diff options
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch | 320 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb | 5 |
2 files changed, 323 insertions, 2 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch b/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch new file mode 100644 index 0000000000..2ec5cc1688 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch | |||
@@ -0,0 +1,320 @@ | |||
1 | From 8d2e02ae650f00c4a53deb625211a0527126c605 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Fri, 19 Feb 2021 15:30:39 +0100 | ||
4 | Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on | ||
5 | the wire | ||
6 | |||
7 | The X protocol uses CARD16 values to represent the length so | ||
8 | this would overflow. | ||
9 | |||
10 | CVE-2021-31535 | ||
11 | |||
12 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
13 | |||
14 | CVE: CVE-2021-31535 | ||
15 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02a] | ||
16 | |||
17 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
18 | --- | ||
19 | src/Font.c | 4 +++- | ||
20 | src/FontInfo.c | 3 +++ | ||
21 | src/FontNames.c | 3 +++ | ||
22 | src/GetColor.c | 4 ++++ | ||
23 | src/LoadFont.c | 4 ++++ | ||
24 | src/LookupCol.c | 6 ++++-- | ||
25 | src/ParseCol.c | 3 +++ | ||
26 | src/QuExt.c | 5 +++++ | ||
27 | src/SetFPath.c | 6 ++++++ | ||
28 | src/SetHints.c | 7 +++++++ | ||
29 | src/StNColor.c | 3 +++ | ||
30 | src/StName.c | 7 ++++++- | ||
31 | 12 files changed, 51 insertions(+), 4 deletions(-) | ||
32 | |||
33 | diff --git a/src/Font.c b/src/Font.c | ||
34 | index d4ebdaca..1cd89cca 100644 | ||
35 | --- a/src/Font.c | ||
36 | +++ b/src/Font.c | ||
37 | @@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont( | ||
38 | XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy); | ||
39 | #endif | ||
40 | |||
41 | + if (strlen(name) >= USHRT_MAX) | ||
42 | + return NULL; | ||
43 | if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0)) | ||
44 | return font_result; | ||
45 | LockDisplay(dpy); | ||
46 | @@ -663,7 +665,7 @@ int _XF86LoadQueryLocaleFont( | ||
47 | if (!name) | ||
48 | return 0; | ||
49 | l = (int) strlen(name); | ||
50 | - if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-') | ||
51 | + if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX) | ||
52 | return 0; | ||
53 | charset = NULL; | ||
54 | /* next three lines stolen from _XkbGetCharset() */ | ||
55 | diff --git a/src/FontInfo.c b/src/FontInfo.c | ||
56 | index 694efa10..6644b3fa 100644 | ||
57 | --- a/src/FontInfo.c | ||
58 | +++ b/src/FontInfo.c | ||
59 | @@ -58,6 +58,9 @@ XFontStruct **info) /* RETURN */ | ||
60 | register xListFontsReq *req; | ||
61 | int j; | ||
62 | |||
63 | + if (strlen(pattern) >= USHRT_MAX) | ||
64 | + return NULL; | ||
65 | + | ||
66 | LockDisplay(dpy); | ||
67 | GetReq(ListFontsWithInfo, req); | ||
68 | req->maxNames = maxNames; | ||
69 | diff --git a/src/FontNames.c b/src/FontNames.c | ||
70 | index 30912925..458d80c9 100644 | ||
71 | --- a/src/FontNames.c | ||
72 | +++ b/src/FontNames.c | ||
73 | @@ -51,6 +51,9 @@ int *actualCount) /* RETURN */ | ||
