xserver-xorg: Fix CVE-2017-10971

Backport 3 patches to fix CVE-2017-10971: In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events. Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-10971 (From OE-Core rev: 20428f660f2c046c63bbf63c4e4af95dac9f2b3d) (From OE-Core rev: 8c42a9508bded870d1ac018e2cfa129772983c52) Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jackie Huang <jackie.huang@windriver.com> 2017-08-17 15:39:13 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-09-11 22:15:58 +0100
commit: e99089ce247554328716f9ed4b74b03111f37cd7 (patch)
tree: c100cf7f94fd62a881c1c0e5d05c1f5a4f63ab90 /meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
parent: c63480c9605a22b3000dc4f0e9198e67365832e9 (diff)
download: poky-e99089ce247554328716f9ed4b74b03111f37cd7.tar.gz
1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
new file mode 100644
index 0000000000..5c9887afa1
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
@@ -0,0 +1,55 @@
+From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:41 +0300
+Subject: [PATCH] Xi: Verify all events in ProcXSendExtensionEvent.
+The requirement is that events have type in range
+EXTENSION_EVENT_BASE..lastEvent, but it was tested
+only for first event of all.
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+CVE: CVE-2017-10971
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d]
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ Xi/sendexev.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 1cf118a..5e63bfc 100644
+--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
+@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ int
+ ProcXSendExtensionEvent(ClientPtr client)
+ {
+-    int ret;
+    int ret, i;
+     DeviceIntPtr dev;
+     xEvent *first;
+     XEventClass *list;
+@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
+     /* The client's event type must be one defined by an extension. */
+ 
+     first = ((xEvent *) &stuff[1]);
+-    if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
+-          (first->u.u.type < lastEvent))) {
+-        client->errorValue = first->u.u.type;
+-        return BadValue;
+    for (i = 0; i < stuff->num_events; i++) {
+        if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
+            (first[i].u.u.type < lastEvent))) {
+            client->errorValue = first[i].u.u.type;
+            return BadValue;
+        }
+     }
+ 
+     list = (XEventClass *) (first + stuff->num_events);
+-- 
+1.7.9.5
author	Jackie Huang <jackie.huang@windriver.com>	2017-08-17 15:39:13 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-09-11 22:15:58 +0100
commit	e99089ce247554328716f9ed4b74b03111f37cd7 (patch)
tree	c100cf7f94fd62a881c1c0e5d05c1f5a4f63ab90 /meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
parent	c63480c9605a22b3000dc4f0e9198e67365832e9 (diff)
download	poky-e99089ce247554328716f9ed4b74b03111f37cd7.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch new file mode 100644 index 0000000000..5c9887afa1 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-2.patch
@@ -0,0 +1,55 @@
	1	From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
	2	From: Michal Srb <msrb@suse.com>
	3	Date: Wed, 24 May 2017 15:54:41 +0300
	4	Subject: [PATCH] Xi: Verify all events in ProcXSendExtensionEvent.
	5
	6	The requirement is that events have type in range
	7	EXTENSION_EVENT_BASE..lastEvent, but it was tested
	8	only for first event of all.
	9
	10	Signed-off-by: Michal Srb <msrb@suse.com>
	11	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	12	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	13
	14	CVE: CVE-2017-10971
	15
	16	Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d]
	17
	18	Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
	19	---
	20	Xi/sendexev.c \| 12 +++++++-----
	21	1 file changed, 7 insertions(+), 5 deletions(-)
	22
	23	diff --git a/Xi/sendexev.c b/Xi/sendexev.c
	24	index 1cf118a..5e63bfc 100644
	25	--- a/Xi/sendexev.c
	26	+++ b/Xi/sendexev.c
	27	@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
	28	int
	29	ProcXSendExtensionEvent(ClientPtr client)
	30	{
	31	- int ret;
	32	+ int ret, i;
	33	DeviceIntPtr dev;
	34	xEvent *first;
	35	XEventClass *list;
	36	@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
	37	/* The client's event type must be one defined by an extension. */
	38
	39	first = ((xEvent *) &stuff[1]);
	40	- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
	41	- (first->u.u.type < lastEvent))) {
	42	- client->errorValue = first->u.u.type;
	43	- return BadValue;
	44	+ for (i = 0; i < stuff->num_events; i++) {
	45	+ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
	46	+ (first[i].u.u.type < lastEvent))) {
	47	+ client->errorValue = first[i].u.u.type;
	48	+ return BadValue;
	49	+ }
	50	}
	51
	52	list = (XEventClass *) (first + stuff->num_events);
	53	--
	54	1.7.9.5
	55