1 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
new file mode 100644
index 0000000000..6392eae3f8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
@@ -0,0 +1,63 @@
+From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+This fixes an OOB read and the resulting information disclosure.
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+CVE-2023-6478, ZDI-CAN-22561
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
+CVE: CVE-2023-6478
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ randr/rrproperty.c         | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
+    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
+    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+-- 
+GitLab

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch new file mode 100644 index 0000000000..6392eae3f8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
@@ -0,0 +1,63 @@
	1	From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
	2	From: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Mon, 27 Nov 2023 16:27:49 +1000
	4	Subject: [PATCH] randr: avoid integer truncation in length check of
	5	ProcRRChange*Property
	6
	7	Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
	8	See also xserver@8f454b79 where this same bug was fixed for the core
	9	protocol and XI.
	10
	11	This fixes an OOB read and the resulting information disclosure.
	12
	13	Length calculation for the request was clipped to a 32-bit integer. With
	14	the correct stuff->nUnits value the expected request size was
	15	truncated, passing the REQUEST_FIXED_SIZE check.
	16
	17	The server then proceeded with reading at least stuff->num_items bytes
	18	(depending on stuff->format) from the request and stuffing whatever it
	19	finds into the property. In the process it would also allocate at least
	20	stuff->nUnits bytes, i.e. 4GB.
	21
	22	CVE-2023-6478, ZDI-CAN-22561
	23
	24	This vulnerability was discovered by:
	25	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
	26
	27	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
	28	CVE: CVE-2023-6478
	29	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	30	---
	31	randr/rrproperty.c \| 2 +-
	32	randr/rrproviderproperty.c \| 2 +-
	33	2 files changed, 2 insertions(+), 2 deletions(-)
	34
	35	diff --git a/randr/rrproperty.c b/randr/rrproperty.c
	36	index 25469f57b2..c4fef8a1f6 100644
	37	--- a/randr/rrproperty.c
	38	+++ b/randr/rrproperty.c
	39	@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
	40	char format, mode;
	41	unsigned long len;
	42	int sizeInBytes;
	43	- int totalSize;
	44	+ uint64_t totalSize;
	45	int err;
	46
	47	REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
	48	diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
	49	index b79c17f9bf..90c5a9a933 100644
	50	--- a/randr/rrproviderproperty.c
	51	+++ b/randr/rrproviderproperty.c
	52	@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
	53	char format, mode;
	54	unsigned long len;
	55	int sizeInBytes;
	56	- int totalSize;
	57	+ uint64_t totalSize;
	58	int err;
	59
	60	REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
	61	--
	62	GitLab
	63