diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg')
4 files changed, 188 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch new file mode 100644 index 0000000000..3277be0185 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | Backport patch to fix CVE-2021-4008. | ||
2 | |||
3 | CVE: CVE-2021-4008 | ||
4 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2] | ||
5 | |||
6 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
7 | |||
8 | From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001 | ||
9 | From: Povilas Kanapickas <povilas@radix.lt> | ||
10 | Date: Tue, 14 Dec 2021 15:00:03 +0200 | ||
11 | Subject: [PATCH] render: Fix out of bounds access in | ||
12 | SProcRenderCompositeGlyphs() | ||
13 | |||
14 | ZDI-CAN-14192, CVE-2021-4008 | ||
15 | |||
16 | This vulnerability was discovered and the fix was suggested by: | ||
17 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
18 | |||
19 | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||
20 | --- | ||
21 | render/render.c | 9 +++++++++ | ||
22 | 1 file changed, 9 insertions(+) | ||
23 | |||
24 | diff --git a/render/render.c b/render/render.c | ||
25 | index c376090ca..456f156d4 100644 | ||
26 | --- a/render/render.c | ||
27 | +++ b/render/render.c | ||
28 | @@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) | ||
29 | |||
30 | i = elt->len; | ||
31 | if (i == 0xff) { | ||
32 | + if (buffer + 4 > end) { | ||
33 | + return BadLength; | ||
34 | + } | ||
35 | swapl((int *) buffer); | ||
36 | buffer += 4; | ||
37 | } | ||
38 | @@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client) | ||
39 | buffer += i; | ||
40 | break; | ||
41 | case 2: | ||
42 | + if (buffer + i * 2 > end) { | ||
43 | + return BadLength; | ||
44 | + } | ||
45 | while (i--) { | ||
46 | swaps((short *) buffer); | ||
47 | buffer += 2; | ||
48 | } | ||
49 | break; | ||
50 | case 4: | ||
51 | + if (buffer + i * 4 > end) { | ||
52 | + return BadLength; | ||
53 | + } | ||
54 | while (i--) { | ||
55 | swapl((int *) buffer); | ||
56 | buffer += 4; | ||
57 | -- | ||
58 | GitLab | ||
59 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch new file mode 100644 index 0000000000..ddfbb43ee4 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4009.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | Backport patch to fix CVE-2021-4009. | ||
2 | |||
3 | CVE: CVE-2021-4009 | ||
4 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b519675] | ||
5 | |||
6 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
7 | |||
8 | From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001 | ||
9 | From: Povilas Kanapickas <povilas@radix.lt> | ||
10 | Date: Tue, 14 Dec 2021 15:00:01 +0200 | ||
11 | Subject: [PATCH] xfixes: Fix out of bounds access in | ||
12 | *ProcXFixesCreatePointerBarrier() | ||
13 | |||
14 | ZDI-CAN-14950, CVE-2021-4009 | ||
15 | |||
16 | This vulnerability was discovered and the fix was suggested by: | ||
17 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
18 | |||
19 | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||
20 | --- | ||
21 | xfixes/cursor.c | 6 ++++-- | ||
22 | 1 file changed, 4 insertions(+), 2 deletions(-) | ||
23 | |||
24 | diff --git a/xfixes/cursor.c b/xfixes/cursor.c | ||
25 | index 60580b88f..c5d4554b2 100644 | ||
26 | --- a/xfixes/cursor.c | ||
27 | +++ b/xfixes/cursor.c | ||
28 | @@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client) | ||
29 | { | ||
30 | REQUEST(xXFixesCreatePointerBarrierReq); | ||
31 | |||
32 | - REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); | ||
33 | + REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, | ||
34 | + pad_to_int32(stuff->num_devices * sizeof(CARD16))); | ||
35 | LEGAL_NEW_RESOURCE(stuff->barrier, client); | ||
36 | |||
37 | return XICreatePointerBarrier(client, stuff); | ||
38 | @@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) | ||
39 | |||
40 | swaps(&stuff->length); | ||
41 | swaps(&stuff->num_devices); | ||
42 | - REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); | ||
43 | + REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, | ||
44 | + pad_to_int32(stuff->num_devices * sizeof(CARD16))); | ||
45 | |||
46 | swapl(&stuff->barrier); | ||
47 | swapl(&stuff->window); | ||
48 | -- | ||
49 | GitLab | ||
50 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch new file mode 100644 index 0000000000..06ebe7d077 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4010.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | Backport patch to fix CVE-2021-4010. | ||
2 | |||
3 | CVE: CVE-2021-4010 | ||
4 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c4c530] | ||
5 | |||
6 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
7 | |||
8 | From 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 Mon Sep 17 00:00:00 2001 | ||
9 | From: Povilas Kanapickas <povilas@radix.lt> | ||
10 | Date: Tue, 14 Dec 2021 15:00:02 +0200 | ||
11 | Subject: [PATCH] Xext: Fix out of bounds access in SProcScreenSaverSuspend() | ||
12 | |||
13 | ZDI-CAN-14951, CVE-2021-4010 | ||
14 | |||
15 | This vulnerability was discovered and the fix was suggested by: | ||
16 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
17 | |||
18 | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||
19 | --- | ||
20 | Xext/saver.c | 2 +- | ||
21 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/Xext/saver.c b/Xext/saver.c | ||
24 | index 1d7e3cadf..f813ba08d 100644 | ||
25 | --- a/Xext/saver.c | ||
26 | +++ b/Xext/saver.c | ||
27 | @@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client) | ||
28 | REQUEST(xScreenSaverSuspendReq); | ||
29 | |||
30 | swaps(&stuff->length); | ||
31 | - swapl(&stuff->suspend); | ||
32 | REQUEST_SIZE_MATCH(xScreenSaverSuspendReq); | ||
33 | + swapl(&stuff->suspend); | ||
34 | return ProcScreenSaverSuspend(client); | ||
35 | } | ||
36 | |||
37 | -- | ||
38 | GitLab | ||
39 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch new file mode 100644 index 0000000000..c7eb03091d --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4011.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | Backport patch to fix CVE-2021-4011. | ||
2 | |||
3 | CVE: CVE-2021-4011 | ||
4 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e56f61c] | ||
5 | |||
6 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
7 | |||
8 | From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001 | ||
9 | From: Povilas Kanapickas <povilas@radix.lt> | ||
10 | Date: Tue, 14 Dec 2021 15:00:00 +0200 | ||
11 | Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister() | ||
12 | |||
13 | ZDI-CAN-14952, CVE-2021-4011 | ||
14 | |||
15 | This vulnerability was discovered and the fix was suggested by: | ||
16 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
17 | |||
18 | Signed-off-by: Povilas Kanapickas <povilas@radix.lt> | ||
19 | --- | ||
20 | record/record.c | 4 ++-- | ||
21 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
22 | |||
23 | diff --git a/record/record.c b/record/record.c | ||
24 | index be154525d..e123867a7 100644 | ||
25 | --- a/record/record.c | ||
26 | +++ b/record/record.c | ||
27 | @@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) | ||
28 | swapl(pClientID); | ||
29 | } | ||
30 | if (stuff->nRanges > | ||
31 | - client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) | ||
32 | - - stuff->nClients) | ||
33 | + (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) | ||
34 | + - stuff->nClients) / bytes_to_int32(sz_xRecordRange)) | ||
35 | return BadLength; | ||
36 | RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); | ||
37 | return Success; | ||
38 | -- | ||
39 | GitLab | ||
40 | |||