author | Vijay Anusuri <vanusuri@mvista.com> | 2023-11-15 12:13:44 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-12-01 04:14:18 -1000 |
commit | 63909c1cc69255721d08a8e8c532dc38b4d1106f (patch) | |
tree | 914007b962138f15221768293646d8e6fe5bb16f | |
parent | 455398490462728c44b9951af96c1aa61a5679e2 (diff) | |
download | poky-63909c1cc69255721d08a8e8c532dc38b4d1106f.tar.gz |
libx11: Fix for CVE-2023-43785 CVE-2023-43786 and CVE-2023-43787
import patches from ubuntu to fix
CVE-2023-43785
CVE-2023-43786
CVE-2023-43787
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
Reference: https://launchpad.net/ubuntu/+source/libx11/2:1.6.9-2ubuntu1.6
(From OE-Core rev: 0ebeabda9096b44ead2293356c5947367c6042fe)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
6 files changed, 272 insertions, 0 deletions
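--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+_XkbReadKeySyms()
+
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
+CVE: CVE-2023-43785
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/xkb/XKBGetMap.c | 14 +++++++++-----
+1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
++++ b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+if (offset + newMap->nSyms >= map->size_syms) {
+register int sz;
+
+- sz = map->size_syms + 128;
++ sz = offset + newMap->nSyms;
++ sz = ((sz + (unsigned) 128) / 128) * 128;
+_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+if (map->syms == NULL) {
+map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+map->size_syms = sz;
+}
+if (newMap->nSyms > 0) {
+- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+- newMap->nSyms);
++ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
++ newMap->nSyms) == 0)
++ return BadLength;
+offset += newMap->nSyms;
+}
+else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+if (newSyms == NULL)
+return BadAlloc;
+- if (newMap->nSyms > 0)
+- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
++ if (newMap->nSyms > 0) {
++ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
++ return BadLength;
++ }
+else
+newSyms[0] = NoSymbol;
+oldMap->kt_index[0] = newMap->ktIndex[0];
+--
+2.39.3
+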
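Review bot: The rounding line `sz = ((sz + (unsigned) 128) / 128) * 128;` carries no comment, and it mixes the signed `sz` with an unsigned constant before storing the result back into an `int`. As written it grows the array to the next multiple of 128 strictly above `offset + newMap->nSyms`, so there is always at least one spare slot, which matches the `>=` in the enclosing test; I would say so with `/* round up to the next multiple of 128 KeySyms, always leaving at least one spare slot */`. The two new `return BadLength;` exits leave `_XkbReadKeySyms()` part-way through its loop, so the caller presumably has to treat the map as invalid on error; the function body and its callers are outside these hunks.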
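--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
@@ -0,0 +1,42 @@
+From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:54:30 -0700
+Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite
+recursion in PutSubImage()
+
+When splitting a single line of pixels into chunks to send to the
+X server, be sure to take into account the number of bits per pixel,
+so we don't just loop forever trying to send more pixels than fit in
+the given request size and not breaking them down into a small enough
+chunk to fix.
+
+Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/PutImage.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index 857ee916..a6db7b42 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -914,8 +914,9 @@ PutSubImage (
+req_width, req_height - SubImageHeight,
+dest_bits_per_pixel, dest_scanline_pad);
+} else {
+- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
+- * dest_scanline_pad) - left_pad;
++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
++ * dest_scanline_pad) - left_pad)
++ / dest_bits_per_pixel;
+
+PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
+(unsigned int) SubImageWidth, 1,
+--
+2.39.3
+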
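Review bot: The new `/ dest_bits_per_pixel` divisor is not checked for zero anywhere in the visible lines, and nothing here ensures the quotient `SubImageWidth` is at least 1. If it ever came out as 0, the split would make no progress on the scanline, which is the same non-terminating recursion this patch is meant to remove. Whether either case can occur depends on how `Available` and `dest_bits_per_pixel` are derived above the hunk, which is not shown. A defensive `if (SubImageWidth <= 0) return;` before the recursive calls would make termination explicit, and belongs upstream rather than in this backport.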
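--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
@@ -0,0 +1,46 @@
+From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:55:04 -0700
+Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
+allowed by protocol
+
+The PutImage request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), same as the maximum dimensions of an X11
+Drawable, which the image is being copied to.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/PutImage.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index a6db7b42..ba411e36 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+#include "Xlibint.h"
+#include "Xutil.h"
+#include <stdio.h>
++#include <limits.h>
+#include "Cr.h"
+#include "ImUtil.h"
+#include "reallocarray.h"
+@@ -962,6 +963,10 @@ XPutImage (
+height = image->height - req_yoffset;
+if ((width <= 0) || (height <= 0))
+return 0;
++ if (width > USHRT_MAX)
++ width = USHRT_MAX;
++ if (height > USHRT_MAX)
++ height = USHRT_MAX;
+
+if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
+dest_bits_per_pixel = 1;
+--
+2.39.3
+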
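Review bot: The two clamps added before the `image->bits_per_pixel` test truncate an oversized request to `USHRT_MAX` silently, with no comment and no error. The companion XCreatePixmap change in this series does document its choice and forces a BadValue instead. I would add `/* PutImage carries width and height as CARD16; clip here so larger values cannot wrap when stored in the request */` above the first new `if`, so the difference in policy is visible. The declarations of `width` and `height` are outside the hunk; the comparison presumably relies on them being wider than 16 bits.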
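--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
+From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 16:12:27 -0700
+Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
+out-of-range dimensions
+
+The CreatePixmap request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), so if either is larger than that, set it to 0
+so the X server returns a BadValue error as the protocol requires.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/CrPixmap.c | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/src/CrPixmap.c b/src/CrPixmap.c
+index cdf31207..3cb2ca6d 100644
+--- a/src/CrPixmap.c
++++ b/src/CrPixmap.c
+@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
+#include <config.h>
+#endif
+#include "Xlibint.h"
++#include <limits.h>
+
+#ifdef USE_DYNAMIC_XCURSOR
+void
+@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
+Pixmap pid;
+register xCreatePixmapReq *req;
+
++ /*
++ * Force a BadValue X Error if the requested dimensions are larger
++ * than the X11 protocol has room for, since that's how callers expect
++ * to get notified of errors.
++ */
++ if (width > USHRT_MAX)
++ width = 0;
++ if (height > USHRT_MAX)
++ height = 0;
++
+LockDisplay(dpy);
+GetReq(CreatePixmap, req);
+req->drawable = d;
+--
+2.39.3
+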
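Review bot: Substituting 0 for an oversized dimension means the BadValue error that comes back would presumably name 0 rather than the value the caller passed, which the block comment above `if (width > USHRT_MAX)` does not mention. I would extend that comment with a sentence such as `The error will report 0, not the original dimension.` so that whoever debugs the X error is not misled. The rest of XCreatePixmap(), including what it returns in this case, is outside the hunk.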
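--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
@@ -0,0 +1,64 @@
+From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
+From: Yair Mizrahi <yairm@jfrog.com>
+Date: Thu, 7 Sep 2023 16:15:32 -0700
+Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
+leading to a heap overflow
+
+When the format is `Pixmap` it calculates the size of the image data as:
+ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+There is no validation on the `width` of the image, and so this
+calculation exceeds the capacity of a 4-byte integer, causing an overflow.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/ImUtil.c | 20 +++++++++++++++-----
+1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 36f08a03..fbfad33e 100644
+--- a/src/ImUtil.c
++++ b/src/ImUtil.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+#include <X11/Xlibint.h>
+#include <X11/Xutil.h>
+#include <stdio.h>
++#include <limits.h>
+#include "ImUtil.h"
+
+static int _XDestroyImage(XImage *);
+@@ -361,13 +362,22 @@ XImage *XCreateImage (
+/*
+* compute per line accelerator.
+*/
+- {
+- if (format == ZPixmap)
++ if (format == ZPixmap) {
++ if ((INT_MAX / bits_per_pixel) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+min_bytes_per_line =
+- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+- else
++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
++ } else {
++ if ((INT_MAX - offset) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+min_bytes_per_line =
+- ROUNDUP((width + offset), image->bitmap_pad);
++ ROUNDUP((width + offset), image->bitmap_pad);
+}
+if (image_bytes_per_line == 0) {
+image->bytes_per_line = min_bytes_per_line;
+--
+2.39.3
+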
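Review bot: The new guards bound the bit count of a single scanline only, and both depend on values whose validation is not in the hunk: `INT_MAX / bits_per_pixel` needs `bits_per_pixel` to be non-zero, and `INT_MAX - offset` needs `offset` to be non-negative. Nothing here limits the full image size, so code that multiplies `bytes_per_line` by the height presumably still has to check that product itself. I would add a comment above the ZPixmap check, `/* reject widths whose per-line bit count overflows int; total size (bytes_per_line * height) is not checked here */`, so readers do not take this for a complete size check. The rest of XCreateImage(), including any earlier argument validation, is outside the hunk.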
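--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -19,6 +19,11 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
 file://CVE-2022-3554.patch \
 file://CVE-2022-3555.patch \
 file://CVE-2023-3138.patch \
+file://CVE-2023-43785.patch \
+file://CVE-2023-43786-1.patch \
+file://CVE-2023-43786-2.patch \
+file://CVE-2023-43787-1.patch \
+file://CVE-2023-43787-2.patch \
 "
 
 SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"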