summaryrefslogtreecommitdiffstats
path: root/meta/recipes-graphics/xorg-xserver
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver')
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch49
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch47
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb2
3 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
new file mode 100644
index 0000000000..da735efb2b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
@@ -0,0 +1,49 @@
1From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
2From: Alan Coopersmith <alan.coopersmith@oracle.com>
3Date: Fri, 22 Mar 2024 18:51:45 -0700
4Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
5 send reply
6
7CVE-2024-31080
8
9Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
10Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
11Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
12Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
13
14Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
15CVE: CVE-2024-31080
16Signed-off-by: Ashish Sharma <asharma@mvista.com>
17
18 Xi/xiselectev.c | 5 ++++-
19 1 file changed, 4 insertions(+), 1 deletion(-)
20
21diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
22index edcb8a0d36..ac14949871 100644
23--- a/Xi/xiselectev.c
24+++ b/Xi/xiselectev.c
25@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
26 InputClientsPtr others = NULL;
27 xXIEventMask *evmask = NULL;
28 DeviceIntPtr dev;
29+ uint32_t length;
30
31 REQUEST(xXIGetSelectedEventsReq);
32 REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
33@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
34 }
35 }
36
37+ /* save the value before SRepXIGetSelectedEvents swaps it */
38+ length = reply.length;
39 WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
40
41 if (reply.num_masks)
42- WriteToClient(client, reply.length * 4, buffer);
43+ WriteToClient(client, length * 4, buffer);
44
45 free(buffer);
46 return Success;
47--
48GitLab
49
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
new file mode 100644
index 0000000000..d2c551a0e5
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
@@ -0,0 +1,47 @@
1From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
2From: Alan Coopersmith <alan.coopersmith@oracle.com>
3Date: Fri, 22 Mar 2024 18:56:27 -0700
4Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
5 send reply
6
7CVE-2024-31081
8
9Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
10Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
11Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
12
13Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
14CVE: CVE-2024-31081
15Signed-off-by: Ashish Sharma <asharma@mvista.com>
16
17 Xi/xipassivegrab.c | 5 ++++-
18 1 file changed, 4 insertions(+), 1 deletion(-)
19
20diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
21index c9ac2f8553..896233bec2 100644
22--- a/Xi/xipassivegrab.c
23+++ b/Xi/xipassivegrab.c
24@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
25 GrabParameters param;
26 void *tmp;
27 int mask_len;
28+ uint32_t length;
29
30 REQUEST(xXIPassiveGrabDeviceReq);
31 REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
32@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
33 }
34 }
35
36+ /* save the value before SRepXIPassiveGrabDevice swaps it */
37+ length = rep.length;
38 WriteReplyToClient(client, sizeof(rep), &rep);
39 if (rep.num_modifiers)
40- WriteToClient(client, rep.length * 4, modifiers_failed);
41+ WriteToClient(client, length * 4, modifiers_failed);
42
43 out:
44 free(modifiers_failed);
45--
46GitLab
47
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index d6c6c5bd45..04a6e734ef 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -30,6 +30,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
30 file://CVE-2024-21886-2.patch \ 30 file://CVE-2024-21886-2.patch \
31 file://CVE-2024-0408.patch \ 31 file://CVE-2024-0408.patch \
32 file://CVE-2024-0409.patch \ 32 file://CVE-2024-0409.patch \
33 file://CVE-2024-31081.patch \
34 file://CVE-2024-31080.patch \
33" 35"
34SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" 36SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
35SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" 37SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-06-16 09:24:20 +0000