Skip to content
Snippets Groups Projects
Commit 5cfa14c7 authored by Apertis CI robot's avatar Apertis CI robot
Browse files

Merge updates from debian/bullseye-security

parents 52b02caf d56890e7
No related branches found
No related tags found
4 merge requests!71Merge changes from apertis/v2022-security into apertis/v2022,!70Merge changes from apertis/v2023-security into apertis/v2023,!65Backport v2022 <- v2023: Update from debian/bullseye-security,!63Update from debian/bullseye-security for apertis/v2023-security
Hide whitespace changes
Inline Side-by-side
debian/changelog
+ 10
0
View file @ 5cfa14c7
xorg-server (2:1.20.11-1+deb11u10) bullseye-security; urgency=high
* Non-maintainer upload by the Security Team.
* Sync "Xi: allocate enough XkbActions for our buttons" (CVE-2023-6377)
The original upstream patch applied for CVE-2023-6377 was incomplete and
still allows OOM access.
This update syncs the patch with the upstream applied patch.
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 15 Dec 2023 06:14:11 +0100
xorg-server (2:1.20.11-1+deb11u9+apertis1) apertis; urgency=medium xorg-server (2:1.20.11-1+deb11u9+apertis1) apertis; urgency=medium
* Sync updates from Debian Bullseye Security. * Sync updates from Debian Bullseye Security.
......
debian/patches/Xi-allocate-enough-XkbActions-for-our-buttons.patch
+ 20
20
View file @ 5cfa14c7
From ff830d3c47c92e7c810055b9fd56ae22fc1d5346 Mon Sep 17 00:00:00 2001 From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net> From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 28 Nov 2023 15:19:04 +1000 Date: Tue, 28 Nov 2023 15:19:04 +1000
Subject: [PATCH xserver] Xi: allocate enough XkbActions for our buttons Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
button->xkb_acts is supposed to be an array sufficiently large for all button->xkb_acts is supposed to be an array sufficiently large for all
our buttons, not just a single XkbActions struct. Allocating our buttons, not just a single XkbActions struct. Allocating
...@@ -14,27 +14,28 @@ CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413 ...@@ -14,27 +14,28 @@ CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
This vulnerability was discovered by: This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
--- ---
Xi/exevents.c | 8 ++++++-- Xi/exevents.c | 12 ++++++------
dix/devices.c | 11 +++++++++++ dix/devices.c | 10 ++++++++++
2 files changed, 17 insertions(+), 2 deletions(-) 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c diff --git a/Xi/exevents.c b/Xi/exevents.c
index dcd4efb3bc..f24de9eec4 100644 index dcd4efb3bc7a..54ea11a93872 100644
--- a/Xi/exevents.c --- a/Xi/exevents.c
+++ b/Xi/exevents.c +++ b/Xi/exevents.c
@@ -612,12 +612,16 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) @@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
}
if (from->button->xkb_acts) { if (from->button->xkb_acts) {
if (!to->button->xkb_acts) { - if (!to->button->xkb_acts) {
- to->button->xkb_acts = calloc(1, sizeof(XkbAction)); - to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+ to->button->xkb_acts = calloc(from->button->numButtons, sizeof(XkbAction)); - if (!to->button->xkb_acts)
if (!to->button->xkb_acts) - FatalError("[Xi] not enough memory for xkb_acts.\n");
FatalError("[Xi] not enough memory for xkb_acts.\n"); - }
+ } else { + size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts, + to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+ from->button->numButtons, + maxbuttons,
+ sizeof(XkbAction)); + sizeof(XkbAction));
} + memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
memcpy(to->button->xkb_acts, from->button->xkb_acts, memcpy(to->button->xkb_acts, from->button->xkb_acts,
- sizeof(XkbAction)); - sizeof(XkbAction));
+ from->button->numButtons * sizeof(XkbAction)); + from->button->numButtons * sizeof(XkbAction));
...@@ -42,10 +43,10 @@ index dcd4efb3bc..f24de9eec4 100644 ...@@ -42,10 +43,10 @@ index dcd4efb3bc..f24de9eec4 100644
else { else {
free(to->button->xkb_acts); free(to->button->xkb_acts);
diff --git a/dix/devices.c b/dix/devices.c diff --git a/dix/devices.c b/dix/devices.c
index 7150734a58..deb3010206 100644 index b063128df072..3f3224d6264f 100644
--- a/dix/devices.c --- a/dix/devices.c
+++ b/dix/devices.c +++ b/dix/devices.c
@@ -2530,6 +2530,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) @@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
if (master->button && master->button->numButtons != maxbuttons) { if (master->button && master->button->numButtons != maxbuttons) {
int i; int i;
...@@ -54,7 +55,7 @@ index 7150734a58..deb3010206 100644 ...@@ -54,7 +55,7 @@ index 7150734a58..deb3010206 100644
DeviceChangedEvent event = { DeviceChangedEvent event = {
.header = ET_Internal, .header = ET_Internal,
.type = ET_DeviceChanged, .type = ET_DeviceChanged,
@@ -2540,6 +2542,15 @@ RecalculateMasterButtons(DeviceIntPtr slave) @@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
}; };
master->button->numButtons = maxbuttons; master->button->numButtons = maxbuttons;
...@@ -66,7 +67,6 @@ index 7150734a58..deb3010206 100644 ...@@ -66,7 +67,6 @@ index 7150734a58..deb3010206 100644
+ 0, + 0,
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction)); + (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+ } + }
+
memcpy(&event.buttons.names, master->button->labels, maxbuttons * memcpy(&event.buttons.names, master->button->labels, maxbuttons *
sizeof(Atom)); sizeof(Atom));
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
Apertis Website Terms of Use Privacy Policy