libx11: fix CVE-2020-14363

(From OE-Core rev: 5919afe43083d9d0b818c26ca4d6c175efa0f7b5) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2020-09-21 17:29:04 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-10-06 14:15:21 +0100
commit: 275a0baa72184cf0f62e0012e5bc2dfaaf41fa71 (patch)
tree: 3b2e45da78fcf7c8d34d6db2c3727e150b5adefa
parent: 0b214cad5431245f49a82997f8b87d5f2fef4c49 (diff)
download: poky-275a0baa72184cf0f62e0012e5bc2dfaaf41fa71.tar.gz
2 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14363.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14363.patch
new file mode 100644
index 0000000000..60045e2890
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14363.patch
@@ -0,0 +1,36 @@
+From acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 13 Aug 2020 18:02:58 +0200
+Subject: [PATCH] Fix an integer overflow in init_om()
+CVE-2020-14363
+This can lead to a double free later, as reported by Jayden Rivers.
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d]
+CVE: CVE-2020-14363
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ modules/om/generic/omGeneric.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
+index c44acb88..406cec93 100644
+--- a/modules/om/generic/omGeneric.c
+++ b/modules/om/generic/omGeneric.c
+@@ -1908,7 +1908,8 @@ init_om(
+     char **required_list;
+     XOrientation *orientation;
+     char **value, buf[BUFSIZ], *bufptr;
+-    int count = 0, num = 0, length = 0;
+    int count = 0, num = 0;
+    unsigned int length = 0;
+ 
+     _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
+     if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
index 84e0e4457e..ebd2640743 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -14,6 +14,7 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
            file://disable_tests.patch \
            file://libx11-whitespace.patch \
            file://CVE-2020-14344.patch \
+            file://CVE-2020-14363.patch \
 "
 SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"
author	Chee Yang Lee <chee.yang.lee@intel.com>	2020-09-21 17:29:04 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-10-06 14:15:21 +0100
commit	275a0baa72184cf0f62e0012e5bc2dfaaf41fa71 (patch)
tree	3b2e45da78fcf7c8d34d6db2c3727e150b5adefa
parent	0b214cad5431245f49a82997f8b87d5f2fef4c49 (diff)
download	poky-275a0baa72184cf0f62e0012e5bc2dfaaf41fa71.tar.gz

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14363.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14363.patch new file mode 100644 index 0000000000..60045e2890 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14363.patch
@@ -0,0 +1,36 @@
		1	From acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d Mon Sep 17 00:00:00 2001
		2	From: Matthieu Herrb <matthieu@herrb.eu>
		3	Date: Thu, 13 Aug 2020 18:02:58 +0200
		4	Subject: [PATCH] Fix an integer overflow in init_om()
		5
		6	CVE-2020-14363
		7
		8	This can lead to a double free later, as reported by Jayden Rivers.
		9
		10	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		11
		12	Upstream-Status: Backport
		13	[https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d]
		14	CVE: CVE-2020-14363
		15	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		16	---
		17	modules/om/generic/omGeneric.c \| 3 ++-
		18	1 file changed, 2 insertions(+), 1 deletion(-)
		19
		20	diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
		21	index c44acb88..406cec93 100644
		22	--- a/modules/om/generic/omGeneric.c
		23	+++ b/modules/om/generic/omGeneric.c
		24	@@ -1908,7 +1908,8 @@ init_om(
		25	char **required_list;
		26	XOrientation *orientation;
		27	char *value, buf[BUFSIZ], bufptr;
		28	- int count = 0, num = 0, length = 0;
		29	+ int count = 0, num = 0;
		30	+ unsigned int length = 0;
		31
		32	_XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
		33	if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
		34	--
		35	GitLab
		36


diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb index 84e0e4457e..ebd2640743 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -14,6 +14,7 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
14	file://disable_tests.patch \	14	file://disable_tests.patch \
15	file://libx11-whitespace.patch \	15	file://libx11-whitespace.patch \
16	file://CVE-2020-14344.patch \	16	file://CVE-2020-14344.patch \
		17	file://CVE-2020-14363.patch \
17	"	18	"
18		19
19	SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"	20	SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"