From 0412d661842bde9304085420ddd45e3260bea4e6 Mon Sep 17 00:00:00 2001 From: xzyang Date: Thu, 23 Dec 2021 19:01:21 +0800 Subject: [PATCH] update to xorg-x11-server-1.20.4-16.el7_9.src.rpm Signed-off-by: xzyang --- ...rrect-bounds-checking-in-XkbSetNames.patch | 183 ++++++++++++++++++ ...ngeFeedbackControl-request-underflow.patch | 35 ++++ ...-XIChangeHierarchy-integer-underflow.patch | 36 ++++ ...ordRegisterClients-Integer-underflow.patch | 70 +++++++ ...ix-XkbSelectEvents-integer-underflow.patch | 36 ++++ ...Info-and-SetDeviceIndicators-heap-ov.patch | 100 ++++++++++ ...AnumCurTimerNotify-when-pScreen-NULL.patch | 28 +++ 0001-fix-for-ZDI-11426.patch | 33 ++++ ...bling-extensions-match-names-case-in.patch | 34 ++++ ...heck-SetMap-request-length-carefully.patch | 131 +++++++++++++ xorg-x11-server.spec | 46 ++++- 11 files changed, 731 insertions(+), 1 deletion(-) create mode 100644 0001-Correct-bounds-checking-in-XkbSetNames.patch create mode 100644 0001-Fix-XChangeFeedbackControl-request-underflow.patch create mode 100644 0001-Fix-XIChangeHierarchy-integer-underflow.patch create mode 100644 0001-Fix-XRecordRegisterClients-Integer-underflow.patch create mode 100644 0001-Fix-XkbSelectEvents-integer-underflow.patch create mode 100644 0001-Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch create mode 100644 0001-animcur-Nerf-AnumCurTimerNotify-when-pScreen-NULL.patch create mode 100644 0001-fix-for-ZDI-11426.patch create mode 100644 0001-mi-When-en-dis-abling-extensions-match-names-case-in.patch create mode 100644 0002-Check-SetMap-request-length-carefully.patch diff --git a/0001-Correct-bounds-checking-in-XkbSetNames.patch b/0001-Correct-bounds-checking-in-XkbSetNames.patch new file mode 100644 index 0000000..429c8cf --- /dev/null +++ b/0001-Correct-bounds-checking-in-XkbSetNames.patch @@ -0,0 +1,183 @@ +From 1d3a1092c30af660b1366fcd344af745590aa29f Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Tue, 18 Aug 2020 14:46:32 +0200 +Subject: [PATCH xserver] Correct bounds checking in XkbSetNames() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2020-14345 / ZDI 11428 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb +(cherry picked from commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1) +Signed-off-by: Michel Dänzer +--- + xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 48 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 3162574a4..2139da7ee 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT; + #define CHK_REQ_KEY_RANGE(err,first,num,r) \ + CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue) + ++static Bool ++_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) { ++ char *cstuff = (char *)stuff; ++ char *cfrom = (char *)from; ++ char *cto = (char *)to; ++ ++ return cfrom < cto && ++ cfrom >= cstuff && ++ cfrom < cstuff + ((size_t)client->req_len << 2) && ++ cto >= cstuff && ++ cto <= cstuff + ((size_t)client->req_len << 2); ++} ++ + /***====================================================================***/ + + int +@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + client->errorValue = _XkbErrCode2(0x04, stuff->firstType); + return BadAccess; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes)) ++ return BadLength; + old = tmp; + tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad); + if (!tmp) { +@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + } + width = (CARD8 *) tmp; + tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels)); ++ if (!_XkbCheckRequestBounds(client, stuff, width, tmp)) ++ return BadLength; + type = &xkb->map->types[stuff->firstKTLevel]; + for (i = 0; i < stuff->nKTLevels; i++, type++) { + if (width[i] == 0) +@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + type->num_levels, width[i]); + return BadMatch; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i])) ++ return BadLength; + tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad); + if (!tmp) { + client->errorValue = bad; +@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + client->errorValue = 0x08; + return BadMatch; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, ++ tmp + Ones(stuff->indicators))) ++ return BadLength; + tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators, + client->swapped, &bad); + if (!tmp) { +@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + client->errorValue = 0x09; + return