diff options
| author | Vijay Anusuri <vanusuri@mvista.com> | 2024-04-10 06:19:31 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-04-19 04:50:38 -0700 |
| commit | 0603438c81bc53a807ed85ebe1538f52a7b78887 (patch) | |
| tree | cc1ae4b444d54831a9ba89fb45fdd886127f1648 | |
| parent | a095c9e6a349ecf5e73e74d05cb6a815877155bf (diff) | |
| download | poky-0603438c81bc53a807ed85ebe1538f52a7b78887.tar.gz | |
xserver-xorg: Fix for CVE-2024-31080 and CVE-2024-31081
Upstream-Status: Backport from
https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b
& https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee
(From OE-Core rev: 223950f9c748f89ee1b2a9df9cd77a0099e74581)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch new file mode 100644 index 0000000000..40296903cd --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch | |||
| @@ -0,0 +1,49 @@ | |||
| 1 | From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
| 3 | Date: Fri, 22 Mar 2024 18:51:45 -0700 | ||
| 4 | Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to | ||
| 5 | send reply | ||
| 6 | |||
| 7 | CVE-2024-31080 | ||
| 8 | |||
| 9 | Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762 | ||
| 10 | Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.") | ||
| 11 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
| 12 | Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463> | ||
| 13 | |||
| 14 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b] | ||
| 15 | CVE: CVE-2024-31080 | ||
| 16 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 17 | --- | ||
| 18 | Xi/xiselectev.c | 5 ++++- | ||
| 19 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
| 20 | |||
| 21 | diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c | ||
| 22 | index edcb8a0d36..ac14949871 100644 | ||
| 23 | --- a/Xi/xiselectev.c | ||
| 24 | +++ b/Xi/xiselectev.c | ||
| 25 | @@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client) | ||
| 26 | InputClientsPtr others = NULL; | ||
| 27 | xXIEventMask *evmask = NULL; | ||
| 28 | DeviceIntPtr dev; | ||
| 29 | + uint32_t length; | ||
| 30 | |||
| 31 | REQUEST(xXIGetSelectedEventsReq); | ||
| 32 | REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); | ||
| 33 | @@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client) | ||
| 34 | } | ||
| 35 | } | ||
| 36 | |||
| 37 | + /* save the value before SRepXIGetSelectedEvents swaps it */ | ||
| 38 | + length = reply.length; | ||
| 39 | WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); | ||
| 40 | |||
| 41 | if (reply.num_masks) | ||
| 42 | - WriteToClient(client, reply.length * 4, buffer); | ||
| 43 | + WriteToClient(client, length * 4, buffer); | ||
| 44 | |||
| 45 | free(buffer); | ||
| 46 | return Success; | ||
| 47 | -- | ||
| 48 | GitLab | ||
| 49 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch new file mode 100644 index 0000000000..4380004700 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
| 3 | Date: Fri, 22 Mar 2024 18:56:27 -0700 | ||
| 4 | Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to | ||
| 5 | send reply | ||
| 6 | |||
| 7 | CVE-2024-31081 | ||
| 8 | |||
| 9 | Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.") | ||
| 10 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
| 11 | Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463> | ||
| 12 | |||
| 13 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee] | ||
| 14 | CVE: CVE-2024-31081 | ||
| 15 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 16 | --- | ||
| 17 | Xi/xipassivegrab.c | 5 ++++- | ||
| 18 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
| 19 | |||
| 20 | diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c | ||
| 21 | index c9ac2f8553..896233bec2 100644 | ||
| 22 | --- a/Xi/xipassivegrab.c | ||
| 23 | +++ b/Xi/xipassivegrab.c | ||
| 24 | @@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client) | ||
| 25 | GrabParameters param; | ||
| 26 | void *tmp; | ||
| 27 | int mask_len; | ||
| 28 | + uint32_t length; | ||
| 29 | |||
| 30 | REQUEST(xXIPassiveGrabDeviceReq); | ||
| 31 | REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, | ||
| 32 | @@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client) | ||
| 33 | } | ||
| 34 | } | ||
| 35 | |||
| 36 | + /* save the value before SRepXIPassiveGrabDevice swaps it */ | ||
| 37 | + length = rep.length; | ||
| 38 | WriteReplyToClient(client, sizeof(rep), &rep); | ||
| 39 | if (rep.num_modifiers) | ||
| 40 | - WriteToClient(client, rep.length * 4, modifiers_failed); | ||
| 41 | + WriteToClient(client, length * 4, modifiers_failed); | ||
| 42 | |||
| 43 | out: | ||
| 44 | free(modifiers_failed); | ||
| 45 | -- | ||
| 46 | GitLab | ||
| 47 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index e62babd4cb..b9eed92103 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb | |||
| @@ -16,6 +16,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat | |||
| 16 | file://CVE-2024-21886-2.patch \ | 16 | file://CVE-2024-21886-2.patch \ |
| 17 | file://CVE-2024-0408.patch \ | 17 | file://CVE-2024-0408.patch \ |
| 18 | file://CVE-2024-0409.patch \ | 18 | file://CVE-2024-0409.patch \ |
| 19 | file://CVE-2024-31080.patch \ | ||
| 20 | file://CVE-2024-31081.patch \ | ||
| 19 | " | 21 | " |
| 20 | SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" | 22 | SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" |
| 21 | 23 | ||
