xserver-xorg: upgrade 21.1.4 -> 21.1.6

(From OE-Core rev: 009e8d6a292690a0c355d12be2368a9677c701f5) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Alexander Kanavin <alex.kanavin@gmail.com> 2023-01-04 12:05:07 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-01-06 12:03:47 +0000
commit: fc21330699208fb49b133964bb0e2f7d7880fa0d (patch)
tree: 21711a4f0c82069aec664f0cb2e2b8e65ddec85f /meta
parent: 2144d70e3e12e023a02d01639bb3d0080fe3036f (diff)
download: poky-fc21330699208fb49b133964bb0e2f7d7880fa0d.tar.gz
3 files changed, 1 insertions, 104 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
deleted file mode 100644
index 0e61ec5953..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-CVE: CVE-2022-3551
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Wed, 13 Jul 2022 11:23:09 +1000
-Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
-GetComponentByName returns an allocated string, so let's free that if we
-fail somewhere.
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
- xkb/xkb.c | 26 ++++++++++++++++++++------
- 1 file changed, 20 insertions(+), 6 deletions(-)
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index 4692895db..b79a269e3 100644
--- a/xkb/xkb.c
-+++ b/xkb/xkb.c
-@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
-     xkb = dev->key->xkbInfo->desc;
-     status = Success;
-     str = (unsigned char *) &stuff[1];
-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
-        return BadMatch;
-+    {
-+        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
-+        if (keymap) {
-+            free(keymap);
-+            return BadMatch;
-+        }
-+    }
-     names.keycodes = GetComponentSpec(&str, TRUE, &status);
-     names.types = GetComponentSpec(&str, TRUE, &status);
-     names.compat = GetComponentSpec(&str, TRUE, &status);
-     names.symbols = GetComponentSpec(&str, TRUE, &status);
-     names.geometry = GetComponentSpec(&str, TRUE, &status);
-    if (status != Success)
-+    if (status == Success) {
-+        len = str - ((unsigned char *) stuff);
-+        if ((XkbPaddedSize(len) / 4) != stuff->length)
-+            status = BadLength;
-+    }
-+
-+    if (status != Success) {
-+        free(names.keycodes);
-+        free(names.types);
-+        free(names.compat);
-+        free(names.symbols);
-+        free(names.geometry);
-         return status;
-    len = str - ((unsigned char *) stuff);
-    if ((XkbPaddedSize(len) / 4) != stuff->length)
-        return BadLength;
-+    }
- 
-     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
-     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
-- 
-2.34.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch
deleted file mode 100644
index 6f862e82f9..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-CVE: CVE-2022-3550
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 5 Jul 2022 12:06:20 +1000
-Subject: [PATCH] xkb: proof GetCountedString against request length attacks
-GetCountedString did a check for the whole string to be within the
-request buffer but not for the initial 2 bytes that contain the length
-field. A swapped client could send a malformed request to trigger a
-swaps() on those bytes, writing into random memory.
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
- xkb/xkb.c | 5 +++++
- 1 file changed, 5 insertions(+)
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index f42f59ef3..1841cff26 100644
--- a/xkb/xkb.c
-+++ b/xkb/xkb.c
-@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
-     CARD16 len;
- 
-     wire = *wire_inout;
-+
-+    if (client->req_len <
-+        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
-+        return BadValue;
-+
-     len = *(CARD16 *) wire;
-     if (client->swapped) {
-         swaps(&len);
-- 
-2.34.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.6.bb
index aba09afec3..256903ce5f 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.6.bb
@@ -2,10 +2,8 @@ require xserver-xorg.inc
 SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
           file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
-           file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \
-           file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \
           "
-SRC_URI[sha256sum] = "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587"
+SRC_URI[sha256sum] = "1eb86ed674d042b6c8b1f9135e59395cbbca35ed551b122f73a7d8bb3bb22484"
 # These extensions are now integrated into the server, so declare the migration
 # path for in-place upgrades.
author	Alexander Kanavin <alex.kanavin@gmail.com>	2023-01-04 12:05:07 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-01-06 12:03:47 +0000
commit	fc21330699208fb49b133964bb0e2f7d7880fa0d (patch)
tree	21711a4f0c82069aec664f0cb2e2b8e65ddec85f /meta
parent	2144d70e3e12e023a02d01639bb3d0080fe3036f (diff)
download	poky-fc21330699208fb49b133964bb0e2f7d7880fa0d.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch deleted file mode 100644 index 0e61ec5953..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch +++ /dev/null
@@ -1,63 +0,0 @@
1	CVE: CVE-2022-3551
2	Upstream-Status: Backport
3	Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5	From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
6	From: Peter Hutterer <peter.hutterer@who-t.net>
7	Date: Wed, 13 Jul 2022 11:23:09 +1000
8	Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
9
10	GetComponentByName returns an allocated string, so let's free that if we
11	fail somewhere.
12
13	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
14	---
15	xkb/xkb.c \| 26 ++++++++++++++++++++------
16	1 file changed, 20 insertions(+), 6 deletions(-)
17
18	diff --git a/xkb/xkb.c b/xkb/xkb.c
19	index 4692895db..b79a269e3 100644
20	--- a/xkb/xkb.c
21	+++ b/xkb/xkb.c
22	@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
23	xkb = dev->key->xkbInfo->desc;
24	status = Success;
25	str = (unsigned char *) &stuff[1];
26	- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
27	- return BadMatch;
28	+ {
29	+ char keymap = GetComponentSpec(&str, TRUE, &status); / keymap, unsupported */
30	+ if (keymap) {
31	+ free(keymap);
32	+ return BadMatch;
33	+ }
34	+ }
35	names.keycodes = GetComponentSpec(&str, TRUE, &status);
36	names.types = GetComponentSpec(&str, TRUE, &status);
37	names.compat = GetComponentSpec(&str, TRUE, &status);
38	names.symbols = GetComponentSpec(&str, TRUE, &status);
39	names.geometry = GetComponentSpec(&str, TRUE, &status);
40	- if (status != Success)
41	+ if (status == Success) {
42	+ len = str - ((unsigned char *) stuff);
43	+ if ((XkbPaddedSize(len) / 4) != stuff->length)
44	+ status = BadLength;
45	+ }
46	+
47	+ if (status != Success) {
48	+ free(names.keycodes);
49	+ free(names.types);
50	+ free(names.compat);
51	+ free(names.symbols);
52	+ free(names.geometry);
53	return status;
54	- len = str - ((unsigned char *) stuff);
55	- if ((XkbPaddedSize(len) / 4) != stuff->length)
56	- return BadLength;
57	+ }
58
59	CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
60	CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
61	--
62	2.34.1
63


