xserver-xorg: Security fix CVE-2023-0494 and CVE-2023-1393

Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec & https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3502f61ca722a7a3373507e88ef64110] (From OE-Core rev: 0a29894da0b41f8494f72ded25916887b4a5c729) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-05-30 11:32:48 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-06-13 04:00:11 -1000
commit: 09a8d858157381e3af8b0bf75482e79147ed135f (patch)
tree: 6706dfe5fe38019d415b924fd6ae0577627fae28
parent: 34d7cb536a6a653f88b293f4591f23c38dd9dcd3 (diff)
download: poky-09a8d858157381e3af8b0bf75482e79147ed135f.tar.gz
3 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
new file mode 100644
index 0000000000..ef2ee5d55e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
@@ -0,0 +1,38 @@
+From 0ba6d8c37071131a49790243cdac55392ecf71ec Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 25 Jan 2023 11:41:40 +1000
+Subject: [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses
+CVE-2023-0494, ZDI-CAN-19596
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec]
+CVE: CVE-2023-0494
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/exevents.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 217baa9561..dcd4efb3bc 100644
+--- a/Xi/exevents.c
+++ b/Xi/exevents.c
+@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+             memcpy(to->button->xkb_acts, from->button->xkb_acts,
+                    sizeof(XkbAction));
+         }
+-        else
+        else {
+             free(to->button->xkb_acts);
+            to->button->xkb_acts = NULL;
+        }
+ 
+         memcpy(to->button->labels, from->button->labels,
+                from->button->numButtons * sizeof(Atom));
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
new file mode 100644
index 0000000000..51d0e0cab6
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
@@ -0,0 +1,46 @@
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH] composite: Fix use-after-free of the COW
+ZDI-CAN-19866/CVE-2023-1393
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3502f61ca722a7a3373507e88ef64110]
+CVE: CVE-2023-1393
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/composite/compwindow.c b/composite/compwindow.c
+index 4e2494b86b..b30da589e9 100644
+--- a/composite/compwindow.c
+++ b/composite/compwindow.c
+@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
+     ret = (*pScreen->DestroyWindow) (pWin);
+     cs->DestroyWindow = pScreen->DestroyWindow;
+     pScreen->DestroyWindow = compDestroyWindow;
+
+    /* Did we just destroy the overlay window? */
+    if (pWin == cs->pOverlayWin)
+        cs->pOverlayWin = NULL;
+
+ /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+     return ret;
+ }
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index ab18a87a3d..5c604fa86e 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -14,6 +14,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2022-46342.patch \
           file://CVE-2022-46343.patch \
           file://CVE-2022-46344.patch \
+           file://CVE-2023-0494.patch \
+           file://CVE-2023-1393.patch \
 "
 SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
 SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
author	Vijay Anusuri <vanusuri@mvista.com>	2023-05-30 11:32:48 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-06-13 04:00:11 -1000
commit	09a8d858157381e3af8b0bf75482e79147ed135f (patch)
tree	6706dfe5fe38019d415b924fd6ae0577627fae28
parent	34d7cb536a6a653f88b293f4591f23c38dd9dcd3 (diff)
download	poky-09a8d858157381e3af8b0bf75482e79147ed135f.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch new file mode 100644 index 0000000000..ef2ee5d55e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
@@ -0,0 +1,38 @@
		1	From 0ba6d8c37071131a49790243cdac55392ecf71ec Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Wed, 25 Jan 2023 11:41:40 +1000
		4	Subject: [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses
		5
		6	CVE-2023-0494, ZDI-CAN-19596
		7
		8	This vulnerability was discovered by:
		9	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		10
		11	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		12
		13	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec]
		14	CVE: CVE-2023-0494
		15	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		16	---
		17	Xi/exevents.c \| 4 +++-
		18	1 file changed, 3 insertions(+), 1 deletion(-)
		19
		20	diff --git a/Xi/exevents.c b/Xi/exevents.c
		21	index 217baa9561..dcd4efb3bc 100644
		22	--- a/Xi/exevents.c
		23	+++ b/Xi/exevents.c
		24	@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
		25	memcpy(to->button->xkb_acts, from->button->xkb_acts,
		26	sizeof(XkbAction));
		27	}
		28	- else
		29	+ else {
		30	free(to->button->xkb_acts);
		31	+ to->button->xkb_acts = NULL;
		32	+ }
		33
		34	memcpy(to->button->labels, from->button->labels,
		35	from->button->numButtons * sizeof(Atom));
		36	--
		37	GitLab
		38


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch new file mode 100644 index 0000000000..51d0e0cab6 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
@@ -0,0 +1,46 @@
		1	From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 13 Mar 2023 11:08:47 +0100
		4	Subject: [PATCH] composite: Fix use-after-free of the COW
		5
		6	ZDI-CAN-19866/CVE-2023-1393
		7
		8	If a client explicitly destroys the compositor overlay window (aka COW),
		9	we would leave a dangling pointer to that window in the CompScreen
		10	structure, which will trigger a use-after-free later.
		11
		12	Make sure to clear the CompScreen pointer to the COW when the latter gets
		13	destroyed explicitly by the client.
		14
		15	This vulnerability was discovered by:
		16	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		17
		18	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		19	Reviewed-by: Adam Jackson <ajax@redhat.com>
		20
		21	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3502f61ca722a7a3373507e88ef64110]
		22	CVE: CVE-2023-1393
		23	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		24	---
		25	composite/compwindow.c \| 5 +++++
		26	1 file changed, 5 insertions(+)
		27
		28	diff --git a/composite/compwindow.c b/composite/compwindow.c
		29	index 4e2494b86b..b30da589e9 100644
		30	--- a/composite/compwindow.c
		31	+++ b/composite/compwindow.c
		32	@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
		33	ret = (*pScreen->DestroyWindow) (pWin);
		34	cs->DestroyWindow = pScreen->DestroyWindow;
		35	pScreen->DestroyWindow = compDestroyWindow;
		36	+
		37	+ /* Did we just destroy the overlay window? */
		38	+ if (pWin == cs->pOverlayWin)
		39	+ cs->pOverlayWin = NULL;
		40	+
		41	/* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
		42	return ret;
		43	}
		44	--
		45	GitLab
		46


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index ab18a87a3d..5c604fa86e 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -14,6 +14,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
14	file://CVE-2022-46342.patch \	14	file://CVE-2022-46342.patch \
15	file://CVE-2022-46343.patch \	15	file://CVE-2022-46343.patch \
16	file://CVE-2022-46344.patch \	16	file://CVE-2022-46344.patch \
		17	file://CVE-2023-0494.patch \
		18	file://CVE-2023-1393.patch \
17	"	19	"
18	SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"	20	SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
19	SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"	21	SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"