1 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
new file mode 100644
index 0000000000..9763e0b562
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
@@ -0,0 +1,46 @@
+From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 11:51:56 +0100
+Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
+The cursor in DIX is actually split in two parts, the cursor itself and
+the cursor bits, each with their own devPrivates.
+The cursor itself includes the cursor bits, meaning that the cursor bits
+devPrivates in within structure of the cursor.
+Both Xephyr and Xwayland were using the private key for the cursor bits
+to store the data for the cursor, and when using XSELINUX which comes
+with its own special devPrivates, the data stored in that cursor bits'
+devPrivates would interfere with the XSELINUX devPrivates data and the
+SELINUX security ID would point to some other unrelated data, causing a
+crash in the XSELINUX code when trying to (re)use the security ID.
+CVE-2024-0409
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7]
+CVE: CVE-2024-0409
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/kdrive/ephyr/ephyrcursor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c
+index f991899..3f192d0 100644
+--- a/hw/kdrive/ephyr/ephyrcursor.c
+++ b/hw/kdrive/ephyr/ephyrcursor.c
+@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = {
+ Bool
+ ephyrCursorInit(ScreenPtr screen)
+ {
+-    if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS,
+    if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR,
+                                sizeof(ephyrCursorRec)))
+         return FALSE;
+ 
+-- 
+2.25.1

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch new file mode 100644 index 0000000000..9763e0b562 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
@@ -0,0 +1,46 @@
	1	From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001
	2	From: Olivier Fourdan <ofourdan@redhat.com>
	3	Date: Wed, 6 Dec 2023 11:51:56 +0100
	4	Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
	5
	6	The cursor in DIX is actually split in two parts, the cursor itself and
	7	the cursor bits, each with their own devPrivates.
	8
	9	The cursor itself includes the cursor bits, meaning that the cursor bits
	10	devPrivates in within structure of the cursor.
	11
	12	Both Xephyr and Xwayland were using the private key for the cursor bits
	13	to store the data for the cursor, and when using XSELINUX which comes
	14	with its own special devPrivates, the data stored in that cursor bits'
	15	devPrivates would interfere with the XSELINUX devPrivates data and the
	16	SELINUX security ID would point to some other unrelated data, causing a
	17	crash in the XSELINUX code when trying to (re)use the security ID.
	18
	19	CVE-2024-0409
	20
	21	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
	22	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	23
	24	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7]
	25	CVE: CVE-2024-0409
	26	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	27	---
	28	hw/kdrive/ephyr/ephyrcursor.c \| 2 +-
	29	1 file changed, 1 insertion(+), 1 deletion(-)
	30
	31	diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c
	32	index f991899..3f192d0 100644
	33	--- a/hw/kdrive/ephyr/ephyrcursor.c
	34	+++ b/hw/kdrive/ephyr/ephyrcursor.c
	35	@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = {
	36	Bool
	37	ephyrCursorInit(ScreenPtr screen)
	38	{
	39	- if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS,
	40	+ if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR,
	41	sizeof(ephyrCursorRec)))
	42	return FALSE;
	43
	44	--
	45	2.25.1
	46