Diffstat (limited to 'meta/recipes-graphics/xorg-lib/libx11')
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch333
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch58
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch38
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch111
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch63
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch42
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch46
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch52
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch64
9 files changed, 807 insertions, 0 deletions
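diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
new file mode 100644
index 0000000000..97c4c17a8a
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
@@ -0,0 +1,333 @@
+From 5c539ee6aba5872fcc73aa3d46a4e9a33dc030db Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 19 Feb 2021 15:30:39 +0100
+Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
+ the wire
+
+The X protocol uses CARD16 values to represent the length so
+this would overflow.
+
+CVE-2021-31535
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+https://lists.x.org/archives/xorg-announce/2021-May/003088.html
+
+XLookupColor() and other X libraries function lack proper validation
+of the length of their string parameters. If those parameters can be
+controlled by an external application (for instance a color name that
+can be emitted via a terminal control sequence) it can lead to the
+emission of extra X protocol requests to the X server.
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605]
+CVE: CVE-2021-31535
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ src/Font.c | 6 ++++--
+ src/FontInfo.c | 3 +++
+ src/FontNames.c | 3 +++
+ src/GetColor.c | 4 ++++
+ src/LoadFont.c | 4 ++++
+ src/LookupCol.c | 6 ++++--
+ src/ParseCol.c | 5 ++++-
+ src/QuExt.c | 5 +++++
+ src/SetFPath.c | 8 +++++++-
+ src/SetHints.c | 7 +++++++
+ src/StNColor.c | 3 +++
+ src/StName.c | 7 ++++++-
+ 12 files changed, 54 insertions(+), 7 deletions(-)
+
+diff --git a/src/Font.c b/src/Font.c
+index 09d2ae91..3f468e4b 100644
+--- a/src/Font.c
++++ b/src/Font.c
+@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
+ XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
+ #endif
+
++ if (strlen(name) >= USHRT_MAX)
++ return NULL;
+ if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
+ return font_result;
+ LockDisplay(dpy);
+@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
+
+ if (!name)
+ return 0;
+- l = strlen(name);
+- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
++ l = (int) strlen(name);
++ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
+ return 0;
+ charset = NULL;
+ /* next three lines stolen from _XkbGetCharset() */
+diff --git a/src/FontInfo.c b/src/FontInfo.c
+index f870e431..51b48e29 100644
+--- a/src/FontInfo.c
++++ b/src/FontInfo.c
+@@ -58,6 +58,9 @@ XFontStruct **info) /* RETURN */
+ register xListFontsReq *req;
+ int j;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+ LockDisplay(dpy);
+ GetReq(ListFontsWithInfo, req);
+ req->maxNames = maxNames;
+diff --git a/src/FontNames.c b/src/FontNames.c
+index b78792d6..4dac4916 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -51,6 +51,9 @@ int *actualCount) /* RETURN */
+ register xListFontsReq *req;
+ unsigned long rlen = 0;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+ LockDisplay(dpy);
+ GetReq(ListFonts, req);
+ req->maxNames = maxNames;
+diff --git a/src/GetColor.c b/src/GetColor.c
+index cd0eb9f6..512ac308 100644
+--- a/src/GetColor.c
++++ b/src/GetColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
+ XcmsColor cmsColor_exact;
+ Status ret;
+
++ if (strlen(colorname) >= USHRT_MAX)
++ return (0);
++
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms and i18n approach to Parse Color
+diff --git a/src/LoadFont.c b/src/LoadFont.c
+index f547976b..85735249 100644
+--- a/src/LoadFont.c
++++ b/src/LoadFont.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include "Xlibint.h"
+
+ Font
+@@ -38,6 +39,9 @@ XLoadFont (
+ Font fid;
+ register xOpenFontReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return (0);
++
+ if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
+ return fid;
+
+diff --git a/src/LookupCol.c b/src/LookupCol.c
+index f7f969f5..cd9b1368 100644
+--- a/src/LookupCol.c
++++ b/src/LookupCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,9 @@ XLookupColor (
+ XcmsCCC ccc;
+ XcmsColor cmsColor_exact;
+
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return 0;
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -77,8 +81,6 @@ XLookupColor (
+ * Xcms and i18n methods failed, so lets pass it to the server
+ * for parsing.
+ */
+-
+- n = strlen (spec);
+ LockDisplay(dpy);
+ GetReq (LookupColor, req);
+ req->cmap = cmap;
+diff --git a/src/ParseCol.c b/src/ParseCol.c
+index e997b1b8..180132dd 100644
+--- a/src/ParseCol.c
++++ b/src/ParseCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,7 +47,9 @@ XParseColor (
+ XcmsColor cmsColor;
+
+ if (!spec) return(0);
+- n = strlen (spec);
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return(0);
+ if (*spec == '#') {
+ /*
+ * RGB
+diff --git a/src/QuExt.c b/src/QuExt.c
+index 4e230e77..d38a1572 100644
+--- a/src/QuExt.c
++++ b/src/QuExt.c
+@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++#include <stdbool.h>
+ #include "Xlibint.h"
+
+ Bool
+@@ -40,6 +42,9 @@ XQueryExtension(
+ xQueryExtensionReply rep;
+ register xQueryExtensionReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return false;
++
+ LockDisplay(dpy);
+ GetReq(QueryExtension, req);
+ req->nbytes = name ? strlen(name) : 0;
+diff --git a/src/SetFPath.c b/src/SetFPath.c
+index 60aaef01..3d8c50cb 100644
+--- a/src/SetFPath.c
++++ b/src/SetFPath.c
+@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
+
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
++#include <limits.h>
+ #endif
+ #include "Xlibint.h"
+
+@@ -48,7 +49,12 @@ XSetFontPath (
+ GetReq (SetFontPath, req);
+ req->nFonts = ndirs;
+ for (i = 0; i < ndirs; i++) {
+- n += safestrlen (directories[i]) + 1;
++ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
++ if (n >= USHRT_MAX) {
++ UnlockDisplay(dpy);
++ SyncHandle();
++ return 0;
++ }
+ }
+ nbytes = (n + 3) & ~3;
+ req->length += nbytes >> 2;
+diff --git a/src/SetHints.c b/src/SetHints.c
+index bc46498a..f3d727ec 100644
+--- a/src/SetHints.c
++++ b/src/SetHints.c
+@@ -49,6 +49,7 @@ SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include "Xatomtype.h"
+@@ -214,6 +215,8 @@ XSetCommand (
+ register char *buf, *bp;
+ for (i = 0, nbytes = 0; i < argc; i++) {
+ nbytes += safestrlen(argv[i]) + 1;
++ if (nbytes >= USHRT_MAX)
++ return 1;
+ }
+ if ((bp = buf = Xmalloc(nbytes))) {
+ /* copy arguments into single buffer */
+@@ -256,6 +259,8 @@ XSetStandardProperties (
+
+ if (name != NULL) XStoreName (dpy, w, name);
+
++ if (safestrlen(icon_string) >= USHRT_MAX)
++ return 1;
+ if (icon_string != NULL) {
+ XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+ PropModeReplace,
+@@ -298,6 +303,8 @@ XSetClassHint(
+
+ len_nm = safestrlen(classhint->res_name);
+ len_cl = safestrlen(classhint->res_class);
++ if (len_nm + len_cl >= USHRT_MAX)
++ return 1;
+ if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
+ if (len_nm) {
+ strcpy(s, classhint->res_name);
+diff --git a/src/StNColor.c b/src/StNColor.c
+index 8b821c3e..ba021958 100644
+--- a/src/StNColor.c
++++ b/src/StNColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
+ XcmsColor cmsColor_exact;
+ XColor scr_def;
+
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms approach to Parse Color
+diff --git a/src/StName.c b/src/StName.c
+index b4048bff..5a632d0c 100644
+--- a/src/StName.c
++++ b/src/StName.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xatom.h>
+
+@@ -36,7 +37,9 @@ XStoreName (
+ Window w,
+ _Xconst char *name)
+ {
+- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
++ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
+ 8, PropModeReplace, (_Xconst unsigned char *)name,
+ name ? strlen(name) : 0);
+ }
+@@ -47,6 +50,8 @@ XSetIconName (
+ Window w,
+ _Xconst char *icon_name)
+ {
++ if (strlen(icon_name) >= USHRT_MAX)
++ return 0;
+ return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+ PropModeReplace, (_Xconst unsigned char *)icon_name,
+ icon_name ? strlen(icon_name) : 0);
+--
+2.32.0
+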
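Review bot: Several of the added length checks call `strlen()` on a pointer that the surrounding code treats as possibly NULL, so the guard itself can dereference NULL. In XQueryExtension, XStoreName and XSetIconName the next visible statement still uses `name ? strlen(name) : 0` (or `icon_name ? ...`), and in XLoadQueryFont and XLoadFont the check runs before `_XF86LoadQueryLocaleFont`, whose own `if (!name) return 0;` is visible in the second Font.c hunk. Testing the pointer first, e.g. `if (name != NULL && strlen(name) >= USHRT_MAX) return 0;`, keeps the previous NULL behaviour. Separately, in SetFPath.c the `#include <limits.h>` lands inside the `#ifdef HAVE_CONFIG_H` block, and the new early return in XSetFontPath happens after `GetReq`, so whether a partially built request stays queued should be confirmed against the full function, which is outside the hunk.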
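diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
new file mode 100644
index 0000000000..fb61195225
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
@@ -0,0 +1,58 @@
+From 8b51d1375a4dd6a7cf3a919da83d8e87e57e7333 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 2 Nov 2022 17:04:15 +0530
+Subject: [PATCH] CVE-2022-3554
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
+CVE: CVE-2022-3554
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+fix a memory leak in XRegisterIMInstantiateCallback
+
+Analysis:
+
+ _XimRegisterIMInstantiateCallback() opens an XIM and closes it using
+ the internal function pointers, but the internal close function does
+ not free the pointer to the XIM (this would be done in XCloseIM()).
+
+Report/patch:
+
+ Date: Mon, 03 Oct 2022 18:47:32 +0800
+ From: Po Lu <luangruo@yahoo.com>
+ To: xorg-devel@lists.x.org
+ Subject: Re: Yet another leak in Xlib
+
+ For reference, here's how I'm calling XRegisterIMInstantiateCallback:
+
+ XSetLocaleModifiers ("");
+ XRegisterIMInstantiateCallback (compositor.display,
+ XrmGetDatabase (compositor.display),
+ (char *) compositor.resource_name,
+ (char *) compositor.app_name,
+ IMInstantiateCallback, NULL);
+ and XMODIFIERS is:
+
+ @im=ibus
+
+Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>
+---
+ modules/im/ximcp/imInsClbk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
+index 961aaba..0a8a874 100644
+--- a/modules/im/ximcp/imInsClbk.c
++++ b/modules/im/ximcp/imInsClbk.c
+@@ -204,6 +204,9 @@ _XimRegisterIMInstantiateCallback(
+ if( xim ) {
+ lock = True;
+ xim->methods->close( (XIM)xim );
++ /* XIMs must be freed manually after being opened; close just
++ does the protocol to deinitialize the IM. */
++ XFree( xim );
+ lock = False;
+ icb->call = True;
+ callback( display, client_data, NULL );
+--
+2.25.1
+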
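Review bot: The `Signed-off-by` trailer on patch line 37 reads `Thomas E. Dickey's avatarThomas E. Dickey`, which looks like web-UI text pasted into the name; it should read `Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>` so the provenance trailer stays parseable. The subject `[PATCH] CVE-2022-3554` also says nothing about the change; the line `fix a memory leak in XRegisterIMInstantiateCallback` further down would serve better as the subject. On the code itself, `xim` still points at freed memory after `XFree( xim )`; the rest of `_XimRegisterIMInstantiateCallback` is outside the hunk, so confirm nothing later reads it.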
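diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
new file mode 100644
index 0000000000..855ce80e77
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
@@ -0,0 +1,38 @@
+From 8a368d808fec166b5fb3dfe6312aab22c7ee20af Mon Sep 17 00:00:00 2001
+From: Hodong <hodong@yozmos.com>
+Date: Thu, 20 Jan 2022 00:57:41 +0900
+Subject: [PATCH] Fix two memory leaks in _XFreeX11XCBStructure()
+
+Even when XCloseDisplay() was called, some memory was leaked.
+
+XCloseDisplay() calls _XFreeDisplayStructure(), which calls
+_XFreeX11XCBStructure().
+
+However, _XFreeX11XCBStructure() did not destroy the condition variables,
+resulting in the leaking of some 40 bytes.
+
+Signed-off-by: Hodong <hodong@yozmos.com>
+
+Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]
+CVE:CVE-2022-3555
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/xcb_disp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/xcb_disp.c b/src/xcb_disp.c
+index 70a602f4..e9becee3 100644
+--- a/src/xcb_disp.c
++++ b/src/xcb_disp.c
+@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
+ dpy->xcb->pending_requests = tmp->next;
+ free(tmp);
+ }
++ xcondition_clear(dpy->xcb->event_notify);
++ xcondition_clear(dpy->xcb->reply_notify);
+ xcondition_free(dpy->xcb->event_notify);
+ xcondition_free(dpy->xcb->reply_notify);
+ Xfree(dpy->xcb);
+--
+2.18.2
+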
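Review bot: The two added `xcondition_clear()` calls are unconditional, so they assume both condition variables were successfully allocated. If `_XFreeX11XCBStructure` can be reached on a failed-setup path where `event_notify` or `reply_notify` is still NULL (the allocation site is not visible here), the clear would operate on a NULL pointer before the free; `if (dpy->xcb->event_notify) xcondition_clear(dpy->xcb->event_notify);` and the same for `reply_notify` would cover that case. The function body starts outside the hunk, so this needs checking against the full file.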
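diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
new file mode 100644
index 0000000000..c724cf8fdd
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
@@ -0,0 +1,111 @@
+From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
+ error codes
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+CVE: CVE-2023-3138
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch]
+Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
+---
+ src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f15..afc00a6b 100644
+--- a/src/InitExt.c
++++ b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+ #include <X11/Xos.h>
+ #include <stdio.h>
+
++/* The X11 protocol spec reserves events 64 through 127 for extensions */
++#ifndef LastExtensionEvent
++#define LastExtensionEvent 127
++#endif
++
++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
++#ifndef LastExtensionRequest
++#define FirstExtensionRequest 128
++#define LastExtensionRequest 255
++#endif
++
++
+ /*
+ * This routine is used to link a extension in so it will be called
+ * at appropriate times.
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+ WireToEventType proc) /* routine to call when converting event */
+ {
+ register WireToEventType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (WireToEventType)_XUnknownWireEvent;
++ }
+ if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->event_vec[event_number];
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+ )
+ {
+ WireToEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (WireToEventCookieType)_XUnknownWireEventCookie;
++ }
+ if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+ )
+ {
+ CopyEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (CopyEventCookieType)_XUnknownCopyEventCookie;
++ }
+ if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+ EventToWireType proc) /* routine to call when converting event */
+ {
+ register EventToWireType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (EventToWireType)_XUnknownNativeEvent;
++ }
+ if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
+ WireToErrorType proc) /* routine to call when converting error */
+ {
+ register WireToErrorType oldproc = NULL;
++ if (error_number < 0 ||
++ error_number > LastExtensionError) {
++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
++ error_number);
++ return (WireToErrorType)_XDefaultWireError;
++ }
+ if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
+ LockDisplay (dpy);
+ if (!dpy->error_vec) {
+--
+GitLab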
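Review bot: `FirstExtensionRequest` is defined only inside `#ifndef LastExtensionRequest`, so a header that already provides `LastExtensionRequest` but not `FirstExtensionRequest` would leave the range checks in the two cookie setters without a definition; giving each macro its own `#ifndef` guard removes that coupling. The event-number checks accept 0 through `LastExtensionEvent` even though the added comment says extensions own 64 through 127; if the lower bound is deliberately the array bound rather than the protocol range, a comment such as `/* bounds of event_vec[], not the extension event range */` at the check would say so. `LastExtensionError`, used in XESetWireToError, is not defined by this patch and presumably comes from an X protocol header.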
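diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
new file mode 100644
index 0000000000..dbdf096fc8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+ _XkbReadKeySyms()
+
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
+CVE: CVE-2023-43785
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/xkb/XKBGetMap.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
++++ b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ if (offset + newMap->nSyms >= map->size_syms) {
+ register int sz;
+
+- sz = map->size_syms + 128;
++ sz = offset + newMap->nSyms;
++ sz = ((sz + (unsigned) 128) / 128) * 128;
+ _XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+ if (map->syms == NULL) {
+ map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ map->size_syms = sz;
+ }
+ if (newMap->nSyms > 0) {
+- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+- newMap->nSyms);
++ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
++ newMap->nSyms) == 0)
++ return BadLength;
+ offset += newMap->nSyms;
+ }
+ else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+ if (newSyms == NULL)
+ return BadAlloc;
+- if (newMap->nSyms > 0)
+- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
++ if (newMap->nSyms > 0) {
++ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
++ return BadLength;
++ }
+ else
+ newSyms[0] = NoSymbol;
+ oldMap->kt_index[0] = newMap->ktIndex[0];
+--
+2.39.3
+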
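Review bot: The new size computation `sz = ((sz + (unsigned) 128) / 128) * 128;` mixes a `register int` with an unsigned constant and always lands on a multiple of 128 strictly above `offset + newMap->nSyms`, and neither choice is explained in the code. A comment such as `/* round up to the next multiple of 128 above the needed count, so offset + nSyms < size_syms holds afterwards */` would document the intent. It is also worth confirming that `offset + newMap->nSyms` cannot exceed `INT_MAX` for server-supplied counts, since the declarations of `offset` and `nSyms` are outside the hunk. The new `return BadLength` paths exit in the middle of the per-key processing; whether the caller discards the partially updated map is not visible here.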
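diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
new file mode 100644
index 0000000000..31a99eb4ac
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
@@ -0,0 +1,42 @@
+From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:54:30 -0700
+Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite
+ recursion in PutSubImage()
+
+When splitting a single line of pixels into chunks to send to the
+X server, be sure to take into account the number of bits per pixel,
+so we don't just loop forever trying to send more pixels than fit in
+the given request size and not breaking them down into a small enough
+chunk to fix.
+
+Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/PutImage.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index 857ee916..a6db7b42 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -914,8 +914,9 @@ PutSubImage (
+ req_width, req_height - SubImageHeight,
+ dest_bits_per_pixel, dest_scanline_pad);
+ } else {
+- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
+- * dest_scanline_pad) - left_pad;
++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
++ * dest_scanline_pad) - left_pad)
++ / dest_bits_per_pixel;
+
+ PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
+ (unsigned int) SubImageWidth, 1,
+--
+2.39.3
+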
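Review bot: After the added division by `dest_bits_per_pixel`, `SubImageWidth` can come out as zero or negative when the padded `Available << 3` is smaller than `left_pad` plus one pixel, and it is then cast to `unsigned int` for the recursive call. The hunk shows no guard for that case, so the recursion this patch is meant to bound may still fail to make progress there; an explicit `if (SubImageWidth <= 0)` bail-out before the recursive calls would make termination independent of the request size. Whether `Available` can actually be that small depends on code outside the hunk, as does the rest of the `else` branch.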
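diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
new file mode 100644
index 0000000000..4800bedf41
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
@@ -0,0 +1,46 @@
+From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:55:04 -0700
+Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
+ allowed by protocol
+
+The PutImage request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), same as the maximum dimensions of an X11
+Drawable, which the image is being copied to.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/PutImage.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index a6db7b42..ba411e36 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include "Xlibint.h"
+ #include "Xutil.h"
+ #include <stdio.h>
++#include <limits.h>
+ #include "Cr.h"
+ #include "ImUtil.h"
+ #include "reallocarray.h"
+@@ -962,6 +963,10 @@ XPutImage (
+ height = image->height - req_yoffset;
+ if ((width <= 0) || (height <= 0))
+ return 0;
++ if (width > USHRT_MAX)
++ width = USHRT_MAX;
++ if (height > USHRT_MAX)
++ height = USHRT_MAX;
+
+ if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
+ dest_bits_per_pixel = 1;
+--
+2.39.3
+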
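Review bot: The clamp in XPutImage truncates silently: a caller whose width or height exceeds `USHRT_MAX` gets a partial image with nothing at the clamp to tell it apart from a full draw. A comment at the new lines, for example `/* PutImage carries width/height as CARD16; larger requests are clipped, not rejected */`, would record that this is a deliberate choice rather than an error path. The declarations of `width` and `height` and the rest of XPutImage are outside the hunk.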
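diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
new file mode 100644
index 0000000000..d35d96c4dc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
+From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 16:12:27 -0700
+Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
+ out-of-range dimensions
+
+The CreatePixmap request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), so if either is larger than that, set it to 0
+so the X server returns a BadValue error as the protocol requires.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/CrPixmap.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/CrPixmap.c b/src/CrPixmap.c
+index cdf31207..3cb2ca6d 100644
+--- a/src/CrPixmap.c
++++ b/src/CrPixmap.c
+@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <config.h>
+ #endif
+ #include "Xlibint.h"
++#include <limits.h>
+
+ #ifdef USE_DYNAMIC_XCURSOR
+ void
+@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
+ Pixmap pid;
+ register xCreatePixmapReq *req;
+
++ /*
++ * Force a BadValue X Error if the requested dimensions are larger
++ * than the X11 protocol has room for, since that's how callers expect
++ * to get notified of errors.
++ */
++ if (width > USHRT_MAX)
++ width = 0;
++ if (height > USHRT_MAX)
++ height = 0;
++
+ LockDisplay(dpy);
+ GetReq(CreatePixmap, req);
+ req->drawable = d;
+--
+2.39.3
+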
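diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
new file mode 100644
index 0000000000..110bd445df
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
@@ -0,0 +1,64 @@
+From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
+From: Yair Mizrahi <yairm@jfrog.com>
+Date: Thu, 7 Sep 2023 16:15:32 -0700
+Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
+ leading to a heap overflow
+
+When the format is `Pixmap` it calculates the size of the image data as:
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+There is no validation on the `width` of the image, and so this
+calculation exceeds the capacity of a 4-byte integer, causing an overflow.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/ImUtil.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 36f08a03..fbfad33e 100644
+--- a/src/ImUtil.c
++++ b/src/ImUtil.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include <stdio.h>
++#include <limits.h>
+ #include "ImUtil.h"
+
+ static int _XDestroyImage(XImage *);
+@@ -361,13 +362,22 @@ XImage *XCreateImage (
+ /*
+ * compute per line accelerator.
+ */
+- {
+- if (format == ZPixmap)
++ if (format == ZPixmap) {
++ if ((INT_MAX / bits_per_pixel) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+ min_bytes_per_line =
+- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+- else
++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
++ } else {
++ if ((INT_MAX - offset) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+ min_bytes_per_line =
+- ROUNDUP((width + offset), image->bitmap_pad);
++ ROUNDUP((width + offset), image->bitmap_pad);
+ }
+ if (image_bytes_per_line == 0) {
+ image->bytes_per_line = min_bytes_per_line;
+--
+2.39.3
+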
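Review bot: Both new guards in XCreateImage rely on preconditions that are established, if at all, outside the hunk: `INT_MAX / bits_per_pixel` needs `bits_per_pixel` to be non-zero, and `INT_MAX - offset` needs `offset` to be non-negative so the check itself cannot overflow. If the function validates both earlier, a one-line comment such as `/* bits_per_pixel > 0 and offset >= 0 were validated above */` would make that dependency explicit for the next backport; if it does not, those checks belong ahead of these guards. The comparison of an `int` quotient against `width` also depends on the declared type of `width`, which is not visible here.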