diff options
| -rw-r--r-- | meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch | 59 | ||||
| -rw-r--r-- | meta/recipes-graphics/xwayland/xwayland_22.1.8.bb | 1 |
2 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch new file mode 100644 index 0000000000..54888f6347 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch | |||
| @@ -0,0 +1,59 @@ | |||
| 1 | From ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
| 3 | Date: Thu, 10 Oct 2024 10:37:28 +0200 | ||
| 4 | Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() | ||
| 5 | |||
| 6 | The _XkbSetCompatMap() function attempts to resize the `sym_interpret` | ||
| 7 | buffer. | ||
| 8 | |||
| 9 | However, It didn't update its size properly. It updated `num_si` only, | ||
| 10 | without updating `size_si`. | ||
| 11 | |||
| 12 | This may lead to local privilege escalation if the server is run as root | ||
| 13 | or remote code execution (e.g. x11 over ssh). | ||
| 14 | |||
| 15 | CVE-2024-9632, ZDI-CAN-24756 | ||
| 16 | |||
| 17 | This vulnerability was discovered by: | ||
| 18 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
| 19 | |||
| 20 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
| 21 | Tested-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
| 22 | Reviewed-by: José Expósito <jexposit@redhat.com> | ||
| 23 | (cherry picked from commit 85b77657) | ||
| 24 | |||
| 25 | Part-of: <!1734> | ||
| 26 | |||
| 27 | CVE: CVE-2024-9632 | ||
| 28 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0] | ||
| 29 | |||
| 30 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
| 31 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 32 | --- | ||
| 33 | xkb/xkb.c | 8 ++++---- | ||
| 34 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
| 35 | |||
| 36 | diff --git a/xkb/xkb.c b/xkb/xkb.c | ||
| 37 | index 276dc19..7da00a0 100644 | ||
| 38 | --- a/xkb/xkb.c | ||
| 39 | +++ b/xkb/xkb.c | ||
| 40 | @@ -2992,13 +2992,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, | ||
| 41 | XkbSymInterpretPtr sym; | ||
| 42 | unsigned int skipped = 0; | ||
| 43 | |||
| 44 | - if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { | ||
| 45 | - compat->num_si = req->firstSI + req->nSI; | ||
| 46 | + if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { | ||
| 47 | + compat->num_si = compat->size_si = req->firstSI + req->nSI; | ||
| 48 | compat->sym_interpret = reallocarray(compat->sym_interpret, | ||
| 49 | - compat->num_si, | ||
| 50 | + compat->size_si, | ||
| 51 | sizeof(XkbSymInterpretRec)); | ||
| 52 | if (!compat->sym_interpret) { | ||
| 53 | - compat->num_si = 0; | ||
| 54 | + compat->num_si = compat->size_si = 0; | ||
| 55 | return BadAlloc; | ||
| 56 | } | ||
| 57 | } | ||
| 58 | -- | ||
| 59 | 2.40.0 | ||
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 258a875697..23575b387e 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb | |||
| @@ -28,6 +28,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ | |||
| 28 | file://CVE-2024-31081.patch \ | 28 | file://CVE-2024-31081.patch \ |
| 29 | file://CVE-2024-31083-0001.patch \ | 29 | file://CVE-2024-31083-0001.patch \ |
| 30 | file://CVE-2024-31083-0002.patch \ | 30 | file://CVE-2024-31083-0002.patch \ |
| 31 | file://CVE-2024-9632.patch \ | ||
| 31 | " | 32 | " |
| 32 | SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73" | 33 | SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73" |
| 33 | 34 | ||