xwayland: Fix CVE-2024-31081

Patch copied from xserver-xorg recipe. CVE reported for both and patch apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee (From OE-Core rev: 3575ad718c8ea7d808247842df19982f00725187) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-03-04 17:49:08 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-03-08 06:35:36 -0800
commit: 57a80e447e73eb1e5c735e24e92205ba40f8a6e5 (patch)
tree: 3803fb94cebcbfc5f645ef303900d94eb701afd4
parent: 4a8c873ccf4579b23a292252d6e61eea3f49fd7a (diff)
download: poky-57a80e447e73eb1e5c735e24e92205ba40f8a6e5.tar.gz
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch
new file mode 100644
index 0000000000..4380004700
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch
@@ -0,0 +1,47 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
+ send reply
+CVE-2024-31081
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
+CVE: CVE-2024-31081
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xipassivegrab.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+     GrabParameters param;
+     void *tmp;
+     int mask_len;
+    uint32_t length;
+ 
+     REQUEST(xXIPassiveGrabDeviceReq);
+     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+         }
+     }
+ 
+    /* save the value before SRepXIPassiveGrabDevice swaps it */
+    length = rep.length;
+     WriteReplyToClient(client, sizeof(rep), &rep);
+     if (rep.num_modifiers)
+-        WriteToClient(client, rep.length * 4, modifiers_failed);
+        WriteToClient(client, length * 4, modifiers_failed);
+ 
+  out:
+     free(modifiers_failed);
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 78e849b305..5fa2402234 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2024-21886-1.patch \
           file://CVE-2024-21886-2.patch \
           file://CVE-2024-31080.patch \
+           file://CVE-2024-31081.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-03-04 17:49:08 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-03-08 06:35:36 -0800
commit	57a80e447e73eb1e5c735e24e92205ba40f8a6e5 (patch)
tree	3803fb94cebcbfc5f645ef303900d94eb701afd4
parent	4a8c873ccf4579b23a292252d6e61eea3f49fd7a (diff)
download	poky-57a80e447e73eb1e5c735e24e92205ba40f8a6e5.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch new file mode 100644 index 0000000000..4380004700 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-31081.patch
@@ -0,0 +1,47 @@
		1	From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
		2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
		3	Date: Fri, 22 Mar 2024 18:56:27 -0700
		4	Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
		5	send reply
		6
		7	CVE-2024-31081
		8
		9	Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
		10	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		11	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
		12
		13	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
		14	CVE: CVE-2024-31081
		15	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		16	---
		17	Xi/xipassivegrab.c \| 5 ++++-
		18	1 file changed, 4 insertions(+), 1 deletion(-)
		19
		20	diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
		21	index c9ac2f8553..896233bec2 100644
		22	--- a/Xi/xipassivegrab.c
		23	+++ b/Xi/xipassivegrab.c
		24	@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
		25	GrabParameters param;
		26	void *tmp;
		27	int mask_len;
		28	+ uint32_t length;
		29
		30	REQUEST(xXIPassiveGrabDeviceReq);
		31	REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
		32	@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
		33	}
		34	}
		35
		36	+ /* save the value before SRepXIPassiveGrabDevice swaps it */
		37	+ length = rep.length;
		38	WriteReplyToClient(client, sizeof(rep), &rep);
		39	if (rep.num_modifiers)
		40	- WriteToClient(client, rep.length * 4, modifiers_failed);
		41	+ WriteToClient(client, length * 4, modifiers_failed);
		42
		43	out:
		44	free(modifiers_failed);
		45	--
		46	GitLab
		47


diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 78e849b305..5fa2402234 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
25	file://CVE-2024-21886-1.patch \	25	file://CVE-2024-21886-1.patch \
26	file://CVE-2024-21886-2.patch \	26	file://CVE-2024-21886-2.patch \
27	file://CVE-2024-31080.patch \	27	file://CVE-2024-31080.patch \
		28	file://CVE-2024-31081.patch \
28	"	29	"
29	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"	30	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
30		31