74 | register xListFontsReq *req; | ||
75 | unsigned long rlen = 0; | ||
76 | |||
77 | + if (strlen(pattern) >= USHRT_MAX) | ||
78 | + return NULL; | ||
79 | + | ||
80 | LockDisplay(dpy); | ||
81 | GetReq(ListFonts, req); | ||
82 | req->maxNames = maxNames; | ||
83 | diff --git a/src/GetColor.c b/src/GetColor.c | ||
84 | index d088497f..c8178067 100644 | ||
85 | --- a/src/GetColor.c | ||
86 | +++ b/src/GetColor.c | ||
87 | @@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. | ||
88 | #ifdef HAVE_CONFIG_H | ||
89 | #include <config.h> | ||
90 | #endif | ||
91 | +#include <limits.h> | ||
92 | #include <stdio.h> | ||
93 | #include "Xlibint.h" | ||
94 | #include "Xcmsint.h" | ||
95 | @@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */ | ||
96 | XcmsColor cmsColor_exact; | ||
97 | Status ret; | ||
98 | |||
99 | + if (strlen(colorname) >= USHRT_MAX) | ||
100 | + return (0); | ||
101 | + | ||
102 | #ifdef XCMS | ||
103 | /* | ||
104 | * Let's Attempt to use Xcms and i18n approach to Parse Color | ||
105 | diff --git a/src/LoadFont.c b/src/LoadFont.c | ||
106 | index 0a3809a8..3996436f 100644 | ||
107 | --- a/src/LoadFont.c | ||
108 | +++ b/src/LoadFont.c | ||
109 | @@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. | ||
110 | #ifdef HAVE_CONFIG_H | ||
111 | #include <config.h> | ||
112 | #endif | ||
113 | +#include <limits.h> | ||
114 | #include "Xlibint.h" | ||
115 | |||
116 | Font | ||
117 | @@ -38,6 +39,9 @@ XLoadFont ( | ||
118 | Font fid; | ||
119 | register xOpenFontReq *req; | ||
120 | |||
121 | + if (strlen(name) >= USHRT_MAX) | ||
122 | + return (0); | ||
123 | + | ||
124 | if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid)) | ||
125 | return fid; | ||
126 | |||
127 | diff --git a/src/LookupCol.c b/src/LookupCol.c | ||
128 | index 9608d512..cd9b1368 100644 | ||
129 | --- a/src/LookupCol.c | ||
130 | +++ b/src/LookupCol.c | ||
131 | @@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. | ||
132 | #ifdef HAVE_CONFIG_H | ||
133 | #include <config.h> | ||
134 | #endif | ||
135 | +#include <limits.h> | ||
136 | #include <stdio.h> | ||
137 | #include "Xlibint.h" | ||
138 | #include "Xcmsint.h" | ||
139 | @@ -46,6 +47,9 @@ XLookupColor ( | ||
140 | XcmsCCC ccc; | ||
141 | XcmsColor cmsColor_exact; | ||
142 | |||
143 | + n = (int) strlen (spec); | ||
144 | + if (n >= USHRT_MAX) | ||
145 | + return 0; | ||
146 | #ifdef XCMS | ||
147 | /* | ||
148 | * Let's Attempt to use Xcms and i18n approach to Parse Color | ||
149 | @@ -77,8 +81,6 @@ XLookupColor ( | ||
150 | * Xcms and i18n methods failed, so lets pass it to the server | ||
151 | * for parsing. | ||
152 | */ | ||
153 | - | ||
154 | - n = (int) strlen (spec); | ||
155 | LockDisplay(dpy); | ||
156 | GetReq (LookupColor, req); | ||
157 | req->cmap = cmap; | ||
158 | diff --git a/src/ParseCol.c b/src/ParseCol.c | ||
159 | index 2691df36..7a84a17b 100644 | ||
160 | --- a/src/ParseCol.c | ||
161 | +++ b/src/ParseCol.c | ||
162 | @@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. | ||
163 | #ifdef HAVE_CONFIG_H | ||
164 | #include <config.h> | ||
165 | #endif | ||
166 | +#include <limits.h> | ||