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch deleted file mode 100644 index 6f862e82f9..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch +++ /dev/null
@@ -1,38 +0,0 @@
1	CVE: CVE-2022-3550
2	Upstream-Status: Backport
3	Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5	From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
6	From: Peter Hutterer <peter.hutterer@who-t.net>
7	Date: Tue, 5 Jul 2022 12:06:20 +1000
8	Subject: [PATCH] xkb: proof GetCountedString against request length attacks
9
10	GetCountedString did a check for the whole string to be within the
11	request buffer but not for the initial 2 bytes that contain the length
12	field. A swapped client could send a malformed request to trigger a
13	swaps() on those bytes, writing into random memory.
14
15	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
16	---
17	xkb/xkb.c \| 5 +++++
18	1 file changed, 5 insertions(+)
19
20	diff --git a/xkb/xkb.c b/xkb/xkb.c
21	index f42f59ef3..1841cff26 100644
22	--- a/xkb/xkb.c
23	+++ b/xkb/xkb.c
24	@@ -5137,6 +5137,11 @@ _GetCountedString(char wire_inout, ClientPtr client, char str)
25	CARD16 len;
26
27	wire = *wire_inout;
28	+
29	+ if (client->req_len <
30	+ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
31	+ return BadValue;
32	+
33	len = (CARD16 ) wire;
34	if (client->swapped) {
35	swaps(&len);
36	--
37	2.34.1
38


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.6.bb index aba09afec3..256903ce5f 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.6.bb
@@ -2,10 +2,8 @@ require xserver-xorg.inc
2		2
3	SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \	3	SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
4	file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \	4	file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
5	file://0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch \
6	file://0001-xkb-proof-GetCountedString-against-request-length-at.patch \
7	"	5	"
8	SRC_URI[sha256sum] = "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587"	6	SRC_URI[sha256sum] = "1eb86ed674d042b6c8b1f9135e59395cbbca35ed551b122f73a7d8bb3bb22484"
9		7
10	# These extensions are now integrated into the server, so declare the migration	8	# These extensions are now integrated into the server, so declare the migration
11	# path for in-place upgrades.	9	# path for in-place upgrades.