libx11: Fix for CVE-2023-43785 CVE-2023-43786 and CVE-2023-43787

import patches from ubuntu to fix CVE-2023-43785 CVE-2023-43786 CVE-2023-43787 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f & https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86 & https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a & https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b & https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0] Reference: https://launchpad.net/ubuntu/+source/libx11/2:1.6.9-2ubuntu1.6 (From OE-Core rev: 0ebeabda9096b44ead2293356c5947367c6042fe) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-11-15 12:13:44 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-12-01 04:14:18 -1000
commit: 63909c1cc69255721d08a8e8c532dc38b4d1106f (patch)
tree: 914007b962138f15221768293646d8e6fe5bb16f
parent: 455398490462728c44b9951af96c1aa61a5679e2 (diff)
download: poky-63909c1cc69255721d08a8e8c532dc38b4d1106f.tar.gz
6 files changed, 272 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
new file mode 100644
index 0000000000..dbdf096fc8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+ _XkbReadKeySyms()
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
+CVE: CVE-2023-43785
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/xkb/XKBGetMap.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+             if (offset + newMap->nSyms >= map->size_syms) {
+                 register int sz;
+ 
+-                sz = map->size_syms + 128;
+                sz = offset + newMap->nSyms;
+                sz = ((sz + (unsigned) 128) / 128) * 128;
+                 _XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+                 if (map->syms == NULL) {
+                     map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+                 map->size_syms = sz;
+             }
+             if (newMap->nSyms > 0) {
+-                _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+-                                          newMap->nSyms);
+                if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+                                              newMap->nSyms) == 0)
+                    return BadLength;
+                 offset += newMap->nSyms;
+             }
+             else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+             newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+             if (newSyms == NULL)
+                 return BadAlloc;
+-            if (newMap->nSyms > 0)
+-                _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
+            if (newMap->nSyms > 0) {
+                if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
+                    return BadLength;
+            }
+             else
+                 newSyms[0] = NoSymbol;
+             oldMap->kt_index[0] = newMap->ktIndex[0];
+-- 
+2.39.3
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
new file mode 100644
index 0000000000..31a99eb4ac
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
@@ -0,0 +1,42 @@
+From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:54:30 -0700
+Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite
+ recursion in PutSubImage()
+When splitting a single line of pixels into chunks to send to the
+X server, be sure to take into account the number of bits per pixel,
+so we don't just loop forever trying to send more pixels than fit in
+the given request size and not breaking them down into a small enough
+chunk to fix.
+Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/PutImage.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/src/PutImage.c b/src/PutImage.c
+index 857ee916..a6db7b42 100644
+--- a/src/PutImage.c
+++ b/src/PutImage.c
+@@ -914,8 +914,9 @@ PutSubImage (
+                    req_width, req_height - SubImageHeight,
+                    dest_bits_per_pixel, dest_scanline_pad);
+     } else {
+-       int SubImageWidth = (((Available << 3) / dest_scanline_pad)
+-                               * dest_scanline_pad) - left_pad;
+       int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
+                              * dest_scanline_pad) - left_pad)
+                              / dest_bits_per_pixel;
+ 
+        PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
+                    (unsigned int) SubImageWidth, 1,
+-- 
+2.39.3
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
new file mode 100644
index 0000000000..4800bedf41
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
@@ -0,0 +1,46 @@
+From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:55:04 -0700
+Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
+ allowed by protocol
+The PutImage request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), same as the maximum dimensions of an X11
+Drawable, which the image is being copied to.
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/PutImage.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/src/PutImage.c b/src/PutImage.c
+index a6db7b42..ba411e36 100644
+--- a/src/PutImage.c
+++ b/src/PutImage.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include "Xlibint.h"
+ #include "Xutil.h"
+ #include <stdio.h>
+#include <limits.h>
+ #include "Cr.h"
+ #include "ImUtil.h"
+ #include "reallocarray.h"
+@@ -962,6 +963,10 @@ XPutImage (
+        height = image->height - req_yoffset;
+     if ((width <= 0) || (height <= 0))
+        return 0;
+    if (width > USHRT_MAX)
+        width = USHRT_MAX;
+    if (height > USHRT_MAX)
+        height = USHRT_MAX;
+ 
+     if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
+        dest_bits_per_pixel = 1;
+-- 
+2.39.3
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
new file mode 100644
index 0000000000..d35d96c4dc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
+From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 16:12:27 -0700
+Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
+ out-of-range dimensions
+The CreatePixmap request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), so if either is larger than that, set it to 0
+so the X server returns a BadValue error as the protocol requires.
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/CrPixmap.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/src/CrPixmap.c b/src/CrPixmap.c
+index cdf31207..3cb2ca6d 100644
+--- a/src/CrPixmap.c
+++ b/src/CrPixmap.c
+@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <config.h>
+ #endif
+ #include "Xlibint.h"
+#include <limits.h>
+ 
+ #ifdef USE_DYNAMIC_XCURSOR
+ void
+@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
+     Pixmap pid;
+     register xCreatePixmapReq *req;
+ 
+    /*
+     * Force a BadValue X Error if the requested dimensions are larger
+     * than the X11 protocol has room for, since that's how callers expect
+     * to get notified of errors.
+     */
+    if (width > USHRT_MAX)
+        width = 0;
+    if (height > USHRT_MAX)
+        height = 0;
+
+     LockDisplay(dpy);
+     GetReq(CreatePixmap, req);
+     req->drawable = d;
+-- 
+2.39.3
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
new file mode 100644
index 0000000000..110bd445df
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
@@ -0,0 +1,64 @@
+From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
+From: Yair Mizrahi <yairm@jfrog.com>
+Date: Thu, 7 Sep 2023 16:15:32 -0700
+Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
+ leading to a heap overflow
+When the format is `Pixmap` it calculates the size of the image data as:
+    ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+There is no validation on the `width` of the image, and so this
+calculation exceeds the capacity of a 4-byte integer, causing an overflow.
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/ImUtil.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 36f08a03..fbfad33e 100644
+--- a/src/ImUtil.c
+++ b/src/ImUtil.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include <stdio.h>
+#include <limits.h>
+ #include "ImUtil.h"
+ 
+ static int _XDestroyImage(XImage *);
+@@ -361,13 +362,22 @@ XImage *XCreateImage (
+        /*
+         * compute per line accelerator.
+         */
+-       {
+-       if (format == ZPixmap)
+       if (format == ZPixmap) {
+           if ((INT_MAX / bits_per_pixel) < width) {
+               Xfree(image);
+               return NULL;
+           }
+
+            min_bytes_per_line =
+-              ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+-       else
+               ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+       } else {
+           if ((INT_MAX - offset) < width) {
+               Xfree(image);
+               return NULL;
+           }
+
+            min_bytes_per_line =
+-               ROUNDUP((width + offset), image->bitmap_pad);
+               ROUNDUP((width + offset), image->bitmap_pad);
+        }
+        if (image_bytes_per_line == 0) {
+            image->bytes_per_line = min_bytes_per_line;
+-- 
+2.39.3
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
index 568162a911..248889a1d4 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -19,6 +19,11 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
            file://CVE-2022-3554.patch \
            file://CVE-2022-3555.patch \
            file://CVE-2023-3138.patch \
+            file://CVE-2023-43785.patch \
+            file://CVE-2023-43786-1.patch \
+            file://CVE-2023-43786-2.patch \
+            file://CVE-2023-43787-1.patch \
+            file://CVE-2023-43787-2.patch \
 "
 SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"
author	Vijay Anusuri <vanusuri@mvista.com>	2023-11-15 12:13:44 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-12-01 04:14:18 -1000
commit	63909c1cc69255721d08a8e8c532dc38b4d1106f (patch)
tree	914007b962138f15221768293646d8e6fe5bb16f
parent	455398490462728c44b9951af96c1aa61a5679e2 (diff)
download	poky-63909c1cc69255721d08a8e8c532dc38b4d1106f.tar.gz

