libX11: CVE-2022-3554 & CVE-2022-3555 Fix memory leak

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef && https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af (From OE-Core rev: b0e0cf44fb4f6e1cf562860766a2915ee8718f77) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-12-26 10:15:16 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-01-06 17:33:23 +0000
commit: 2d58f993c33566e67545414f5d5c34c491b06bd1 (patch)
tree: 7e487b3f9d8cd4a3391937ea167b4c49e507de73 /meta/recipes-graphics
parent: 192cb88c17aefd7f05025ce049e51207a19433ca (diff)
download: poky-2d58f993c33566e67545414f5d5c34c491b06bd1.tar.gz
3 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
new file mode 100644
index 0000000000..973f328304
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
@@ -0,0 +1,58 @@
+From 1d11822601fd24a396b354fa616b04ed3df8b4ef Mon Sep 17 00:00:00 2001
+From: "Thomas E. Dickey" <dickey@invisible-island.net>
+Date: Tue, 4 Oct 2022 18:26:17 -0400
+Subject: [PATCH] fix a memory leak in XRegisterIMInstantiateCallback
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
+CVE: CVE-2022-3554
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+fix a memory leak in XRegisterIMInstantiateCallback
+Analysis:
+    _XimRegisterIMInstantiateCallback() opens an XIM and closes it using
+    the internal function pointers, but the internal close function does
+    not free the pointer to the XIM (this would be done in XCloseIM()).
+Report/patch:
+    Date: Mon, 03 Oct 2022 18:47:32 +0800
+    From: Po Lu <luangruo@yahoo.com>
+    To: xorg-devel@lists.x.org
+    Subject: Re: Yet another leak in Xlib
+    For reference, here's how I'm calling XRegisterIMInstantiateCallback:
+    XSetLocaleModifiers ("");
+    XRegisterIMInstantiateCallback (compositor.display,
+                                    XrmGetDatabase (compositor.display),
+                                    (char *) compositor.resource_name,
+                                    (char *) compositor.app_name,
+                                    IMInstantiateCallback, NULL);
+    and XMODIFIERS is:
+        @im=ibus
+Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>
+---
+ modules/im/ximcp/imInsClbk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
+index 95b379c..c10e347 100644
+--- a/modules/im/ximcp/imInsClbk.c
+++ b/modules/im/ximcp/imInsClbk.c
+@@ -212,6 +212,9 @@ _XimRegisterIMInstantiateCallback(
+     if( xim ) {
+        lock = True;
+        xim->methods->close( (XIM)xim );
+       /* XIMs must be freed manually after being opened; close just
+          does the protocol to deinitialize the IM.  */
+       XFree( xim );
+        lock = False;
+        icb->call = True;
+        callback( display, client_data, NULL );
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
new file mode 100644
index 0000000000..919e7a00fb
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
@@ -0,0 +1,40 @@
+From 8a368d808fec166b5fb3dfe6312aab22c7ee20af Mon Sep 17 00:00:00 2001
+From: Hodong <hodong@yozmos.com>
+Date: Thu, 20 Jan 2022 00:57:41 +0900
+Subject: [PATCH] Fix two memory leaks in _XFreeX11XCBStructure()
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]
+CVE: CVE-2022-3555
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Fix two memory leaks in _XFreeX11XCBStructure()
+Even when XCloseDisplay() was called, some memory was leaked.
+XCloseDisplay() calls _XFreeDisplayStructure(), which calls
+_XFreeX11XCBStructure().
+However, _XFreeX11XCBStructure() did not destroy the condition variables,
+resulting in the leaking of some 40 bytes.
+Signed-off-by: default avatarHodong <hodong@yozmos.com>
+---
+ src/xcb_disp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/src/xcb_disp.c b/src/xcb_disp.c
+index 70a602f..e9becee 100644
+--- a/src/xcb_disp.c
+++ b/src/xcb_disp.c
+@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
+                dpy->xcb->pending_requests = tmp->next;
+                free(tmp);
+        }
+       xcondition_clear(dpy->xcb->event_notify);
+       xcondition_clear(dpy->xcb->reply_notify);
+        xcondition_free(dpy->xcb->event_notify);
+        xcondition_free(dpy->xcb->reply_notify);
+        Xfree(dpy->xcb);
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb b/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb
index 0c3abcd896..3e6b50c0a3 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb
@@ -15,6 +15,8 @@ PE = "1"
 SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.xz"
 SRC_URI += "file://disable_tests.patch \
+            file://CVE-2022-3554.patch \
+            file://CVE-2022-3555.patch \
           "
 SRC_URI[sha256sum] = "2ffd417266fb875028fdc0ef349694f63dbcd76d0b0cfacfb52e6151f4b60989"
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-12-26 10:15:16 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-01-06 17:33:23 +0000
commit	2d58f993c33566e67545414f5d5c34c491b06bd1 (patch)
tree	7e487b3f9d8cd4a3391937ea167b4c49e507de73 /meta/recipes-graphics
parent	192cb88c17aefd7f05025ce049e51207a19433ca (diff)
download	poky-2d58f993c33566e67545414f5d5c34c491b06bd1.tar.gz

