Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch | 41 |
1 files changed, 41 insertions, 0 deletions
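--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
@@ -0,0 +1,41 @@
+From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 13:48:10 +1000
+Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of
+buttons
+
+There's a racy sequence where a master device may copy the button class
+from the slave, without ever initializing numButtons. This leads to a
+device with zero buttons but a button class which is invalid.
+
+Let's copy the numButtons value from the source - by definition if we
+don't have a button class yet we do not have any other slave devices
+with more than this number of buttons anyway.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+Xi/exevents.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 54ea11a938..e161714682 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+to->button = calloc(1, sizeof(ButtonClassRec));
+if (!to->button)
+FatalError("[Xi] no memory for class shift.\n");
++ to->button->numButtons = from->button->numButtons;
+}
+else
+classes->button = NULL;
+--
+GitLab
+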
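Review bot: The added assignment in the Xi/exevents.c hunk initialises `numButtons` only on the freshly `calloc`ed ButtonClassRec. The `else` branch two lines below it, which appears to keep an already existing class, leaves that class's earlier `numButtons` as it was. DeepCopyPointerClasses starts and ends outside the hunk, so confirm there that a reused class cannot carry a button count that disagrees with the source device. The new line also dereferences `from->button` with no check visible in the hunk, presumably because a condition above it guarantees this. A comment such as `/* from->button is non-NULL here; a new class must never be left with 0 buttons */` would record both assumptions. The file name marks this as part 3 of the CVE-2024-0229 series and the diffstat is limited to this one file, so also check that the recipe's SRC_URI lists it together with the other parts.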