14 files changed, 304 insertions, 3 deletions
diff --git a/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch b/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch
new file mode 100644
index 0000000000..03b6dba153
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch
@@ -0,0 +1,81 @@
+From ade1818b7542ef9e11ece5ce98df91fab45d674c Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 2 Jun 2020 14:15:37 -0500
+Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
+This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
+include binary PPM files with maximum values < 255, thus preventing a
+malformed binary PPM input file with those specifications from
+triggering an overrun of the rescale array and potentially crashing
+cjpeg, TJBench, or any program that uses the tjLoadImage() function.
+Fixes #433
+CVE: CVE-2020-13790
+Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
+---
+ ChangeLog.md | 20 ++++++++++++++++----
+ rdppm.c      |  4 ++--
+ 2 files changed, 18 insertions(+), 6 deletions(-)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 3667d12..198c7b8 100644
+--- a/ChangeLog.md
+++ b/ChangeLog.md
+@@ -1,3 +1,15 @@
+2.0.4
+=====
+
+### Significant changes relative to 2.0.3:
+
+1. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
+TJBench, or the `tjLoadImage()` function if one of the values in a binary
+PPM/PGM input file exceeded the maximum value defined in the file's header and
+that maximum value was less than 255.  libjpeg-turbo 1.5.0 already included a
+similar fix for binary PPM/PGM files with maximum values greater than 255.
+
+
+ 2.0.3
+ =====
+ 
+@@ -520,10 +532,10 @@ application was linked against.
+ 
+ 3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
+ in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
+-maximum value defined in the file's header.  libjpeg-turbo 1.4.2 already
+-included a similar fix for ASCII PPM/PGM files.  Note that these issues were
+-not security bugs, since they were confined to the cjpeg program and did not
+-affect any of the libjpeg-turbo libraries.
+maximum value defined in the file's header and that maximum value was greater
+than 255.  libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM
+files.  Note that these issues were not security bugs, since they were confined
+to the cjpeg program and did not affect any of the libjpeg-turbo libraries.
+ 
+ 4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
+ header using the `tjDecompressToYUV2()` function would cause the function to
+diff --git a/rdppm.c b/rdppm.c
+index 87bc330..a8507b9 100644
+--- a/rdppm.c
+++ b/rdppm.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2009 by Bill Allombert, Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2015-2017, D. R. Commander.
+ * Copyright (C) 2015-2017, 2020, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+     /* On 16-bit-int machines we have to be careful of maxval = 65535 */
+     source->rescale = (JSAMPLE *)
+       (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
+-                                  (size_t)(((long)maxval + 1L) *
+                                  (size_t)(((long)MAX(maxval, 255) + 1L) *
+                                            sizeof(JSAMPLE)));
+     half_maxval = maxval / 2;
+     for (val = 0; val <= (long)maxval; val++) {
+-- 
+2.17.0
diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb
index 1cf854de62..8ea81f386f 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb
@@ -12,6 +12,7 @@ DEPENDS_append_x86_class-target    = " nasm-native"
 SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
           file://0001-libjpeg-turbo-fix-package_qa-error.patch \
+           file://0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch \
           "
 SRC_URI[md5sum] = "bd07fddf26f9def7bab02739eb655116"
diff --git a/meta/recipes-graphics/mesa/files/0003-Allow-enable-DRI-without-DRI-drivers.patch b/meta/recipes-graphics/mesa/files/0003-Allow-enable-DRI-without-DRI-drivers.patch
index 3458c19199..346b217585 100644
--- a/meta/recipes-graphics/mesa/files/0003-Allow-enable-DRI-without-DRI-drivers.patch
+++ b/meta/recipes-graphics/mesa/files/0003-Allow-enable-DRI-without-DRI-drivers.patch
@@ -23,7 +23,7 @@ index 0e50bb26c0a..de065c290d6 100644
 with_dri_swrast = dri_drivers.contains('swrast')
 
 -with_dri = dri_drivers.length() != 0 and dri_drivers != ['']
-+with_dri = get_option('dri') or (_drivers.length() != 0 and _drivers != [''])
+with_dri = get_option('dri') or (dri_drivers.length() != 0 and dri_drivers != [''])
 
