Skip to content
Snippets Groups Projects
Commit cf688027 authored by Julien Cristau's avatar Julien Cristau Committed by Vignesh Raman
Browse files

Import Debian changes 2:1.20.11-1+deb11u6

parent 35a1a047
No related branches found
Tags debian/2%1.20.11-1+deb11u6
5 merge requests!51Merge changes from apertis/v2023-security into apertis/v2023,!50Merge changes from apertis/v2022-security into apertis/v2022,!49Update from debian/bullseye-security for apertis/v2022-security,!48Update from debian/bullseye-security for apertis/v2023-security,!47Update from debian/bullseye-security for apertis/v2024dev1
Pipeline #687649 canceled
Stage: build-env
    Stage: update
      Stage: merge
        Hide whitespace changes
        Inline Side-by-side
        debian/changelog
        + 6
        0
        View file @ cf688027
        xorg-server (2:1.20.11-1+deb11u6) bullseye-security; urgency=high
        * composite: Fix use-after-free of the COW (CVE-2023-1393)
        -- Julien Cristau <jcristau@debian.org> Thu, 23 Mar 2023 11:25:56 +0100
        xorg-server (2:1.20.11-1+deb11u5) bullseye-security; urgency=high
        * Xi: fix potential use-after-free in DeepCopyPointerClasses (CVE-2023-0494)
        ......
        debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch 0 → 100644
        + 37
        0
        View file @ cf688027
        From 947bd1b3f4a23565bf10879ec41ba06ebe1e1c76 Mon Sep 17 00:00:00 2001
        From: Olivier Fourdan <ofourdan@redhat.com>
        Date: Mon, 13 Mar 2023 11:08:47 +0100
        Subject: [PATCH xserver] composite: Fix use-after-free of the COW
        ZDI-CAN-19866/CVE-2023-1393
        If a client explicitly destroys the compositor overlay window (aka COW),
        we would leave a dangling pointer to that window in the CompScreen
        structure, which will trigger a use-after-free later.
        Make sure to clear the CompScreen pointer to the COW when the latter gets
        destroyed explicitly by the client.
        This vulnerability was discovered by:
        Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
        Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
        Reviewed-by: Adam Jackson <ajax@redhat.com>
        ---
        composite/compwindow.c | 5 +++++
        1 file changed, 5 insertions(+)
        --- a/composite/compwindow.c
        +++ b/composite/compwindow.c
        @@ -613,6 +613,11 @@ compDestroyWindow(WindowPtr pWin)
        ret = (*pScreen->DestroyWindow) (pWin);
        cs->DestroyWindow = pScreen->DestroyWindow;
        pScreen->DestroyWindow = compDestroyWindow;
        +
        + /* Did we just destroy the overlay window? */
        + if (pWin == cs->pOverlayWin)
        + cs->pOverlayWin = NULL;
        +
        /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
        return ret;
        }
        debian/patches/series
        + 1
        0
        View file @ cf688027
        ......@@ -20,3 +20,4 @@
        18_Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
        19_xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
        20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
        21_composite-Fix-use-after-free-of-the-COW.patch
        0% or .
        You are about to add 0 people to the discussion. Proceed with caution.
        Finish editing this message first!
        Please register or to comment
        Apertis Website Terms of Use Privacy Policy