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch new file mode 100644 index 0000000000..dbdf096fc8 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
		1	From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
		2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
		3	Date: Sun, 17 Sep 2023 14:19:40 -0700
		4	Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
		5	_XkbReadKeySyms()
		6
		7	Make sure we allocate enough memory in the first place, and
		8	also handle error returns from _XkbReadBufferCopyKeySyms() when
		9	it detects out-of-bounds issues.
		10
		11	Reported-by: Gregory James DUCK <gjduck@gmail.com>
		12	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		13
		14	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
		15	Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
		16	CVE: CVE-2023-43785
		17	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		18	---
		19	src/xkb/XKBGetMap.c \| 14 +++++++++-----
		20	1 file changed, 9 insertions(+), 5 deletions(-)
		21
		22	diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
		23	index 2891d21e..31199e4a 100644
		24	--- a/src/xkb/XKBGetMap.c
		25	+++ b/src/xkb/XKBGetMap.c
		26	@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
		27	if (offset + newMap->nSyms >= map->size_syms) {
		28	register int sz;
		29
		30	- sz = map->size_syms + 128;
		31	+ sz = offset + newMap->nSyms;
		32	+ sz = ((sz + (unsigned) 128) / 128) * 128;
		33	_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
		34	if (map->syms == NULL) {
		35	map->size_syms = 0;
		36	@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
		37	map->size_syms = sz;
		38	}
		39	if (newMap->nSyms > 0) {
		40	- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
		41	- newMap->nSyms);
		42	+ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
		43	+ newMap->nSyms) == 0)
		44	+ return BadLength;
		45	offset += newMap->nSyms;
		46	}
		47	else {
		48	@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
		49	newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
		50	if (newSyms == NULL)
		51	return BadAlloc;
		52	- if (newMap->nSyms > 0)
		53	- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
		54	+ if (newMap->nSyms > 0) {
		55	+ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
		56	+ return BadLength;
		57	+ }
		58	else
		59	newSyms[0] = NoSymbol;
		60	oldMap->kt_index[0] = newMap->ktIndex[0];
		61	--
		62	2.39.3
		63


diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch new file mode 100644 index 0000000000..31a99eb4ac --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
@@ -0,0 +1,42 @@
		1	From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
		2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
		3	Date: Thu, 7 Sep 2023 15:54:30 -0700
		4	Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite
		5	recursion in PutSubImage()
		6
		7	When splitting a single line of pixels into chunks to send to the
		8	X server, be sure to take into account the number of bits per pixel,
		9	so we don't just loop forever trying to send more pixels than fit in
		10	the given request size and not breaking them down into a small enough
		11	chunk to fix.
		12
		13	Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
		14	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		15
		16	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch?h=ubuntu/focal-security
		17	Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86]
		18	CVE: CVE-2023-43786
		19	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		20	---
		21	src/PutImage.c \| 5 +++--
		22	1 file changed, 3 insertions(+), 2 deletions(-)
		23
		24	diff --git a/src/PutImage.c b/src/PutImage.c
		25	index 857ee916..a6db7b42 100644
		26	--- a/src/PutImage.c
		27	+++ b/src/PutImage.c
		28	@@ -914,8 +914,9 @@ PutSubImage (
		29	req_width, req_height - SubImageHeight,
		30	dest_bits_per_pixel, dest_scanline_pad);
		31	} else {
		32	- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
		33	- * dest_scanline_pad) - left_pad;
		34	+ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
		35	+ * dest_scanline_pad) - left_pad)
		36	+ / dest_bits_per_pixel;
		37
		38	PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
		39	(unsigned int) SubImageWidth, 1,
		40	--
		41	2.39.3
		42


diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch new file mode 100644 index 0000000000..4800bedf41 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
@@ -0,0 +1,46 @@
		1	From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
		2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
		3	Date: Thu, 7 Sep 2023 15:55:04 -0700
		4	Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
		5	allowed by protocol
		6
		7	The PutImage request specifies height & width of the image as CARD16
		8	(unsigned 16-bit integer), same as the maximum dimensions of an X11
		9	Drawable, which the image is being copied to.
		10
		11	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		12
		13	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security
		14	Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a]
		15	CVE: CVE-2023-43786
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	src/PutImage.c \| 5 +++++
		19	1 file changed, 5 insertions(+)
		20
		21	diff --git a/src/PutImage.c b/src/PutImage.c
		22	index a6db7b42..ba411e36 100644
		23	--- a/src/PutImage.c
		24	+++ b/src/PutImage.c
		25	@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
		26	#include "Xlibint.h"
		27	#include "Xutil.h"
		28	#include <stdio.h>
		29	+#include <limits.h>
		30	#include "Cr.h"
		31	#include "ImUtil.h"
		32	#include "reallocarray.h"
		33	@@ -962,6 +963,10 @@ XPutImage (
		34	height = image->height - req_yoffset;
		35	if ((width <= 0) \|\| (height <= 0))
		36	return 0;
		37	+ if (width > USHRT_MAX)
		38	+ width = USHRT_MAX;
		39	+ if (height > USHRT_MAX)
		40	+ height = USHRT_MAX;
		41
		42	if ((image->bits_per_pixel == 1) \|\| (image->format != ZPixmap)) {
		43	dest_bits_per_pixel = 1;
		44	--
		45	2.39.3
		46


diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch new file mode 100644 index 0000000000..d35d96c4dc --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
		1	From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
		2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
		3	Date: Thu, 7 Sep 2023 16:12:27 -0700
		4	Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
		5	out-of-range dimensions
		6
		7	The CreatePixmap request specifies height & width of the image as CARD16
		8	(unsigned 16-bit integer), so if either is larger than that, set it to 0
		9	so the X server returns a BadValue error as the protocol requires.
		10
		11	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		12
		13	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
		14	Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
		15	CVE: CVE-2023-43787
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	src/CrPixmap.c \| 11 +++++++++++
		19	1 file changed, 11 insertions(+)
		20
		21	diff --git a/src/CrPixmap.c b/src/CrPixmap.c
		22	index cdf31207..3cb2ca6d 100644
		23	--- a/src/CrPixmap.c
		24	+++ b/src/CrPixmap.c
		25	@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
		26	#include <config.h>
		27	#endif
		28	#include "Xlibint.h"
		29	+#include <limits.h>
		30
		31	#ifdef USE_DYNAMIC_XCURSOR
		32	void
		33	@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
		34	Pixmap pid;
		35	register xCreatePixmapReq *req;
		36
		37	+ /*
		38	+ * Force a BadValue X Error if the requested dimensions are larger
		39	+ * than the X11 protocol has room for, since that's how callers expect
		40	+ * to get notified of errors.
		41	+ */
		42	+ if (width > USHRT_MAX)
		43	+ width = 0;
		44	+ if (height > USHRT_MAX)
		45	+ height = 0;
		46	+
		47	LockDisplay(dpy);
		48	GetReq(CreatePixmap, req);
		49	req->drawable = d;
		50	--
		51	2.39.3
		52


diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch new file mode 100644 index 0000000000..110bd445df --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
@@ -0,0 +1,64 @@
		1	From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
		2	From: Yair Mizrahi <yairm@jfrog.com>
		3	Date: Thu, 7 Sep 2023 16:15:32 -0700
		4	Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
		5	leading to a heap overflow
		6
		7	When the format is `Pixmap` it calculates the size of the image data as:
		8	ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
		9	There is no validation on the `width` of the image, and so this
		10	calculation exceeds the capacity of a 4-byte integer, causing an overflow.
		11
		12	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		13
		14	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security
		15	Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
		16	CVE: CVE-2023-43787
		17	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		18	---
		19	src/ImUtil.c \| 20 +++++++++++++++-----
		20	1 file changed, 15 insertions(+), 5 deletions(-)
		21
		22	diff --git a/src/ImUtil.c b/src/ImUtil.c
		23	index 36f08a03..fbfad33e 100644
		24	--- a/src/ImUtil.c
		25	+++ b/src/ImUtil.c
		26	@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
		27	#include <X11/Xlibint.h>
		28	#include <X11/Xutil.h>
		29	#include <stdio.h>
		30	+#include <limits.h>
		31	#include "ImUtil.h"
		32
		33	static int _XDestroyImage(XImage *);
		34	@@ -361,13 +362,22 @@ XImage *XCreateImage (
		35	/*
		36	* compute per line accelerator.
		37	*/
		38	- {
		39	- if (format == ZPixmap)
		40	+ if (format == ZPixmap) {
		41	+ if ((INT_MAX / bits_per_pixel) < width) {
		42	+ Xfree(image);
		43	+ return NULL;
		44	+ }
		45	+
		46	min_bytes_per_line =
		47	- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
		48	- else
		49	+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
		50	+ } else {
		51	+ if ((INT_MAX - offset) < width) {
		52	+ Xfree(image);
		53	+ return NULL;
		54	+ }
		55	+
		56	min_bytes_per_line =
		57	- ROUNDUP((width + offset), image->bitmap_pad);
		58	+ ROUNDUP((width + offset), image->bitmap_pad);
		59	}
		60	if (image_bytes_per_line == 0) {
		61	image->bytes_per_line = min_bytes_per_line;
		62	--
		63	2.39.3
		64


diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb index 568162a911..248889a1d4 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -19,6 +19,11 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
19	file://CVE-2022-3554.patch \	19	file://CVE-2022-3554.patch \
20	file://CVE-2022-3555.patch \	20	file://CVE-2022-3555.patch \
21	file://CVE-2023-3138.patch \	21	file://CVE-2023-3138.patch \
		22	file://CVE-2023-43785.patch \
		23	file://CVE-2023-43786-1.patch \
		24	file://CVE-2023-43786-2.patch \
		25	file://CVE-2023-43787-1.patch \
		26	file://CVE-2023-43787-2.patch \
22	"	27	"
23		28
24	SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"	29	SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"