167 | #include <stdio.h> | ||
168 | #include "Xlibint.h" | ||
169 | #include "Xcmsint.h" | ||
170 | @@ -47,6 +48,8 @@ XParseColor ( | ||
171 | |||
172 | if (!spec) return(0); | ||
173 | n = (int) strlen (spec); | ||
174 | + if (n >= USHRT_MAX) | ||
175 | + return(0); | ||
176 | if (*spec == '#') { | ||
177 | /* | ||
178 | * RGB | ||
179 | diff --git a/src/QuExt.c b/src/QuExt.c | ||
180 | index 2021dca4..4cb99fcf 100644 | ||
181 | --- a/src/QuExt.c | ||
182 | +++ b/src/QuExt.c | ||
183 | @@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group. | ||
184 | #ifdef HAVE_CONFIG_H | ||
185 | #include <config.h> | ||
186 | #endif | ||
187 | +#include <limits.h> | ||
188 | +#include <stdbool.h> | ||
189 | #include "Xlibint.h" | ||
190 | |||
191 | Bool | ||
192 | @@ -40,6 +42,9 @@ XQueryExtension( | ||
193 | xQueryExtensionReply rep; | ||
194 | register xQueryExtensionReq *req; | ||
195 | |||
196 | + if (strlen(name) >= USHRT_MAX) | ||
197 | + return false; | ||
198 | + | ||
199 | LockDisplay(dpy); | ||
200 | GetReq(QueryExtension, req); | ||
201 | req->nbytes = name ? (CARD16) strlen(name) : 0; | ||
202 | diff --git a/src/SetFPath.c b/src/SetFPath.c | ||
203 | index 7d12f18c..13fce49e 100644 | ||
204 | --- a/src/SetFPath.c | ||
205 | +++ b/src/SetFPath.c | ||
206 | @@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group. | ||
207 | |||
208 | #ifdef HAVE_CONFIG_H | ||
209 | #include <config.h> | ||
210 | +#include <limits.h> | ||
211 | #endif | ||
212 | #include "Xlibint.h" | ||
213 | |||
214 | @@ -49,6 +50,11 @@ XSetFontPath ( | ||
215 | req->nFonts = ndirs; | ||
216 | for (i = 0; i < ndirs; i++) { | ||
217 | n = (int) ((size_t) n + (safestrlen (directories[i]) + 1)); | ||
218 | + if (n >= USHRT_MAX) { | ||
219 | + UnlockDisplay(dpy); | ||
220 | + SyncHandle(); | ||
221 | + return 0; | ||
222 | + } | ||
223 | } | ||
224 | nbytes = (n + 3) & ~3; | ||
225 | req->length += nbytes >> 2; | ||
226 | diff --git a/src/SetHints.c b/src/SetHints.c | ||
227 | index e81aa9d3..61cb0684 100644 | ||
228 | --- a/src/SetHints.c | ||
229 | +++ b/src/SetHints.c | ||
230 | @@ -49,6 +49,7 @@ SOFTWARE. | ||
231 | #ifdef HAVE_CONFIG_H | ||
232 | #include <config.h> | ||
233 | #endif | ||
234 | +#include <limits.h> | ||
235 | #include <X11/Xlibint.h> | ||
236 | #include <X11/Xutil.h> | ||
237 | #include "Xatomtype.h" | ||
238 | @@ -214,6 +215,8 @@ XSetCommand ( | ||
239 | register char *buf, *bp; | ||
240 | for (i = 0, nbytes = 0; i < argc; i++) { | ||
241 | nbytes += safestrlen(argv[i]) + 1; | ||
242 | + if (nbytes >= USHRT_MAX) | ||
243 | + return 1; | ||
244 | } | ||
245 | if ((bp = buf = Xmalloc(nbytes))) { | ||
246 | /* copy arguments into single buffer */ | ||
247 | @@ -256,6 +259,8 @@ XSetStandardProperties ( | ||
248 | |||
249 | if (name != NULL) XStoreName (dpy, w, name); | ||
250 | |||
251 | + if (safestrlen(icon_string) >= USHRT_MAX) | ||
252 | + return 1; | ||
253 | if (icon_string != NULL) { | ||
254 | XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, | ||
255 | PropModeReplace, | ||
256 | @@ -298,6 +303,8 @@ XSetClassHint( | ||
257 | |||
