libX11: CVE-2022-3554 Fix memory leak

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef (From OE-Core rev: 1d36df9c9ec0ea13c4e0c3794b0d97305e2c6ac1) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-11-02 18:57:06 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-11-09 17:42:03 +0000
commit: 32c25a02023aabb9add718ff1c398ec45b0105d6 (patch)
tree: 81d3a0398229a18564e673906251a17deddf3e9e /meta
parent: 3903d753f9ba8d990010dd563bfd39206823515b (diff)
download: poky-32c25a02023aabb9add718ff1c398ec45b0105d6.tar.gz
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
new file mode 100644
index 0000000000..fb61195225
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
@@ -0,0 +1,58 @@
+From 8b51d1375a4dd6a7cf3a919da83d8e87e57e7333 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 2 Nov 2022 17:04:15 +0530
+Subject: [PATCH] CVE-2022-3554
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
+CVE: CVE-2022-3554
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+fix a memory leak in XRegisterIMInstantiateCallback
+Analysis:
+    _XimRegisterIMInstantiateCallback() opens an XIM and closes it using
+    the internal function pointers, but the internal close function does
+    not free the pointer to the XIM (this would be done in XCloseIM()).
+Report/patch:
+    Date: Mon, 03 Oct 2022 18:47:32 +0800
+    From: Po Lu <luangruo@yahoo.com>
+    To: xorg-devel@lists.x.org
+    Subject: Re: Yet another leak in Xlib
+    For reference, here's how I'm calling XRegisterIMInstantiateCallback:
+    XSetLocaleModifiers ("");
+    XRegisterIMInstantiateCallback (compositor.display,
+                                    XrmGetDatabase (compositor.display),
+                                    (char *) compositor.resource_name,
+                                    (char *) compositor.app_name,
+                                    IMInstantiateCallback, NULL);
+    and XMODIFIERS is:
+        @im=ibus
+Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>
+---
+ modules/im/ximcp/imInsClbk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
+index 961aaba..0a8a874 100644
+--- a/modules/im/ximcp/imInsClbk.c
+++ b/modules/im/ximcp/imInsClbk.c
+@@ -204,6 +204,9 @@ _XimRegisterIMInstantiateCallback(
+     if( xim ) {
+        lock = True;
+        xim->methods->close( (XIM)xim );
+       /* XIMs must be freed manually after being opened; close just
+          does the protocol to deinitialize the IM.  */
+       XFree( xim );
+        lock = False;
+        icb->call = True;
+        callback( display, client_data, NULL );
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
index ff2a6f7265..72ab1d4150 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -16,6 +16,7 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
            file://CVE-2020-14344.patch \
            file://CVE-2020-14363.patch \
            file://CVE-2021-31535.patch \
+            file://CVE-2022-3554.patch \
 "
 SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-11-02 18:57:06 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-11-09 17:42:03 +0000
commit	32c25a02023aabb9add718ff1c398ec45b0105d6 (patch)
tree	81d3a0398229a18564e673906251a17deddf3e9e /meta
parent	3903d753f9ba8d990010dd563bfd39206823515b (diff)
download	poky-32c25a02023aabb9add718ff1c398ec45b0105d6.tar.gz

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch new file mode 100644 index 0000000000..fb61195225 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
@@ -0,0 +1,58 @@
		1	From 8b51d1375a4dd6a7cf3a919da83d8e87e57e7333 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Wed, 2 Nov 2022 17:04:15 +0530
		4	Subject: [PATCH] CVE-2022-3554
		5
		6	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
		7	CVE: CVE-2022-3554
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9
		10	fix a memory leak in XRegisterIMInstantiateCallback
		11
		12	Analysis:
		13
		14	_XimRegisterIMInstantiateCallback() opens an XIM and closes it using
		15	the internal function pointers, but the internal close function does
		16	not free the pointer to the XIM (this would be done in XCloseIM()).
		17
		18	Report/patch:
		19
		20	Date: Mon, 03 Oct 2022 18:47:32 +0800
		21	From: Po Lu <luangruo@yahoo.com>
		22	To: xorg-devel@lists.x.org
		23	Subject: Re: Yet another leak in Xlib
		24
		25	For reference, here's how I'm calling XRegisterIMInstantiateCallback:
		26
		27	XSetLocaleModifiers ("");
		28	XRegisterIMInstantiateCallback (compositor.display,
		29	XrmGetDatabase (compositor.display),
		30	(char *) compositor.resource_name,
		31	(char *) compositor.app_name,
		32	IMInstantiateCallback, NULL);
		33	and XMODIFIERS is:
		34
		35	@im=ibus
		36
		37	Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>
		38	---
		39	modules/im/ximcp/imInsClbk.c \| 3 +++
		40	1 file changed, 3 insertions(+)
		41
		42	diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
		43	index 961aaba..0a8a874 100644
		44	--- a/modules/im/ximcp/imInsClbk.c
		45	+++ b/modules/im/ximcp/imInsClbk.c
		46	@@ -204,6 +204,9 @@ _XimRegisterIMInstantiateCallback(
		47	if( xim ) {
		48	lock = True;
		49	xim->methods->close( (XIM)xim );
		50	+ /* XIMs must be freed manually after being opened; close just
		51	+ does the protocol to deinitialize the IM. */
		52	+ XFree( xim );
		53	lock = False;
		54	icb->call = True;
		55	callback( display, client_data, NULL );
		56	--
		57	2.25.1
		58


diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb index ff2a6f7265..72ab1d4150 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -16,6 +16,7 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
16	file://CVE-2020-14344.patch \	16	file://CVE-2020-14344.patch \
17	file://CVE-2020-14363.patch \	17	file://CVE-2020-14363.patch \
18	file://CVE-2021-31535.patch \	18	file://CVE-2021-31535.patch \
		19	file://CVE-2022-3554.patch \
19	"	20	"
20		21
21	SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"	22	SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"