diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch new file mode 100644 index 0000000000..0bfff268e7 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Hutterer <peter.hutterer@who-t.net> | ||
3 | Date: Thu, 14 Dec 2023 11:29:49 +1000 | ||
4 | Subject: [PATCH] dix: allocate enough space for logical button maps | ||
5 | |||
6 | Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for | ||
7 | each logical button currently down. Since buttons can be arbitrarily mapped | ||
8 | to anything up to 255 make sure we have enough bits for the maximum mapping. | ||
9 | |||
10 | CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 | ||
11 | |||
12 | This vulnerability was discovered by: | ||
13 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
14 | |||
15 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3] | ||
16 | CVE: CVE-2023-6816 | ||
17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
18 | --- | ||
19 | Xi/xiquerypointer.c | 3 +-- | ||
20 | dix/enterleave.c | 5 +++-- | ||
21 | 2 files changed, 4 insertions(+), 4 deletions(-) | ||
22 | |||
23 | diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c | ||
24 | index 5b77b1a444..2b05ac5f39 100644 | ||
25 | --- a/Xi/xiquerypointer.c | ||
26 | +++ b/Xi/xiquerypointer.c | ||
27 | @@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) | ||
28 | if (pDev->button) { | ||
29 | int i; | ||
30 | |||
31 | - rep.buttons_len = | ||
32 | - bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); | ||
33 | + rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ | ||
34 | rep.length += rep.buttons_len; | ||
35 | buttons = calloc(rep.buttons_len, 4); | ||
36 | if (!buttons) | ||
37 | diff --git a/dix/enterleave.c b/dix/enterleave.c | ||
38 | index 867ec74363..ded8679d76 100644 | ||
39 | --- a/dix/enterleave.c | ||
40 | +++ b/dix/enterleave.c | ||
41 | @@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, | ||
42 | |||
43 | mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); | ||
44 | |||
45 | - /* XI 2 event */ | ||
46 | - btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; | ||
47 | + /* XI 2 event contains the logical button map - maps are CARD8 | ||
48 | + * so we need 256 bits for the possibly maximum mapping */ | ||
49 | + btlen = (mouse->button) ? bits_to_bytes(256) : 0; | ||
50 | btlen = bytes_to_int32(btlen); | ||
51 | len = sizeof(xXIFocusInEvent) + btlen * 4; | ||
52 | |||
53 | -- | ||
54 | GitLab | ||
55 | |||