BadMatch; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, ++ tmp + Ones(stuff->virtualMods))) ++ return BadLength; + tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods, + (CARD32) stuff->virtualMods, + client->swapped, &bad); +@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + client->errorValue = 0x0a; + return BadMatch; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, ++ tmp + Ones(stuff->groupNames))) ++ return BadLength; + tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups, + (CARD32) stuff->groupNames, + client->swapped, &bad); +@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + stuff->nKeys); + return BadValue; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys)) ++ return BadLength; + tmp += stuff->nKeys; + } + if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) { ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, ++ tmp + (stuff->nKeyAliases * 2))) ++ return BadLength; + tmp += stuff->nKeyAliases * 2; + } + if (stuff->which & XkbRGNamesMask) { +@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev, + client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups); + return BadValue; + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, ++ tmp + stuff->nRadioGroups)) ++ return BadLength; + tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad); + if (!tmp) { + client->errorValue = bad; +@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client) + /* check device-independent stuff */ + tmp = (CARD32 *) &stuff[1]; + ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbKeycodesNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client) + return BadAtom; + } + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbGeometryNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client) + return BadAtom; + } + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbSymbolsNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client) + return BadAtom; + } + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbPhysSymbolsNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client) + return BadAtom; + } + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbTypesNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client) + return BadAtom; + } + } ++ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1)) ++ return BadLength; + if (stuff->which & XkbCompatNameMask) { + tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad); + if (!tmp) { +-- +2.28.0 + diff --git a/0001-Fix-XChangeFeedbackControl-request-underflow.patch b/0001-Fix-XChangeFeedbackControl-request-underflow.patch new file mode 100644 index 0000000..3d4f0a4 --- /dev/null +++ b/0001-Fix-XChangeFeedbackControl-request-underflow.patch @@ -0,0 +1,35 @@ +From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Sun, 21 Mar 2021 18:38:57 +0100 +Subject: [PATCH] Fix XChangeFeedbackControl() request underflow + +CVE-2021-3472 / ZDI-CAN-1259 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb +--- + Xi/chgfctl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c +index 1de4da9ef..7a597e43d 100644 +--- a/Xi/chgfctl.c ++++ b/Xi/chgfctl.c +@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client) + break; + case StringFeedbackClass: + { +- xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); ++ xStringFeedbackCtl *f; + ++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq, ++ sizeof(xStringFeedbackCtl)); ++ f = ((xStringFeedbackCtl *) &stuff[1]); + if (client->swapped) { + if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) + return BadLength; +-- +2.25.4 + diff --git a/0001-Fix-XIChangeHierarchy-integer-underflow.patch b/0001-Fix-XIChangeHierarchy-integer-underflow.patch new file mode 100644 index 0000000..e4be3ac --- /dev/null +++ b/0001-Fix-XIChangeHierarchy-integer-underflow.patch @@ -0,0 +1,36 @@ +From eff3f6cdd398bfac040351e99e64baf3bf64fa2e Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Tue, 18 Aug 2020 14:49:04 +0200 +Subject: [PATCH xserver] Fix XIChangeHierarchy() integer underflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2020-14346 / ZDI-CAN-11429 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb +(cherry picked from commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e) +Signed-off-by: Michel Dänzer +--- + Xi/xichangehierarchy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index cbdd91258..504defe56 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client) + if (!stuff->num_changes) + return rc; + +- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq); ++ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq); + + any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; + while (stuff->num_changes--) { +-- +2.28.0 + diff --git a/0001-Fix-XRecordRegisterClients-Integer-underflow.patch b/0001-Fix-XRecordRegisterClients-Integer-underflow.patch new file mode 100644 index 0000000..6504678 --- /dev/null +++ b/0001-Fix-XRecordRegisterClients-Integer-underflow.patch @@ -0,0 +1,70 @@ +From 705d7213935820d9f56563ee9e17aa9beb365c1e Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Tue, 18 Aug 2020 14:55:01 +0200 +Subject: [PATCH xserver] Fix XRecordRegisterClients() Integer underflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2020-14362 ZDI-CAN-11574 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb +(cherry picked from commit 24acad216aa0fc2ac451c67b2b86db057a032050) +Signed-off-by: Michel Dänzer +--- + record/record.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/record/record.c b/record/record.c +index f0b739b0c..05d751ac2 100644 +--- a/record/record.c ++++ b/record/record.c +@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client) + } /* SProcRecordQueryVersion */ + + static int _X_COLD +-SwapCreateRegister(xRecordRegisterClientsReq * stuff) ++SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) + { + int i; + XID *pClientID; +@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff) + swapl(&stuff->nRanges); + pClientID = (XID *) &stuff[1]; + if (stuff->nClients > +- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)) ++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)) + return BadLength; + for (i = 0; i < stuff->nClients; i++, pClientID++) { + swapl(pClientID); + } + if (stuff->nRanges > +- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq) ++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) + - stuff->nClients) + return BadLength; + RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); +@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client) + + swaps(&stuff->length); + REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); +- if ((status = SwapCreateRegister((void *) stuff)) != Success) ++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) + return status; + return ProcRecordCreateContext(client); + } /* SProcRecordCreateContext */ +@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client) + + swaps(&stuff->length); + REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); +- if ((status = SwapCreateRegister((void *) stuff)) != Success) ++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) + return status; + return ProcRecordRegisterClients(client); + } /* SProcRecordRegisterClients */ +-- +2.28.0 + diff --git a/0001-Fix-XkbSelectEvents-integer-underflow.patch b/0001-Fix-XkbSelectEvents-integer-underflow.patch new file mode 100644 index 0000000..321b90f --- /dev/null +++ b/0001-Fix-XkbSelectEvents-integer-underflow.patch @@ -0,0 +1,36 @@ +From 5b384e7678c5a155dd8752f018c8292153c1295e Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Tue, 18 Aug 2020 14:52:29 +0200 +Subject: [PATCH xserver] Fix XkbSelectEvents() integer underflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2020-14361 ZDI-CAN 11573 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb +(cherry picked from commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8) +Signed-off-by: Michel Dänzer +--- + xkb/xkbSwap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c +index 1c1ed5ff4..50cabb90e 100644 +--- a/xkb/xkbSwap.c ++++ b/xkb/xkbSwap.c +@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client) + register unsigned bit, ndx, maskLeft, dataLeft, size; + + from.c8 = (CARD8 *) &stuff[1]; +- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq); ++ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq); + maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask)); + for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) { + if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify)) +-- +2.28.0 + diff --git a/0001-Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch b/0001-Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch new file mode 100644 index 0000000..f288fd7 --- /dev/null +++ b/0001-Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch @@ -0,0 +1,100 @@ +From 7ccb3b0eabb4658daf0ecb2c78a53609ae2c263b Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Sun, 11 Oct 2020 17:05:09 +0200 +Subject: [PATCH xserver 1/2] Fix XkbSetDeviceInfo() and SetDeviceIndicators() + heap overflows + +ZDI-CAN 11389 / CVE-2020-25712 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb +(cherry picked from commit 87c64fc5b0db9f62f4e361444f4b60501ebf67b9) +--- + xkb/xkb.