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch new file mode 100644 index 0000000000..973f328304 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
@@ -0,0 +1,58 @@
		1	From 1d11822601fd24a396b354fa616b04ed3df8b4ef Mon Sep 17 00:00:00 2001
		2	From: "Thomas E. Dickey" <dickey@invisible-island.net>
		3	Date: Tue, 4 Oct 2022 18:26:17 -0400
		4	Subject: [PATCH] fix a memory leak in XRegisterIMInstantiateCallback
		5
		6	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
		7	CVE: CVE-2022-3554
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9
		10	fix a memory leak in XRegisterIMInstantiateCallback
		11
		12	Analysis:
		13
		14	_XimRegisterIMInstantiateCallback() opens an XIM and closes it using
		15	the internal function pointers, but the internal close function does
		16	not free the pointer to the XIM (this would be done in XCloseIM()).
		17
		18	Report/patch:
		19
		20	Date: Mon, 03 Oct 2022 18:47:32 +0800
		21	From: Po Lu <luangruo@yahoo.com>
		22	To: xorg-devel@lists.x.org
		23	Subject: Re: Yet another leak in Xlib
		24
		25	For reference, here's how I'm calling XRegisterIMInstantiateCallback:
		26
		27	XSetLocaleModifiers ("");
		28	XRegisterIMInstantiateCallback (compositor.display,
		29	XrmGetDatabase (compositor.display),
		30	(char *) compositor.resource_name,
		31	(char *) compositor.app_name,
		32	IMInstantiateCallback, NULL);
		33	and XMODIFIERS is:
		34
		35	@im=ibus
		36
		37	Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>
		38	---
		39	modules/im/ximcp/imInsClbk.c \| 3 +++
		40	1 file changed, 3 insertions(+)
		41
		42	diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
		43	index 95b379c..c10e347 100644
		44	--- a/modules/im/ximcp/imInsClbk.c
		45	+++ b/modules/im/ximcp/imInsClbk.c
		46	@@ -212,6 +212,9 @@ _XimRegisterIMInstantiateCallback(
		47	if( xim ) {
		48	lock = True;
		49	xim->methods->close( (XIM)xim );
		50	+ /* XIMs must be freed manually after being opened; close just
		51	+ does the protocol to deinitialize the IM. */
		52	+ XFree( xim );
		53	lock = False;
		54	icb->call = True;
		55	callback( display, client_data, NULL );
		56	--
		57	2.25.1
		58


diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch new file mode 100644 index 0000000000..919e7a00fb --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
@@ -0,0 +1,40 @@
		1	From 8a368d808fec166b5fb3dfe6312aab22c7ee20af Mon Sep 17 00:00:00 2001
		2	From: Hodong <hodong@yozmos.com>
		3	Date: Thu, 20 Jan 2022 00:57:41 +0900
		4	Subject: [PATCH] Fix two memory leaks in _XFreeX11XCBStructure()
		5
		6	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]
		7	CVE: CVE-2022-3555
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9
		10	Fix two memory leaks in _XFreeX11XCBStructure()
		11
		12	Even when XCloseDisplay() was called, some memory was leaked.
		13
		14	XCloseDisplay() calls _XFreeDisplayStructure(), which calls
		15	_XFreeX11XCBStructure().
		16
		17	However, _XFreeX11XCBStructure() did not destroy the condition variables,
		18	resulting in the leaking of some 40 bytes.
		19
		20	Signed-off-by: default avatarHodong <hodong@yozmos.com>
		21	---
		22	src/xcb_disp.c \| 2 ++
		23	1 file changed, 2 insertions(+)
		24
		25	diff --git a/src/xcb_disp.c b/src/xcb_disp.c
		26	index 70a602f..e9becee 100644
		27	--- a/src/xcb_disp.c
		28	+++ b/src/xcb_disp.c
		29	@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
		30	dpy->xcb->pending_requests = tmp->next;
		31	free(tmp);
		32	}
		33	+ xcondition_clear(dpy->xcb->event_notify);
		34	+ xcondition_clear(dpy->xcb->reply_notify);
		35	xcondition_free(dpy->xcb->event_notify);
		36	xcondition_free(dpy->xcb->reply_notify);
		37	Xfree(dpy->xcb);
		38	--
		39	2.25.1
		40


diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb b/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb index 0c3abcd896..3e6b50c0a3 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb
@@ -15,6 +15,8 @@ PE = "1"
15	SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.xz"	15	SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.xz"
16		16
17	SRC_URI += "file://disable_tests.patch \	17	SRC_URI += "file://disable_tests.patch \
		18	file://CVE-2022-3554.patch \
		19	file://CVE-2022-3555.patch \
18	"	20	"
19	SRC_URI[sha256sum] = "2ffd417266fb875028fdc0ef349694f63dbcd76d0b0cfacfb52e6151f4b60989"	21	SRC_URI[sha256sum] = "2ffd417266fb875028fdc0ef349694f63dbcd76d0b0cfacfb52e6151f4b60989"
20		22