diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch | 49 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb | 1 |
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch new file mode 100644 index 0000000000..da735efb2b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
3 | Date: Fri, 22 Mar 2024 18:51:45 -0700 | ||
4 | Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to | ||
5 | send reply | ||
6 | |||
7 | CVE-2024-31080 | ||
8 | |||
9 | Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762 | ||
10 | Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.") | ||
11 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
12 | Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463> | ||
13 | |||
14 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b] | ||
15 | CVE: CVE-2024-31080 | ||
16 | Signed-off-by: Ashish Sharma <asharma@mvista.com> | ||
17 | |||
18 | Xi/xiselectev.c | 5 ++++- | ||
19 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c | ||
22 | index edcb8a0d36..ac14949871 100644 | ||
23 | --- a/Xi/xiselectev.c | ||
24 | +++ b/Xi/xiselectev.c | ||
25 | @@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client) | ||
26 | InputClientsPtr others = NULL; | ||
27 | xXIEventMask *evmask = NULL; | ||
28 | DeviceIntPtr dev; | ||
29 | + uint32_t length; | ||
30 | |||
31 | REQUEST(xXIGetSelectedEventsReq); | ||
32 | REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); | ||
33 | @@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client) | ||
34 | } | ||
35 | } | ||
36 | |||
37 | + /* save the value before SRepXIGetSelectedEvents swaps it */ | ||
38 | + length = reply.length; | ||
39 | WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); | ||
40 | |||
41 | if (reply.num_masks) | ||
42 | - WriteToClient(client, reply.length * 4, buffer); | ||
43 | + WriteToClient(client, length * 4, buffer); | ||
44 | |||
45 | free(buffer); | ||
46 | return Success; | ||
47 | -- | ||
48 | GitLab | ||
49 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index ade250542f..04a6e734ef 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb | |||
@@ -31,6 +31,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat | |||
31 | file://CVE-2024-0408.patch \ | 31 | file://CVE-2024-0408.patch \ |
32 | file://CVE-2024-0409.patch \ | 32 | file://CVE-2024-0409.patch \ |
33 | file://CVE-2024-31081.patch \ | 33 | file://CVE-2024-31081.patch \ |
34 | file://CVE-2024-31080.patch \ | ||
34 | " | 35 | " |
35 | SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" | 36 | SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" |
36 | SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" | 37 | SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" |