258 | len_nm = safestrlen(classhint->res_name); | ||
259 | len_cl = safestrlen(classhint->res_class); | ||
260 | + if (len_nm + len_cl >= USHRT_MAX) | ||
261 | + return 1; | ||
262 | if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) { | ||
263 | if (len_nm) { | ||
264 | strcpy(s, classhint->res_name); | ||
265 | diff --git a/src/StNColor.c b/src/StNColor.c | ||
266 | index 3b50401b..16dc9cbc 100644 | ||
267 | --- a/src/StNColor.c | ||
268 | +++ b/src/StNColor.c | ||
269 | @@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. | ||
270 | #ifdef HAVE_CONFIG_H | ||
271 | #include <config.h> | ||
272 | #endif | ||
273 | +#include <limits.h> | ||
274 | #include <stdio.h> | ||
275 | #include "Xlibint.h" | ||
276 | #include "Xcmsint.h" | ||
277 | @@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */ | ||
278 | XcmsColor cmsColor_exact; | ||
279 | XColor scr_def; | ||
280 | |||
281 | + if (strlen(name) >= USHRT_MAX) | ||
282 | + return 0; | ||
283 | #ifdef XCMS | ||
284 | /* | ||
285 | * Let's Attempt to use Xcms approach to Parse Color | ||
286 | diff --git a/src/StName.c b/src/StName.c | ||
287 | index 58b5a5a6..04bb3aa6 100644 | ||
288 | --- a/src/StName.c | ||
289 | +++ b/src/StName.c | ||
290 | @@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. | ||
291 | #ifdef HAVE_CONFIG_H | ||
292 | #include <config.h> | ||
293 | #endif | ||
294 | +#include <limits.h> | ||
295 | #include <X11/Xlibint.h> | ||
296 | #include <X11/Xatom.h> | ||
297 | |||
298 | @@ -36,7 +37,9 @@ XStoreName ( | ||
299 | Window w, | ||
300 | _Xconst char *name) | ||
301 | { | ||
302 | - return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, | ||
303 | + if (strlen(name) >= USHRT_MAX) | ||
304 | + return 0; | ||
305 | + return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */ | ||
306 | 8, PropModeReplace, (_Xconst unsigned char *)name, | ||
307 | name ? (int) strlen(name) : 0); | ||
308 | } | ||
309 | @@ -47,6 +50,8 @@ XSetIconName ( | ||
310 | Window w, | ||
311 | _Xconst char *icon_name) | ||
312 | { | ||
313 | + if (strlen(icon_name) >= USHRT_MAX) | ||
314 | + return 0; | ||
315 | return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, | ||
316 | PropModeReplace, (_Xconst unsigned char *)icon_name, | ||
317 | icon_name ? (int) strlen(icon_name) : 0); | ||
318 | -- | ||
319 | GitLab | ||
320 | |||
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb b/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb index 3faee6e497..c6429cbbac 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb | |||
@@ -11,8 +11,9 @@ FILESEXTRAPATHS =. "${FILE_DIRNAME}/libx11:" | |||
11 | PE = "1" | 11 | PE = "1" |
12 | 12 | ||
13 | SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \ | 13 | SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \ |
14 | file://disable_tests.patch \ | 14 | file://disable_tests.patch \ |
15 | " | 15 | file://fix-CVE-2021-31535.patch \ |
16 | " | ||
16 | 17 | ||
17 | SRC_URI[sha256sum] = "36c8f93b6595437c8cfbc9f08618bcb3041cbd303e140a0013f88e4c2977cb54" | 18 | SRC_URI[sha256sum] = "36c8f93b6595437c8cfbc9f08618bcb3041cbd303e140a0013f88e4c2977cb54" |
18 | 19 | ||