | ||
42 | - WriteToClient(client, reply.length * 4, buffer); | ||
43 | + WriteToClient(client, length * 4, buffer); | ||
44 | |||
45 | free(buffer); | ||
46 | return Success; | ||
47 | -- | ||
48 | GitLab | ||
49 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch new file mode 100644 index 0000000000..4380004700 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
3 | Date: Fri, 22 Mar 2024 18:56:27 -0700 | ||
4 | Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to | ||
5 | send reply | ||
6 | |||
7 | CVE-2024-31081 | ||
8 | |||
9 | Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.") | ||
10 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
11 | Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463> | ||
12 | |||
13 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee] | ||
14 | CVE: CVE-2024-31081 | ||
15 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
16 | --- | ||
17 | Xi/xipassivegrab.c | 5 ++++- | ||
18 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c | ||
21 | index c9ac2f8553..896233bec2 100644 | ||
22 | --- a/Xi/xipassivegrab.c | ||
23 | +++ b/Xi/xipassivegrab.c | ||
24 | @@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client) | ||
25 | GrabParameters param; | ||
26 | void *tmp; | ||
27 | int mask_len; | ||
28 | + uint32_t length; | ||
29 | |||
30 | REQUEST(xXIPassiveGrabDeviceReq); | ||
31 | REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, | ||
32 | @@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client) | ||
33 | } | ||
34 | } | ||
35 | |||
36 | + /* save the value before SRepXIPassiveGrabDevice swaps it */ | ||
37 | + length = rep.length; | ||
38 | WriteReplyToClient(client, sizeof(rep), &rep); | ||
39 | if (rep.num_modifiers) | ||
40 | - WriteToClient(client, rep.length * 4, modifiers_failed); | ||
41 | + WriteToClient(client, length * 4, modifiers_failed); | ||
42 | |||
43 | out: | ||
44 | free(modifiers_failed); | ||
45 | -- | ||
46 | GitLab | ||
47 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index e62babd4cb..b9eed92103 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb | |||
@@ -16,6 +16,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat | |||
16 | file://CVE-2024-21886-2.patch \ | 16 | file://CVE-2024-21886-2.patch \ |
17 | file://CVE-2024-0408.patch \ | 17 | file://CVE-2024-0408.patch \ |
18 | file://CVE-2024-0409.patch \ | 18 | file://CVE-2024-0409.patch \ |
19 | file://CVE-2024-31080.patch \ | ||
20 | file://CVE-2024-31081.patch \ | ||
19 | " | 21 | " |
20 | SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" | 22 | SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" |
21 | 23 | ||