From 9ee015ab5c1bdb7229d0fa7d3e099b87c12727d5 Mon Sep 17 00:00:00 2001
From: Thorsten Alteholz <debian@alteholz.de>
Date: Sun, 27 Oct 2024 12:03:02 +0100
Subject: [PATCH] Import Debian changes 2:1.20.11-1+deb11u14

---
 debian/changelog                              |  8 +++
 debian/patches/series                         |  2 +
 ...-buffer-overflow-in-_XkbSetCompatMap.patch | 51 +++++++++++++++++++
 3 files changed, 61 insertions(+)
 create mode 100644 debian/patches/xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch

diff --git a/debian/changelog b/debian/changelog
index 3efa1b7..0ba60a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+xorg-server (2:1.20.11-1+deb11u14) bullseye-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2024-9632
+    xkb: Fix buffer overflow in _XkbSetCompatMap()
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sun, 27 Oct 2024 12:03:02 +0100
+
 xorg-server (2:1.20.11-1+deb11u13) bullseye-security; urgency=high
 
   * render: Avoid possible double-free in ProcRenderAddGlyphs()
diff --git a/debian/patches/series b/debian/patches/series
index 790af95..e1e46f8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -41,3 +41,5 @@ dix-Fix-use-after-free-in-input-device-shutdown.patch
 20240403/0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
 20240403/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
 20240403/0005-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+
+xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
diff --git a/debian/patches/xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch b/debian/patches/xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
new file mode 100644
index 0000000..60a877e
--- /dev/null
+++ b/debian/patches/xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
@@ -0,0 +1,51 @@
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 10 Oct 2024 10:37:28 +0200
+Subject: xkb: Fix buffer overflow in _XkbSetCompatMap()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-9632
+
+The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
+buffer.
+
+However, It didn't update its size properly. It updated `num_si` only,
+without updating `size_si`.
+
+This may lead to local privilege escalation if the server is run as root
+or remote code execution (e.g. x11 over ssh).
+
+CVE-2024-9632, ZDI-CAN-24756
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: José Expósito <jexposit@redhat.com>
+---
+ xkb/xkb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+Index: xorg-server-1.20.11/xkb/xkb.c
+===================================================================
+--- xorg-server-1.20.11.orig/xkb/xkb.c	2024-10-27 14:28:10.550089919 +0100
++++ xorg-server-1.20.11/xkb/xkb.c	2024-10-27 14:28:10.546089918 +0100
+@@ -2993,13 +2993,13 @@
+         XkbSymInterpretPtr sym;
+         unsigned int skipped = 0;
+ 
+-        if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
+-            compat->num_si = req->firstSI + req->nSI;
++        if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
++            compat->num_si = compat->size_si = req->firstSI + req->nSI;
+             compat->sym_interpret = reallocarray(compat->sym_interpret,
+-                                                 compat->num_si,
++                                                 compat->size_si,
+                                                  sizeof(XkbSymInterpretRec));
+             if (!compat->sym_interpret) {
+-                compat->num_si = 0;
++                compat->num_si = compat->size_si = 0;
+                 return BadAlloc;
+             }
+         }
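Review bot: The `reallocarray()` result in the xkb/xkb.c hunk is still assigned straight to `compat->sym_interpret`, so when the allocation fails the old array is leaked and every existing interpretation is dropped, because the error branch only zeroes `num_si` and `size_si`. Growing into a temporary and updating the pointer and both counters only after success would keep the compat map intact on `BadAlloc`. Separately, the condition now compares against `size_si`, so a request that ends between `num_si` and `size_si` no longer raises `num_si` in the visible lines. The rest of `_XkbSetCompatMap()` is outside the hunk, so confirm that the code after this block handles that case before relying on `num_si` as the count of valid entries.

```c
        if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
            XkbSymInterpretPtr grown = reallocarray(compat->sym_interpret,
                                                    req->firstSI + req->nSI,
                                                    sizeof(XkbSymInterpretRec));

            /* On failure the old array is still valid; leave it and the counts alone. */
            if (!grown)
                return BadAlloc;
            compat->sym_interpret = grown;
            compat->num_si = compat->size_si = req->firstSI + req->nSI;
        }
```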
-- 
GitLab