 gallium_drivers = get_option('gallium-drivers')
 if gallium_drivers.contains('auto')
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch
new file mode 100644
index 0000000000..ad61c95be3
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch
@@ -0,0 +1,66 @@
+From 24f67de7a9088a873844a39be03cee6882260ac9 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Mon, 7 Oct 2019 10:59:56 +0200
+Subject: [PATCH] vrend: check info formats in blits
+Closes #141
+Closes #142
+v2 : drop colon in error description (Emil)
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+Upstream-Status: Backport 
+[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/24f67de7a9088a873844a39be03cee6882260ac9]
+CVE: CVE-2019-18390
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/virgl_hw.h       |  1 +
+ src/vrend_renderer.c | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+diff --git a/src/virgl_hw.h b/src/virgl_hw.h
+index 145780bf..5ccf3073 100644
+--- a/src/virgl_hw.h
+++ b/src/virgl_hw.h
+@@ -426,6 +426,7 @@ enum virgl_ctx_errors {
+         VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER,
+         VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS,
+         VIRGL_ERROR_GL_ANY_SAMPLES_PASSED,
+        VIRGL_ERROR_CTX_ILLEGAL_FORMAT,
+ };
+ 
+ #define VIRGL_RESOURCE_Y_0_TOP (1 << 0)
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 14fefb38..aa6a89c1 100644
+--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
+@@ -758,6 +758,7 @@ static const char *vrend_ctx_error_strings[] = {
+    [VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER]    = "Illegal command buffer",
+    [VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS] = "On GLES context and shader program has tesselation evaluation shader but no tesselation control shader",
+    [VIRGL_ERROR_GL_ANY_SAMPLES_PASSED] = "Query for ANY_SAMPLES_PASSED not supported",
+   [VIRGL_ERROR_CTX_ILLEGAL_FORMAT]        = "Illegal format ID",
+ };
+ 
+ static void __report_context_error(const char *fname, struct vrend_context *ctx,
+@@ -8492,6 +8493,16 @@ void vrend_renderer_blit(struct vrend_context *ctx,
+    if (ctx->in_error)
+       return;
+ 
+   if (!info->src.format || (enum virgl_formats)info->src.format >= VIRGL_FORMAT_MAX) {
+      report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->src.format);
+      return;
+   }
+
+   if (!info->dst.format || (enum virgl_formats)info->dst.format >= VIRGL_FORMAT_MAX) {
+      report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->dst.format);
+      return;
+   }
+
+    if (info->render_condition_enable == false)
+       vrend_pause_render_condition(ctx, true);
+ 
+-- 
+2.24.1
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch
new file mode 100644
index 0000000000..cc641d8293
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch
@@ -0,0 +1,51 @@
+From 2abeb1802e3c005b17a7123e382171b3fb665971 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 8 Oct 2019 17:27:01 +0200
+Subject: [PATCH] vrend: check that the transfer iov holds enough data for the
+ data upload
+Closes #140
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+Upstream-Status: Backport 
+[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/2abeb1802e3c005b17a7123e382171b3fb665971]
+CVE: CVE-2019-18391
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 694e1d0e..fe23846b 100644
+--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
+@@ -7005,15 +7005,22 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+             invert = true;
+       }
+ 
+      send_size = util_format_get_nblocks(res->base.format, info->box->width,
+                                          info->box->height) * elsize;
+      if (res->target == GL_TEXTURE_3D ||
+          res->target == GL_TEXTURE_2D_ARRAY ||
+          res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+          send_size *= info->box->depth;
+
+       if (need_temp) {
+-         send_size = util_format_get_nblocks(res->base.format, info->box->width,
+-                                             info->box->height) * elsize * info->box->depth;
+          data = malloc(send_size);
+          if (!data)
+             return ENOMEM;
+          read_transfer_data(iov, num_iovs, data, res->base.format, info->offset,
+                             stride, layer_stride, info->box, invert);
+       } else {
+         if (send_size > iov[0].iov_len - info->offset)
+            return EINVAL;
+          data = (char*)iov[0].iov_base + info->offset;
+       }
+ 
+-- 
+2.24.1
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch
new file mode 100644
index 0000000000..925f2c8eb0
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch
@@ -0,0 +1,39 @@
+From 63bcca251f093d83da7e290ab4bbd38ae69089b5 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Wed, 15 Jan 2020 13:43:58 +0100
+Subject: [PATCH] vrend: Don't try launching a grid if no CS is available
+Closes #155
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>
+Upstream-Status: Backport 
+[https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/63bcca251f093d83da7e290ab4bbd38ae69089b5.patch]
+CVE: CVE-2020-8002
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index a054bad8..2280fc43 100644
+--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
+@@ -4604,6 +4604,13 @@ void vrend_launch_grid(struct vrend_context *ctx,
+       }
+       ctx->sub->shader_dirty = true;
+    }
+
+   if (!ctx->sub->prog) {
+      vrend_printf("%s: Skipping compute shader execution due to missing shaders: %s\n",
+                   __func__, ctx->debug_name);
+      return;
+   }
+
+    vrend_use_program(ctx, ctx->sub->prog->id);
+ 
+    vrend_draw_bind_ubo_shader(ctx, PIPE_SHADER_COMPUTE, 0);
+-- 
+2.24.1
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
