Diffstat (limited to 'meta/recipes-graphics/xorg-lib/libx11')
9 files changed, 807 insertions, 0 deletions
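--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
@@ -0,0 +1,333 @@
+From 5c539ee6aba5872fcc73aa3d46a4e9a33dc030db Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 19 Feb 2021 15:30:39 +0100
+Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
+the wire
+
+The X protocol uses CARD16 values to represent the length so
+this would overflow.
+
+CVE-2021-31535
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+https://lists.x.org/archives/xorg-announce/2021-May/003088.html
+
+XLookupColor() and other X libraries function lack proper validation
+of the length of their string parameters. If those parameters can be
+controlled by an external application (for instance a color name that
+can be emitted via a terminal control sequence) it can lead to the
+emission of extra X protocol requests to the X server.
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605]
+CVE: CVE-2021-31535
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+src/Font.c | 6 ++++--
+src/FontInfo.c | 3 +++
+src/FontNames.c | 3 +++
+src/GetColor.c | 4 ++++
+src/LoadFont.c | 4 ++++
+src/LookupCol.c | 6 ++++--
+src/ParseCol.c | 5 ++++-
+src/QuExt.c | 5 +++++
+src/SetFPath.c | 8 +++++++-
+src/SetHints.c | 7 +++++++
+src/StNColor.c | 3 +++
+src/StName.c | 7 ++++++-
+12 files changed, 54 insertions(+), 7 deletions(-)
+
+diff --git a/src/Font.c b/src/Font.c
+index 09d2ae91..3f468e4b 100644
+--- a/src/Font.c
++++ b/src/Font.c
+@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
+XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
+#endif
+
++ if (strlen(name) >= USHRT_MAX)
++ return NULL;
+if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
+return font_result;
+LockDisplay(dpy);
+@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
+
+if (!name)
+return 0;
+- l = strlen(name);
+- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
++ l = (int) strlen(name);
++ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
+return 0;
+charset = NULL;
+/* next three lines stolen from _XkbGetCharset() */
+diff --git a/src/FontInfo.c b/src/FontInfo.c
+index f870e431..51b48e29 100644
+--- a/src/FontInfo.c
++++ b/src/FontInfo.c
+@@ -58,6 +58,9 @@ XFontStruct **info) /* RETURN */
+register xListFontsReq *req;
+int j;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+LockDisplay(dpy);
+GetReq(ListFontsWithInfo, req);
+req->maxNames = maxNames;
+diff --git a/src/FontNames.c b/src/FontNames.c
+index b78792d6..4dac4916 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -51,6 +51,9 @@ int *actualCount) /* RETURN */
+register xListFontsReq *req;
+unsigned long rlen = 0;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+LockDisplay(dpy);
+GetReq(ListFonts, req);
+req->maxNames = maxNames;
+diff --git a/src/GetColor.c b/src/GetColor.c
+index cd0eb9f6..512ac308 100644
+--- a/src/GetColor.c
++++ b/src/GetColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <stdio.h>
+#include "Xlibint.h"
+#include "Xcmsint.h"
+@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
+XcmsColor cmsColor_exact;
+Status ret;
+
++ if (strlen(colorname) >= USHRT_MAX)
++ return (0);
++
+#ifdef XCMS
+/*
+* Let's Attempt to use Xcms and i18n approach to Parse Color
+diff --git a/src/LoadFont.c b/src/LoadFont.c
+index f547976b..85735249 100644
+--- a/src/LoadFont.c
++++ b/src/LoadFont.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include "Xlibint.h"
+
+Font
+@@ -38,6 +39,9 @@ XLoadFont (
+Font fid;
+register xOpenFontReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return (0);
++
+if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
+return fid;
+
+diff --git a/src/LookupCol.c b/src/LookupCol.c
+index f7f969f5..cd9b1368 100644
+--- a/src/LookupCol.c
++++ b/src/LookupCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <stdio.h>
+#include "Xlibint.h"
+#include "Xcmsint.h"
+@@ -46,6 +47,9 @@ XLookupColor (
+XcmsCCC ccc;
+XcmsColor cmsColor_exact;
+
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return 0;
+#ifdef XCMS
+/*
+* Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -77,8 +81,6 @@ XLookupColor (
+* Xcms and i18n methods failed, so lets pass it to the server
+* for parsing.
+*/
+-
+- n = strlen (spec);
+LockDisplay(dpy);
+GetReq (LookupColor, req);
+req->cmap = cmap;
+diff --git a/src/ParseCol.c b/src/ParseCol.c
+index e997b1b8..180132dd 100644
+--- a/src/ParseCol.c
++++ b/src/ParseCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <stdio.h>
+#include "Xlibint.h"
+#include "Xcmsint.h"
+@@ -46,7 +47,9 @@ XParseColor (
+XcmsColor cmsColor;
+
+if (!spec) return(0);
+- n = strlen (spec);
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return(0);
+if (*spec == '#') {
+/*
+* RGB
+diff --git a/src/QuExt.c b/src/QuExt.c
+index 4e230e77..d38a1572 100644
+--- a/src/QuExt.c
++++ b/src/QuExt.c
+@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
++#include <stdbool.h>
+#include "Xlibint.h"
+
+Bool
+@@ -40,6 +42,9 @@ XQueryExtension(
+xQueryExtensionReply rep;
+register xQueryExtensionReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return false;
++
+LockDisplay(dpy);
+GetReq(QueryExtension, req);
+req->nbytes = name ? strlen(name) : 0;
+diff --git a/src/SetFPath.c b/src/SetFPath.c
+index 60aaef01..3d8c50cb 100644
+--- a/src/SetFPath.c
++++ b/src/SetFPath.c
+@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
++#include <limits.h>
+#endif
+#include "Xlibint.h"
+
+@@ -48,7 +49,12 @@ XSetFontPath (
+GetReq (SetFontPath, req);
+req->nFonts = ndirs;
+for (i = 0; i < ndirs; i++) {
+- n += safestrlen (directories[i]) + 1;
++ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
++ if (n >= USHRT_MAX) {
++ UnlockDisplay(dpy);
++ SyncHandle();
++ return 0;
++ }
+}
+nbytes = (n + 3) & ~3;
+req->length += nbytes >> 2;
+diff --git a/src/SetHints.c b/src/SetHints.c
+index bc46498a..f3d727ec 100644
+--- a/src/SetHints.c
++++ b/src/SetHints.c
+@@ -49,6 +49,7 @@ SOFTWARE.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <X11/Xlibint.h>
+#include <X11/Xutil.h>
+#include "Xatomtype.h"
+@@ -214,6 +215,8 @@ XSetCommand (
+register char *buf, *bp;
+for (i = 0, nbytes = 0; i < argc; i++) {
+nbytes += safestrlen(argv[i]) + 1;
++ if (nbytes >= USHRT_MAX)
++ return 1;
+}
+if ((bp = buf = Xmalloc(nbytes))) {
+/* copy arguments into single buffer */
+@@ -256,6 +259,8 @@ XSetStandardProperties (
+
+if (name != NULL) XStoreName (dpy, w, name);
+
++ if (safestrlen(icon_string) >= USHRT_MAX)
++ return 1;
+if (icon_string != NULL) {
+XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+PropModeReplace,
+@@ -298,6 +303,8 @@ XSetClassHint(
+
+len_nm = safestrlen(classhint->res_name);
+len_cl = safestrlen(classhint->res_class);
++ if (len_nm + len_cl >= USHRT_MAX)
++ return 1;
+if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
+if (len_nm) {
+strcpy(s, classhint->res_name);
+diff --git a/src/StNColor.c b/src/StNColor.c
+index 8b821c3e..ba021958 100644
+--- a/src/StNColor.c
++++ b/src/StNColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <stdio.h>
+#include "Xlibint.h"
+#include "Xcmsint.h"
+@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
+XcmsColor cmsColor_exact;
+XColor scr_def;
+
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
+#ifdef XCMS
+/*
+* Let's Attempt to use Xcms approach to Parse Color
+diff --git a/src/StName.c b/src/StName.c
+index b4048bff..5a632d0c 100644
+--- a/src/StName.c
++++ b/src/StName.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
++#include <limits.h>
+#include <X11/Xlibint.h>
+#include <X11/Xatom.h>
+
+@@ -36,7 +37,9 @@ XStoreName (
+Window w,
+_Xconst char *name)
+{
+- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
++ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
+8, PropModeReplace, (_Xconst unsigned char *)name,
+name ? strlen(name) : 0);
+}
+@@ -47,6 +50,8 @@ XSetIconName (
+Window w,
+_Xconst char *icon_name)
+{
++ if (strlen(icon_name) >= USHRT_MAX)
++ return 0;
+return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+PropModeReplace, (_Xconst unsigned char *)icon_name,
+icon_name ? strlen(icon_name) : 0);
+--
+2.32.0
+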
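Review bot: The new length checks in XQueryExtension (QuExt.c), XStoreName and XSetIconName (StName.c) call `strlen()` on the argument unconditionally, yet the unchanged lines directly below them still read `name ? strlen(name) : 0` and `icon_name ? strlen(icon_name) : 0`, so a NULL argument that these functions tolerated before now reaches `strlen(NULL)`. Guard the check the same way, e.g. `if (name != NULL && strlen(name) >= USHRT_MAX)`; the other bare `strlen(name)`/`strlen(pattern)`/`strlen(colorname)` checks deserve the same look, though the NULL handling of those functions is not visible in their hunks. Separately, in SetFPath.c the `#include <limits.h>` landed inside the `#ifdef HAVE_CONFIG_H` block, so `USHRT_MAX` there depends on that macro or on another header; placing it after `#endif` would match the other files. XQueryExtension's body continues outside its hunk.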
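--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
@@ -0,0 +1,58 @@
+From 8b51d1375a4dd6a7cf3a919da83d8e87e57e7333 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 2 Nov 2022 17:04:15 +0530
+Subject: [PATCH] CVE-2022-3554
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
+CVE: CVE-2022-3554
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+fix a memory leak in XRegisterIMInstantiateCallback
+
+Analysis:
+
+_XimRegisterIMInstantiateCallback() opens an XIM and closes it using
+the internal function pointers, but the internal close function does
+not free the pointer to the XIM (this would be done in XCloseIM()).
+
+Report/patch:
+
+Date: Mon, 03 Oct 2022 18:47:32 +0800
+From: Po Lu <luangruo@yahoo.com>
+To: xorg-devel@lists.x.org
+Subject: Re: Yet another leak in Xlib
+
+For reference, here's how I'm calling XRegisterIMInstantiateCallback:
+
+XSetLocaleModifiers ("");
+XRegisterIMInstantiateCallback (compositor.display,
+XrmGetDatabase (compositor.display),
+(char *) compositor.resource_name,
+(char *) compositor.app_name,
+IMInstantiateCallback, NULL);
+and XMODIFIERS is:
+
+@im=ibus
+
+Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>
+---
+modules/im/ximcp/imInsClbk.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
+index 961aaba..0a8a874 100644
+--- a/modules/im/ximcp/imInsClbk.c
++++ b/modules/im/ximcp/imInsClbk.c
+@@ -204,6 +204,9 @@ _XimRegisterIMInstantiateCallback(
+if( xim ) {
+lock = True;
+xim->methods->close( (XIM)xim );
++ /* XIMs must be freed manually after being opened; close just
++ does the protocol to deinitialize the IM. */
++ XFree( xim );
+lock = False;
+icb->call = True;
+callback( display, client_data, NULL );
+--
+2.25.1
+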
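Review bot: The upstream trailer on patch line 37 reads `Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>`, which looks like text pasted from a rendered web page rather than the commit's own trailer; I would restore it to `Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>` so the provenance chain of the backport stays machine-readable. The Subject is also only `CVE-2022-3554`, while the real summary ("fix a memory leak in XRegisterIMInstantiateCallback") sits further down the body; using it as the subject keeps the backport easy to match against the upstream commit named in Upstream-Status. The code change itself is confined to the three added lines, and _XimRegisterIMInstantiateCallback's body starts and ends outside the hunk.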
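--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
@@ -0,0 +1,38 @@
+From 8a368d808fec166b5fb3dfe6312aab22c7ee20af Mon Sep 17 00:00:00 2001
+From: Hodong <hodong@yozmos.com>
+Date: Thu, 20 Jan 2022 00:57:41 +0900
+Subject: [PATCH] Fix two memory leaks in _XFreeX11XCBStructure()
+
+Even when XCloseDisplay() was called, some memory was leaked.
+
+XCloseDisplay() calls _XFreeDisplayStructure(), which calls
+_XFreeX11XCBStructure().
+
+However, _XFreeX11XCBStructure() did not destroy the condition variables,
+resulting in the leaking of some 40 bytes.
+
+Signed-off-by: Hodong <hodong@yozmos.com>
+
+Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]
+CVE:CVE-2022-3555
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+src/xcb_disp.c | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/src/xcb_disp.c b/src/xcb_disp.c
+index 70a602f4..e9becee3 100644
+--- a/src/xcb_disp.c
++++ b/src/xcb_disp.c
+@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
+dpy->xcb->pending_requests = tmp->next;
+free(tmp);
+}
++ xcondition_clear(dpy->xcb->event_notify);
++ xcondition_clear(dpy->xcb->reply_notify);
+xcondition_free(dpy->xcb->event_notify);
+xcondition_free(dpy->xcb->reply_notify);
+Xfree(dpy->xcb);
+--
+2.18.2
+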
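Review bot: The tag on patch line 17 is written `CVE:CVE-2022-3555` and the status line on patch line 16 `Upstream-Status: Backport from [...]`, while the other patches on this page use `CVE: CVE-…` and `Upstream-Status: Backport [...]`. Tooling that matches the tag text may not recognise the variant spelling (the file name still carries the CVE id), so I would normalise them to `CVE: CVE-2022-3555` and `Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]`. On the code, the two added `xcondition_clear()` calls come before the matching `xcondition_free()` calls, which is the order the fix needs; _XFreeX11XCBStructure's body starts outside the hunk.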
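--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
@@ -0,0 +1,111 @@
+From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
+error codes
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+CVE: CVE-2023-3138
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch]
+Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
+---
+src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f15..afc00a6b 100644
+--- a/src/InitExt.c
++++ b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+#include <X11/Xos.h>
+#include <stdio.h>
+
++/* The X11 protocol spec reserves events 64 through 127 for extensions */
++#ifndef LastExtensionEvent
++#define LastExtensionEvent 127
++#endif
++
++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
++#ifndef LastExtensionRequest
++#define FirstExtensionRequest 128
++#define LastExtensionRequest 255
++#endif
++
++
+/*
+* This routine is used to link a extension in so it will be called
+* at appropriate times.
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+WireToEventType proc) /* routine to call when converting event */
+{
+register WireToEventType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (WireToEventType)_XUnknownWireEvent;
++ }
+if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+LockDisplay (dpy);
+oldproc = dpy->event_vec[event_number];
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+)
+{
+WireToEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (WireToEventCookieType)_XUnknownWireEventCookie;
++ }
+if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
+LockDisplay (dpy);
+oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+)
+{
+CopyEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (CopyEventCookieType)_XUnknownCopyEventCookie;
++ }
+if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+LockDisplay (dpy);
+oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+EventToWireType proc) /* routine to call when converting event */
+{
+register EventToWireType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (EventToWireType)_XUnknownNativeEvent;
++ }
+if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+LockDisplay (dpy);
+oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
+WireToErrorType proc) /* routine to call when converting error */
+{
+register WireToErrorType oldproc = NULL;
++ if (error_number < 0 ||
++ error_number > LastExtensionError) {
++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
++ error_number);
++ return (WireToErrorType)_XDefaultWireError;
++ }
+if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
+LockDisplay (dpy);
+if (!dpy->error_vec) {
+--
+GitLab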
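Review bot: XESetWireToError tests `error_number > LastExtensionError`, but unlike `LastExtensionEvent` and `LastExtensionRequest` the block added at the top of InitExt.c gives `LastExtensionError` no fallback definition, so the build relies on a header outside this patch providing it; that is worth confirming against the headers this branch builds with. The fallback block also defines `FirstExtensionRequest` under `#ifndef LastExtensionRequest`; giving it its own `#ifndef FirstExtensionRequest` guard avoids a redefinition or a missing macro if a header supplies only one of the two. The event checks accept 0 through `LastExtensionEvent` although the new comment speaks of 64 through 127, so the comment could state that the test is an array-bounds check rather than an extension-range check. Each checked function continues outside its hunk.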
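--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+_XkbReadKeySyms()
+
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
+CVE: CVE-2023-43785
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/xkb/XKBGetMap.c | 14 +++++++++-----
+1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
++++ b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+if (offset + newMap->nSyms >= map->size_syms) {
+register int sz;
+
+- sz = map->size_syms + 128;
++ sz = offset + newMap->nSyms;
++ sz = ((sz + (unsigned) 128) / 128) * 128;
+_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+if (map->syms == NULL) {
+map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+map->size_syms = sz;
+}
+if (newMap->nSyms > 0) {
+- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+- newMap->nSyms);
++ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
++ newMap->nSyms) == 0)
++ return BadLength;
+offset += newMap->nSyms;
+}
+else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+if (newSyms == NULL)
+return BadAlloc;
+- if (newMap->nSyms > 0)
+- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
++ if (newMap->nSyms > 0) {
++ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
++ return BadLength;
++ }
+else
+newSyms[0] = NoSymbol;
+oldMap->kt_index[0] = newMap->ktIndex[0];
+--
+2.39.3
+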
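Review bot: The new size computation `sz = ((sz + (unsigned) 128) / 128) * 128;` in the first hunk carries no comment, and its intent is easy to misread: it rounds up to the next multiple of 128 and always leaves at least one spare slot, which is what the enclosing `offset + newMap->nSyms >= map->size_syms` test requires. I would add `/* grow to the next multiple of 128 strictly above offset + nSyms */` above it, so a later cleanup does not turn it into a plain round-up that can leave the array exactly full. The two `return BadLength` exits are new return paths from _XkbReadKeySyms, whose body starts and ends outside these hunks, so how its callers treat a non-success status should be checked in the backport target.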
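--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
@@ -0,0 +1,42 @@
+From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:54:30 -0700
+Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite
+recursion in PutSubImage()
+
+When splitting a single line of pixels into chunks to send to the
+X server, be sure to take into account the number of bits per pixel,
+so we don't just loop forever trying to send more pixels than fit in
+the given request size and not breaking them down into a small enough
+chunk to fix.
+
+Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/PutImage.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index 857ee916..a6db7b42 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -914,8 +914,9 @@ PutSubImage (
+req_width, req_height - SubImageHeight,
+dest_bits_per_pixel, dest_scanline_pad);
+} else {
+- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
+- * dest_scanline_pad) - left_pad;
++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
++ * dest_scanline_pad) - left_pad)
++ / dest_bits_per_pixel;
+
+PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
+(unsigned int) SubImageWidth, 1,
+--
+2.39.3
+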
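Review bot: After the added division, `SubImageWidth` can come out as zero or negative whenever `((Available << 3) / dest_scanline_pad) * dest_scanline_pad` does not exceed `left_pad` by at least `dest_bits_per_pixel`, and the value is then passed on as `(unsigned int) SubImageWidth` to the recursive call. Whether `Available` is guaranteed to be large enough is decided outside this hunk, so a guard such as `if (SubImageWidth <= 0)` with an early exit before the recursion, or at least a comment stating the invariant, would make termination evident to the next reader. PutSubImage's body starts and ends outside the hunk.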
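--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
@@ -0,0 +1,46 @@
+From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:55:04 -0700
+Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
+allowed by protocol
+
+The PutImage request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), same as the maximum dimensions of an X11
+Drawable, which the image is being copied to.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/PutImage.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index a6db7b42..ba411e36 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+#include "Xlibint.h"
+#include "Xutil.h"
+#include <stdio.h>
++#include <limits.h>
+#include "Cr.h"
+#include "ImUtil.h"
+#include "reallocarray.h"
+@@ -962,6 +963,10 @@ XPutImage (
+height = image->height - req_yoffset;
+if ((width <= 0) || (height <= 0))
+return 0;
++ if (width > USHRT_MAX)
++ width = USHRT_MAX;
++ if (height > USHRT_MAX)
++ height = USHRT_MAX;
+
+if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
+dest_bits_per_pixel = 1;
+--
+2.39.3
+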
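Review bot: The clamp `if (width > USHRT_MAX) width = USHRT_MAX;` (and the same for `height`) silently sends only part of an oversized image, and nothing in the hunk tells the caller that the request was reduced. A comment on the new lines, e.g. `/* PutImage carries width/height as CARD16; clip here rather than let the values wrap on the wire */`, would record why clipping was chosen over returning an error, which matters because the sibling XCreatePixmap fix takes the opposite approach and forces an X error. XPutImage's body starts and ends outside the hunk.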
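--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
+From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 16:12:27 -0700
+Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
+out-of-range dimensions
+
+The CreatePixmap request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), so if either is larger than that, set it to 0
+so the X server returns a BadValue error as the protocol requires.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/CrPixmap.c | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/src/CrPixmap.c b/src/CrPixmap.c
+index cdf31207..3cb2ca6d 100644
+--- a/src/CrPixmap.c
++++ b/src/CrPixmap.c
+@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
+#include <config.h>
+#endif
+#include "Xlibint.h"
++#include <limits.h>
+
+#ifdef USE_DYNAMIC_XCURSOR
+void
+@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
+Pixmap pid;
+register xCreatePixmapReq *req;
+
++ /*
++ * Force a BadValue X Error if the requested dimensions are larger
++ * than the X11 protocol has room for, since that's how callers expect
++ * to get notified of errors.
++ */
++ if (width > USHRT_MAX)
++ width = 0;
++ if (height > USHRT_MAX)
++ height = 0;
++
+LockDisplay(dpy);
+GetReq(CreatePixmap, req);
+req->drawable = d;
+--
+2.39.3
+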
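Review bot: The comment added above the `width > USHRT_MAX` check in XCreatePixmap says a BadValue error is being forced, but not why substituting 0 achieves that; only the patch description states that the server rejects the resulting request. I would extend the comment with a line such as `* A zero width or height makes the server answer with BadValue.` so the reason survives without the commit message. The declarations of `width` and `height` are outside the hunk, so the comparison against USHRT_MAX presumably relies on them being wider than 16 bits. Since this file is a backport, a wording change belongs upstream first so the patch stays identical to the referenced commit.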
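--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
@@ -0,0 +1,64 @@
+From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
+From: Yair Mizrahi <yairm@jfrog.com>
+Date: Thu, 7 Sep 2023 16:15:32 -0700
+Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
+leading to a heap overflow
+
+When the format is `Pixmap` it calculates the size of the image data as:
+ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+There is no validation on the `width` of the image, and so this
+calculation exceeds the capacity of a 4-byte integer, causing an overflow.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/ImUtil.c | 20 +++++++++++++++-----
+1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 36f08a03..fbfad33e 100644
+--- a/src/ImUtil.c
++++ b/src/ImUtil.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+#include <X11/Xlibint.h>
+#include <X11/Xutil.h>
+#include <stdio.h>
++#include <limits.h>
+#include "ImUtil.h"
+
+static int _XDestroyImage(XImage *);
+@@ -361,13 +362,22 @@ XImage *XCreateImage (
+/*
+* compute per line accelerator.
+*/
+- {
+- if (format == ZPixmap)
++ if (format == ZPixmap) {
++ if ((INT_MAX / bits_per_pixel) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+min_bytes_per_line =
+- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+- else
++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
++ } else {
++ if ((INT_MAX - offset) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+min_bytes_per_line =
+- ROUNDUP((width + offset), image->bitmap_pad);
++ ROUNDUP((width + offset), image->bitmap_pad);
+}
+if (image_bytes_per_line == 0) {
+image->bytes_per_line = min_bytes_per_line;
+--
+2.39.3
+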
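Review bot: In the non-ZPixmap branch of XCreateImage, the new guard `(INT_MAX - offset) < width` is only safe when `offset` is non-negative. The parameter declarations are outside the hunk, but if `offset` is a signed int, a negative value makes the subtraction itself overflow before the comparison is evaluated. Rejecting that case first, with `if (offset < 0 || (INT_MAX - offset) < width) {`, would close it. Likewise `INT_MAX / bits_per_pixel` in the ZPixmap branch assumes `bits_per_pixel` is never 0, which should be confirmed against the code earlier in the function. Because this file is a backport of upstream commit 7916869d, the change is better raised upstream than edited into the patch locally.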