1 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
new file mode 100644
index 0000000000..838f7d3726
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
@@ -0,0 +1,51 @@
+From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 14:53:07 +1000
+Subject: [PATCH] Xext: free the screen saver resource when replacing it
+This fixes a use-after-free bug:
+When a client first calls ScreenSaverSetAttributes(), a struct
+ScreenSaverAttrRec is allocated and added to the client's
+resources.
+When the same client calls ScreenSaverSetAttributes() again, a new
+struct ScreenSaverAttrRec is allocated, replacing the old struct. The
+old struct was freed but not removed from the clients resources.
+Later, when the client is destroyed the resource system invokes
+ScreenSaverFreeAttr and attempts to clean up the already freed struct.
+Fix this by letting the resource system free the old attrs instead.
+CVE-2022-46343, ZDI-CAN 19404
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
+CVE: CVE-2022-46343
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/Xext/saver.c b/Xext/saver.c
+index c23907d..05b9ca3 100644
+--- a/Xext/saver.c
+++ b/Xext/saver.c
+@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
+         pVlist++;
+     }
+     if (pPriv->attr)
+-        FreeScreenAttr(pPriv->attr);
+        FreeResource(pPriv->attr->resource, AttrType);
+     pPriv->attr = pAttr;
+     pAttr->resource = FakeClientID(client->index);
+     if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
+-- 
+2.25.1

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch new file mode 100644 index 0000000000..838f7d3726 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
@@ -0,0 +1,51 @@
	1	From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
	2	From: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Tue, 29 Nov 2022 14:53:07 +1000
	4	Subject: [PATCH] Xext: free the screen saver resource when replacing it
	5
	6	This fixes a use-after-free bug:
	7
	8	When a client first calls ScreenSaverSetAttributes(), a struct
	9	ScreenSaverAttrRec is allocated and added to the client's
	10	resources.
	11
	12	When the same client calls ScreenSaverSetAttributes() again, a new
	13	struct ScreenSaverAttrRec is allocated, replacing the old struct. The
	14	old struct was freed but not removed from the clients resources.
	15
	16	Later, when the client is destroyed the resource system invokes
	17	ScreenSaverFreeAttr and attempts to clean up the already freed struct.
	18
	19	Fix this by letting the resource system free the old attrs instead.
	20
	21	CVE-2022-46343, ZDI-CAN 19404
	22
	23	This vulnerability was discovered by:
	24	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
	25
	26	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	27	Acked-by: Olivier Fourdan <ofourdan@redhat.com>
	28
	29	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
	30	CVE: CVE-2022-46343
	31	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	32	---
	33	Xext/saver.c \| 2 +-
	34	1 file changed, 1 insertion(+), 1 deletion(-)
	35
	36	diff --git a/Xext/saver.c b/Xext/saver.c
	37	index c23907d..05b9ca3 100644
	38	--- a/Xext/saver.c
	39	+++ b/Xext/saver.c
	40	@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
	41	pVlist++;
	42	}
	43	if (pPriv->attr)
	44	- FreeScreenAttr(pPriv->attr);
	45	+ FreeResource(pPriv->attr->resource, AttrType);
	46	pPriv->attr = pAttr;
	47	pAttr->resource = FakeClientID(client->index);
	48	if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
	49	--
	50	2.25.1
	51