index d2b11c103a..e91ccc6c57 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
@@ -8,6 +8,9 @@ DEPENDS = "libdrm mesa libepoxy"
 SRCREV = "48cc96c9aebb9d0164830a157efc8916f08f00c0"
 SRC_URI = "git://anongit.freedesktop.org/virglrenderer \
           file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
+           file://CVE-2019-18390.patch \
+           file://CVE-2019-18391.patch \
+           file://CVE-2020-8002.patch  \
           "
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-graphics/waffle/waffle_1.6.0.bb b/meta/recipes-graphics/waffle/waffle_1.6.0.bb
index 8a1d5748f6..82cead9ad1 100644
--- a/meta/recipes-graphics/waffle/waffle_1.6.0.bb
+++ b/meta/recipes-graphics/waffle/waffle_1.6.0.bb
@@ -35,3 +35,8 @@ PACKAGECONFIG[x11-egl] = "-Dx11_egl=enabled,-Dx11_egl=disabled,virtual/${MLPREFI
 PACKAGECONFIG[surfaceless-egl] = "-Dsurfaceless_egl=enabled,-Dsurfaceless_egl=disabled,virtual/${MLPREFIX}libgl"
 # TODO: optionally build manpages and examples
+# Unset these to stop python trying to report the target Python setup
+_PYTHON_SYSCONFIGDATA_NAME[unexport] = "1"
+STAGING_INCDIR[unexport] = "1"
+STAGING_LIBDIR[unexport] = "1"
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf b/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf
new file mode 100644
index 0000000000..7ab7460816
--- /dev/null
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf
@@ -0,0 +1,2 @@
+cap_sys_admin   @USER@
+none    *
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
index 6c548551b8..116bb278bc 100755
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
@@ -38,6 +38,14 @@ case "$1" in
           if [ -e /dev/hidraw0 ]; then
               chmod o+rw /dev/hidraw*
           fi
+           # Make sure that the Xorg has the cap_sys_admin capability which is
+           # needed for setting the drm master
+           if ! grep -q "^auth.*pam_cap\.so" /etc/pam.d/su; then
+               echo "auth       optional        pam_cap.so" >>/etc/pam.d/su
+           fi
+           if ! /usr/sbin/getcap $XSERVER |  grep -q cap_sys_admin; then
+               /usr/sbin/setcap cap_sys_admin+eip $XSERVER
+           fi
       fi
       # Using su rather than sudo as latest 1.8.1 cause failure [YOCTO #1211]
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
index a77c56445c..7f4e1e29f1 100644
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
@@ -10,6 +10,7 @@ SRC_URI = "file://xserver-nodm \
           file://gplv2-license.patch \
           file://xserver-nodm.service.in \
           file://xserver-nodm.conf.in \
+           file://capability.conf \
 "
 S = "${WORKDIR}"
@@ -19,7 +20,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 inherit update-rc.d systemd distro_features_check
-REQUIRED_DISTRO_FEATURES = "x11"
+REQUIRED_DISTRO_FEATURES = "x11 ${@oe.utils.conditional('ROOTLESS_X', '1', 'pam', '', d)}"
 PACKAGECONFIG ??= "blank"
 # dpms and screen saver will be on only if 'blank' is in PACKAGECONFIG
@@ -40,6 +41,8 @@ do_install() {
    if [ "${ROOTLESS_X}" = "1" ] ; then
        XUSER_HOME="/home/xuser"
        XUSER="xuser"
+        install -D capability.conf ${D}${sysconfdir}/security/capability.conf
+        sed -i "s:@USER@:${XUSER}:" ${D}${sysconfdir}/security/capability.conf
    else
        XUSER_HOME=${ROOT_HOME}
        XUSER="root"
@@ -60,7 +63,7 @@ do_install() {
    fi
 }
-RDEPENDS_${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'xuser-account', '', d)}"
+RDEPENDS_${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'xuser-account libcap libcap-bin', '', d)}"
 INITSCRIPT_NAME = "xserver-nodm"
 INITSCRIPT_PARAMS = "start 9 5 . stop 20 0 1 2 3 6 ."
diff --git a/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb b/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb
index a39609b5da..74014ff91b 100644
--- a/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb
+++ b/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb
@@ -19,3 +19,7 @@ SRC_URI[sha256sum] = "bd96e16143a044b19e87f217cf6a3763a70c561d1076aad6f6d862ec41
 inherit allarch
 EXTRA_OECONF += "--with-encodingsdir=${datadir}/fonts/X11/encodings"
+# postinst from .inc doesn't apply to this recipe
+pkg_postinst_${PN} () {
+}
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
new file mode 100644
index 0000000000..20a604869b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
@@ -0,0 +1,37 @@
+From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sat, 25 Jul 2020 19:33:50 +0200
+Subject: [PATCH] fix for ZDI-11426
+Avoid leaking un-initalized memory to clients by zeroing the
+whole pixmap on initial allocation.
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Upstream-Status: Backport
+CVE: CVE-2020-14347
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ dix/pixmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/dix/pixmap.c b/dix/pixmap.c
+index 1186d7dbb..5a0146bbb 100644
+--- a/dix/pixmap.c
+++ b/dix/pixmap.c
+@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
+     if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
+         return NullPixmap;
+ 
+-    pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+    pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
+     if (!pPixmap)
+         return NullPixmap;
+ 
+-- 
+2.17.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
index 3de6d22e57..f0f15a2584 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
            file://0001-test-xtest-Initialize-array-with-braces.patch \
            file://0001-compiler.h-Do-not-include-sys-io.h-on-ARM-with-glibc.patch \
            file://sdksyms-no-build-path.patch \
+            file://CVE-2020-14347.patch \
            "
 SRC_URI[md5sum] = "c9fc7e21e11286dbedd22c00df652130"
 SRC_URI[sha256sum] = "a81d8243f37e75a03d4f8c55f96d0bc25802be6ec45c3bfa5cb614c6d01bac9d"

