xserver-xorg: Backport fix for CVE-2024-31080

Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b] (From OE-Core rev: f950b5a09c6dd19bdd5a942ae34516338e723942) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Ashish Sharma <asharma@mvista.com> 2024-04-07 00:32:10 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-04-13 04:51:47 -0700
commit: b027cb1af8e5e19059eef63684db1edefef2bb54 (patch)
tree: 8d320561d43c4b7291018dfc93d13dba9b82ac8a /meta
parent: 42694d5ea21588ecb289ed5106656e839ae326ff (diff)
download: poky-b027cb1af8e5e19059eef63684db1edefef2bb54.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
new file mode 100644
index 0000000000..da735efb2b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
@@ -0,0 +1,49 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
+ send reply
+CVE-2024-31080
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
+CVE: CVE-2024-31080
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ Xi/xiselectev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+     InputClientsPtr others = NULL;
+     xXIEventMask *evmask = NULL;
+     DeviceIntPtr dev;
+    uint32_t length;
+ 
+     REQUEST(xXIGetSelectedEventsReq);
+     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+         }
+     }
+ 
+    /* save the value before SRepXIGetSelectedEvents swaps it */
+    length = reply.length;
+     WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+ 
+     if (reply.num_masks)
+-        WriteToClient(client, reply.length * 4, buffer);
+        WriteToClient(client, length * 4, buffer);
+ 
+     free(buffer);
+     return Success;
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index ade250542f..04a6e734ef 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -31,6 +31,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2024-0408.patch \
           file://CVE-2024-0409.patch \
           file://CVE-2024-31081.patch \
+           file://CVE-2024-31080.patch \
 "
 SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
 SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
author	Ashish Sharma <asharma@mvista.com>	2024-04-07 00:32:10 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-04-13 04:51:47 -0700
commit	b027cb1af8e5e19059eef63684db1edefef2bb54 (patch)
tree	8d320561d43c4b7291018dfc93d13dba9b82ac8a /meta
parent	42694d5ea21588ecb289ed5106656e839ae326ff (diff)
download	poky-b027cb1af8e5e19059eef63684db1edefef2bb54.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch new file mode 100644 index 0000000000..da735efb2b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
@@ -0,0 +1,49 @@
		1	From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
		2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
		3	Date: Fri, 22 Mar 2024 18:51:45 -0700
		4	Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
		5	send reply
		6
		7	CVE-2024-31080
		8
		9	Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
		10	Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
		11	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		12	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
		13
		14	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
		15	CVE: CVE-2024-31080
		16	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		17
		18	Xi/xiselectev.c \| 5 ++++-
		19	1 file changed, 4 insertions(+), 1 deletion(-)
		20
		21	diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
		22	index edcb8a0d36..ac14949871 100644
		23	--- a/Xi/xiselectev.c
		24	+++ b/Xi/xiselectev.c
		25	@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
		26	InputClientsPtr others = NULL;
		27	xXIEventMask *evmask = NULL;
		28	DeviceIntPtr dev;
		29	+ uint32_t length;
		30
		31	REQUEST(xXIGetSelectedEventsReq);
		32	REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
		33	@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
		34	}
		35	}
		36
		37	+ /* save the value before SRepXIGetSelectedEvents swaps it */
		38	+ length = reply.length;
		39	WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
		40
		41	if (reply.num_masks)
		42	- WriteToClient(client, reply.length * 4, buffer);
		43	+ WriteToClient(client, length * 4, buffer);
		44
		45	free(buffer);
		46	return Success;
		47	--
		48	GitLab
		49


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index ade250542f..04a6e734ef 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -31,6 +31,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
31	file://CVE-2024-0408.patch \	31	file://CVE-2024-0408.patch \
32	file://CVE-2024-0409.patch \	32	file://CVE-2024-0409.patch \
33	file://CVE-2024-31081.patch \	33	file://CVE-2024-31081.patch \
		34	file://CVE-2024-31080.patch \
34	"	35	"
35	SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"	36	SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
36	SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"	37	SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"