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 2139da7ee..f162e8d83 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -6533,7 +6533,9 @@ SetDeviceIndicators(char *wire, + unsigned changed, + int num, + int *status_rtrn, +- ClientPtr client, xkbExtensionDeviceNotify * ev) ++ ClientPtr client, ++ xkbExtensionDeviceNotify * ev, ++ xkbSetDeviceInfoReq * stuff) + { + xkbDeviceLedsWireDesc *ledWire; + int i; +@@ -6554,6 +6556,11 @@ SetDeviceIndicators(char *wire, + xkbIndicatorMapWireDesc *mapWire; + XkbSrvLedInfoPtr sli; + ++ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) ledWire; ++ } ++ + namec = mapc = statec = 0; + sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID, + XkbXI_IndicatorMapsMask); +@@ -6572,6 +6579,10 @@ SetDeviceIndicators(char *wire, + memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom)); + for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { + if (ledWire->namesPresent & bit) { ++ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) atomWire; ++ } + sli->names[n] = (Atom) *atomWire; + if (sli->names[n] == None) + ledWire->namesPresent &= ~bit; +@@ -6589,6 +6600,10 @@ SetDeviceIndicators(char *wire, + if (ledWire->mapsPresent) { + for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { + if (ledWire->mapsPresent & bit) { ++ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) { ++ *status_rtrn = BadLength; ++ return (char *) mapWire; ++ } + sli->maps[n].flags = mapWire->flags; + sli->maps[n].which_groups = mapWire->whichGroups; + sli->maps[n].groups = mapWire->groups; +@@ -6668,7 +6683,7 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, + ed.deviceID = dev->id; + wire = (char *) &stuff[1]; + if (stuff->change & XkbXI_ButtonActionsMask) { +- int nBtns, sz, i; ++ int nBtns, sz, i; + XkbAction *acts; + DeviceIntPtr kbd; + +@@ -6680,7 +6695,11 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, + return BadAlloc; + dev->button->xkb_acts = acts; + } ++ if (stuff->firstBtn + stuff->nBtns > nBtns) ++ return BadValue; + sz = stuff->nBtns * SIZEOF(xkbActionWireDesc); ++ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz)) ++ return BadLength; + memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz); + wire += sz; + ed.reason |= XkbXI_ButtonActionsMask; +@@ -6701,7 +6720,8 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, + int status = Success; + + wire = SetDeviceIndicators(wire, dev, stuff->change, +- stuff->nDeviceLedFBs, &status, client, &ed); ++ stuff->nDeviceLedFBs, &status, client, &ed, ++ stuff); + if (status != Success) + return status; + } +-- +2.28.0 + diff --git a/0001-animcur-Nerf-AnumCurTimerNotify-when-pScreen-NULL.patch b/0001-animcur-Nerf-AnumCurTimerNotify-when-pScreen-NULL.patch new file mode 100644 index 0000000..20b0284 --- /dev/null +++ b/0001-animcur-Nerf-AnumCurTimerNotify-when-pScreen-NULL.patch @@ -0,0 +1,28 @@ +From 2e54bfc16230a77a6dd1083f9263b0dfe8189a6c Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Wed, 17 Jun 2020 15:16:20 -0400 +Subject: [PATCH xserver] animcur: Nerf AnumCurTimerNotify when pScreen == NULL + +This is a terrible band-aid, but maybe it works. +--- + render/animcur.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/render/animcur.c b/render/animcur.c +index ef27bda278..44d40c23cd 100644 +--- a/render/animcur.c ++++ b/render/animcur.c +@@ -131,6 +131,10 @@ AnimCurTimerNotify(OsTimerPtr timer, CARD32 now, void *arg) + { + DeviceIntPtr dev = arg; + ScreenPtr pScreen = dev->spriteInfo->anim.pScreen; ++ ++ if (!pScreen) ++ return 0; /* aieee */ ++ + AnimCurScreenPtr as = GetAnimCurScreen(pScreen); + + AnimCurPtr ac = GetAnimCur(dev->spriteInfo->sprite->current); +-- +2.23.0 + diff --git a/0001-fix-for-ZDI-11426.patch b/0001-fix-for-ZDI-11426.patch new file mode 100644 index 0000000..7ae18a8 --- /dev/null +++ b/0001-fix-for-ZDI-11426.patch @@ -0,0 +1,33 @@ +From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Sat, 25 Jul 2020 19:33:50 +0200 +Subject: [PATCH] fix for ZDI-11426 + +Avoid leaking