diff --git a/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch b/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch new file mode 100644 index 0000000000..03b6dba153 --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch
@@ -0,0 +1,81 @@
		1	From ade1818b7542ef9e11ece5ce98df91fab45d674c Mon Sep 17 00:00:00 2001
		2	From: DRC <information@libjpeg-turbo.org>
		3	Date: Tue, 2 Jun 2020 14:15:37 -0500
		4	Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
		5
		6	This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
		7	include binary PPM files with maximum values < 255, thus preventing a
		8	malformed binary PPM input file with those specifications from
		9	triggering an overrun of the rescale array and potentially crashing
		10	cjpeg, TJBench, or any program that uses the tjLoadImage() function.
		11
		12	Fixes #433
		13
		14	CVE: CVE-2020-13790
		15
		16	Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
		17	---
		18	ChangeLog.md \| 20 ++++++++++++++++----
		19	rdppm.c \| 4 ++--
		20	2 files changed, 18 insertions(+), 6 deletions(-)
		21
		22	diff --git a/ChangeLog.md b/ChangeLog.md
		23	index 3667d12..198c7b8 100644
		24	--- a/ChangeLog.md
		25	+++ b/ChangeLog.md
		26	@@ -1,3 +1,15 @@
		27	+2.0.4
		28	+=====
		29	+
		30	+### Significant changes relative to 2.0.3:
		31	+
		32	+1. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
		33	+TJBench, or the `tjLoadImage()` function if one of the values in a binary
		34	+PPM/PGM input file exceeded the maximum value defined in the file's header and
		35	+that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
		36	+similar fix for binary PPM/PGM files with maximum values greater than 255.
		37	+
		38	+
		39	2.0.3
		40	=====
		41
		42	@@ -520,10 +532,10 @@ application was linked against.
		43
		44	3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
		45	in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
		46	-maximum value defined in the file's header. libjpeg-turbo 1.4.2 already
		47	-included a similar fix for ASCII PPM/PGM files. Note that these issues were
		48	-not security bugs, since they were confined to the cjpeg program and did not
		49	-affect any of the libjpeg-turbo libraries.
		50	+maximum value defined in the file's header and that maximum value was greater
		51	+than 255. libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM
		52	+files. Note that these issues were not security bugs, since they were confined
		53	+to the cjpeg program and did not affect any of the libjpeg-turbo libraries.
		54
		55	4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
		56	header using the `tjDecompressToYUV2()` function would cause the function to
		57	diff --git a/rdppm.c b/rdppm.c
		58	index 87bc330..a8507b9 100644
		59	--- a/rdppm.c
		60	+++ b/rdppm.c
		61	@@ -5,7 +5,7 @@
		62	* Copyright (C) 1991-1997, Thomas G. Lane.
		63	* Modified 2009 by Bill Allombert, Guido Vollbeding.
		64	* libjpeg-turbo Modifications:
		65	- * Copyright (C) 2015-2017, D. R. Commander.
		66	+ * Copyright (C) 2015-2017, 2020, D. R. Commander.
		67	* For conditions of distribution and use, see the accompanying README.ijg
		68	* file.
		69	*
		70	@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
		71	/* On 16-bit-int machines we have to be careful of maxval = 65535 */
		72	source->rescale = (JSAMPLE *)
		73	(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
		74	- (size_t)(((long)maxval + 1L) *
		75	+ (size_t)(((long)MAX(maxval, 255) + 1L) *
		76	sizeof(JSAMPLE)));
		77	half_maxval = maxval / 2;
		78	for (val = 0; val <= (long)maxval; val++) {
		79	--
		80	2.17.0
		81


diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb index 1cf854de62..8ea81f386f 100644 --- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb +++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.3.bb
@@ -12,6 +12,7 @@ DEPENDS_append_x86_class-target = " nasm-native"
12		12
13	SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \	13	SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
14	file://0001-libjpeg-turbo-fix-package_qa-error.patch \	14	file://0001-libjpeg-turbo-fix-package_qa-error.patch \
		15	file://0001-rdppm.c-Fix-buf-overrun-caused-by-bad-binary-PPM.patch \
15	"	16	"
16		17
17	SRC_URI[md5sum] = "bd07fddf26f9def7bab02739eb655116"	18	SRC_URI[md5sum] = "bd07fddf26f9def7bab02739eb655116"


diff --git a/meta/recipes-graphics/mesa/files/0003-Allow-enable-DRI-without-DRI-drivers.patch b/meta/recipes-graphics/mesa/files/0003-Allow-enable-DRI-without-DRI-drivers.patch index 3458c19199..346b217585 100644 --- a/meta/recipes-graphics/mesa/files/0003-Allow-enable-DRI-without-DRI-drivers.patch +++ b/meta/recipes-graphics/mesa/files/0003-Allow-enable-DRI-without-DRI-drivers.patch
@@ -23,7 +23,7 @@ index 0e50bb26c0a..de065c290d6 100644
23	with_dri_swrast = dri_drivers.contains('swrast')	23	with_dri_swrast = dri_drivers.contains('swrast')
24		24
25	-with_dri = dri_drivers.length() != 0 and dri_drivers != ['']	25	-with_dri = dri_drivers.length() != 0 and dri_drivers != ['']
26	+with_dri = get_option('dri') or (_drivers.length() != 0 and _drivers != [''])	26	+with_dri = get_option('dri') or (dri_drivers.length() != 0 and dri_drivers != [''])
27		27
28	gallium_drivers = get_option('gallium-drivers')	28	gallium_drivers = get_option('gallium-drivers')
29	if gallium_drivers.contains('auto')	29	if gallium_drivers.contains('auto')


diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch new file mode 100644 index 0000000000..ad61c95be3 --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch
@@ -0,0 +1,66 @@
		1	From 24f67de7a9088a873844a39be03cee6882260ac9 Mon Sep 17 00:00:00 2001
		2	From: Gert Wollny <gert.wollny@collabora.com>
		3	Date: Mon, 7 Oct 2019 10:59:56 +0200
		4	Subject: [PATCH] vrend: check info formats in blits
		5
		6	Closes #141
		7	Closes #142
		8
		9	v2 : drop colon in error description (Emil)
		10
		11	Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
		12	Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
		13
		14	Upstream-Status: Backport
		15	[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/24f67de7a9088a873844a39be03cee6882260ac9]
		16	CVE: CVE-2019-18390
		17	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		18	---
		19	src/virgl_hw.h \| 1 +
		20	src/vrend_renderer.c \| 11 +++++++++++
		21	2 files changed, 12 insertions(+)
		22
		23	diff --git a/src/virgl_hw.h b/src/virgl_hw.h
		24	index 145780bf..5ccf3073 100644
		25	--- a/src/virgl_hw.h
		26	+++ b/src/virgl_hw.h
		27	@@ -426,6 +426,7 @@ enum virgl_ctx_errors {
		28	VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER,
		29	VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS,
		30	VIRGL_ERROR_GL_ANY_SAMPLES_PASSED,
		31	+ VIRGL_ERROR_CTX_ILLEGAL_FORMAT,
		32	};
		33
		34	#define VIRGL_RESOURCE_Y_0_TOP (1 << 0)
		35	diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
		36	index 14fefb38..aa6a89c1 100644
		37	--- a/src/vrend_renderer.c
		38	+++ b/src/vrend_renderer.c
		39	@@ -758,6 +758,7 @@ static const char *vrend_ctx_error_strings[] = {
		40	[VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER] = "Illegal command buffer",
		41	[VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS] = "On GLES context and shader program has tesselation evaluation shader but no tesselation control shader",
		42	[VIRGL_ERROR_GL_ANY_SAMPLES_PASSED] = "Query for ANY_SAMPLES_PASSED not supported",
		43	+ [VIRGL_ERROR_CTX_ILLEGAL_FORMAT] = "Illegal format ID",
		44	};
		45
		46	static void __report_context_error(const char fname, struct vrend_context ctx,
		47	@@ -8492,6 +8493,16 @@ void vrend_renderer_blit(struct vrend_context *ctx,
		48	if (ctx->in_error)
		49	return;
		50
		51	+ if (!info->src.format \|\| (enum virgl_formats)info->src.format >= VIRGL_FORMAT_MAX) {
		52	+ report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->src.format);
		53	+ return;
		54	+ }
		55	+
		56	+ if (!info->dst.format \|\| (enum virgl_formats)info->dst.format >= VIRGL_FORMAT_MAX) {
		57	+ report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->dst.format);
		58	+ return;
		59	+ }
		60	+
		61	if (info->render_condition_enable == false)
		62	vrend_pause_render_condition(ctx, true);
		63
		64	--
		65	2.24.1
		66


diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch new file mode 100644 index 0000000000..cc641d8293 --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch
@@ -0,0 +1,51 @@
		1	From 2abeb1802e3c005b17a7123e382171b3fb665971 Mon Sep 17 00:00:00 2001
		2	From: Gert Wollny <gert.wollny@collabora.com>
		3	Date: Tue, 8 Oct 2019 17:27:01 +0200
		4	Subject: [PATCH] vrend: check that the transfer iov holds enough data for the
		5	data upload
		6
		7	Closes #140
		8
		9	Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
		10	Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
		11
		12	Upstream-Status: Backport
		13	[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/2abeb1802e3c005b17a7123e382171b3fb665971]
		14	CVE: CVE-2019-18391
		15	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		16	---
		17	src/vrend_renderer.c \| 11 +++++++++--
		18	1 file changed, 9 insertions(+), 2 deletions(-)
		19
		20	diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
		21	index 694e1d0e..fe23846b 100644
		22	--- a/src/vrend_renderer.c
		23	+++ b/src/vrend_renderer.c
		24	@@ -7005,15 +7005,22 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
		25	invert = true;
		26	}
		27
		28	+ send_size = util_format_get_nblocks(res->base.format, info->box->width,
		29	+ info->box->height) * elsize;
		30	+ if (res->target == GL_TEXTURE_3D \|\|
		31	+ res->target == GL_TEXTURE_2D_ARRAY \|\|
		32	+ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
		33	+ send_size *= info->box->depth;
		34	+
		35	if (need_temp) {
		36	- send_size = util_format_get_nblocks(res->base.format, info->box->width,
		37	- info->box->height) * elsize * info->box->depth;
		38	data = malloc(send_size);
		39	if (!data)
		40	return ENOMEM;
		41	read_transfer_data(iov, num_iovs, data, res->base.format, info->offset,
		42	stride, layer_stride, info->box, invert);
		43	} else {
		44	+ if (send_size > iov[0].iov_len - info->offset)
		45	+ return EINVAL;
		46	data = (char*)iov[0].iov_base + info->offset;
		47	}
		48
		49	--
		50	2.24.1
		51


diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch new file mode 100644 index 0000000000..925f2c8eb0 --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch
@@ -0,0 +1,39 @@
		1	From 63bcca251f093d83da7e290ab4bbd38ae69089b5 Mon Sep 17 00:00:00 2001
		2	From: Gert Wollny <gert.wollny@collabora.com>
		3	Date: Wed, 15 Jan 2020 13:43:58 +0100
		4	Subject: [PATCH] vrend: Don't try launching a grid if no CS is available
		5
		6	Closes #155
		7
		8	Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
		9	Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>
		10
		11	Upstream-Status: Backport
		12	[https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/63bcca251f093d83da7e290ab4bbd38ae69089b5.patch]
		13	CVE: CVE-2020-8002
		14	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		15	---
		16	src/vrend_renderer.c \| 7 +++++++
		17	1 file changed, 7 insertions(+)
		18
		19	diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
		20	index a054bad8..2280fc43 100644
		21	--- a/src/vrend_renderer.c
		22	+++ b/src/vrend_renderer.c
		23	@@ -4604,6 +4604,13 @@ void vrend_launch_grid(struct vrend_context *ctx,
		24	}
		25	ctx->sub->shader_dirty = true;
		26	}
		27	+
		28	+ if (!ctx->sub->prog) {
		29	+ vrend_printf("%s: Skipping compute shader execution due to missing shaders: %s\n",
		30	+ __func__, ctx->debug_name);
		31	+ return;
		32	+ }
		33	+
		34	vrend_use_program(ctx, ctx->sub->prog->id);
		35
		36	vrend_draw_bind_ubo_shader(ctx, PIPE_SHADER_COMPUTE, 0);
		37	--
		38	2.24.1
		39


diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb index d2b11c103a..e91ccc6c57 100644 --- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb +++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
@@ -8,6 +8,9 @@ DEPENDS = "libdrm mesa libepoxy"
8	SRCREV = "48cc96c9aebb9d0164830a157efc8916f08f00c0"	8	SRCREV = "48cc96c9aebb9d0164830a157efc8916f08f00c0"
9	SRC_URI = "git://anongit.freedesktop.org/virglrenderer \	9	SRC_URI = "git://anongit.freedesktop.org/virglrenderer \
10	file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \	10	file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
		11	file://CVE-2019-18390.patch \
		12	file://CVE-2019-18391.patch \
		13	file://CVE-2020-8002.patch \
11	"	14	"
12		15
13	S = "${WORKDIR}/git"	16	S = "${WORKDIR}/git"


diff --git a/meta/recipes-graphics/waffle/waffle_1.6.0.bb b/meta/recipes-graphics/waffle/waffle_1.6.0.bb index 8a1d5748f6..82cead9ad1 100644 --- a/meta/recipes-graphics/waffle/waffle_1.6.0.bb +++ b/meta/recipes-graphics/waffle/waffle_1.6.0.bb
@@ -35,3 +35,8 @@ PACKAGECONFIG[x11-egl] = "-Dx11_egl=enabled,-Dx11_egl=disabled,virtual/${MLPREFI
35	PACKAGECONFIG[surfaceless-egl] = "-Dsurfaceless_egl=enabled,-Dsurfaceless_egl=disabled,virtual/${MLPREFIX}libgl"	35	PACKAGECONFIG[surfaceless-egl] = "-Dsurfaceless_egl=enabled,-Dsurfaceless_egl=disabled,virtual/${MLPREFIX}libgl"
36		36
37	# TODO: optionally build manpages and examples	37	# TODO: optionally build manpages and examples
		38
		39	# Unset these to stop python trying to report the target Python setup
		40	_PYTHON_SYSCONFIGDATA_NAME[unexport] = "1"
		41	STAGING_INCDIR[unexport] = "1"
		42	STAGING_LIBDIR[unexport] = "1"


diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf b/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf new file mode 100644 index 0000000000..7ab7460816 --- /dev/null +++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf
@@ -0,0 +1,2 @@
		1	cap_sys_admin @USER@
		2	none *


diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm index 6c548551b8..116bb278bc 100755 --- a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm +++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
@@ -38,6 +38,14 @@ case "$1" in
38	if [ -e /dev/hidraw0 ]; then	38	if [ -e /dev/hidraw0 ]; then
39	chmod o+rw /dev/hidraw*	39	chmod o+rw /dev/hidraw*
40	fi	40	fi
		41	# Make sure that the Xorg has the cap_sys_admin capability which is
		42	# needed for setting the drm master
		43	if ! grep -q "^auth.*pam_cap\.so" /etc/pam.d/su; then
		44	echo "auth optional pam_cap.so" >>/etc/pam.d/su
		45	fi
		46	if ! /usr/sbin/getcap $XSERVER \| grep -q cap_sys_admin; then
		47	/usr/sbin/setcap cap_sys_admin+eip $XSERVER
		48	fi
41	fi	49	fi
42		50
43	# Using su rather than sudo as latest 1.8.1 cause failure [YOCTO #1211]	51	# Using su rather than sudo as latest 1.8.1 cause failure [YOCTO #1211]


diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb index a77c56445c..7f4e1e29f1 100644 --- a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb +++ b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
@@ -10,6 +10,7 @@ SRC_URI = "file://xserver-nodm \
10	file://gplv2-license.patch \	10	file://gplv2-license.patch \
11	file://xserver-nodm.service.in \	11	file://xserver-nodm.service.in \
12	file://xserver-nodm.conf.in \	12	file://xserver-nodm.conf.in \
		13	file://capability.conf \
13	"	14	"
14		15
15	S = "${WORKDIR}"	16	S = "${WORKDIR}"
@@ -19,7 +20,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
19		20
20	inherit update-rc.d systemd distro_features_check	21	inherit update-rc.d systemd distro_features_check
21		22
22	REQUIRED_DISTRO_FEATURES = "x11"	23	REQUIRED_DISTRO_FEATURES = "x11 ${@oe.utils.conditional('ROOTLESS_X', '1', 'pam', '', d)}"
23		24
24	PACKAGECONFIG ??= "blank"	25	PACKAGECONFIG ??= "blank"
25	# dpms and screen saver will be on only if 'blank' is in PACKAGECONFIG	26	# dpms and screen saver will be on only if 'blank' is in PACKAGECONFIG
@@ -40,6 +41,8 @@ do_install() {
40	if [ "${ROOTLESS_X}" = "1" ] ; then	41	if [ "${ROOTLESS_X}" = "1" ] ; then
41	XUSER_HOME="/home/xuser"	42	XUSER_HOME="/home/xuser"
42	XUSER="xuser"	43	XUSER="xuser"
		44	install -D capability.conf ${D}${sysconfdir}/security/capability.conf
		45	sed -i "s:@USER@:${XUSER}:" ${D}${sysconfdir}/security/capability.conf
43	else	46	else
44	XUSER_HOME=${ROOT_HOME}	47	XUSER_HOME=${ROOT_HOME}
45	XUSER="root"	48	XUSER="root"
@@ -60,7 +63,7 @@ do_install() {
60	fi	63	fi
61	}	64	}
62		65
63	RDEPENDS_${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'xuser-account', '', d)}"	66	RDEPENDS_${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'xuser-account libcap libcap-bin', '', d)}"
64		67
65	INITSCRIPT_NAME = "xserver-nodm"	68	INITSCRIPT_NAME = "xserver-nodm"
66	INITSCRIPT_PARAMS = "start 9 5 . stop 20 0 1 2 3 6 ."	69	INITSCRIPT_PARAMS = "start 9 5 . stop 20 0 1 2 3 6 ."


diff --git a/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb b/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb index a39609b5da..74014ff91b 100644 --- a/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb +++ b/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb
@@ -19,3 +19,7 @@ SRC_URI[sha256sum] = "bd96e16143a044b19e87f217cf6a3763a70c561d1076aad6f6d862ec41
19	inherit allarch	19	inherit allarch
20		20
21	EXTRA_OECONF += "--with-encodingsdir=${datadir}/fonts/X11/encodings"	21	EXTRA_OECONF += "--with-encodingsdir=${datadir}/fonts/X11/encodings"
		22
		23	# postinst from .inc doesn't apply to this recipe
		24	pkg_postinst_${PN} () {
		25	}


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch new file mode 100644 index 0000000000..20a604869b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
@@ -0,0 +1,37 @@
		1	From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
		2	From: Matthieu Herrb <matthieu@herrb.eu>
		3	Date: Sat, 25 Jul 2020 19:33:50 +0200
		4	Subject: [PATCH] fix for ZDI-11426
		5
		6	Avoid leaking un-initalized memory to clients by zeroing the
		7	whole pixmap on initial allocation.
		8
		9	This vulnerability was discovered by:
		10	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		11
		12	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		13	Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		14
		15	Upstream-Status: Backport
		16	CVE: CVE-2020-14347
		17	Signed-off-by: Li Zhou <li.zhou@windriver.com>
		18	---
		19	dix/pixmap.c \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/dix/pixmap.c b/dix/pixmap.c
		23	index 1186d7dbb..5a0146bbb 100644
		24	--- a/dix/pixmap.c
		25	+++ b/dix/pixmap.c
		26	@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
		27	if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
		28	return NullPixmap;
		29
		30	- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
		31	+ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
		32	if (!pPixmap)
		33	return NullPixmap;
		34
		35	--
		36	2.17.1
		37


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb index 3de6d22e57..f0f15a2584 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
5	file://0001-test-xtest-Initialize-array-with-braces.patch \	5	file://0001-test-xtest-Initialize-array-with-braces.patch \
6	file://0001-compiler.h-Do-not-include-sys-io.h-on-ARM-with-glibc.patch \	6	file://0001-compiler.h-Do-not-include-sys-io.h-on-ARM-with-glibc.patch \
7	file://sdksyms-no-build-path.patch \	7	file://sdksyms-no-build-path.patch \
		8	file://CVE-2020-14347.patch \
8	"	9	"
9	SRC_URI[md5sum] = "c9fc7e21e11286dbedd22c00df652130"	10	SRC_URI[md5sum] = "c9fc7e21e11286dbedd22c00df652130"
10	SRC_URI[sha256sum] = "a81d8243f37e75a03d4f8c55f96d0bc25802be6ec45c3bfa5cb614c6d01bac9d"	11	SRC_URI[sha256sum] = "a81d8243f37e75a03d4f8c55f96d0bc25802be6ec45c3bfa5cb614c6d01bac9d"