un-initalized memory to clients by zeroing the +whole pixmap on initial allocation. + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb +Reviewed-by: Alan Coopersmith +--- + dix/pixmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/dix/pixmap.c b/dix/pixmap.c +index 1186d7dbb..5a0146bbb 100644 +--- a/dix/pixmap.c ++++ b/dix/pixmap.c +@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize) + if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize) + return NullPixmap; + +- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize); ++ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize); + if (!pPixmap) + return NullPixmap; + +-- +2.25.4 + diff --git a/0001-mi-When-en-dis-abling-extensions-match-names-case-in.patch b/0001-mi-When-en-dis-abling-extensions-match-names-case-in.patch new file mode 100644 index 0000000..1c8f71e --- /dev/null +++ b/0001-mi-When-en-dis-abling-extensions-match-names-case-in.patch @@ -0,0 +1,34 @@ +From 2710e0997b69326ff7103229508e43b511903278 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Thu, 29 Oct 2020 15:32:36 -0400 +Subject: [PATCH] mi: When {en,dis}abling extensions, match names + case-insensitively + +Both because extension names are inconsistently capitalized on the wire, +and because the table we're walking spells it COMPOSITE not Composite. +The latter is certainly also a bug, but there's no reason for us to be +that strict. + +[mustard: backport to 1.20.4 - ajax] + +Signed-off-by: Adam Jackson +--- + mi/miinitext.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mi/miinitext.c b/mi/miinitext.c +index b7c7021..3a7f83f 100644 +--- a/mi/miinitext.c ++++ b/mi/miinitext.c +@@ -215,7 +215,7 @@ EnableDisableExtensionError(const char *name, Bool enable) + + for (i = 0; i < ARRAY_SIZE(staticExtensions); i++) { + ext = &staticExtensions[i]; +- if ((strcmp(name, ext->name) == 0) && (ext->disablePtr == NULL)) { ++ if ((strcasecmp(name, ext->name) == 0) && (ext->disablePtr == NULL)) { + ErrorF("[mi] Extension \"%s\" can not be disabled\n", name); + found = TRUE; + break; +-- +2.23.0 + diff --git a/0002-Check-SetMap-request-length-carefully.patch b/0002-Check-SetMap-request-length-carefully.patch new file mode 100644 index 0000000..83ea204 --- /dev/null +++ b/0002-Check-SetMap-request-length-carefully.patch @@ -0,0 +1,131 @@ +From 06d1a032ee491547f7037c3ff042065dc2aeaa99 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 12 Nov 2020 19:15:07 +0100 +Subject: [PATCH xserver 2/2] Check SetMap request length carefully. + +Avoid out of bounds memory accesses on too short request. + +ZDI-CAN 11572 / CVE-2020-14360 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb +(cherry picked from commit 446ff2d3177087b8173fa779fa5b77a2a128988b) +--- + xkb/xkb.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 92 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f162e8d83..68c59df02 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2382,6 +2382,93 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi, + return (char *) wire; + } + ++#define _add_check_len(new) \ ++ if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \ ++ else len += new ++ ++/** ++ * Check the length of the SetMap request ++ */ ++static int ++_XkbSetMapCheckLength(xkbSetMapReq *req) ++{ ++ size_t len = sz_xkbSetMapReq, req_len = req->length << 2; ++ xkbKeyTypeWireDesc *keytype; ++ xkbSymMapWireDesc *symmap; ++ BOOL preserve; ++ int i, map_count, nSyms; ++ ++ if (req_len < len) ++ goto bad; ++ /* types */ ++ if (req->present & XkbKeyTypesMask) { ++ keytype = (xkbKeyTypeWireDesc *)(req + 1); ++ for (i = 0; i < req->nTypes; i++) { ++ _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc)); ++ if (req->flags & XkbSetMapResizeTypes) { ++ _add_check_len(keytype->nMapEntries ++ * sz_xkbKTSetMapEntryWireDesc); ++ preserve = keytype->preserve; ++ map_count = keytype->nMapEntries; ++ if (preserve) { ++ _add_check_len(map_count * sz_xkbModsWireDesc); ++ } ++ keytype += 1; ++ keytype = (xkbKeyTypeWireDesc *) ++ ((xkbKTSetMapEntryWireDesc *)keytype + map_count); ++ if (preserve) ++ keytype = (xkbKeyTypeWireDesc *) ++ ((xkbModsWireDesc *)keytype + map_count); ++ } ++ } ++ } ++ /* syms */ ++ if (req->present & XkbKeySymsMask) { ++ symmap = (xkbSymMapWireDesc *)((char *)req + len); ++ for (i = 0; i < req->nKeySyms; i++) { ++ _add_check_len(sz_xkbSymMapWireDesc); ++ nSyms = symmap->nSyms; ++ _add_check_len(nSyms*sizeof(CARD32)); ++ symmap += 1; ++ symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms); ++ } ++ } ++ /* actions */ ++ if (req->present & XkbKeyActionsMask) { ++ _add_check_len(req->totalActs * sz_xkbActionWireDesc ++ + XkbPaddedSize(req->nKeyActs)); ++ } ++ /* behaviours */ ++ if (req->present & XkbKeyBehaviorsMask) { ++ _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc); ++ } ++ /* vmods */ ++ if (req->present & XkbVirtualModsMask) { ++ _add_check_len(XkbPaddedSize(Ones(req->virtualMods))); ++ } ++ /* explicit */ ++ if (req->present & XkbExplicitComponentsMask) { ++ /* two bytes per non-zero explicit componen */ ++ _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16))); ++ } ++ /* modmap */ ++ if (req->present & XkbModifierMapMask) { ++ /* two bytes per non-zero modmap component */ ++ _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16))); ++ } ++ /* vmodmap */ ++ if (req->present & XkbVirtualModMapMask) { ++ _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc); ++ } ++ if (len == req_len) ++ return Success; ++bad: ++ ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n", ++ len, req_len); ++ return BadLength; ++} ++ ++ + /** + * Check if the given request can be applied to the given device but don't + * actually do anything.. +@@ -2639,6 +2726,11 @@ ProcXkbSetMap(ClientPtr client) + CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess); + CHK_MASK_LEGAL(0x01, stuff->present, XkbAllMapComponentsMask); + ++ /* first verify the request length carefully */ ++ rc = _XkbSetMapCheckLength(stuff); ++ if (rc != Success) ++ return rc; ++ + tmp = (char *) &stuff[1]; + + /* Check if we can to the SetMap on the requested device. If this +-- +2.28.0 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 3fd5065..6992236 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -42,7 +42,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.4 -Release: 10%{?gitdate:.%{gitdate}}%{?dist} +Release: 16%{?gitdate:.%{gitdate}}%{?dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -130,6 +130,29 @@ Patch9900: 0001-xfree86-Only-switch-to-original-VT-if-it-is-active.patch # Bug 1763001 - Xorg.#.log show "(EE) modeset(0): [DRI2] No driver mapping found..." Patch9910: 0001-dri2-Set-fallback-driver-names-for-Intel-and-AMD-chi.patch +# Bug 1846652 - X server crash when moving animated cursor between screens +Patch9920: 0001-animcur-Nerf-AnumCurTimerNotify-when-pScreen-NULL.patch + +# Bug 1666896 - Case sensitivity when enabling/disabling X extensions breaks disabling Composite extension +Patch9930: 0001-mi-When-en-dis-abling-extensions-match-names-case-in.patch + +# CVE-2020-14345 +Patch10001: 0001-Correct-bounds-checking-in-XkbSetNames.patch +# CVE-2020-14346 +Patch10002: 0001-Fix-XIChangeHierarchy-integer-underflow.patch +# CVE-2020-14361 +Patch10003: 0001-Fix-XkbSelectEvents-integer-underflow.patch +# CVE-2020-14362 +Patch10004: 0001-Fix-XRecordRegisterClients-Integer-underflow.patch +# CVE-2020-14347 +Patch10005: 0001-fix-for-ZDI-11426.patch +# CVE-2020-25712 +Patch10006: 0001-Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch +# CVE-2020-14360 +Patch10007: 0002-Check-SetMap-request-length-carefully.patch +# CVE-2021-3472 +Patch10008: 0001-Fix-XChangeFeedbackControl-request-underflow.patch + %global moduledir %{_libdir}/xorg/modules %global drimoduledir %{_libdir}/dri %global sdkdir %{_includedir}/xorg @@ -611,6 +634,27 @@ rm -rf $RPM_BUILD_ROOT %{xserver_source_dir} %changelog +* Mon May 10 2021 Adam Jackson - 1.20.4-16 +- CVE fix for: CVE-2021-3472 (#1944956) + +* Thu Dec 10 2020 Olivier Fourdan - 1.20.4-15 +- CVE fix for: CVE-2020-25712 (#1904937), CVE-2020-14360 (#1904934) + +* Thu Dec 10 2020 Olivier Fourdan - 1.20.4-14 +- CVE fix for: CVE-2020-14347 (#1862319) + +* Mon Nov 2 2020 Michel Dänzer - 1.20.4-13 +- Re-apply fixes from 1.20.4-11 + +* Fri Oct 30 2020 Michel Dänzer - 1.20.4-12 +- CVE fixes for: CVE-2020-14345 (#1872389), CVE-2020-14346 (#1872393), + CVE-2020-14361 (#1872400), CVE-2020-14362 (#1872407) +- Temporarily revert fixes from 1.20.4-11 build for delivery of CVE fixes + +* Thu Oct 29 2020 Adam Jackson - 1.20.4-11 +- Fix a crash when moving an animated cursor between screens +- Be case-insentive when matching extension names to enable or disable + * Wed Jan 08 2020 Adam Jackson - 1.20.4-10 - Set fallback DRI2 driver names for Intel and AMD -- Gitee